CN110958239A - Method and device for verifying access request, storage medium and electronic device - Google Patents

Method and device for verifying access request, storage medium and electronic device

Info

Publication number: CN110958239A
Authority: CN (China)
Prior art keywords: target, client, fingerprint information, information, access request
Legal status: Granted (currently active)
Application number: CN201911176916.1A
Other languages: Chinese (zh)
Other versions: CN110958239B (en)
Inventors: 方亮, 张得俊, 陆鹏, 李晓玮
Current Assignee: Tencent Technology Shenzhen Co Ltd
Original Assignee: Tencent Technology Shenzhen Co Ltd
Events: application filed by Tencent Technology Shenzhen Co Ltd; priority to CN201911176916.1A; publication of CN110958239A; application granted; publication of CN110958239B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0861 Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • General Health & Medical Sciences (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a method and device for verifying an access request, a storage medium and an electronic device. The method comprises: acquiring a target access request that carries first client fingerprint information; comparing the first client fingerprint information with the fingerprint information in a fingerprint information set, where the set holds the client fingerprint information carried in access requests acquired before the target access request; and, if the set already contains the first client fingerprint information, confirming the target access request as an abnormal access request. This addresses the security problem in the related art that, when a crawler or malicious user tampers with request parameters or accesses interfaces in bulk from a script, the interfaces are easily brought down or the load on the server increases.

Description

Method and device for verifying access request, storage medium and electronic device
Technical Field
The invention relates to the field of computers, in particular to a verification method and device of an access request, a storage medium and an electronic device.
Background
A cookie is a way of storing data on the client; it can be set by the client or by the server, and it is sent along with every HTTP request. Because cookie contents are plaintext and easy to steal, a user can copy a request in full, cookies included, so the Application Programming Interface (API) is not protected: a crawler or malicious user can quickly tamper with request parameters or drive the interface in bulk from a script, overloading or even bringing down the interface or the server.
In the related art, once the current API request has been copied as a curl command or a fetch call (as browser developer tools allow), it can be replayed in a loop from a program, or its parameters can be altered in other tools to simulate requests, so request information is easily stolen and data can be harvested in bulk by a script.
Therefore, in the related art, when a crawler or malicious user tampers with request parameters or accesses an interface in bulk from a script, security problems such as the interface going down or the server load increasing arise easily.
Disclosure of Invention
The embodiments of the invention provide a method and device for verifying an access request, a storage medium and an electronic device, to solve at least the technical problem in the related art that, when a crawler or malicious user tampers with request parameters or accesses interfaces in bulk from a script, the interface is easily brought down, server load increases, and similar security problems occur.
According to an aspect of the embodiments of the present invention, there is provided a method for verifying an access request, including: acquiring a target access request, wherein the target access request carries first client fingerprint information; comparing the fingerprint information of the first client with fingerprint information in a fingerprint information set, wherein the fingerprint information in the fingerprint information set comprises client fingerprint information carried in an access request acquired before a target access request; in the event that the set of fingerprint information includes first client fingerprint information, the target access request is confirmed as an anomalous access request.
According to another aspect of the embodiments of the present invention, there is further provided a verification apparatus for an access request, where a first obtaining unit is configured to obtain a target access request, where the target access request carries first client fingerprint information; the first comparison unit is used for comparing the first client fingerprint information with fingerprint information in a fingerprint information set, wherein the fingerprint information in the fingerprint information set comprises client fingerprint information carried in an access request acquired before a target access request; a first confirming unit, configured to confirm the target access request as an abnormal access request if the fingerprint information set includes the first client fingerprint information.
According to an aspect of the embodiments of the present invention, there is provided another method for verifying an access request, including: acquiring, on a target client, an access instruction generated by executing a target operation on a target operation object, where the target operation object comprises a target button or target component on the target client, or a page element on a first page displayed by the target client; in response to the access instruction, acquiring first client fingerprint information, which uniquely identifies the target access request; and sending a target access request carrying the first client fingerprint information to a server.
According to another aspect of the embodiments of the present invention, there is provided another access request verification apparatus, including a second obtaining unit, configured to obtain, on a target client, an access instruction generated by performing a target operation on a target operation object, where the target operation object includes a target button or a target component on the target client, or a page element on a first page displayed by the target client; the first response unit is used for responding to the access instruction to acquire first client fingerprint information, wherein the first client fingerprint information is used for uniquely identifying the target access request; and the first sending unit is used for sending the target access request carrying the fingerprint information of the first client to the server.
According to another aspect of the embodiments of the present invention, there is also provided a computer-readable storage medium, in which a computer program is stored, where the computer program is configured to execute the above-mentioned method for verifying an access request when the computer program runs.
According to another aspect of the embodiments of the present invention, there is also provided an electronic apparatus, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the method for verifying the access request through the computer program.
In the embodiments of the invention, a target access request carrying first client fingerprint information is acquired and the first client fingerprint information is compared with the fingerprint information in a fingerprint information set; whenever an access request is acquired, the client fingerprint information it carries is recorded in the set, and when the set already contains the first client fingerprint information the target access request is confirmed as abnormal. Because a fingerprint that is already in the set identifies a request that has been seen before, the server can decide from the first client fingerprint information alone whether the target access request is abnormal, which solves the security problem in the related art that crawlers or malicious users tampering with request parameters or accessing interfaces in bulk from scripts bring the interface down or increase server load.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 is a schematic diagram of an application environment of a method for verifying an access request according to an embodiment of the invention;
FIG. 2 is a flow chart illustrating an alternative method for verifying access requests according to an embodiment of the present invention;
FIG. 3 is a flow chart illustrating an alternative method for verifying access requests according to an embodiment of the present invention;
FIG. 4 is a diagram of alternative browser fingerprint information, in accordance with an embodiment of the present invention;
FIG. 5 is a schematic diagram of an alternative interface security encryption flow according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of an alternative request fingerprint generation flow according to an embodiment of the invention;
FIG. 7 is a diagram illustrating an application scenario of an alternative access request verification method according to an embodiment of the present invention;
FIG. 8 is a block diagram of an alternative access request verification apparatus according to an embodiment of the present invention;
FIG. 9 is a block diagram of an alternative access request verification apparatus according to an embodiment of the present invention;
FIG. 10 is a schematic diagram of an alternative electronic device according to an embodiment of the invention;
fig. 11 is a schematic structural diagram of an alternative electronic device according to an embodiment of the invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Technical terms involved in the embodiments of the present invention include:
(1) Browser fingerprint information: just as a person has an appearance and fingerprints, a client (here mainly a browser) has various 'appearance' and 'fingerprint' attributes; once these are collected and combined, the client can be uniquely identified and then tracked.
(2) Request fingerprint: each request is unique, and the client information carried in a request is called the request fingerprint.
According to one aspect of the embodiment of the invention, a method for verifying an access request is provided. Alternatively, the method for checking the access request can be applied to the application environment shown in fig. 1, but is not limited to the application environment. As shown in fig. 1, a client (e.g., Android, iOS, or Web) for target instant messaging runs on the first terminal device 102 and the second terminal device 106. Network access is available through the client (e.g., QQ, wechat, etc.), and in a network request scenario, a target access request is sent to the server 104 through the network, and the server 104 may be a background server of the client. The server 104 acquires a target access request, wherein the target access request carries first client fingerprint information (which may also be referred to as first browser fingerprint information); comparing the fingerprint information of the first client with fingerprint information in a fingerprint information set, wherein the fingerprint information in the fingerprint information set comprises client fingerprint information carried in an access request acquired before a target access request; in the event that the set of fingerprint information includes first client fingerprint information, the target access request is confirmed as an anomalous access request. For the second terminal device 106, a network access request may also be sent to the server 104 over the network. The above is merely an example, and the embodiments of the present application are not limited herein.
Optionally, in this embodiment, the terminal device (including the first terminal device and the second terminal device) may be a terminal device configured with a client, and may include but is not limited to at least one of the following: mobile phones (such as Android phones, iOS phones, etc.), notebook computers, tablet computers, palm computers, MID (Mobile Internet Devices), PAD, desktop computers, etc. Such networks may include, but are not limited to: a wired network, a wireless network, wherein the wired network comprises: a local area network, a metropolitan area network, and a wide area network, the wireless network comprising: bluetooth, WIFI, and other networks that enable wireless communication. The server may be a single server or a server cluster composed of a plurality of servers. The above is only an example, and the present embodiment is not limited to this.
Optionally, in this embodiment, the terminal devices (the first and second terminal devices) may also be headless browsers, emulators or the like. A headless browser is a browser without a user interface; it runs on a server and is driven from the command line (for example, once installed on a server it can be told to load any URL a user supplies and capture a screenshot of the page), and it is also used to run crawlers. An emulator (simulator) is software that reproduces another platform's hardware processor and instruction set, so that a computer or another multimedia platform (a handheld computer, a mobile phone, etc.) can run software written for that other platform. Emulators are used for console and arcade games, and some for handheld computers.
For example, when a target access request is initiated through a headless or simulator, when a server acquires the target access request, first client fingerprint information (which may also be referred to as first browser fingerprint information) in the target access request may be compared with fingerprint information in a fingerprint information set, and when the fingerprint information set includes the first client fingerprint information, the target access request may be confirmed as an abnormal access request.
Optionally, in this embodiment, as an optional implementation manner, the method may be executed by a server, or may be executed by a terminal device, or may be executed by both the server and the terminal device, and in this embodiment, the description is given by taking an example that the server (for example, the server 104) executes. As shown in fig. 2, the flow of the method for checking the access request may include the steps of:
step S202, a target access request is obtained, wherein the target access request carries first client fingerprint information;
step S204, comparing the fingerprint information of the first client with the fingerprint information in a fingerprint information set, wherein the fingerprint information in the fingerprint information set comprises the client fingerprint information carried in the access request acquired before the target access request;
step S206, in the case that the fingerprint information set includes the first client fingerprint information, confirming the target access request as an abnormal access request.
Alternatively, the above method for verifying the access request may be, but is not limited to, a scenario in which a browser is used for network access. The browser may be a headless browser or a simulator, etc.
For example, each time there is an access request, the server may record client fingerprint information (e.g., browser fingerprint information) carried by the access request to form a fingerprint information set a, when a target access request is acquired, compare a first client fingerprint information B carried in the target access request with fingerprint information recorded in the fingerprint information set a, and if the set a includes B, it indicates that the first client fingerprint information is not unique, and at this time, the target access request is an abnormal access request.
In this embodiment, a target access request carrying first client fingerprint information is acquired, the first client fingerprint information is compared with the fingerprint information set (in which the client fingerprint information carried by every acquired access request is recorded), and when the set already contains the first client fingerprint information the target access request is confirmed as abnormal. Comparing the first client fingerprint information against the set thus lets the server decide whether the target access request is abnormal from the fingerprint information alone, which solves the security problem in the related art of crawlers or malicious users bringing interfaces down or increasing server load by tampering with request parameters or accessing interfaces in bulk from scripts.
The method for checking the access request in this embodiment is described below with reference to fig. 2.
In step S202, a target access request is obtained, where the target access request carries the fingerprint information of the first client.
Optionally, the target access request may be sent by a headless browser or an emulator and carries first client fingerprint information that records information about the target access request. Taking a target access request generated by a client such as a browser as the example: client fingerprint information (also called browser fingerprint information) is like a person's appearance and fingerprints; the client has various 'appearance' and 'fingerprint' attributes, and once these are collected and combined the client can be uniquely identified and tracked. It should be understood that the above is only an example, and the embodiments of the present application are not limited to it.
Alternatively, taking the client as a Browser as an example, the Browser fingerprint information may include information such as a hardware type, an operating system, a User agent, a system font, a language, a screen resolution, a Browser plug-in (Flash, Java, etc.), a Browser extension, a Browser setting, and a time zone difference (Browser GMT Offset).
The first client fingerprint information is located at a predetermined position in the target access request, and the information at that position identifies the current target access request. The predetermined position can be understood as a particular field of the message, used to carry the key information of the protocol between client and server. If the target access request is a normal access request, the value at the predetermined position uniquely identifies it; if the target access request is abnormal, the value at the predetermined position does not uniquely identify it.
Optionally, in this embodiment, before obtaining the target access request, obtaining, on the target client, an access instruction generated by performing a target operation on a target operation object, where the target operation object includes a target button or a target component on the target client, or a page element on a first page displayed by the target client; responding to the access instruction to acquire target hardware information, target user operation information, a current timestamp and target key information of hardware where the target client is located, wherein the target user operation information is used for representing target operation and/or a target operation object; encrypting target information to obtain first client fingerprint information, wherein the target information comprises target hardware information, target user operation information, a current timestamp and target key information; and sending a target access request carrying the fingerprint information of the first client to a server.
Optionally, the target client acts as the browser (e.g., an IE browser). The target operation object may be understood as a target button or a target component on the target client, or may be a page element of a first page displayed on the target client. For example, the target operation object may be an input box on the target client, address information of a web page, and the like, which is not limited herein.
Optionally, in a case that the target client is a client with normal access, when an access instruction for executing a target operation (web browsing operation) on a target operation object is generated in the target client, responding to the access instruction, and acquiring target information of the target client, where the target information includes target hardware information of hardware where the target client is located, target user operation information, a current timestamp, and target key information, where the target user operation information is used to represent the target operation and/or the target operation object. And then, encrypting the target information to obtain first client fingerprint information, and then sending a target access request carrying the first client fingerprint information to the server.
Alternatively, where the target client is an abnormal-access client (for example a headless browser or emulator), it may produce a large number of requests carrying one or more pieces of the target information in a short time, or it may have stolen the cookie information of a normally accessing browser. In that case, when the abnormal-access browser generates a target access request, the server can confirm it as an abnormal access request.
In this embodiment, the target hardware information, target user operation information, current timestamp and target key information in the target information are encrypted to obtain the first client fingerprint information, so that the first client fingerprint information is unique to the request and its contents are kept confidential.
In step S204, the first client fingerprint information is compared with fingerprint information in a fingerprint information set, where the fingerprint information in the fingerprint information set includes client fingerprint information carried in an access request acquired before the target access request.
For the server, before the target access request is acquired, when there is an access request, the client fingerprint information carried in the acquired access request may be recorded in the server to obtain a fingerprint information set. After the target access request is acquired, comparing first client fingerprint information carried by the target access request with fingerprint information in a fingerprint information set, and when the fingerprint information recorded in the fingerprint information set comprises the first client fingerprint information, indicating that the target access request corresponding to the first client fingerprint information has accessed the server, and at the moment, confirming the target access request as an abnormal access request.
Optionally, when the fingerprint information recorded in the fingerprint information set does not include the first client fingerprint information, it may be indicated that the target access request corresponding to the first client fingerprint information has not accessed the server, and at this time, the target access request may be determined as a normal access request. It is understood that the present embodiment is not limited thereto.
Optionally, a malicious user may steal the browser information of a normal access request using a headless browser or an emulator, tamper with the stolen browser information, and access the server in bulk with it. Because the information carried by such malicious requests is largely repeated, and because the server records the fingerprint information of every access request under the scheme above, a new access request (such as the target access request) whose first client fingerprint information coincides with fingerprint information already recorded can be confirmed as an abnormal access request.
Optionally, in this embodiment, after comparing the first client fingerprint information with the fingerprint information in the fingerprint information set, in the case that the fingerprint information set does not include the first client fingerprint information, decrypting the first client fingerprint information to obtain first decryption information; and confirming the target access request as an abnormal access request under the condition that the first decryption information does not comprise the hardware information of the hardware where the client is located, or under the condition that the hardware information contained in the first decryption information is not complete.
Optionally, when the obtained first client fingerprint information is not included in the fingerprint information set, the first client fingerprint information is decrypted to obtain first decryption information, and if the first decryption information obtained through decryption does not include hardware information of hardware where the browser is located, or the hardware information included in the first decryption information obtained through decryption is incomplete, it may be determined that the target access request is an abnormal access request. The browser is a browser corresponding to the target access request.
Optionally, the client and the target client may be the same client, for example, both the client and the target client are clients with abnormal access (such as headless browser or simulator), and at this time, the target access request generated by the client is an abnormal access request. The client may be a browser. The above is merely an example and is not intended to be limiting.
According to the embodiment, since a normally accessing browser can acquire the hardware information, when the first decryption information obtained by decryption does not include the hardware information of the hardware where the browser is located, or the included hardware information is incomplete, the target access request can be confirmed as an abnormal access request. Malicious access requests that carry no hardware information, or only incomplete hardware information, are thereby effectively prevented from accessing the server, and the security of server access is improved.
Optionally, in this embodiment, after comparing the first client fingerprint information with the fingerprint information in the fingerprint information set, in the case that the fingerprint information set does not include the first client fingerprint information, decrypting the first client fingerprint information to obtain first decryption information; and in the case that the first decryption information does not include user operation information indicating an operation performed on the client and/or an operation object of the operation, confirming the target access request as an abnormal access request.
Optionally, when the obtained first client fingerprint information is not included in the fingerprint information set, the first client fingerprint information is decrypted to obtain first decryption information, and if the first decryption information obtained by decryption does not include user operation information, it may be determined that the target access request is an abnormal access request. The client is the client corresponding to the target access request. The user operation information can be understood as the operation that triggered the target access request.
Optionally, the client and the target client may be the same client, for example, both the client and the target client are clients with abnormal access (e.g., headless browser or simulator), at this time, the first client fingerprint information may not include user operation information, and the server may confirm the target access request generated by the client as an abnormal access request. The above is merely an example and is not intended to be limiting.
According to the embodiment, the client side with normal access can acquire the user operation information, and when the first decryption information obtained by decryption does not include the user operation information, the target access request can be confirmed as an abnormal access request, so that malicious access requests which do not carry the user operation information are effectively prevented from accessing the server, and the access security of the server is improved.
Optionally, in this embodiment, after comparing the first client fingerprint information with the fingerprint information in the fingerprint information set, in the case that the fingerprint information set does not include the first client fingerprint information, decrypting the first client fingerprint information to obtain first decryption information; and confirming the target access request as a normal access request under the condition that the first decryption information comprises user operation information and hardware information of hardware where the client is located and the key information included in the first decryption information passes verification, wherein the user operation information is used for representing an operation executed on the client and/or an operation object of the operation.
Optionally, when the obtained first client fingerprint information is not included in the fingerprint information set, the first client fingerprint information is decrypted to obtain first decryption information, and if the first decryption information obtained through decryption includes user operation information and hardware information of the hardware where the client is located, and the key information included in the first decryption information passes verification, it may be determined that the target access request is a normal access request.
For example, when a target access request is generated by a client, the target access request carries first client fingerprint information, which includes client hardware information, user operation information, a current timestamp, and key information (such as private key information). The client sends the target access request to a server. The server obtains the target access request and compares the first client fingerprint information with the fingerprint information in its fingerprint information set; if the first client fingerprint information is not included, the target access request is unique. The server then decrypts the first client fingerprint information to obtain first decryption information. When the first decryption information includes the user operation information, the hardware information of the hardware where the client is located, and the current timestamp, and the server verifies the key information successfully (for example, by verifying it with a public key paired with the private key), the target access request may be confirmed as a normal access request.
According to the embodiment, the client side with normal access can acquire the user operation information and the hardware information of the hardware where the client side is located, and when the key information included in the decrypted first decryption information passes verification, the target access request can be confirmed as the normal access request, so that the access security of the server is improved.
Alternatively, in the present embodiment, in the case where the target access request is confirmed as the normal access request, the first client fingerprint information is recorded in the fingerprint information set.
When the target access request is confirmed to be a normal access request, the fingerprint information of the first client corresponding to the target access request can be recorded in the fingerprint information set.
By the embodiment, the first client fingerprint information corresponding to each access request of the user can be recorded in the fingerprint information set, so that accessing the server by maliciously stealing information from a user's access request can be prevented, and the security of accessing the server is improved.
In step S206, in case the set of fingerprint information comprises first client fingerprint information, the target access request is confirmed as an abnormal access request.
Optionally, when the fingerprint information set includes first client fingerprint information, if the first client fingerprint information is generated by a headless browser or a simulator with malicious access, the first client fingerprint information is not unique, and the target access request is determined to be an abnormal access request.
Optionally, in this embodiment, confirming the target access request as an abnormal access request in a case where the fingerprint information set includes the first client fingerprint information includes: confirming the target access request as an abnormal access request in a case where the fingerprint information set includes second client fingerprint information that is the same as the first client fingerprint information and the interval between the generation time of the first client fingerprint information and the generation time of the second client fingerprint information is smaller than a predetermined threshold.
Alternatively, when second client fingerprint information identical to the first client fingerprint information is included in the fingerprint set, if the interval between the generation time of the first client fingerprint information and the generation time of the second client fingerprint information is less than a predetermined threshold, which may be set to 5 seconds, 10 seconds, 1 minute, or the like, the target access request is confirmed as an abnormal access request. The above is merely an example and is not limited herein.
For example, when a malicious crawler accesses the server through the same client fingerprint information within a short time (e.g., 5 minutes, etc.), the access request may be confirmed as an abnormal access request.
Through the embodiment, when the fingerprint set contains second client fingerprint information that is the same as the first client fingerprint information, and the interval between the generation times of the two pieces of client fingerprint information is smaller than the preset threshold, the target access request can be confirmed as an abnormal access request. Malicious access requests repeated within a short time are thereby avoided, and the security of the server is improved.
Optionally, in this embodiment, in a case that the target access request is confirmed as an abnormal access request, the target access request is discarded, so as to cancel obtaining the access result requested by the target access request.
Alternatively, when it is confirmed that the target access request is an abnormal access request, the target access request is discarded, and the access result requested by the target access request is cancelled, which may also be understood as prohibiting the abnormal access request from accessing the server. It is understood that the above is only an example, and the present embodiment does not limit the present invention.
By the embodiment, when the abnormal access request is confirmed to exist, the abnormal access request can be discarded, and the safety of accessing the server is improved.
Optionally, in this embodiment, as an optional implementation manner, the method may be executed by a server, by a terminal device, or by both the server and the terminal device; in this embodiment, the description takes as an example the case in which the terminal device (for example, the first terminal device 102) executes it. As shown in fig. 3, the flow of the method for checking the access request may include the following steps:
step S302, obtaining an access instruction generated by executing target operation on a target operation object on a target client, wherein the target operation object comprises a target button or a target component on the target client, or a page element on a first page displayed by the target client;
step S304, responding to the access instruction to obtain first client fingerprint information, wherein the first client fingerprint information is used for uniquely identifying the target access request;
step S306, sending a target access request carrying the fingerprint information of the first client to the server.
Optionally, the above-mentioned method for checking the access request may be applied to, but is not limited to, a scenario in which a client is used for network access. The client may be a web browser (e.g., an IE browser).
For example, an access instruction is generated on the target client by performing a target operation on a target operation object, where the target operation object includes a target button or a target component on the target client, a page element in a first page displayed in the target client, or the like. Then, in response to the access instruction, first client fingerprint information that can uniquely identify the target access request corresponding to the access instruction is acquired, and the target access request carrying the first client fingerprint information is sent to the server.
According to the embodiment, the access instruction generated by executing the target operation on the target operation object on the target client is obtained, the first client fingerprint information is obtained in response to the access instruction, the first client fingerprint information uniquely identifies the target access request, and the target access request is then sent to the server. The purpose of uniquely identifying the target access request through the first client fingerprint information is achieved, so that each normal network access request has uniqueness, and the security problem in the related art, in which a crawler or a malicious user tampers with request parameters or accesses interfaces in batch using scripts and easily causes interface paralysis or increased server pressure, is solved.
The method for verifying the access request in this embodiment is described below with reference to fig. 3.
In step S302, an access instruction generated by performing a target operation on a target operation object is acquired on a target client, where the target operation object includes a target button or a target component on the target client, or a page element on a first page displayed by the target client.
Alternatively, the target client may be understood as a web client (e.g., an IE browser). The target operation object may be understood as a target button or a target component on the target client, or may be a page element of a first page displayed on the target client. For example, the target operation object may be an input box on the target client, address information of a web page, and the like, which is not limited herein.
Optionally, in this embodiment, obtaining the first client fingerprint information in response to the access instruction includes: obtaining, in response to the access instruction, target hardware information of the hardware where the target client is located, target user operation information, a current timestamp, and target key information, where the target user operation information is used to indicate the target operation and/or the target operation object; and encrypting target information to obtain the first client fingerprint information, where the target information includes the target hardware information, the target user operation information, the current timestamp, and the target key information.
In the case that the target client is a client with normal access, when an access instruction for executing a target operation (a web browsing operation) on a target operation object is generated in the target client, the target client responds to the access instruction by acquiring target information of the target client, where the target information includes target hardware information of the hardware where the target client is located, target user operation information, a current timestamp, and target key information, and the target user operation information represents the target operation and/or the target operation object. The target information is then encrypted to obtain the first client fingerprint information.
For example, in an IE browser, when a search is performed through an input box, an access instruction is generated, and in response to the access instruction, hardware information (such as an equipment identification code) of hardware corresponding to the IE browser, a current timestamp for generating the access instruction, an input box id (and/or an address corresponding to search content) corresponding to the input box, and key information corresponding to the IE browser are acquired, and then the acquired information is encrypted, so that unique first client fingerprint information corresponding to the access instruction can be obtained. The above is merely an example, and the present embodiment is not limited thereto.
Through the embodiment, the first client fingerprint information has uniqueness, so that the security of the user network request is improved.
Optionally, in this embodiment, after the target access request carrying the first client fingerprint information is sent to the server, in the case that the fingerprint information set on the server does not include the first client fingerprint information, the access result requested by the target access request is obtained from the server.
After the target access request carrying the first client fingerprint information is sent to the server, the server compares the first client fingerprint information with the fingerprint information in its fingerprint information set. When the fingerprint information set does not include the first client fingerprint information, the server can confirm the target access request as a normal access request and send the access result of the target access request to the target client, at which point the target client obtains the access result.
By the embodiment, under the condition that the fingerprint information set on the server does not include the fingerprint information of the first client, the client can normally acquire the access result corresponding to the target access request, and the security of the network access request is improved.
It should be noted that, in the related art, a cookie is a means used by a client to store data; it may be set at the client or at the server, and is sent along with any HTTP request. Since cookie information is plaintext and easy to steal, a user who copies a request through the Chrome console (Network -> XHR) can copy all of the request information, including the cookies. The API interface is therefore not secure: a crawler or malicious user can conveniently tamper with request parameters or access the interface in batch using a script, which puts excessive pressure on the interface or the server, or even paralyzes them.
In order to solve the above problem, the following describes a flow of a verification method for an access request with reference to an optional example, and specifically includes the following steps:
step 1, triggering a network request and acquiring browser fingerprint information.
Common fingerprint information indicators may include information such as hardware type, operating system, user agent, system fonts, language, screen resolution, browser plug-ins (e.g., Flash, Silverlight, Java, etc.), browser extensions, browser settings, time zone offset (browser GMT offset), and so on. The browser fingerprint information may include the information shown in fig. 4.
As shown in fig. 5, the front end may put the browser fingerprint information into a field and carry it in the request header each time. MD5 is then applied to the browser fingerprint information, the user behavior fingerprint information and the timestamp information: the user behavior fingerprint information, the timestamp information and the browser fingerprint information are converted into a string using the JSON data format, MD5 without salt is applied, and the resulting string is transmitted to the server. The user behavior fingerprint information may be understood as the behavior of each click by the user on a button or component of the browser, and/or the recorded attributes of the element currently being operated on.
Step 2, generating a corresponding request fingerprint according to the network request.
The information of the current operation (for example, an ID and/or an operation record of clicking a particular link, etc.), the timestamp, the hardware information and the private key set by the server are combined and encoded, and a 32-character string (which may be understood as the request fingerprint) is obtained.
Alternatively, as shown in fig. 6, the 32-character string may be generated as follows. First, whether the hardware information is complete is checked: the hardware information is considered incomplete if it is absent, or if only part of the hardware information of the user client is present. Then, whether the user operation fingerprint is empty is checked; if so, the user operation fingerprint is abnormal.
When the fingerprint information is incomplete, the hardware information of the browser is incomplete. A normal browser accessing the server can provide all of the hardware information, so incomplete hardware information indicates that the browser is a headless browser or a simulator, and the request needs to be fed back to the centralized processor. And/or, when the user operation fingerprint is empty, the network request was not sent from a client but is a malicious simulated request, since a request from any real client carries the user operation fingerprint; such a request also needs to be fed back to the centralized processor.
After the hardware information and the user operation fingerprint have been verified, salted MD5 is applied to the user agent field, the user fingerprint and the private key set by the server together, and the resulting 32-character string is stored in the cache system.
Step 3, checking whether the fingerprint information is unique.
For the generated request fingerprint, it is checked whether the request fingerprint already exists in the cache system of the server. If so, it is confirmed that the request information of the current user may have been stolen, and the request is fed back directly to the centralized processor of the server. If the request fingerprint is not found in the cache system, the middleware lets the network request of the corresponding user pass and returns the result of the normal network request to the client. It should be noted that by adding the private key as obfuscation information to salt the browser fingerprint information, it can be ensured that the information of each client request generates a different ID, so that the uniqueness of the request fingerprint is ensured and security is improved.
Step 4, centralized feedback processing.
The main function of the centralized processor is to return different content to the client according to the scenario. Only if each verification passes and the request fingerprint is unique does the middleware release the request so that it reaches the backend interface. In other situations, HTTP status code 403 may be returned to the user, indicating an unauthorized operation, and so on. The above is merely an example and is not intended to be limiting.
Step 5, caching the request fingerprints through a fingerprint cache management system.
Each request fingerprint is saved in a redis cache, and the expiration time of a request fingerprint can be set to 2 hours after the time it was cached, that is, a request fingerprint is cached in the server for 2 hours. It should be noted that if a malicious crawler wants to use the same parameters to obtain data with a user's normal request parameters, it must wait 2 hours between requests, which greatly increases the cost of the crawler; almost no crawler develops a script for such an inefficient crawling rate, so the security of the interface is ensured and the pressure on the interface and the server is reduced.
Alternatively, the access request verification method may be applied to the scenario of an application program (which may be an App applet) as shown in fig. 7, where the application program counts revenue data of each channel and other financial data, and the security requirements on the interface are very strict. In order to ensure that the interface data is not leaked and requests are not stolen, all access requests can be securely encrypted using the request verification method in this embodiment, so that malicious request behavior can be effectively prevented.
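The client-side fingerprint construction (steps S302 to S306), the server-side checks (steps S202 to S206) and the five-step flow above, as an added example that is not part of the patent: the patent's encryption and private/public key verification are modelled with a JSON payload bound by an HMAC-SHA256 tag, the redis cache is replaced by an in-memory dict with the same 2-hour expiry, and all keys, field names and sample requests are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example; the page names none of these.
SERVER_PRIVATE_KEY = b"example-server-private-key"  # the "private key set by the server"
REQUIRED_HARDWARE_FIELDS = ("device_id", "os", "screen_resolution")
CACHE_TTL_SECONDS = 2 * 60 * 60  # the page caches request fingerprints for 2 hours

def build_client_fingerprint(hardware, user_op, timestamp, client_key):
    """Client side (steps S302-S306): hardware info + user operation + timestamp + key info.
    The page encrypts this payload; here it is JSON bound to client_key by an HMAC tag."""
    payload = json.dumps({"hardware": hardware, "user_op": user_op, "timestamp": timestamp},
                         sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(client_key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag

def decrypt_client_fingerprint(fingerprint, client_key):
    """Server side: recover the payload; None means the key information failed verification."""
    try:
        encoded, tag = fingerprint.split(".", 1)
        payload = base64.urlsafe_b64decode(encoded)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(client_key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        return json.loads(payload)
    except ValueError:
        return None

def request_fingerprint(client_fingerprint, user_agent):
    """Step 2: the 32-character cache key. The page salts MD5 with the server's private key;
    MD5 is acceptable here only because integrity comes from the HMAC tag, not this hash."""
    material = user_agent.encode() + b"|" + client_fingerprint.encode() + SERVER_PRIVATE_KEY
    return hashlib.md5(material).hexdigest()

class FingerprintCache:
    """Step 5: stand-in for the page's redis cache, with per-entry expiry."""

    def __init__(self, ttl=CACHE_TTL_SECONDS):
        self.ttl = ttl
        self._seen = {}  # request fingerprint -> time it was first recorded

    def lookup(self, key, now):
        recorded = self._seen.get(key)
        if recorded is None or now - recorded >= self.ttl:
            self._seen.pop(key, None)  # absent or expired, as redis would have dropped it
            return None
        return recorded

    def record(self, key, now):
        self._seen[key] = now

def check_access_request(client_fingerprint, user_agent, client_key, cache, now):
    """Steps S202-S206 and steps 3-4 of the worked flow. Returns (status, reason):
    200 lets the request reach the backend, 403 is the centralized processor's answer."""
    key = request_fingerprint(client_fingerprint, user_agent)
    first_seen = cache.lookup(key, now)
    if first_seen is not None:
        # The fingerprint set already contains it: a replayed (stolen) request.
        return 403, "duplicate fingerprint first seen %ds ago" % (now - first_seen)
    info = decrypt_client_fingerprint(client_fingerprint, client_key)
    if info is None:
        return 403, "key information failed verification"
    hardware = info.get("hardware") or {}
    missing = [f for f in REQUIRED_HARDWARE_FIELDS if not hardware.get(f)]
    if missing:  # a normal browser supplies every field; headless browsers and simulators do not
        return 403, "hardware information incomplete: " + ", ".join(missing)
    if not info.get("user_op"):  # every genuine request is triggered by an operation on the page
        return 403, "user operation information missing"
    cache.record(key, now)  # normal request: record its fingerprint in the set
    return 200, "normal access request"

# Constructed sample traffic: one genuine request, then the abuse cases the page lists.
CLIENT_KEY = b"example-client-key"
USER_AGENT = "Mozilla/5.0 (constructed example)"
FULL_HARDWARE = {"device_id": "dev-0001", "os": "Windows", "screen_resolution": "1920x1080"}
CLICK = {"element_id": "search-box", "action": "click"}
T0 = 1_700_000_000

def run_demo():
    """Returns the HTTP status of each scenario, in order."""
    cache = FingerprintCache()
    genuine = build_client_fingerprint(FULL_HARDWARE, CLICK, T0, CLIENT_KEY)
    headless = build_client_fingerprint({"device_id": "dev-0002"}, CLICK, T0, CLIENT_KEY)
    scripted = build_client_fingerprint(FULL_HARDWARE, {}, T0, CLIENT_KEY)
    forged = genuine[:-4] + "zzzz"  # tag altered by someone who lacks client_key
    return [
        check_access_request(genuine, USER_AGENT, CLIENT_KEY, cache, T0)[0],         # 200
        check_access_request(genuine, USER_AGENT, CLIENT_KEY, cache, T0 + 5)[0],     # 403, replay
        check_access_request(headless, USER_AGENT, CLIENT_KEY, cache, T0)[0],        # 403, hardware
        check_access_request(scripted, USER_AGENT, CLIENT_KEY, cache, T0)[0],        # 403, no user op
        check_access_request(forged, USER_AGENT, CLIENT_KEY, cache, T0)[0],          # 403, bad key
        check_access_request(genuine, USER_AGENT, CLIENT_KEY, cache, T0 + 7200)[0],  # 200, cache expired
    ]
```

The last scenario shows the limit the page itself acknowledges: once the 2-hour cache window has passed, an exact replay is accepted again, so the expiry is the replay-detection threshold of the scheme.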
In conclusion, according to the technical scheme, data cannot be correctly returned for the behavior of stealing the request information of the client, and a unique request fingerprint is generated according to the browser fingerprint information of each request, so that a crawler or a script cannot maliciously simulate access or crawl data in batches, and the method can be applied to a scene with a high interface security requirement. The life cycle of the interface fingerprint is set to be 2 hours, and the cost of the crawler is greatly increased, so that the safety of the interface is ensured, and the pressure of the interface and the server is also reduced. In the aspect of interface security, the scene of a malicious request is distinguished according to the fingerprint information, corresponding processing is carried out, and operability in interface security is improved.
Through the embodiment, by adopting the technical scheme, the fingerprint information of the browser user is encrypted to generate a unique ID, which is stored in the server cache. The same request information captured in the browser cannot be reused by a malicious user who simulates a request or steals a link request, so that the API interface is protected and a good anti-theft and anti-crawling effect is achieved, and the technical problem in the related art, in which a crawler or malicious user tampers with request parameters or accesses the interface in batch using a script and easily causes interface paralysis or increased server pressure, is solved.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the invention. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required by the invention.
According to another aspect of the embodiments of the present invention, there is also provided an apparatus for verifying an access request, as shown in fig. 8, the apparatus including:
(1) a first obtaining unit 802, configured to obtain a target access request, where the target access request carries first client fingerprint information;
(2) a first comparing unit 804, configured to compare the first client fingerprint information with fingerprint information in a fingerprint information set, where the fingerprint information in the fingerprint information set includes client fingerprint information carried in an access request acquired before a target access request;
(3) a first confirming unit 806, configured to confirm the target access request as an abnormal access request if the set of fingerprint information includes the first client fingerprint information.
Optionally, the above-mentioned method for checking the access request may be applied to, but is not limited to, a scenario in which a client is used for network access. The client may be a headless browser, a simulator, or the like.
Alternatively, the first obtaining unit 802 may be configured to perform step S202, the first comparing unit 804 may be configured to perform step S204, and the first confirming unit 806 may be configured to perform step S206.
According to the embodiment, a target access request carrying first client fingerprint information is obtained; the first client fingerprint information is compared with the fingerprint information in a fingerprint information set, in which the client fingerprint information carried in each access request is recorded when that access request is obtained; and when the fingerprint information set includes the first client fingerprint information, the target access request is confirmed to be an abnormal access request. By comparing the first client fingerprint information with the fingerprint information in the fingerprint information set, the request corresponding to the first fingerprint information can be confirmed as an abnormal access request when the set already contains that fingerprint information, so that whether an access request is abnormal can be determined from the first client fingerprint information in the target access request, and the security problem in the related art, in which a crawler or a malicious user tampers with request parameters or accesses interfaces in batch using scripts and causes interface paralysis or increased server pressure, is solved.
As an optional technical solution, the apparatus further includes:
(1) a decryption unit, configured to decrypt the first client fingerprint information to obtain first decryption information in the case that the fingerprint information set does not include the first client fingerprint information;
(2) a second confirming unit, configured to confirm the target access request as an abnormal access request in the case that the first decryption information does not include the hardware information of the hardware where the client is located, or in the case that the hardware information included in the first decryption information is incomplete.
According to the embodiment, a client with normal access can acquire the hardware information, and when the first decryption information obtained by decryption does not include the hardware information of the hardware where the client is located, or includes incomplete hardware information, the target access request can be confirmed as an abnormal access request. Malicious access requests that carry no or incomplete hardware information are thereby effectively prevented from accessing the server, and the access security of the server is improved.
As an optional technical solution, the apparatus further includes:
(1) a decryption unit, configured to decrypt the first client fingerprint information to obtain first decryption information in the case that the fingerprint information set does not include the first client fingerprint information;
(2) a third confirming unit, configured to confirm the target access request as an abnormal access request in a case where the first decryption information does not include user operation information indicating an operation performed on the client and/or an operation object of the operation.
According to the embodiment, the client side with normal access can acquire the user operation information, and when the first decryption information obtained by decryption does not include the user operation information, the target access request can be confirmed as an abnormal access request, so that malicious access requests which do not carry the user operation information are effectively prevented from accessing the server, and the access security of the server is improved.
As an optional technical solution, the apparatus further includes:
(1) a decryption unit, configured to decrypt the first client fingerprint information to obtain first decryption information in the case that the fingerprint information set does not include the first client fingerprint information;
(2) a fourth confirming unit, configured to confirm the target access request as a normal access request when the first decryption information includes user operation information and hardware information of the hardware where the client is located, and the key information included in the first decryption information passes verification, where the user operation information is used to indicate an operation performed on the client and/or an operation object of the operation.
According to the embodiment, the client side with normal access can acquire the user operation information and the hardware information of the hardware where the client side is located, and when the key information included in the decrypted first decryption information passes verification, the target access request can be confirmed as the normal access request, so that the access security of the server is improved.
As an optional technical solution, the apparatus further includes:
(1) a recording unit for recording the first client fingerprint information in the fingerprint information set.
By the embodiment, the first client fingerprint information corresponding to each access request of the user can be recorded in the fingerprint information set, so that access to the server by maliciously reusing stolen information from a user's access request can be prevented, and the security of accessing the server is improved.
As an optional technical solution, the first confirmation unit includes:
(1) a confirming module, configured to confirm the target access request as an abnormal access request in a case where the fingerprint information set includes second client fingerprint information that is the same as the first client fingerprint information and the interval between the generation time of the first client fingerprint information and the generation time of the second client fingerprint information is smaller than a preset threshold.
Through the embodiment, when the fingerprint information set contains second client fingerprint information that is the same as the first client fingerprint information, and the interval between the generation times of the two pieces of client fingerprint information is smaller than the preset threshold, the target access request can be confirmed as an abnormal access request, which blocks malicious access requests repeated within a short time and improves the security of the server.
As an optional technical solution, the apparatus further includes:
(1) a third obtaining unit, configured to obtain, on the target client, an access instruction generated by performing a target operation on a target operation object, where the target operation object includes a target button or a target component on the target client, or a page element on a first page displayed by the target client;
(2) the second response unit is used for responding to the access instruction to acquire target hardware information, target user operation information, a current timestamp and target key information of the hardware where the target client is located, wherein the target user operation information is used for representing target operation and/or a target operation object;
(3) the encryption unit is used for encrypting target information to obtain first client fingerprint information, wherein the target information comprises target hardware information, target user operation information, a current timestamp and target key information;
(4) a second sending unit, configured to send the target access request carrying the first client fingerprint information to the server.
According to the embodiment, the target hardware information, the target user operation information, the current timestamp and the target key information in the target information are encrypted to obtain the first client fingerprint information, so that the first client fingerprint information has uniqueness, and the information confidentiality is improved.
As an optional technical solution, the apparatus further includes:
(1) a discarding unit, configured to discard the target access request so as to cancel the access result requested by the target access request.
By the embodiment, when the abnormal access request is confirmed to exist, the abnormal access request can be discarded, and the safety of accessing the server is improved.
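The client-side units listed above (respond to the access instruction, encrypt the target information, send the request) and the server-side units described earlier in this section (compare against the fingerprint information set, decrypt and check hardware, user operation and key information, record, discard) as one added Python example; this is not the patent's own code. Constructed assumptions: the "encryption" step is a stdlib-only authenticated scheme (HMAC-SHA256 keystream plus an HMAC tag under a key shared by client and server), "key information" is a key identifier the server knows, a fingerprint's generation time is the time the server received it, and the freshness check on the embedded timestamp goes beyond what the text specifies.

```python
# Added example, not code from the patent. Constructed assumptions: stdlib-only
# authenticated "encryption" (HMAC-SHA256 keystream + HMAC tag under a shared key);
# "key information" is a key identifier the server knows; a fingerprint's generation
# time is its server receipt time; the timestamp freshness check goes beyond the text.
import hashlib
import hmac
import json
import secrets
import time

KEY_ID = "key-2019-11"                             # constructed "target key information"
SHARED_KEY = b"\x11" * 32                          # constructed demo key shared by both sides
REQUIRED_HARDWARE = ("device_id", "os", "screen")  # constructed "complete" hardware fields


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode; stands in for the patent's unspecified cipher."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes):
    """Returns the plaintext, or None when the tag does not verify."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# ---- client side: response unit, encryption unit, sending unit ----
def make_fingerprint(hardware: dict, operation: dict, now: float) -> str:
    """Encrypt the target information into first client fingerprint information.
    The random nonce and the timestamp make every click yield a different fingerprint."""
    target_info = {"hardware": hardware, "operation": operation,
                   "timestamp": now, "key_info": KEY_ID}
    return encrypt(SHARED_KEY, json.dumps(target_info, sort_keys=True).encode()).hex()


def build_request(path: str, hardware: dict, operation: dict, now=None) -> dict:
    """The target access request sent when a target button or page element is used."""
    now = time.time() if now is None else now
    return {"path": path, "fingerprint": make_fingerprint(hardware, operation, now)}


# ---- server side: comparing, confirming, recording and discarding units ----
class AccessVerifier:
    def __init__(self, threshold: float = 60.0):
        self.threshold = threshold  # the preset threshold of claim 5, in seconds
        self.seen = {}              # fingerprint information set: fingerprint -> receipt time

    def verify(self, request: dict, now=None) -> str:
        """Returns 'normal' or 'abnormal: <reason>' for the target access request."""
        now = time.time() if now is None else now
        fp = request.get("fingerprint")
        if not isinstance(fp, str):
            return "abnormal: no fingerprint information"
        # Entries older than the window can be forgotten: a fingerprint that old
        # fails the freshness check below anyway.
        self.seen = {f: t for f, t in self.seen.items() if now - t < self.threshold}
        # Comparison with the set: the same fingerprint seen within the threshold
        # (claim 5's refinement of claim 1) marks a replayed request.
        if fp in self.seen:
            return "abnormal: repeated fingerprint within threshold"
        try:
            plain = decrypt(SHARED_KEY, bytes.fromhex(fp))
        except ValueError:
            plain = None
        if plain is None:
            return "abnormal: key information failed verification"
        try:
            info = json.loads(plain)
        except ValueError:
            return "abnormal: undecodable fingerprint"
        hw = info.get("hardware") if isinstance(info, dict) else None
        if not isinstance(hw, dict) or any(not hw.get(k) for k in REQUIRED_HARDWARE):
            return "abnormal: hardware information missing or incomplete"
        if not info.get("operation"):
            return "abnormal: no user operation information"
        if info.get("key_info") != KEY_ID:
            return "abnormal: unknown key information"
        ts = info.get("timestamp")
        if not isinstance(ts, (int, float)) or abs(now - ts) >= self.threshold:
            return "abnormal: stale timestamp"  # addition beyond the text
        self.seen[fp] = now                     # recording unit
        return "normal"

    def handle(self, request: dict, now=None):
        """Discarding unit: an abnormal request yields no access result."""
        if self.verify(request, now) != "normal":
            return None
        return {"path": request["path"], "result": "ok"}
```

Submitting the same request object twice within the window is the replay case the fingerprint set exists to catch; a fresh click produces a new nonce and timestamp and therefore a new fingerprint.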
According to another aspect of the embodiments of the present invention, there is also provided an apparatus for verifying an access request, as shown in fig. 9, the apparatus including:
(1) a second obtaining unit 902, configured to obtain, on the target client, an access instruction generated by performing a target operation on a target operation object, where the target operation object includes a target button or a target component on the target client, or a page element on a first page displayed by the target client;
(2) a first response unit 904, configured to obtain first client fingerprint information in response to the access instruction, where the first client fingerprint information is used to uniquely identify the target access request;
(3) a first sending unit 906, configured to send a target access request carrying the fingerprint information of the first client to the server.
Optionally, the above-mentioned method for verifying the access request may be applied to, but is not limited to, a scenario in which the client is used for network access, where the client may be a web client (e.g., an IE client).
According to the embodiment, an access instruction generated by performing a target operation on a target operation object on the target client is obtained, first client fingerprint information is obtained in response to the access instruction, the first client fingerprint information uniquely identifies the target access request, and the target access request is then sent to the server. Uniquely identifying the target access request through the first client fingerprint information gives every normal network access request uniqueness, which addresses the security problem in the related art that a crawler or a malicious user can use scripts to tamper with request parameters or call access interfaces in batches, easily causing interface paralysis or increased server load.
As an optional technical solution, the first response unit includes:
(1) the response module is used for responding to the access instruction to acquire target hardware information, target user operation information, a current timestamp and target key information of the hardware where the target client is located, wherein the target user operation information is used for representing target operation and/or a target operation object;
(2) an encryption module, configured to encrypt the target information to obtain the first client fingerprint information, where the target information includes the target hardware information, the target user operation information, the current timestamp and the target key information.
Through the embodiment, the first client fingerprint information has uniqueness, so that the security of the user network request is improved.
As an optional technical solution, the apparatus further includes:
(1) a fourth acquisition unit, configured to acquire the access result requested by the target access request, as sent by the server, in a case where the fingerprint information set on the server does not include the first client fingerprint information.
By the embodiment, under the condition that the fingerprint information set on the server does not include the fingerprint information of the first client, the client can normally acquire the access result corresponding to the target access request, and the security of the network access request is improved.
According to a further aspect of embodiments of the present invention, there is also provided a storage medium having a computer program stored therein, wherein the computer program is arranged to perform the steps of any of the above-mentioned method embodiments when executed.
Alternatively, in the present embodiment, the storage medium may be configured to store a computer program for executing the steps of:
S1, acquiring a target access request, wherein the target access request carries the first client fingerprint information;
S2, comparing the first client fingerprint information with fingerprint information in a fingerprint information set, wherein the fingerprint information in the fingerprint information set comprises client fingerprint information carried in an access request acquired before the target access request;
S3, in a case where the fingerprint information set includes the first client fingerprint information, confirming the target access request as an abnormal access request.
Alternatively, in this embodiment, a person skilled in the art may understand that all or part of the steps in the methods of the foregoing embodiments may be implemented by a program instructing hardware associated with the terminal device, where the program may be stored in a computer-readable storage medium, and the storage medium may include: flash disks, ROM (Read-Only Memory), RAM (Random Access Memory), magnetic or optical disks, and the like.
According to a further aspect of the embodiment of the present invention, there is also provided an electronic device for implementing the method for verifying the access request, as shown in fig. 10, the electronic device includes a memory 1002 and a processor 1004, the memory 1002 stores a computer program, and the processor 1004 is configured to execute the steps in any one of the method embodiments through the computer program.
Optionally, in this embodiment, the electronic apparatus may be located in at least one network device of a plurality of network devices of a computer network.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
S1, acquiring a target access request, wherein the target access request carries the first client fingerprint information;
S2, comparing the first client fingerprint information with fingerprint information in a fingerprint information set, wherein the fingerprint information in the fingerprint information set comprises client fingerprint information carried in an access request acquired before the target access request;
S3, in a case where the fingerprint information set includes the first client fingerprint information, confirming the target access request as an abnormal access request.
Alternatively, it can be understood by those skilled in the art that the structure shown in fig. 10 is only an illustration, and the electronic device may also be a terminal device such as a smart phone (e.g., an Android phone, an iOS phone, etc.), a tablet computer, a palm computer, a Mobile Internet Device (MID), a PAD, and the like. Fig. 10 is a diagram illustrating a structure of the electronic device. For example, the electronic device may also include more or fewer components (e.g., network interfaces, etc.) than shown in FIG. 10, or have a different configuration than shown in FIG. 10.
The memory 1002 may be configured to store software programs and modules, such as program instructions/modules corresponding to the method and apparatus for verifying an access request in the embodiment of the present invention, and the processor 1004 executes various functional applications and data processing by running the software programs and modules stored in the memory 1002, that is, implementing the method for verifying an access request. The memory 1002 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 1002 may further include memory located remotely from the processor 1004, which may be connected to the terminal over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof. As an example, as shown in fig. 10, the memory 1002 may include, but is not limited to, a first obtaining unit 802, a first comparing unit 804, and a first confirming unit 806 in the verification apparatus of the access request. In addition, the memory 1002 may further include, but is not limited to, other module units in the verification apparatus of the access request, which are not described again in this example.
Optionally, the above-mentioned transmission device 1006 is used for receiving or sending data via a network. Examples of the network may include a wired network and a wireless network. In one example, the transmission device 1006 includes a network adapter (NIC) that can be connected to a router and other network devices via a network cable so as to communicate with the internet or a local area network. In one example, the transmission device 1006 is a Radio Frequency (RF) module, which is used for communicating with the internet in a wireless manner.
In addition, the electronic device further includes: a display 1008; and a connection bus 1010 for connecting the respective module parts in the above-described electronic apparatus.
According to a further aspect of embodiments of the present invention, there is also provided a storage medium having a computer program stored therein, wherein the computer program is arranged to perform the steps of any of the above-mentioned method embodiments when executed.
Alternatively, in the present embodiment, the storage medium may be configured to store a computer program for executing the steps of:
S1, obtaining an access instruction generated by executing a target operation on a target operation object on the target client, wherein the target operation object comprises a target button or a target component on the target client, or a page element on a first page displayed by the target client;
S2, responding to the access instruction to obtain first client fingerprint information, wherein the first client fingerprint information is used for uniquely identifying the target access request;
S3, sending the target access request carrying the first client fingerprint information to the server.
Alternatively, in this embodiment, a person skilled in the art may understand that all or part of the steps in the methods of the foregoing embodiments may be implemented by a program instructing hardware associated with the terminal device, where the program may be stored in a computer-readable storage medium, and the storage medium may include: flash disk, ROM, RAM, magnetic or optical disk, and the like.
In other embodiments, the terminal or the server may be a node in a distributed system, wherein the distributed system may be a blockchain system, and the blockchain system may be a distributed system formed by connecting a plurality of nodes through a network communication form. Nodes can form a Peer-To-Peer (P2P) network, and any type of computing device, such as a server, a terminal, and other electronic devices, can become a node in the blockchain system by joining the Peer-To-Peer network.
According to another aspect of the embodiments of the present invention, there is also provided an electronic device for implementing the method for verifying the access request, as shown in fig. 11, the electronic device includes a memory 1102 and a processor 1104, the memory 1102 stores therein a computer program, and the processor 1104 is configured to execute the steps in any one of the method embodiments through the computer program.
Optionally, in this embodiment, the electronic apparatus may be located in at least one network device of a plurality of network devices of a computer network.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
S1, obtaining an access instruction generated by executing a target operation on a target operation object on the target client, wherein the target operation object comprises a target button or a target component on the target client, or a page element on a first page displayed by the target client;
S2, responding to the access instruction to obtain first client fingerprint information, wherein the first client fingerprint information is used for uniquely identifying the target access request;
S3, sending the target access request carrying the first client fingerprint information to the server.
Alternatively, it can be understood by those skilled in the art that the structure shown in fig. 11 is only an illustration, and the electronic device may also be a smart phone (such as an Android phone, an iOS phone, etc.), a tablet computer, a palmtop computer, and a terminal device such as an MID, a PAD, etc. Fig. 11 is a diagram illustrating a structure of the electronic device. For example, the electronic device may also include more or fewer components (e.g., network interfaces, etc.) than shown in FIG. 11, or have a different configuration than shown in FIG. 11.
The memory 1102 may be used to store software programs and modules, such as program instructions/modules corresponding to the method and apparatus for determining channel information in the embodiments of the present invention, and the processor 1104 executes various functional applications and data processing by running the software programs and modules stored in the memory 1102, that is, the method for determining channel information is implemented. The memory 1102 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 1102 can further include memory located remotely from the processor 1104, and such remote memory can be coupled to the terminal via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof. The memory 1102 may be specifically, but not limited to, used to store information such as feature information and probability result of the account to be processed. As an example, as shown in fig. 11, the memory 1102 may include, but is not limited to, a second obtaining unit 902, a first responding unit 904, and a first sending unit 906 in the verification apparatus for the access request. In addition, the memory 1102 may further include, but is not limited to, other module units in the verification apparatus of the access request, which are not described again in this example.
Optionally, the transmitting device 1106 is used for receiving or transmitting data via a network. Examples of the network may include a wired network and a wireless network. In one example, the transmitting device 1106 includes a NIC that is connectable to a router via a network cable to communicate with the internet or a local area network. In one example, the transmitting device 1106 is an RF module that is used to communicate with the internet via wireless means.
In addition, the electronic device further includes: a display 1108; and a connection bus 1110 for connecting the respective module parts in the above-described electronic apparatus.
Alternatively, in this embodiment, a person skilled in the art may understand that all or part of the steps in the methods of the foregoing embodiments may be implemented by a program instructing hardware associated with the terminal device, where the program may be stored in a computer-readable storage medium, and the storage medium may include: flash disks, Read-Only memories (ROMs), Random Access Memories (RAMs), magnetic or optical disks, and the like.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
The integrated unit in the above embodiments, if implemented in the form of a software functional unit and sold or used as a separate product, may be stored in the above computer-readable storage medium. Based on such understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including instructions for causing one or more computer devices (which may be personal computers, servers, or network devices) to execute all or part of the steps of the method according to the embodiments of the present invention.
In the above embodiments of the present invention, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed client may be implemented in other manners. The above-described embodiments of the apparatus are merely illustrative, and for example, a division of a unit is merely a division of a logic function, and an actual implementation may have another division, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
Units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The foregoing is only a preferred embodiment of the present invention, and it should be noted that it is obvious to those skilled in the art that various modifications and improvements can be made without departing from the principle of the present invention, and these modifications and improvements should also be considered as the protection scope of the present invention.

Claims (10)

1. A method for verifying an access request, comprising:
acquiring a target access request, wherein the target access request carries first client fingerprint information;
comparing the first client fingerprint information with fingerprint information in a fingerprint information set, wherein the fingerprint information in the fingerprint information set comprises client fingerprint information carried in an access request acquired before the target access request;
in a case that the set of fingerprint information includes the first client fingerprint information, the target access request is confirmed as an abnormal access request.
2. The method of claim 1, wherein after the comparing the first client fingerprint information to fingerprint information in a set of fingerprint information, the method further comprises:
decrypting the first client side fingerprint information to obtain first decryption information under the condition that the fingerprint information set does not include the first client side fingerprint information;
and confirming the target access request as an abnormal access request under the condition that the first decryption information does not comprise hardware information of hardware where the client is located, or under the condition that the hardware information included in the first decryption information is incomplete.
3. The method of claim 1, wherein after the comparing the first client fingerprint information to fingerprint information in a set of fingerprint information, the method further comprises:
decrypting the first client side fingerprint information to obtain first decryption information under the condition that the fingerprint information set does not include the first client side fingerprint information;
and in the case that the first decryption information does not comprise user operation information, confirming the target access request as an abnormal access request, wherein the user operation information is used for representing an operation executed on a client and/or an operation object of the operation.
4. The method of claim 1, wherein after the comparing the first client fingerprint information to fingerprint information in a set of fingerprint information, the method further comprises:
decrypting the first client side fingerprint information to obtain first decryption information under the condition that the fingerprint information set does not include the first client side fingerprint information;
and confirming the target access request as a normal access request under the condition that the first decryption information comprises user operation information and hardware information of hardware where the client is located and the key information included in the first decryption information passes verification, wherein the user operation information is used for representing an operation executed on the client and/or an operation object of the operation.
5. The method of any of claims 1 to 4, wherein, in the case that the set of fingerprint information includes the first client fingerprint information, confirming the target access request as an anomalous access request comprises:
and confirming the target access request as an abnormal access request under the condition that the fingerprint information set comprises second client fingerprint information which is the same as the first client fingerprint information and the interval between the generation time of the first client fingerprint information and the generation time of the second client fingerprint information is smaller than a preset threshold value.
6. The method of any of claims 1 to 4, wherein prior to said obtaining a target access request, the method further comprises:
acquiring an access instruction generated by executing a target operation on a target operation object on a target client, wherein the target operation object comprises a target button or a target component on the target client, or a page element on a first page displayed by the target client;
responding to the access instruction to acquire target hardware information, target user operation information, a current timestamp and target key information of the hardware where the target client is located, wherein the target user operation information is used for representing the target operation and/or the target operation object;
encrypting target information to obtain the first client fingerprint information, wherein the target information comprises the target hardware information, the target user operation information, the current timestamp and the target key information;
and sending the target access request carrying the fingerprint information of the first client to the server.
7. A method for verifying an access request, comprising:
acquiring an access instruction generated by executing a target operation on a target operation object on a target client, wherein the target operation object comprises a target button or a target component on the target client, or a page element on a first page displayed by the target client;
responding to the access instruction to acquire first client fingerprint information, wherein the first client fingerprint information is used for uniquely identifying a target access request;
and sending the target access request carrying the fingerprint information of the first client to a server.
8. The method of claim 7, wherein the obtaining first client fingerprint information in response to the access instruction comprises:
responding to the access instruction to acquire target hardware information, target user operation information, a current timestamp and target key information of the hardware where the target client is located, wherein the target user operation information is used for representing the target operation and/or the target operation object;
encrypting target information to obtain the first client fingerprint information, wherein the target information comprises the target hardware information, the target user operation information, the current timestamp and the target key information.
9. An apparatus for verifying an access request, comprising:
the system comprises a first acquisition unit, a second acquisition unit and a third acquisition unit, wherein the first acquisition unit is used for acquiring a target access request, and the target access request carries first client fingerprint information;
a first comparing unit, configured to compare the first client fingerprint information with fingerprint information in a fingerprint information set, where the fingerprint information in the fingerprint information set includes client fingerprint information carried in an access request acquired before the target access request;
a first confirming unit, configured to confirm the target access request as an abnormal access request if the fingerprint information set includes the first client fingerprint information.
10. An apparatus for verifying an access request, comprising:
a second obtaining unit, configured to obtain, on a target client, an access instruction generated by performing a target operation on a target operation object, where the target operation object includes a target button or a target component on the target client, or a page element on a first page displayed by the target client;
the first response unit is used for responding to the access instruction to acquire first client fingerprint information, wherein the first client fingerprint information is used for uniquely identifying the target access request;
and the first sending unit is used for sending the target access request carrying the fingerprint information of the first client to a server.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911176916.1A CN110958239B (en) 2019-11-26 2019-11-26 Method and device for verifying access request, storage medium and electronic device


Publications (2)

Publication Number Publication Date
CN110958239A true CN110958239A (en) 2020-04-03
CN110958239B CN110958239B (en) 2021-08-06

Family

ID=69976986


Country Status (1)

Country Link
CN (1) CN110958239B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112243039A (en) * 2020-12-07 2021-01-19 深圳市房多多网络科技有限公司 Remote access method, device, equipment and computer readable medium of chrome browser
CN112565226A (en) * 2020-11-27 2021-03-26 深信服科技股份有限公司 Request processing method, device, equipment and system and user portrait generation method
CN112953921A (en) * 2021-02-02 2021-06-11 深信服科技股份有限公司 Scanning behavior identification method, device, equipment and storage medium
CN114915462A (en) * 2022-04-29 2022-08-16 中国电信股份有限公司 Cross-site request forgery attack defense method and device, electronic device and medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104506525A (en) * 2014-12-22 2015-04-08 Beijing Qihoo Technology Co., Ltd. Method for preventing malicious grabbing and protection device
CN105577651A (en) * 2015-12-16 2016-05-11 Guangzhou Kugou Computer Technology Co., Ltd. Service providing method and apparatus
CN106446020A (en) * 2016-08-29 2017-02-22 Ctrip Computer Technology (Shanghai) Co., Ltd. Fingerprint identification realization method based on a browser built-in crawler system
US20170193559A1 (en) * 2015-12-30 2017-07-06 Vizury Interactive Solutions Private Limited Computer implemented method for partner pixelling for user identification
CN108241795A (en) * 2016-12-23 2018-07-03 Beijing Gridsum Technology Co., Ltd. User identification method and device
CN108777687A (en) * 2018-06-05 2018-11-09 iReader Technology Co., Ltd. Crawler interception method, electronic device and storage medium based on user behavior portrait
CN109446801A (en) * 2018-10-22 2019-03-08 Wuhan Jiyi Network Technology Co., Ltd. Method, apparatus, server and storage medium for detecting simulator access

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112565226A (en) * 2020-11-27 2021-03-26 Sangfor Technologies Inc. Request processing method, device, equipment and system, and user portrait generation method
CN112243039A (en) * 2020-12-07 2021-01-19 Shenzhen Fangdd Network Technology Co., Ltd. Remote access method, device, equipment and computer-readable medium for the Chrome browser
CN112243039B (en) * 2020-12-07 2021-03-12 Shenzhen Fangdd Network Technology Co., Ltd. Remote access method, device, equipment and computer-readable medium for the Chrome browser
CN112953921A (en) * 2021-02-02 2021-06-11 Sangfor Technologies Inc. Scanning behavior identification method, device, equipment and storage medium
CN114915462A (en) * 2022-04-29 2022-08-16 China Telecom Corporation Limited Cross-site request forgery attack defense method and device, electronic device and medium
CN114915462B (en) * 2022-04-29 2023-09-08 China Telecom Corporation Limited Cross-site request forgery attack defense method and device, electronic equipment and medium

Also Published As

Publication number Publication date
CN110958239B (en) 2021-08-06

Similar Documents

Publication Publication Date Title
CN110958239B (en) Method and device for verifying access request, storage medium and electronic device
CN108322461B (en) Method, system, device, equipment and medium for automatically logging in application program
US8285778B2 (en) Protecting web application data
CN111143869B (en) Application package processing method and device, electronic equipment and storage medium
CN109522726A (en) Authentication method, server and computer-readable storage medium for a mini program
CN112738117A (en) Data transmission method, device and system, storage medium and electronic device
CN112989426B (en) Authorization authentication method and device, and resource access token acquisition method
CN110995446B (en) Evidence verification method, device, server and storage medium
CN107528865A (en) File downloading method and system
CN107948235B (en) JAR-based cloud data security management and audit device
CN112131564A (en) Encrypted data communication method, apparatus, device, and medium
CN110138731B (en) Network anti-attack method based on big data
CN111460410A (en) Server login method, device and system and computer readable storage medium
CN117155716B (en) Access verification method and device, storage medium and electronic equipment
CN110290097B (en) Data processing method and device, storage medium and electronic device
EP3381166A1 (en) Systems and methods for cross-channel device binding
CN110034922B (en) Request processing method, processing device, request verification method and verification device
CN110377763B (en) Media file viewing method and device, storage medium and electronic device
US20230244797A1 (en) Data processing method and apparatus, electronic device, and medium
CN109587134B (en) Method, apparatus, device and medium for secure authentication of interface bus
CN114979109B (en) Behavior track detection method, behavior track detection device, computer equipment and storage medium
US9122878B1 (en) Software license management with drifting component
CN109522708B (en) Method and device for safely controlling running environment of application program
CN115115384A (en) Processing method and device of excitation event, electronic equipment and storage medium
JP4971275B2 (en) Streaming delivery system and streaming delivery method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
REG Reference to a national code (ref country code: HK; ref legal event code: DE; ref document number: 40021750; country of ref document: HK)
GR01 Patent grant