CN111835706A - Method and device for detecting malicious extension of browser and computer equipment - Google Patents


Info

Publication number: CN111835706A
Authority: CN (China)
Prior art keywords: key, terminal, browser, change, authentication code
Legal status: Granted
Application number: CN202010458715.7A
Other languages: Chinese (zh)
Other versions: CN111835706B (en)
Inventor: 林泽全
Current Assignee: Shenzhen Shenglai Information Technology Co ltd
Original Assignee: Ping An Puhui Enterprise Management Co Ltd

Application filed by Ping An Puhui Enterprise Management Co Ltd
Priority to CN202010458715.7A
Publication of CN111835706A
Application granted
Publication of CN111835706B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/958 Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/161 Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields
    • H04L69/162 Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields involving adaptations of sockets based mechanisms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds

Abstract

The embodiment of the invention provides a method and a device for detecting malicious extension of a browser and computer equipment, wherein the method comprises the following steps: receiving a key acquisition request sent by a terminal through a browser; generating a first key according to the key acquisition request, and returning the first key to the terminal; receiving a first message authentication code and a first change record sent by a terminal, wherein the first change record comprises DOM change trigger information corresponding to the first change; executing change operation corresponding to DOM change trigger information on the reference DOM tree to obtain a second DOM tree change sequence; calculating the first secret key and the second DOM tree change sequence by adopting a preset algorithm to obtain a second message authentication code; judging whether the second message authentication code obtained by calculation is the same as the first message authentication code; and if the two are the same, determining that the page structure of the browser is not damaged by the browser extension. The method can reliably detect the behavior of the malicious extension of the browser.

Description

Method and device for detecting malicious extension of browser and computer equipment
Technical Field
The invention relates to the field of rack operation and maintenance, in particular to a method and a device for detecting malicious extension of a browser and computer equipment.
Background
Browsers allow users to interact with various communication networks (such as the internet) in order to view websites, access computer files in various formats, manage web applications, and the like. To extend the functional capabilities of web browsers, many web browsers allow extensions, which are typically developed by independent developers or development teams, distributed to various browser application stores, and run within the closed environment provided by the browser after review by the browser vendor. An extension is an enhanced function of the browser, and the application programming interfaces (APIs) that the browser provides to extensions carry higher privileges than those available to a browser page.
The widespread use of browser extensions has also led to the spread of extensions that carry unwanted content or that were developed for the benefit of hackers. Such extensions may cause unwanted or malicious behavior. For example, they may replace content by inserting advertisements, collect user data or data related to a user's search queries, steal passwords and user account records, and form botnets. In the prior art, malicious extensions are therefore usually prevented by strengthening the review mechanism for browser extensions. Because the review system is imperfect and malicious extension developers are scheming, some malicious extensions inevitably pass the browser vendor's review, are published to an application store, and are installed by users in their browsers. They cause users minor or serious interference, and by changing the HTML page structure they bring users direct economic loss (for example by illegally acquiring personal data, bank account information and the like).
To address the problem of protecting computing devices or user data from various hacking actions and malicious programs that use browser extensions, a new approach is needed to analyze browser extensions and expose browser malicious extension behavior.
Disclosure of Invention
The embodiment of the invention provides a method and a device for detecting malicious extension of a browser, a storage medium and computer equipment, which can reliably detect the behavior of the malicious extension of the browser.
In a first aspect, an embodiment of the present invention provides a method for checking a malicious extension of a browser, where the method includes:
receiving a key acquisition request sent by a terminal through the browser;
generating a first key according to the key acquisition request, and returning the first key to the terminal;
receiving a first message authentication code and a first change record sent by the terminal, wherein the first message authentication code is obtained by the terminal by calculating the first key and a first DOM tree change sequence by adopting a predetermined algorithm, the first change record and the first DOM tree change sequence are generated by the terminal when the DOM tree of the browser undergoes a first change during running, and the first change record comprises DOM change trigger information corresponding to the first change;
executing the change operation corresponding to the DOM change trigger information on the reference DOM tree to obtain a second DOM tree change sequence;
calculating the first key and the second DOM tree change sequence by adopting the predetermined algorithm to obtain a second message authentication code;
judging whether the second message authentication code obtained by calculation is the same as the first message authentication code;
and if the two are the same, determining that the page structure of the browser is not damaged by a browser extension.
With reference to the first aspect, in a possible implementation manner, before receiving the key acquisition request sent by the terminal through the browser, the method further includes:
receiving a websocket connection request sent by the terminal through the browser, and returning websocket connection confirmation information to the terminal according to the websocket connection request so as to establish a websocket full-duplex communication link with the terminal;
correspondingly, receiving the key acquisition request sent by the terminal through the browser includes:
receiving the key acquisition request transmitted by the terminal, through the browser, over the websocket full-duplex communication link;
returning the first key to the terminal includes:
returning the first key to the terminal through the websocket full-duplex communication link;
receiving the first message authentication code and the first change record sent by the terminal includes:
receiving the first message authentication code and the first change record sent by the terminal through the websocket full-duplex communication link.
With reference to the first aspect, in a possible implementation manner, the calculating the first key and the second DOM tree change sequence by using the predetermined algorithm to obtain a second message authentication code includes:
if the first key is smaller than a preset length, filling the first key with a value 0 to enable the length of the first key to be equal to the preset length;
carrying out an XOR operation on the filled first key and a first bit sequence to obtain a second key;
combining the second key with the second DOM tree change sequence, and calculating a hash value of the combination of the second key and the second DOM tree change sequence by using a one-way hash function to obtain a first hash value;
carrying out XOR operation on the filled first key and a second bit sequence to obtain a third key;
combining the first hash value with the third key;
and calculating the hash value of the first hash value and the third key combination by using a one-way hash function to obtain the second message authentication code.
With reference to the first aspect, in a possible implementation manner, the DOM tree includes a plurality of nodes, and the first change occurring in the DOM tree includes any one or more of:
at least one node is inserted as a child node into another node;
at least one node is removed from its parent node as a child node;
a node characteristic of at least one node is modified;
at least one node is inserted into or deleted from the document;
a value of at least one text node of the plurality of nodes changes.
With reference to the first aspect, in a possible implementation manner, the method further includes:
if the second message authentication code is different from the first message authentication code, determining that the page structure of the browser is damaged by browser extension;
and feeding back error information to the terminal and stopping providing service for the terminal.
In a second aspect, an embodiment of the present invention provides an apparatus for verifying a malicious extension of a browser, including:
the first receiving module is used for receiving a key acquisition request sent by the terminal through the browser;
the first generation module is used for generating a first key according to the key acquisition request and returning the first key to the terminal;
the second receiving module is used for receiving a first message authentication code and a first change record sent by the terminal, wherein the first message authentication code is obtained by the terminal through calculation of the first key and a first DOM tree change sequence by adopting a preset algorithm, the first change record and the first DOM tree change sequence are generated when a DOM tree of the terminal is changed for the first time when the browser runs, and the first change record comprises DOM change trigger information corresponding to the first change;
the first change module is used for executing change operation corresponding to the DOM change trigger information on the reference DOM tree to obtain a second DOM tree change sequence;
the first calculation module is used for calculating the first secret key and the second DOM tree change sequence by adopting the preset algorithm to obtain a second message authentication code;
the first judgment module is used for judging whether the second message authentication code obtained by calculation is the same as the first message authentication code; and
the first determining module is used for determining that the page structure of the browser is not damaged by a browser extension if the second message authentication code is the same as the first message authentication code.
With reference to the second aspect, in a possible implementation manner, the apparatus further includes:
the first establishing module is used for receiving a websocket connection request sent by the terminal through the browser, and returning websocket connection confirmation information to the terminal according to the websocket connection request so as to establish a websocket full-duplex communication link with the terminal;
wherein the first receiving module comprises: a first receiving unit, configured to receive the key acquisition request transmitted by the terminal through the websocket full-duplex communication link through the browser;
the first generation module comprises: the first returning unit is used for returning the first key to the terminal through the websocket full-duplex communication link;
the second receiving module includes: and the second receiving unit is used for receiving the first message authentication code and the first change record sent by the terminal through the websocket full-duplex communication link.
With reference to the second aspect, in a possible implementation manner, the predetermined algorithm is an HMAC algorithm, and the first calculation module includes:
a first padding unit, configured to pad the first key with a value 0 if the first key is smaller than a preset length, so that the length of the first key is equal to the preset length;
the first computing unit is used for carrying out XOR operation on the filled first key and a first bit sequence to obtain a second key;
the second calculation unit is used for combining the second secret key with the second DOM tree change sequence, and calculating a hash value of the combination of the second secret key and the second DOM tree change sequence by using a one-way hash function to obtain a first hash value;
the third calculation unit is used for carrying out XOR operation on the filled first key and the second bit sequence to obtain a third key;
a first combining unit configured to combine the first hash value with the third key; and
the fourth calculation unit is used for calculating the hash value of the combination of the first hash value and the third key by using a one-way hash function to obtain the second message authentication code.
In a third aspect, an embodiment of the present invention provides a storage medium, where the storage medium includes a stored program, and when the program runs, a device in which the storage medium is located is controlled to execute the steps of the method.
In a fourth aspect, an embodiment of the present invention provides a computer device, including a memory for storing information including program instructions and a processor for controlling execution of the program instructions, wherein the program instructions are loaded by the processor and executed to implement the steps of the above method.
It can be understood that, in the embodiment of the present invention, the terminal calculates the first message authentication code according to the DOM tree structure change event of the current browser; the server then performs the same change operation on the original DOM structure and uses the same algorithm to calculate the second message authentication code; and whether the page structure of the browser has been damaged by a malicious browser extension is determined according to whether the first message authentication code and the second message authentication code are the same. This achieves the purpose of detecting the integrity of the web page, effectively avoids browser-extension behaviors such as advertisement injection and sensitive information capture, ensures the security of the web page, and improves the security protection capability.
Drawings
The invention is further illustrated with reference to the following figures and examples.
Fig. 1 is a schematic diagram of a connection relationship between a terminal and a server according to an embodiment of the present invention;
Fig. 2 is a flowchart of a method for checking malicious extension of a browser according to an embodiment of the present invention;
Fig. 3 is a schematic block diagram of a device for checking malicious extension of a browser according to an embodiment of the present invention;
Fig. 4 is a schematic block diagram of a computer device according to an embodiment of the present invention.
Detailed Description of Embodiment(s) of Invention
For better understanding of the technical solutions of the present invention, the following detailed descriptions of the embodiments of the present invention are provided with reference to the accompanying drawings.
It should be understood that the described embodiments are only some embodiments of the invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terminology used in the embodiments of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in the examples of the present invention and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be understood that the term "and/or" as used herein merely describes an association between associated objects and means that three relationships may exist, e.g., A and/or B may mean: A exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
Fig. 1 is a schematic diagram of a relationship between a terminal and a server according to an embodiment of the present invention.
Embodiments of the present application provide a communication connection between a terminal and a server, where the terminal and/or server include, but are not limited to, other portable devices such as a mobile phone, laptop or tablet computer having a touch sensitive surface (e.g., a touch screen display and/or a touchpad), and may also include one or more other physical user interface devices such as a physical keyboard, mouse, and/or joystick.
The terminal and/or the server provided by the embodiment of the application support various application programs, such as one or more of the following: a drawing application, a presentation application, a word processing application, a website creation application, a disc burning application, a spreadsheet application, a gaming application, a telephone application, a video conferencing application, an email application, an instant messaging application, an exercise support application, a photo management application, a digital camera application, a web browsing application, a digital music player application, and/or a digital video player application.
Referring to fig. 2, an embodiment of the present invention provides a method for checking a malicious extension of a browser, where the method is applicable to a server, and the method for checking a malicious extension of a browser includes:
Step S01: receiving a key acquisition request sent by the terminal through the browser.
Step S02: generating a first key according to the key acquisition request, and returning the first key to the terminal.
Step S03: receiving a first message authentication code and a first change record sent by the terminal, wherein the first message authentication code is obtained by the terminal by calculating the first key and a first DOM tree change sequence through a predetermined algorithm, the first change record and the first DOM tree change sequence are generated when the DOM tree of the terminal is changed for the first time when the browser runs, and the first change record comprises DOM change trigger information corresponding to the first change.
Step S04: executing the change operation corresponding to the DOM change trigger information on the reference DOM tree to obtain a second DOM tree change sequence.
Step S05: calculating the first key and the second DOM tree change sequence by adopting the predetermined algorithm to obtain a second message authentication code.
Step S06: judging whether the second message authentication code obtained by calculation is the same as the first message authentication code.
Step S07: if the two are the same, determining that the page structure of the browser is not damaged by a browser extension.
It can be understood that, in the embodiment of the present invention, the terminal calculates the first message authentication code according to the DOM tree structure change event of the current browser; the server then performs the same change operation on the original DOM structure and uses the same algorithm to calculate the second message authentication code; and whether the page structure of the browser has been damaged by a malicious browser extension is determined according to whether the first message authentication code and the second message authentication code are the same. This achieves the purpose of detecting the integrity of the web page, effectively avoids browser-extension behaviors such as advertisement injection and sensitive information capture, ensures the security of the web page, and improves the security protection capability.
The following describes in detail a specific technical solution of the method for checking malicious extension of a browser provided in this embodiment with reference to fig. 2.
For step S01: receiving a key acquisition request sent by the terminal through the browser.
Specifically, before receiving the key acquisition request sent by the terminal through the browser, the method further includes: receiving a websocket connection request sent by the terminal through the browser, and returning websocket connection confirmation information to the terminal according to the websocket connection request so as to establish a websocket full-duplex communication link with the terminal.
In the process of realizing the websocket connection, a terminal is required to send out a websocket connection request through a browser, and then a server sends out a response, and the process is generally called as "handshake". After the handshake is completed, a fast channel, namely a websocket full-duplex communication link, is formed between the browser and the server, and data can be directly transmitted between the browser and the server.
Correspondingly, the key acquisition request sent by the browser to the server is transmitted through the websocket full-duplex communication link.
It can be understood that, since the browser extension in the prior art cannot access the websocket channel, the websocket is adopted to perform interactive communication of the secret key, and the security of the secret key can be effectively protected.
In the embodiment of the present invention, each time a user opens a browser (e.g., Internet Explorer, Google Chrome, etc.), the terminal sends a key acquisition request to the server through the browser, so as to start the checking process for malicious browser extensions.
For step S02: generating a first key according to the key acquisition request, and returning the first key to the terminal.
When the server receives the key acquisition request, a first key may be generated according to a random number generation algorithm, where the first key may be composed of any one or more of letters, numbers, and symbols, and the first key may be, for example: 2344558888. The first key is a private key.
Returning the first key to the terminal may specifically include:
returning the first key to the terminal through the websocket full-duplex communication link.
For step S03: receiving a first message authentication code and a first change record sent by the terminal, wherein the first message authentication code is obtained by the terminal by calculating the first key and a first DOM tree change sequence by adopting a predetermined algorithm, the first change record and the first DOM tree change sequence are generated when the DOM tree of the terminal is changed for the first time when the browser runs, and the first change record comprises DOM change trigger information corresponding to the first change.
Specifically, after receiving the first key from the server, the terminal stores the first key in the corresponding storage space. Meanwhile, while the browser is running, the terminal captures DOM (Document Object Model) change events of the browser in real time. Before a DOM change event can be captured, a DOM change object needs to be initialized; the changes to the DOM tree of the browser are then monitored through the MutationObserver API, and the change information is recorded in a variable defined for the DOM change. On this basis, when the DOM tree of the running browser undergoes a first change, the terminal generates a first change record corresponding to the first change and carries out serialization coding on the DOM tree after the first change, so as to obtain a first DOM tree change sequence.
The first message authentication code and the first change record are acquired through a websocket full-duplex communication link.
In an embodiment of the present invention, the first change record may further include: change type information (attributes, characterData, or childList), changed DOM node information, added DOM node information, deleted DOM node information, attribute information of the changed DOM node, the value before the changed DOM node was changed, and the value after the change.
In this embodiment of the present invention, the DOM tree includes a plurality of nodes, and the first change occurring in the DOM tree may include any one or more of:
at least one node is inserted as a child node into another node;
at least one node is removed from its parent node as a child node;
a node characteristic of at least one node is modified;
at least one node is inserted into or deleted from the document;
the value of at least one text node of the plurality of nodes changes.
The predetermined algorithm may be an HMAC (Hash-based Message Authentication Code) algorithm.
For step S04: executing the change operation corresponding to the DOM change trigger information on the reference DOM tree to obtain a second DOM tree change sequence.
The reference DOM tree may be the original DOM tree of the browser, or the DOM tree obtained after the previous DOM change of the browser, as recorded by the server during browsing. That is, during browsing, whenever a DOM change occurs in the browser, the DOM tree after the change is sent to the server, and the server records and stores the DOM tree after each change so as to use it as the reference DOM tree for the next check for malicious browser extensions. If the first change is the first change of the DOM tree in the browsing process of the browser, the original DOM tree corresponding to the browser is used as the reference DOM tree. It can be understood that the method for checking malicious browser extensions provided by the embodiment of the present invention can check the page structure of the browser throughout the whole browsing process after the browser is opened, further improving the security protection capability.
After the server has carried out the change operation and obtained the changed reference DOM tree, it carries out serialization coding on the changed reference DOM tree to obtain the second DOM tree change sequence.
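Steps S04 to S07 on the server side, run against a simulated terminal, as an added example that is not code from the patent. The dict-based tree, the JSON serialization, the record fields (modelled on the change types listed above), HMAC-SHA-256 from Python's standard library, and the server keeping its own replayed tree as the next reference are all assumptions; the sample page and the extra iframe node are constructed.

```python
import copy
import hashlib
import hmac
import json
import secrets

# Constructed reference DOM tree: the page as the server delivered it.
REFERENCE_TREE = {
    "tag": "body", "attrs": {}, "children": [
        {"tag": "form", "attrs": {"action": "/login"}, "children": [
            {"tag": "input", "attrs": {"name": "password"}, "children": []},
        ]},
        {"tag": "ul", "attrs": {"id": "messages"}, "children": []},
    ],
}


def serialize(tree):
    """Serialization coding of a DOM tree (assumed here: canonical JSON bytes)."""
    return json.dumps(tree, sort_keys=True, separators=(",", ":")).encode()


def node_at(tree, path):
    """Follow a list of child indexes from the root to the target node."""
    node = tree
    for index in path:
        node = node["children"][index]
    return node


def apply_change(tree, record):
    """Step S04: replay one change record on a copy of the given tree."""
    changed = copy.deepcopy(tree)
    target = node_at(changed, record["target"])
    if record["type"] == "childList":
        for index in sorted(record.get("removed", []), reverse=True):
            del target["children"][index]
        for index, node in record.get("added", []):
            target["children"].insert(index, copy.deepcopy(node))
    elif record["type"] == "attributes":
        target["attrs"][record["name"]] = record["value"]
    elif record["type"] == "characterData":
        target["text"] = record["value"]
    else:
        raise ValueError("unknown change type")
    return changed


def mac(first_key, tree):
    """Message authentication code over the serialized tree."""
    return hmac.new(first_key, serialize(tree), digestmod=hashlib.sha256).digest()


def server_verify(first_key, reference_tree, record, first_mac):
    """Steps S04-S07: return (verdict, reference tree for the next check)."""
    try:
        replayed = apply_change(reference_tree, record)
    except (KeyError, IndexError, TypeError, ValueError):
        return False, reference_tree              # malformed record: fail closed
    second_mac = mac(first_key, replayed)          # step S05
    if hmac.compare_digest(second_mac, first_mac):  # step S06, constant time
        return True, replayed                      # step S07
    return False, reference_tree


def run_demo():
    first_key = secrets.token_bytes(32)            # step S02: random first key
    add_item = {"type": "childList", "target": [1], "removed": [],
                "added": [[0, {"tag": "li", "attrs": {}, "children": [],
                               "text": "Welcome"}]]}
    set_attr = {"type": "attributes", "target": [0, 0],
                "name": "autocomplete", "value": "off"}

    # Terminal whose DOM matches the page the server delivered.
    clean_dom = apply_change(REFERENCE_TREE, add_item)
    clean, reference = server_verify(
        first_key, REFERENCE_TREE, add_item, mac(first_key, clean_dom))

    # The next change is checked against the updated reference tree.
    next_dom = apply_change(clean_dom, set_attr)
    chained, _ = server_verify(
        first_key, reference, set_attr, mac(first_key, next_dom))

    # Terminal whose DOM carries a node the reference tree and the change
    # record do not account for (constructed stand-in for an injected frame).
    altered_dom = apply_change(REFERENCE_TREE, add_item)
    altered_dom["children"].append(
        {"tag": "iframe", "attrs": {"src": "https://ads.example.invalid/"},
         "children": []})
    altered, _ = server_verify(
        first_key, REFERENCE_TREE, add_item, mac(first_key, altered_dom))

    # A change record that points at a node which does not exist.
    bad_record = {"type": "attributes", "target": [9], "name": "x", "value": "y"}
    malformed, _ = server_verify(
        first_key, REFERENCE_TREE, bad_record, mac(first_key, clean_dom))

    return {"clean": clean, "chained": chained,
            "altered": altered, "malformed": malformed}


if __name__ == "__main__":
    print(run_demo())
```

The check depends on both sides serializing the tree identically; any difference in attribute order or whitespace handling between terminal and server would produce a mismatch on an untouched page.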
For step S05: and calculating the first secret key and the second DOM tree change sequence by adopting a preset algorithm to obtain a second message authentication code.
The implementation algorithm for calculating the second message authentication code in the embodiment of the present invention is the same as that for calculating the first message authentication code, and specifically, the calculation of the first key and the first DOM tree change sequence/the second DOM tree change sequence by using a predetermined algorithm to obtain the first message authentication code/the second message authentication code includes:
Step S010: if the first key is shorter than the preset length, pad the first key with the value 0 so that the length of the first key is equal to the preset length;
wherein padding the first key with the value 0 specifically includes: appending the value 0 to the tail of the first key until the first key reaches the preset length.
In other embodiments, if the length of the first key is equal to the preset length, there is no need to pad the first key.
If the first key is longer than the preset length, characters are deleted from the tail of the first key until the length of the first key is equal to the preset length.
Typically, the length of the first key is smaller than the preset length.
Step S020: perform an XOR operation on the padded first key and a first bit sequence to obtain a second key, where the first bit sequence may be: 00110110.
Step S030: combine the second key with the first DOM tree change sequence/the second DOM tree change sequence, and calculate the hash value of that combination by using a one-way hash function to obtain a first hash value;
wherein combining the second key with the first DOM tree change sequence/the second DOM tree change sequence specifically includes: concatenating the second key with the first DOM tree change sequence/the second DOM tree change sequence so that the second key is added to the head of the first DOM tree change sequence/the second DOM tree change sequence.
Step S040: perform an XOR operation on the padded first key and a second bit sequence to obtain a third key, where the second bit sequence may be: 01011100.
Step S050: combine the first hash value with the third key;
Step S060: calculate the hash value of the combination of the first hash value and the third key by using a one-way hash function to obtain the first message authentication code/the second message authentication code.
It is emphasized that the process of calculating the first message authentication code is performed by the terminal and the process of calculating the second message authentication code is performed by the server.
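Steps S010 to S060 written out in Python and checked against the standard library's HMAC, as an added example that is not code from the patent. It assumes SHA-256 as the one-way hash function, 64 bytes as the preset length, each bit sequence repeated across every key byte, and the third key placed ahead of the first hash value in step S050; it also shows that truncating an over-long key, as the text describes, differs from RFC 2104, which hashes such a key instead.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # "preset length" in bytes; assumption: the SHA-256 block size
IPAD = 0x36      # first bit sequence 00110110, applied to every key byte
OPAD = 0x5C      # second bit sequence 01011100, applied to every key byte


def fit_key(key: bytes, long_key: str = "truncate") -> bytes:
    """Step S010: bring the first key to exactly BLOCK_SIZE bytes."""
    if len(key) > BLOCK_SIZE:
        if long_key == "truncate":
            # Rule stated on the page: delete bytes from the tail.
            key = key[:BLOCK_SIZE]
        elif long_key == "hash":
            # Rule in RFC 2104: replace an over-long key by its hash.
            key = hashlib.sha256(key).digest()
        else:
            raise ValueError("long_key must be 'truncate' or 'hash'")
    # Pad with the value 0 at the tail until the preset length is reached.
    return key.ljust(BLOCK_SIZE, b"\x00")


def mac_from_steps(key: bytes, change_sequence: bytes,
                   long_key: str = "truncate") -> bytes:
    """Compute the message authentication code by following S010 to S060."""
    padded = fit_key(key, long_key)                                   # S010
    second_key = bytes(b ^ IPAD for b in padded)                      # S020
    first_hash = hashlib.sha256(second_key + change_sequence).digest()  # S030
    third_key = bytes(b ^ OPAD for b in padded)                       # S040
    # S050/S060: the page does not fix the order of the combination;
    # standard HMAC puts the third key first, which is assumed here.
    return hashlib.sha256(third_key + first_hash).digest()


def matches_stdlib(key: bytes, change_sequence: bytes, long_key: str) -> bool:
    """True when the step-by-step result equals hmac.new(..., sha256)."""
    expected = hmac.new(key, change_sequence, hashlib.sha256).digest()
    # compare_digest avoids leaking the position of the first differing byte.
    return hmac.compare_digest(mac_from_steps(key, change_sequence, long_key),
                               expected)


if __name__ == "__main__":
    # Constructed sample input: a serialized DOM tree and three keys.
    sequence = b'{"children":[],"tag":"body"}'
    short_key = b"k" * 16
    long_key_a = b"A" * 64 + b"tail-one"
    long_key_b = b"A" * 64 + b"tail-two"

    print("short key, matches stdlib:",
          matches_stdlib(short_key, sequence, "truncate"))
    print("long key truncated, matches stdlib:",
          matches_stdlib(long_key_a, sequence, "truncate"))
    print("long key hashed, matches stdlib:",
          matches_stdlib(long_key_a, sequence, "hash"))
    # With truncation, bytes beyond the preset length do not affect the MAC.
    print("two long keys collide under truncation:",
          mac_from_steps(long_key_a, sequence)
          == mac_from_steps(long_key_b, sequence))
```

With truncation, a terminal and a server that both follow the text still agree with each other; the mismatch only appears when one side uses a library HMAC and the key exceeds the preset length.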
For step S06: judging whether the calculated second message authentication code is the same as the first message authentication code.
In this method, the terminal obtains a first DOM tree change sequence from the first change that it captures on the DOM tree of the current browser. The server then performs, on the reference DOM tree, the change operation corresponding to the DOM change trigger information recorded by the terminal when the first change occurred in the DOM tree of the browser, and obtains a second DOM tree change sequence. The terminal and the server calculate a first message authentication code and a second message authentication code from the first DOM tree change sequence and the second DOM tree change sequence respectively, using the first key and the same algorithm. Whether the page structure of the browser has been damaged by a malicious browser extension is then judged according to whether the first message authentication code and the second message authentication code are the same. This achieves the purpose of checking the integrity of the web page, effectively prevents behaviors such as advertisement implantation and sensitive information capture by browser extensions, ensures the security of the web page, and improves the security protection capability.
For step S07: judging whether the calculated second message authentication code is the same as the first message authentication code.
Otherwise, if the second message authentication code is different from the first message authentication code, it is determined that the page structure of the browser is damaged by a browser extension; error information is then fed back to the terminal and the service to the terminal is stopped, thereby achieving the purpose of security protection.
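The server-side check of steps S04 to S07 run end to end, as an added Python example that is not the patent's own code. The nested-dict DOM model, the `op`/`path` change record fields, the JSON serialization, the `Server` class and the use of HMAC-SHA-256 are all assumptions made for illustration, and the sample trees are constructed.

```python
import copy
import hashlib
import hmac
import json
import secrets


def make_node(tag, text="", attrs=None, children=None):
    """Hypothetical DOM node model: a plain nested dict."""
    return {"tag": tag, "text": text,
            "attrs": attrs or {}, "children": children or []}


def serialize(dom: dict) -> bytes:
    """Canonical encoding, so identical trees give identical bytes on both sides."""
    return json.dumps(dom, sort_keys=True, separators=(",", ":")).encode("utf-8")


def resolve(tree: dict, path: list) -> dict:
    """Follow a list of child indexes from the root to the target node."""
    for index in path:
        tree = tree["children"][index]
    return tree


def apply_change(dom: dict, change: dict) -> dict:
    """Return a copy of dom with one change record applied (input untouched)."""
    tree = copy.deepcopy(dom)
    target = resolve(tree, change["path"])
    op = change["op"]
    if op == "insert_child":
        target["children"].insert(change["index"], copy.deepcopy(change["node"]))
    elif op == "remove_child":
        del target["children"][change["index"]]
    elif op == "set_attribute":
        target["attrs"][change["name"]] = change["value"]
    elif op == "set_text":
        target["text"] = change["value"]
    else:
        raise ValueError(f"unknown change op: {op!r}")
    return tree


def mac(key: bytes, dom: dict) -> bytes:
    return hmac.new(key, serialize(dom), hashlib.sha256).digest()


class Server:
    def __init__(self, original_dom: dict):
        self.reference = copy.deepcopy(original_dom)  # reference DOM tree
        self.key = None

    def issue_key(self) -> bytes:
        self.key = secrets.token_bytes(32)  # first key, returned to the terminal
        return self.key

    def verify(self, first_mac: bytes, change_record: dict) -> bool:
        candidate = apply_change(self.reference, change_record)  # S04
        second_mac = mac(self.key, candidate)                    # S05
        if not hmac.compare_digest(first_mac, second_mac):       # S06
            return False  # S07 "otherwise": report the error, stop service
        self.reference = candidate  # stored as reference for the next check
        return True


def run_demo():
    page = make_node("body", children=[
        make_node("form", attrs={"action": "/login"},
                  children=[make_node("input", attrs={"name": "user"})])])
    server = Server(page)
    key = server.issue_key()

    # Change made by the page itself: the terminal's tree equals reference + change.
    change_1 = {"op": "insert_child", "path": [0], "index": 1,
                "node": make_node("input", attrs={"name": "otp"})}
    terminal_dom = apply_change(page, change_1)
    clean = server.verify(mac(key, terminal_dom), change_1)

    # The terminal's tree also holds a node that the change record does not
    # account for (constructed here to stand in for content added by an extension).
    change_2 = {"op": "set_attribute", "path": [0, 0],
                "name": "placeholder", "value": "User name"}
    terminal_dom_2 = apply_change(terminal_dom, change_2)
    terminal_dom_2["children"].append(make_node("div", attrs={"id": "injected-banner"}))
    tampered = server.verify(mac(key, terminal_dom_2), change_2)
    return clean, tampered


if __name__ == "__main__":
    print(run_demo())
```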
Referring to fig. 3, an embodiment of the present invention provides a device 1 for checking malicious extension of a browser, including:
a first receiving module 11, configured to receive a key acquisition request sent by a terminal through a browser;
the first generating module 12 is configured to generate a first key according to the key obtaining request, and return the first key to the terminal;
the second receiving module 13 is configured to receive a first message authentication code and a first change record sent by the terminal, where the first message authentication code is obtained by the terminal by calculating a first key and a first DOM tree change sequence by using a predetermined algorithm, the first change record and the first DOM tree change sequence are generated when the DOM tree of the terminal is changed for the first time when the browser runs, and the first change record includes DOM change trigger information corresponding to the first change;
a first change module 14, configured to perform a change operation corresponding to the DOM change trigger information on the reference DOM tree, to obtain a second DOM tree change sequence;
the first calculation module 15 is configured to calculate the first key and the second DOM tree change sequence by using a predetermined algorithm to obtain a second message authentication code;
a first judging module 16, configured to judge whether the calculated second message authentication code is the same as the first message authentication code; and
a first determining module 17, configured to determine that the page structure of the browser is not damaged by the browser extension if the second message authentication code is the same as the first message authentication code.
Optionally, the device 1 for checking malicious extension of a browser further comprises:
the first establishing module is used for receiving a websocket connection request sent by the terminal through the browser, and returning websocket connection confirmation information to the terminal according to the websocket connection request so as to establish a websocket full-duplex communication link with the terminal;
wherein, the first receiving module 11 includes: the first receiving unit is used for receiving a key acquisition request transmitted by a terminal through a websocket full-duplex communication link through a browser;
the first generation module 12 includes: the first returning unit is used for returning the first key to the terminal through the websocket full-duplex communication link;
the second receiving module 13 includes: the second receiving unit, which is used for receiving the first message authentication code and the first change record sent by the terminal through the websocket full-duplex communication link.
Optionally, the predetermined algorithm is an HMAC algorithm, and the first calculation module 15 includes:
the first padding unit is used for padding the first secret key by using a value 0 if the first secret key is smaller than the preset length, so that the length of the first secret key is equal to the preset length;
the first computing unit is used for carrying out XOR operation on the filled first key and the first bit sequence to obtain a second key;
the second calculation unit is used for combining the second key with the second DOM tree change sequence, and calculating a hash value of the combination of the second key and the second DOM tree change sequence by using a one-way hash function to obtain a first hash value;
the third calculation unit is used for carrying out XOR operation on the filled first key and the second bit sequence to obtain a third key;
a first combining unit for combining the first hash value with the third key; and
the fourth calculation unit is used for calculating the hash value of the combination of the first hash value and the third key by using a one-way hash function to obtain a second message authentication code.
Optionally, the DOM tree comprises a plurality of nodes, and sending the first change comprises any one or more of:
at least one node is inserted as a child node into another node;
at least one node is removed from its parent node as a child node;
a node characteristic of at least one node is modified;
at least one node is inserted into or deleted from the document;
the value of at least one text node of the plurality of nodes changes.
Optionally, the device 1 for checking malicious extension of a browser further comprises:
the first determining module is used for determining that the page structure of the browser is damaged by browser extension if the second message authentication code is different from the first message authentication code;
and the first feedback module is used for feeding back the error information to the terminal and stopping providing the service for the terminal.
It should be appreciated that, in order to avoid duplication, other implementations of the apparatus for checking malicious extension of a browser provided in the embodiment of the present invention may refer to corresponding contents of the method embodiment of the present invention.
The embodiment of the invention provides a storage medium, which comprises a stored program, wherein when the program runs, a device where the storage medium is located is controlled to execute a method for checking malicious extension of a browser in the embodiment.
Referring to fig. 4, an embodiment of the present invention provides a computer device. The computer device 50 of the embodiment includes: the processor 51, the memory 52, and the computer program 53 stored in the memory 52 and capable of running on the processor 51, where the computer program 53, when executed by the processor 51, implements the method for checking malicious extension of a browser in the embodiment; to avoid repetition, details are not repeated herein. Alternatively, the computer program is executed by the processor 51 to implement the functions of each module/unit in the user interface testing apparatus 1 in the embodiment, which is not repeated herein to avoid redundancy.
The computer device 50 may be a desktop computer, a notebook, a palmtop computer, a cloud server, or another computing device. The computer device 50 may include, but is not limited to, a processor 51 and a memory 52. Those skilled in the art will appreciate that fig. 4 is merely an example of a computer device 50 and is not intended to limit the computer device 50, which may include more or fewer components than shown, may combine some components, or may use different components; for example, the computer device may also include input/output devices, network access devices, buses, etc.
The Processor 51 may be a Central Processing Unit (CPU), other general purpose Processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other Programmable logic device, discrete Gate or transistor logic device, discrete hardware component, or the like. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
The memory 52 may be an internal storage unit of the computer device 50, such as a hard disk or a memory of the computer device 50. The memory 52 may also be an external storage device of the computer device 50, such as a plug-in hard disk provided on the computer device 50, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), and the like. Further, the memory 52 may also include both internal and external storage devices for the computer device 50. The memory 52 is used for storing computer programs and other programs and data required by the computer device. The memory 52 may also be used to temporarily store data that has been output or is to be output.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the embodiments provided in the present invention, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, a division of a unit is merely a logical division, and an actual implementation may have another division, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
Units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
The integrated unit implemented in the form of a software functional unit may be stored in a computer readable storage medium. The software functional unit is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) or a processor to execute some steps of the methods according to the embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The present invention is not limited to the above preferred embodiments, and any modifications, equivalent substitutions, improvements, etc. within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (10)

1. A method for checking malicious extension of a browser is characterized by comprising the following steps:
receiving a key acquisition request sent by a terminal through the browser;
generating a first key according to the key acquisition request, and returning the first key to the terminal;
receiving a first message authentication code and a first change record sent by the terminal, wherein the first message authentication code is obtained by the terminal by calculating a first key and a first DOM tree change sequence by adopting a predetermined algorithm, the first change record and the first DOM tree change sequence are generated by the terminal when a DOM tree of the browser is in first change during running, and the first change record comprises DOM change trigger information corresponding to the first change;
executing change operation corresponding to the DOM change trigger information on the reference DOM tree to obtain a second DOM tree change sequence;
calculating the first secret key and the second DOM tree change sequence by adopting the preset algorithm to obtain a second message authentication code;
judging whether the second message authentication code obtained by calculation is the same as the first message authentication code or not;
and if the two are the same, determining that the page structure of the browser is not damaged by the browser extension.
2. The method of claim 1, wherein before the receiving the key acquisition request sent by the terminal through the browser, the method further comprises:
receiving a websocket connection request sent by the terminal through the browser, and returning websocket connection confirmation information to the terminal according to the websocket connection request so as to establish a websocket full-duplex communication link with the terminal;
correspondingly, the receiving the key acquisition request sent by the terminal through the browser comprises:
receiving the key acquisition request transmitted by the terminal through the websocket full-duplex communication link through the browser;
the returning the first key to the terminal includes:
returning the first key to the terminal through the websocket full-duplex communication link;
the receiving the first message authentication code and the first change record sent by the terminal includes:
and receiving the first message authentication code and the first change record sent by the terminal through the websocket full duplex communication link.
3. The method of claim 1, wherein the predetermined algorithm is an HMAC algorithm, and the calculating the first key and the second DOM tree change sequence using the predetermined algorithm to obtain a second message authentication code comprises:
if the first key is smaller than a preset length, filling the first key with a value 0 to enable the length of the first key to be equal to the preset length;
carrying out XOR operation on the filled first key and the first bit sequence to obtain a second key;
combining the second key with the second DOM tree change sequence, and calculating a hash value of the combination of the second key and the second DOM tree change sequence by using a one-way hash function to obtain a first hash value;
carrying out XOR operation on the filled first key and a second bit sequence to obtain a third key;
combining the first hash value with the third key;
and calculating the hash value of the first hash value and the third key combination by using a one-way hash function to obtain the second message authentication code.
4. The method of claim 1, wherein the DOM tree comprises a plurality of nodes, wherein sending the first change comprises any one or more of:
at least one node is inserted as a child node into another node;
at least one node is removed from its parent node as a child node;
a node characteristic of at least one node is modified;
at least one node is inserted into or deleted from the document;
a value of at least one text node of the plurality of nodes changes.
5. The method of claim 1, wherein the method further comprises:
if the second message authentication code is different from the first message authentication code, determining that the page structure of the browser is damaged by browser extension;
and feeding back error information to the terminal and stopping providing service for the terminal.
6. An apparatus for verifying malicious extension of a browser, the apparatus comprising:
the first receiving module is used for receiving a key acquisition request sent by the terminal through the browser;
the first generation module is used for generating a first key according to the key acquisition request and returning the first key to the terminal;
the second receiving module is used for receiving a first message authentication code and a first change record sent by the terminal, wherein the first message authentication code is obtained by the terminal through calculation of the first key and a first DOM tree change sequence by adopting a preset algorithm, the first change record and the first DOM tree change sequence are generated when a DOM tree of the terminal is changed for the first time when the browser runs, and the first change record comprises DOM change trigger information corresponding to the first change;
the first change module is used for executing change operation corresponding to the DOM change trigger information on the reference DOM tree to obtain a second DOM tree change sequence;
the first calculation module is used for calculating the first secret key and the second DOM tree change sequence by adopting the preset algorithm to obtain a second message authentication code;
the first judgment module is used for judging whether the second message authentication code obtained by calculation is the same as the first message authentication code or not; and
the first determining module is used for determining that the page structure of the browser is not damaged by browser extension if the second message authentication code is the same as the first message authentication code.
7. The apparatus of claim 6, wherein the apparatus further comprises:
the first establishing module is used for receiving a websocket connection request sent by the terminal through the browser, and returning websocket connection confirmation information to the terminal according to the websocket connection request so as to establish a websocket full-duplex communication link with the terminal;
wherein the first receiving module comprises: a first receiving unit, configured to receive the key acquisition request transmitted by the terminal through the websocket full-duplex communication link through the browser;
the first generation module comprises: the first returning unit is used for returning the first key to the terminal through the websocket full-duplex communication link;
the second receiving module includes: the second receiving unit, which is used for receiving the first message authentication code and the first change record sent by the terminal through the websocket full-duplex communication link.
8. The apparatus of claim 6, wherein the predetermined algorithm is an HMAC algorithm, and wherein the first calculation module comprises:
a first padding unit, configured to pad the first key with a value 0 if the first key is smaller than a preset length, so that the length of the first key is equal to the preset length;
the first computing unit is used for carrying out XOR operation on the filled first key and a first bit sequence to obtain a second key;
the second calculation unit is used for combining the second secret key with the second DOM tree change sequence, and calculating a hash value of the combination of the second secret key and the second DOM tree change sequence by using a one-way hash function to obtain a first hash value;
the third calculation unit is used for carrying out XOR operation on the filled first key and the second bit sequence to obtain a third key;
a first combining unit configured to combine the first hash value with the third key; and
the fourth calculation unit is used for calculating the hash value of the combination of the first hash value and the third key by using a one-way hash function to obtain the second message authentication code.
9. A storage medium, characterized in that the storage medium comprises a stored program, wherein the program, when executed, controls an apparatus in which the storage medium is located to perform the method of any one of claims 1 to 5.
10. A computer device comprising a memory for storing information including program instructions and a processor for controlling execution of the program instructions, characterized in that: the program instructions, when loaded and executed by a processor, implement the steps of the method of any one of claims 1 to 5.
CN202010458715.7A 2020-05-27 2020-05-27 Method and device for checking malicious extension of browser and computer equipment Active CN111835706B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010458715.7A CN111835706B (en) 2020-05-27 2020-05-27 Method and device for checking malicious extension of browser and computer equipment

Publications (2)

Publication Number Publication Date
CN111835706A true CN111835706A (en) 2020-10-27
CN111835706B CN111835706B (en) 2023-11-10

Family

ID=72913753

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010458715.7A Active CN111835706B (en) 2020-05-27 2020-05-27 Method and device for checking malicious extension of browser and computer equipment

Country Status (1)

Country Link
CN (1) CN111835706B (en)

Also Published As

Publication number Publication date
CN111835706B (en) 2023-11-10

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20231012

Address after: 607 Guoxin Investment Building, No. 07 Gaoxin South 7th Road, Gaoxin Community, Gaoxin District, Yuehai Street, Nanshan District, Shenzhen City, Guangdong Province, 518000

Applicant after: Shenzhen Shenglai Information Technology Co.,Ltd.

Address before: 518000 Room 201, building A, No. 1, Qian Wan Road, Qianhai Shenzhen Hong Kong cooperation zone, Shenzhen, Guangdong (Shenzhen Qianhai business secretary Co., Ltd.)

Applicant before: PING AN PUHUI ENTERPRISE MANAGEMENT Co.,Ltd.

TA01 Transfer of patent application right
GR01 Patent grant
GR01 Patent grant