CN111222130A - Page response method, page request method and device - Google Patents


Info

Publication number
CN111222130A
Authority
CN
China
Prior art keywords
page content
page
information
api
preset type
Prior art date
Legal status
Granted
Application number
CN201811426578.8A
Other languages
Chinese (zh)
Other versions
CN111222130B (en)
Inventor
周大
Current Assignee
Nail Holding Cayman Co Ltd
Original Assignee
Nail Holding Cayman Co Ltd
Priority date
Filing date
Publication date

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2119 Authenticating web pages, e.g. with suspicious links

Abstract

One or more embodiments of the present specification provide a page response method, a page request method, and an apparatus, where the page response method may include: acquiring corresponding page content according to a page request initiated by a client; when the page content relates to calling of a preset type API, generating verification information applied to the page content; respectively adding the verification information to the head of the page content and interface parameters of calling functions corresponding to the preset type API in the page content; and returning the page content to the client.

Description

Page response method, page request method and device
Technical Field
One or more embodiments of the present disclosure relate to the field of internet technologies, and in particular, to a page response method, a page request method, and an apparatus.
Background
In the related art, by implementing a CSP (Content Security Policy) mechanism, detection and defense can be performed against vulnerabilities such as XSS (Cross Site Scripting) vulnerabilities; for example, a specific code block in the page content is checked to decide whether it is allowed to execute js code, and execution of that code block is permitted or refused accordingly, thereby improving network security.
Disclosure of Invention
In view of this, one or more embodiments of the present disclosure provide a page response method, a page request method, and a page request device.
To achieve the above object, one or more embodiments of the present disclosure provide the following technical solutions:
according to a first aspect of one or more embodiments of the present specification, there is provided a page response method, including:
acquiring corresponding page content according to a page request initiated by a client;
when the page content relates to calling of a preset type API, generating verification information applied to the page content;
respectively adding the verification information to the head of the page content and interface parameters of calling functions corresponding to the preset type API in the page content;
and returning the page content to the client.
According to a second aspect of one or more embodiments of the present specification, there is provided a page request method including:
initiating a page request to a server;
analyzing the page content returned by the server to acquire first check information contained in the head of the page content and second check information contained in interface parameters of a calling function corresponding to a preset type API in the page content;
and when the first check information is consistent with the second check information, allowing execution of a calling function corresponding to the preset type API.
According to a third aspect of one or more embodiments of the present specification, there is provided a page response apparatus including:
the acquisition unit acquires corresponding page content according to a page request initiated by the client;
the generating unit is used for generating verification information applied to the page content when the page content relates to calling of a preset type API;
the first adding unit is used for respectively adding the verification information to the head of the page content and the interface parameter of the calling function corresponding to the preset type API in the page content;
and the return unit is used for returning the page content to the client.
According to a fourth aspect of one or more embodiments of the present specification, there is provided a page requesting apparatus including:
the request unit is used for initiating a page request to the server;
the analysis unit is used for analyzing the page content returned by the server so as to acquire first check information contained in the head of the page content and second check information contained in interface parameters of calling functions corresponding to the preset type API in the page content;
and the control unit allows the calling function corresponding to the preset type API to be executed when the first check information is consistent with the second check information.
Drawings
Fig. 1 is a schematic diagram of an architecture of a page interaction system according to an exemplary embodiment.
Fig. 2 is a flowchart of a page response method according to an exemplary embodiment.
FIG. 3 is a flowchart of a page request method provided by an exemplary embodiment.
FIG. 4 is a schematic diagram of a page interaction process provided by an exemplary embodiment.
Fig. 5 is a schematic structural diagram of an apparatus according to an exemplary embodiment.
Fig. 6 is a block diagram of a page response apparatus according to an exemplary embodiment.
Fig. 7 is a schematic structural diagram of another apparatus provided in an exemplary embodiment.
Fig. 8 is a block diagram of a page request device according to an exemplary embodiment.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with one or more embodiments of the present specification. Rather, they are merely examples of apparatus and methods consistent with certain aspects of one or more embodiments of the specification, as detailed in the claims which follow.
It should be noted that: in other embodiments, the steps of the corresponding methods are not necessarily performed in the order shown and described herein. In some other embodiments, the method may include more or fewer steps than those described herein. Moreover, a single step described in this specification may be broken down into multiple steps for description in other embodiments; multiple steps described in this specification may be combined into a single step in other embodiments.
Fig. 1 is a schematic diagram of an architecture of a page interaction system according to an exemplary embodiment. As shown in fig. 1, the system may include a server 11, a network 12, a number of electronic devices such as a cell phone 13, a PC14, and the like.
The server 11 may be a physical server comprising a separate host, or the server 11 may be a virtual server carried by a cluster of hosts. During operation, the server 11 may operate a server-side program of an application to be implemented as a server of the application. In one or more embodiments of the present disclosure, the server 11 may cooperate with the mobile phone 13 and the client running on the PC14 to implement a secure page interaction scheme.
The cellular phone 13 and the PC14 are only some types of electronic devices that can be used. In fact, it is obvious that the user can also use electronic devices of the type such as: tablet devices, notebook computers, Personal Digital Assistants (PDAs), wearable devices (e.g., smart glasses, smart watches, etc.), etc., which are not limited by one or more embodiments of the present disclosure. During operation, the electronic device may run a client-side program of an application to be implemented as a client of the application.
The network 12 for interaction between the handset 13, the PC14 and the server 11 may include various types of wired or wireless networks. In one embodiment, the network 12 may include the Public Switched Telephone Network (PSTN) and the Internet.
Fig. 2 is a flowchart of a page response method according to an exemplary embodiment. As shown in fig. 2, the method is applied to a server (e.g., the server 11 shown in fig. 1, etc.), and may include the following steps:
step 202, according to the page request initiated by the client, the corresponding page content is obtained.
In an embodiment, after receiving a page request initiated by a client, a server may respond to the page request according to a response mode in the related art to obtain corresponding page content, which is not limited in this specification.
And step 204, when the page content relates to the calling of the preset type API, generating verification information applied to the page content.
In one embodiment, the preset type API may include a privileged API, i.e., a system API that the encapsulated js interface object needs to perform a privileged operation, such as a file operation, a process operation, a registry operation, and the like. Of course, the preset type API may also include other types predefined or specified, and this specification does not limit this.
In an embodiment, the verification information may include a random string generated for the page content. The random string may be unrelated to the page content; alternatively, it may be derived from the page content, for example by using the digital digest information of the page content as the seed of a pseudo random number generator in the related art, which increases the randomness of the verification information and prevents manipulation by an attacker.
Step 206, adding the verification information to the header of the page content and the interface parameter of the calling function corresponding to the preset type API in the page content, respectively.
Step 208, returning the page content to the client.
In an embodiment, since the verification information is added both to the header of the page content and to the interface parameter of the calling function of the preset type API, the client can read the verification information from both places when it needs to use that calling function, and then: if the two pieces of check information are consistent, the calling function of the preset type API can be regarded as safe and reliable rather than an XSS vulnerability being exploited by an attacker, and the calling function is allowed to execute; if they are inconsistent, the calling function of the preset type API is regarded as abnormal and likely an XSS vulnerability being exploited by an attacker, so execution of the calling function can be refused and the security risk avoided.
In one embodiment, by means of the check information, the page response scheme of the present specification can implement protection against vulnerabilities such as XSS at the granularity of a single API, which is significantly finer than the code-segment granularity of the CSP mechanism in the related art and therefore helps to achieve a higher protection level.
In one embodiment, the check information contained in the page content should be returned to the client in the form of original value, rather than variable form, so that the client can directly read the check information and use the check information to determine whether the security risk exists.
In one embodiment, the server has a corresponding digital identity, such as a public-private key pair based on an asymmetric algorithm, where the server maintains the private key and the client pre-embeds or otherwise obtains the public key. The server can sign the information related to the page content with its private key and add the generated signed information to the header of the page content, so that the client can verify the signature with the public key it holds: if the signature verification succeeds, the page content received by the client is proved to come from the server; if the signature verification fails, the page content received by the client is abnormal and has likely been subjected to man-in-the-middle hijacking.
In one embodiment, the information related to the page content may include digital digest information of the page content, and the like, which the present specification does not limit. The digital digest information may include, for example, a hash value, and the like, which is not limited in this specification.
FIG. 3 is a flowchart of a page request method provided by an exemplary embodiment. As shown in fig. 3, the method applied to a client (e.g. the mobile phone 13, the PC14, etc. shown in fig. 1) may include the following steps:
step 302, a page request is initiated to a server.
In an embodiment, the client may initiate the above-mentioned page request to the server according to a request manner in the related art, which is not limited in this specification.
Step 304, analyzing the page content returned by the server to obtain first check information contained in the header of the page content and second check information contained in the interface parameter of the calling function corresponding to the preset type API in the page content.
In one embodiment, the preset type API may include a privileged API, i.e., a system API that the encapsulated js interface object needs to perform a privileged operation, such as a file operation, a process operation, a registry operation, and the like. Of course, the preset type API may also include other types predefined or specified, and this specification does not limit this.
In an embodiment, the verification information may include a random string generated for the page content. The random string may be unrelated to the page content; alternatively, it may be derived from the page content, for example by using the digital digest information of the page content as the seed of a pseudo random number generator in the related art, which increases the randomness of the verification information and prevents manipulation by an attacker.
And step 306, when the first check information is consistent with the second check information, allowing a calling function corresponding to the preset type API to be executed.
In an embodiment, since the server adds the same check information to the header of the page content and to the interface parameter of the calling function of the preset type API, the client obtains the first check information from the header of the page content and the second check information from that interface parameter, and then: if the two pieces of check information are consistent, the calling function of the preset type API can be regarded as safe and reliable rather than an XSS vulnerability being exploited by an attacker, and the calling function is allowed to execute; if they are inconsistent, the calling function of the preset type API is regarded as abnormal and likely an XSS vulnerability being exploited by an attacker, so execution of the calling function can be refused and the security risk avoided.
In an embodiment, since the server adds the same check information to the header of the page content and to the interface parameter of the calling function of the preset type API, the client may obtain the first check information and the second check information at the moment it calls that function and perform a consistency check on them: when the two pieces of check information are consistent, the calling function of the preset type API is safe and reliable rather than an XSS vulnerability being exploited by an attacker, and the calling function runs normally; when they are inconsistent, the calling function of the preset type API can be regarded as abnormal and likely an XSS vulnerability being exploited by an attacker, and the calling function terminates so as to avoid creating a security risk.
In one embodiment, by means of the check information, the page response scheme of the present specification can implement protection against vulnerabilities such as XSS at the granularity of a single API, which is significantly finer than the code-segment granularity of the CSP mechanism in the related art and therefore helps to achieve a higher protection level.
In an embodiment, the check information included in the page content is in an original value, not in a variable form, so that the client can directly read the check information and determine whether the security risk exists.
In one embodiment, the server has a corresponding digital identity, such as a public-private key pair based on an asymmetric algorithm, where the server maintains the private key and the client pre-embeds or otherwise obtains the public key. The server side can sign the information related to the page content with the private key and add the generated signed information to the header of the page content. Accordingly, the client may obtain the signed information included in the header of the page content. When it determines that the signed information was obtained by the server signing the information related to the page content with its own private key, it may consider the signature verification successful, indicating that the page content received by the client indeed comes from the server. When it determines that the signed information was not obtained by the server signing the information related to the page content with its own private key, it may consider the signature verification failed, indicating that the page content received by the client is abnormal, for example subjected to a man-in-the-middle hijacking attack, and the client may generate an abnormal notification and/or forcibly quit.
In one embodiment, the information related to the page content may include digital digest information of the page content, and the like, which the present specification does not limit. The digital digest information may include, for example, a hash value, and the like, which is not limited in this specification.
For ease of understanding, the page response scheme of the present specification will be described below by taking the interaction process between the PC14 and the server 11 shown in fig. 1 as an example. For example, the client runs on the PC14 and includes a browser for accessing a page, while the server-side program runs on the server 11, so that the server 11 can respond to a page request from the client on the PC14; the technical solution of the present specification can ensure that the page response process is not subject to XSS vulnerability attacks, man-in-the-middle hijacking attacks and the like, so as to improve security.
FIG. 4 is a schematic diagram of a page interaction process provided by an exemplary embodiment. As shown in fig. 4, the interactive process may include the following steps:
in step 401, the PC14 initiates a page request to the server 11.
In one embodiment, the PC14 may initiate the page request to the server 11 based on a request mechanism in the related art, which is not limited in this specification. For example, the page request may be initiated according to a URL entered by the user in the browser address bar, according to a web page link clicked by the user, and the like.
In step 402, the server 11 determines the corresponding page content according to the page request.
In an embodiment, the server 11 may determine the page content corresponding to the page request based on a response mechanism in the related art, which is not limited in this specification. In the related art, the server 11 may return the page content generated in step 402 directly to the PC14 as a response to the page request; in the technical solution of the present specification, the server 11 needs to implement the following processing to solve the security risk caused by XSS vulnerability or hijacking by a man in the middle, and the like.
In step 403, the server 11 redirects the page content to the cache.
In one embodiment, the server 11 may cache the generated page content by redirecting the page content into the cache for subsequent processing.
In step 404, the server 11 adds a nonce to the interface parameter of the privileged API call function in the page content.
In an embodiment, the server 11 may check whether the call to the privileged API is involved in the generated page content; for example, when a privileged API call function is included in the page content, the server 11 may determine that there is a call to the privileged API and generate the nonce described above.
In an embodiment, the nonce is information generated by the server 11 and used for performing a security check on the page content; in general, the server 11 may generate a different nonce for each page content separately to prevent manipulation by an attacker.
In one embodiment, the server 11 may generate a set of random numbers as the nonce through a random number generation algorithm in the related art. For example, the server 11 may perform a hash calculation on the generated page content and use the obtained hash value as the random seed of a pseudo random number generator in the related art; because the random seed is the hash value of the page content, the seed is highly unpredictable, the generated random number can be ensured to have real and extremely high randomness, and an attacker is prevented from controlling the value of the nonce.
In an embodiment, the server 11 may add the nonce to the interface parameter of the privileged API call function, so that a one-to-one association is established between the nonce and the privileged API call function; in the subsequent verification process it can then be determined, based on the value of the nonce, whether the privileged API call function is the function originally provided by the server 11. Of course, the server 11 may also establish the association between the nonce and the privileged API call function in other ways, which is not limited in this specification.
In step 405, the server 11 writes the signature and nonce to the http header of the page content.
In one embodiment, the http header of the present specification may be augmented with two extension fields: a chksum field and a nonce field. The server 11 may generate an electronic signature relating to the page content and add the electronic signature to the chksum field; and, the server 11 may add the nonce generated in the above step to the nonce field.
In an embodiment, the server 11 may perform hash calculation on the page content to obtain a corresponding hash value, and further generate an electronic signature related to the hash value through a private key corresponding to the server 11, and then add the electronic signature to the chksum field.
In step 406, the server 11 returns the page content to the PC14.
In step 407, the PC14 performs signature verification on the received page content.
In one embodiment, after receiving the page content returned by the server 11, the PC14 may read the electronic signature in the chksum field from the http header and verify the electronic signature according to the public key of the server 11: if it is determined that the electronic signature is indeed obtained by signing the hash value of the page content by the private key of the server 11, it may be determined that the signature verification is passed, otherwise the PC14 may determine that the received page content does not really originate from the server 11, such as may suffer from a man-in-the-middle hijacking attack, and the PC14 may issue a warning prompt or directly exit the current page.
In step 408, the PC14 performs nonce verification on the received page content.
In one embodiment, the PC14 may check whether the page content contains a privileged API call function while the interpretation engine processes the page content; when a privileged API call function is found, the PC14 reads nonce1 from the interface parameters of the privileged API call function on the one hand, and nonce2 from the nonce field of the http header of the page content on the other hand, and compares nonce1 with nonce2: if the values are consistent, the PC14 can determine that the corresponding privileged API call function is reliable and allow the privileged call to execute; if the values are inconsistent, the PC14 may determine that the corresponding privileged API call function carries an XSS vulnerability risk, and refuse to execute the privileged API call function or directly exit the current page.
FIG. 5 is a schematic block diagram of an apparatus provided in an exemplary embodiment. Referring to fig. 5, at the hardware level, the apparatus includes a processor 502, an internal bus 504, a network interface 506, a memory 508 and a non-volatile memory 510, but may also include hardware required for other services. The processor 502 reads the corresponding computer program from the non-volatile memory 510 into the memory 508 and runs it, forming a page response apparatus on a logical level. Of course, besides software implementation, the one or more embodiments in this specification do not exclude other implementations, such as logic devices or combinations of software and hardware; that is, the execution subject of the following processing flow is not limited to each logic unit and may also be hardware or a logic device.
Referring to fig. 6, in a software implementation, the page response apparatus may include:
an obtaining unit 601, configured to obtain corresponding page content according to a page request initiated by a client;
a generating unit 602, configured to generate, when the page content relates to a call to a preset type API, verification information applied to the page content;
a first adding unit 603, configured to add the verification information to the header of the page content and an interface parameter of a calling function corresponding to the preset type API in the page content, respectively;
a returning unit 604, which returns the page content to the client.
Optionally, the preset type API includes: a privileged API.
Optionally, the verification information includes: a random string generated for the page content.
Optionally, the check information is returned to the client in an original value form.
Optionally, the apparatus further includes:
a signature unit 605, configured to sign information related to the page content through a private key, where the client holds a public key corresponding to the private key;
a second adding unit 606, which adds the generated signed information to the header of the page content.
Optionally, the information related to the page content includes: digital digest information of the page content.
Fig. 7 is a schematic block diagram of an apparatus provided in an exemplary embodiment. Referring to fig. 7, at the hardware level, the apparatus includes a processor 702, an internal bus 704, a network interface 706, a memory 708, and a non-volatile memory 710, but may also include hardware required for other services. The processor 702 reads the corresponding computer program from the non-volatile memory 710 into the memory 708 and then runs it, forming a page request device on a logical level. Of course, besides software implementation, the one or more embodiments in this specification do not exclude other implementations, such as logic devices or combinations of software and hardware; that is, the execution subject of the following processing flow is not limited to each logic unit and may also be hardware or a logic device.
Referring to fig. 8, in a software implementation, the page request device may include:
a request unit 801, which initiates a page request to a server;
the parsing unit 802 parses the page content returned by the server to obtain first check information included in a header of the page content and second check information included in an interface parameter of a call function corresponding to a preset type API in the page content;
a control unit 803 allowing a call function corresponding to the preset type API to be executed when the first check information is identical to the second check information.
Optionally, the preset type API includes: a privileged API.
Optionally, the device further includes:
an obtaining unit 804, configured to obtain signed information included in a header of the page content;
a processing unit 805, which generates an abnormal notification and/or forcibly quits when it determines that the signed information was not obtained by the server signing the information related to the page content with its own private key.
Optionally, the information related to the page content includes: digital digest information of the page content.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email messaging device, game console, tablet computer, wearable device, or a combination of any of these devices.
In a typical configuration, a computer includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic disk storage, quantum memory, graphene-based storage media or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
The terminology used in the description of the one or more embodiments is for the purpose of describing the particular embodiments only and is not intended to be limiting of the description of the one or more embodiments. As used in one or more embodiments of the present specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in one or more embodiments of the present description to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of one or more embodiments herein. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
The above description is only for the purpose of illustrating the preferred embodiments of the one or more embodiments of the present disclosure, and is not intended to limit the scope of the one or more embodiments of the present disclosure, and any modifications, equivalent substitutions, improvements, etc. made within the spirit and principle of the one or more embodiments of the present disclosure should be included in the scope of the one or more embodiments of the present disclosure.

Claims (20)

1. A page response method, comprising:
acquiring corresponding page content according to a page request initiated by a client;
when the page content relates to calling of a preset type API, generating verification information applied to the page content;
respectively adding the verification information to the head of the page content and interface parameters of calling functions corresponding to the preset type API in the page content;
and returning the page content to the client.
2. The method of claim 1, wherein the API of the preset type comprises: a privileged API.
3. The method of claim 1, wherein the verification information comprises: a random string generated for the page content.
4. The method of claim 1, wherein the verification information is returned to the client in the form of an original value.
5. The method of claim 1, further comprising:
signing information related to the page content through a private key, wherein the client holds a public key corresponding to the private key;
and adding the generated signed information to the head of the page content.
6. The method of claim 5, wherein the information related to the page content comprises: digital summary information of the page content.
7. A page request method, comprising:
initiating a page request to a server;
analyzing the page content returned by the server to acquire first check information contained in the head of the page content and second check information contained in interface parameters of a calling function corresponding to a preset type API in the page content;
and when the first check information is consistent with the second check information, allowing execution of a calling function corresponding to the preset type API.
8. The method of claim 7, wherein the API of the preset type comprises: a privileged API.
9. The method of claim 7, further comprising:
acquiring signed information contained in the head of the page content;
and when it is determined that the signed information was not obtained by the server signing the information related to the page content with its own private key, generating an exception notification and/or forcing logout.
10. The method of claim 9, wherein the information related to the page content comprises: digital summary information of the page content.
11. A page response apparatus, comprising:
the acquisition unit acquires corresponding page content according to a page request initiated by the client;
the generating unit is used for generating verification information applied to the page content when the page content relates to calling of a preset type API;
the first adding unit is used for respectively adding the verification information to the head of the page content and the interface parameter of the calling function corresponding to the preset type API in the page content;
and the return unit is used for returning the page content to the client.
12. The apparatus of claim 11, wherein the API of the preset type comprises: a privileged API.
13. The apparatus of claim 11, wherein the verification information comprises: a random string generated for the page content.
14. The apparatus of claim 11, wherein the verification information is returned to the client in the form of an original value.
15. The apparatus of claim 11, further comprising:
the signature unit is used for signing the information related to the page content through a private key, wherein the client holds a public key corresponding to the private key;
and the second adding unit is used for adding the generated signed information to the head of the page content.
16. The apparatus of claim 15, wherein the information related to the page content comprises: digital summary information of the page content.
17. A page request apparatus, comprising:
the request unit is used for initiating a page request to the server;
the analysis unit is used for analyzing the page content returned by the server so as to acquire first check information contained in the head of the page content and second check information contained in interface parameters of calling functions corresponding to the preset type API in the page content;
and the control unit allows the calling function corresponding to the preset type API to be executed when the first check information is consistent with the second check information.
18. The apparatus of claim 17, wherein the API of the preset type comprises: a privileged API.
19. The apparatus of claim 17, further comprising:
the acquisition unit is used for acquiring signed information contained in the head of the page content;
and the processing unit generates an exception notification and/or forces logout when it is determined that the signed information was not obtained by the server signing the information related to the page content with its own private key.
20. The apparatus of claim 19, wherein the information related to the page content comprises: digital summary information of the page content.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811426578.8A CN111222130B (en) 2018-11-27 2018-11-27 Page response method, page request method and page request device
Publications (2)

Publication Number Publication Date
CN111222130A true CN111222130A (en) 2020-06-02
CN111222130B CN111222130B (en) 2023-10-03

Family

ID=70832027

Country Status (1)

Country Link
CN (1) CN111222130B (en)

Citations (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101005497A (en) * 2006-11-27 2007-07-25 科博技术有限公司 System and method for preventing vicious code attach
JP2009026010A (en) * 2007-07-18 2009-02-05 Yahoo Japan Corp Content distribution device, content distribution control method, and content distribution control program
CN101997880A (en) * 2010-12-01 2011-03-30 湖南智源信息网络技术开发有限公司 Method and device for verifying security of network page or interface
CN103067343A (en) * 2011-10-21 2013-04-24 阿里巴巴集团控股有限公司 Method and system for preventing tampering of usage of ActiveX control
CN103401836A (en) * 2013-07-01 2013-11-20 北京卓易讯畅科技有限公司 Method and device used for judging whether webpage is hijacked by ISP (internet service provider) or not
US8677481B1 (en) * 2008-09-30 2014-03-18 Trend Micro Incorporated Verification of web page integrity
CN103873493A (en) * 2012-12-10 2014-06-18 腾讯科技(深圳)有限公司 Method, device and system for page information verification
CN104239577A (en) * 2014-10-09 2014-12-24 北京奇虎科技有限公司 Method and device for detecting authenticity of webpage data
CN104301331A (en) * 2014-10-31 2015-01-21 北京思特奇信息技术股份有限公司 Service interface permissions validation method and device
CN105100242A (en) * 2015-07-24 2015-11-25 北京奇虎科技有限公司 Data processing method and system
US9426171B1 (en) * 2014-09-29 2016-08-23 Amazon Technologies, Inc. Detecting network attacks based on network records
CN106033511A (en) * 2015-03-17 2016-10-19 阿里巴巴集团控股有限公司 Method and device for preventing website data from leaking
CN106330818A (en) * 2015-06-17 2017-01-11 腾讯科技(深圳)有限公司 Method and system for protecting client embedded webpage
CN106412024A (en) * 2016-09-07 2017-02-15 网易无尾熊(杭州)科技有限公司 Page acquisition method and device
CN106681926A (en) * 2017-01-05 2017-05-17 网易(杭州)网络有限公司 Method and device for testing webpage performances
CN107315948A (en) * 2016-04-26 2017-11-03 阿里巴巴集团控股有限公司 Data calling method and device

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
ZULIN ZHANG et al.: "A Fragile Watermarking Scheme Based on Hash Function for Web Pages", 2011 International Conference on Network Computing and Information Security, pages 417-420 *
唐华栋: "Design and Implementation of a Web Page Anti-Crawling System", China Master's Theses Full-text Database, pages 139-233 *
朱毅: "Research on Anti-Tampering Techniques for Network Terminal Code", China Master's Theses Full-text Database, pages 139-49 *

Also Published As

Publication number Publication date
CN111222130B (en) 2023-10-03

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant