CN112039913A - Server API calling method, device and storage medium - Google Patents

Server API calling method, device and storage medium Download PDF

Info

Publication number
CN112039913A
CN112039913A CN202010929536.7A CN202010929536A CN112039913A CN 112039913 A CN112039913 A CN 112039913A CN 202010929536 A CN202010929536 A CN 202010929536A CN 112039913 A CN112039913 A CN 112039913A
Authority
CN
China
Prior art keywords
api
calling
server
access request
client
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010929536.7A
Other languages
Chinese (zh)
Inventor
李虎
曾毅峰
刘佳利
韩伟伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Pudong Development Bank Co Ltd
Original Assignee
Shanghai Pudong Development Bank Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Pudong Development Bank Co Ltd filed Critical Shanghai Pudong Development Bank Co Ltd
Priority to CN202010929536.7A priority Critical patent/CN112039913A/en
Publication of CN112039913A publication Critical patent/CN112039913A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1458Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to a method, a device and a storage medium for calling a server API (application program interface), wherein the method comprises the following steps: the client sends an API access request; the server receives the API access request and analyzes the API access request to obtain corresponding analysis data; judging whether a repeated calling event exists or not according to the analyzed data, if so, terminating the API calling process and outputting corresponding warning information to the client; otherwise, setting API calling information based on the expiration time in the configuration file so as to call the API of the server side and return a calling result to the client side. Compared with the prior art, the method and the device adopt a mode of combining the redis transaction with the lua script to carry out idempotent verification on the API, can effectively prevent malicious repeated operation of an attacker, and ensure the safety of data.

Description

Server API calling method, device and storage medium
Technical Field
The invention relates to the technical field of Internet API security, in particular to a server side API calling method, a server side API calling device and a storage medium.
Background
Kong is an API gateway that forwards API communications between clients and (micro) services, primarily extending functionality through plug-ins, and has two main components:
1. kong Server, a nginx based Server, is used to receive API requests.
2. Apache Cassandra-used to store operational data.
In practical applications, a user can horizontally expand Kong services through multiple KongServer machines and distribute requests to these machines through a load balancer placed in front, and two Cassandra nodes are sufficient to support most cases, and it is considered appropriate to add more nodes unless the network is very congested.
One of the most attractive features of Kong for an open source community is that existing functions can be extended by plug-ins that are executed during the life of the API request response loop, which are written in Lua, and Kong can also have several basic functions: http basic authentication, key authentication, CORS, TCP, UDP, file logging, API request throttling, request forwarding, and nginx monitoring. In order to ensure the security of API call, at present, a signature process is usually performed on a message by means of the HAMC technology of Kong to prevent the message from being modified by a person during the transmission process, and specifically, the process is to perform a MAC algorithm on the message to obtain a digest string, then perform the same calculation after the message is obtained by a receiver, and finally compare whether the MAC strings are consistent to ensure the security of data and prevent replay attack. However, in practical applications, if an attacker obtains the client request information, the attacker can repeatedly invoke the interface within a certain time, which causes a potential safety hazard in the API invoking process.
Disclosure of Invention
The present invention is directed to overcome the above-mentioned drawbacks of the prior art, and provides a method, an apparatus, and a storage medium for calling a server API, which can prevent malicious repetitive operations of an attacker and provide security for data.
The purpose of the invention can be realized by the following technical scheme: a service side API calling method comprises the following steps:
s1, the client sends an API access request;
s2, the server receives the API access request and analyzes the API access request to obtain corresponding analysis data;
s3, judging whether a repeated calling event exists according to the analysis data, if so, executing a step S4, otherwise, executing a step S5;
s4, terminating the API calling process and outputting corresponding warning information to the client;
and S5, setting API calling information based on the expiration time in the configuration file to call the API of the server side, and returning the calling result to the client side.
Further, the specific process of step S1 is as follows: the client sends an API access request and sets a unique value in the request header.
Further, the step S2 specifically includes the following steps:
s21, the server receives the API access request;
and S22, analyzing the API access request to obtain the unique value in the request header, namely the analyzed data.
Further, the step S3 is to check the idempotency to determine whether there is a repeat call event.
Further, the step S3 specifically includes the following steps:
s31, judging whether a unique value exists in the redis transaction in a lua script mode;
s32, if yes, indicating that the repeated calling event exists, and then executing a step S4;
s33, if not, indicating that no repeated calling event exists, and then executing step S5.
Further, the warning message in step S4 is specifically "do not need to be repeatedly submitted".
Further, the step S5 specifically includes the following steps:
s51, acquiring the expiration time in the configuration file;
s52, setting corresponding API call information in the redis transaction according to the expiration time;
and S53, calling the API from the server side according to the set API calling information, and returning the calling result to the client side.
Further, the API call information includes a unique value and its survival time.
A server API calling apparatus, comprising:
the receiving module is used for receiving an API access request sent by a client;
the analysis module is used for analyzing the received API access request to acquire analysis data;
the processing module is used for judging whether a repeated calling event exists according to the analysis data and setting corresponding API calling information according to the expiration time in the configuration file;
and the calling module is used for calling the corresponding API from the server side according to the API calling information.
A storage medium having stored thereon a computer program which, when executed by a processor, implements a server API calling method as claimed in any one of the preceding claims.
Compared with the prior art, the unique value is set in the API access request header sent by the client, the unique value is judged whether to exist in the redis transaction or not in a mode of combining the redis transaction with the lua script, so that the idempotency verification of the API is realized, even if an attacker obtains the request information of the client, the repeated calling attack of the interface cannot be carried out, namely, the malicious repeated operation of the attacker can be prevented, the repeated calling attack of the interface is avoided, and the safety of data is effectively ensured.
Drawings
FIG. 1 is a schematic flow diagram of the process of the present invention;
FIG. 2 is a schematic flow chart of an embodiment;
FIG. 3 is a schematic structural diagram of an API call apparatus according to the present invention;
the notation in the figure is: 201. the device comprises a receiving module 202, an analyzing module 203, a processing module 204 and a calling module.
Detailed Description
The invention is described in detail below with reference to the figures and specific embodiments.
Examples
As shown in fig. 1, a method for calling a service API includes the following steps:
s1, the client sends an API access request, and a unique value is set in the API access request head;
s2, the server receives the API access request and analyzes the API access request to obtain corresponding analysis data, wherein the analysis data is the unique value in the API access request header;
s3, according to the analysis data, by checking idempotent, judging whether a repeated calling event exists, if so, executing a step S4, otherwise, executing a step S5, specifically:
judging whether a unique value exists in the redis transaction in a lua script mode;
if yes, indicating that the repeated calling event exists, and then executing the step S4;
if not, indicating that no repeated calling event exists, and then executing the step S5;
s4, terminating the API call process, and outputting corresponding warning information to the client, in this embodiment, the warning information is set as "don't repeat submission";
s5, based on the expiration time in the configuration file, API call information is set in the redis transaction to call the API of the server side, and a call result is returned to the client side, wherein the API call information comprises a unique value and the survival time of the unique value.
The embodiment applies the method, and the specific application flow is shown in fig. 2:
the client transmits a unique value key at a request head;
the server obtains the unique value key in the request header and then checks the idempotency of the redis transaction using lua: judging whether the unique value key exists in the redis transaction or not in the lua script, and if so, returning a request of no repeated submission to the client;
if the unique value key does not exist, acquiring the expiration time in the configuration file to set the unique value key and the survival time in the redis transaction, then calling the API of the server side, and returning the calling result to the client side.
The embodiment of the invention also provides a server API calling device, which comprises a receiving module 201, an analysis module 202, a processing module 203 and a calling module 204 which are connected in sequence, wherein the input end of the receiving module 201 is connected with the client, and the output end of the calling module 204 is connected with the client, specifically, the receiving module 201 is used for receiving an API access request sent by the client;
the analysis module 202 is configured to analyze the received API access request to obtain analysis data;
the processing module 203 is configured to determine whether a repeated calling event exists according to the analysis data, and set corresponding API calling information according to expiration time in the configuration file;
and the calling module 204 is used for calling the corresponding API from the server according to the API calling information.
Another embodiment of the present invention also provides a storage medium storing computer-readable instructions, which when executed by one or more processors, enable the one or more processors to execute the above-mentioned server API calling method.
In summary, the present invention adopts redis + lua to ensure the idempotency of API, and can provide security assurance for data, and effectively prevent malicious repeated operations of an attacker, for example, when a user needs to perform a refund operation, a unique value is set in a request header sent by a client, a server checks whether the unique value exists in a redis transaction, that is, performs the idempotency verification of the refund API, if the verification is successful, that is, the unique value does not exist in the redis transaction, a subsequent refund flow is executed, and if the verification fails, that is, the unique value exists in the redis transaction, it indicates that repeated calling has occurred, so that repeated calling attack of the attacker can be prevented, and the security of API calling is improved.

Claims (10)

1. A server side API calling method is characterized by comprising the following steps:
s1, the client sends an API access request;
s2, the server receives the API access request and analyzes the API access request to obtain corresponding analysis data;
s3, judging whether a repeated calling event exists according to the analysis data, if so, executing a step S4, otherwise, executing a step S5;
s4, terminating the API calling process and outputting corresponding warning information to the client;
and S5, setting API calling information based on the expiration time in the configuration file to call the API of the server side, and returning the calling result to the client side.
2. The method for calling the API of the server according to claim 1, wherein the specific process of step S1 is as follows: the client sends an API access request and sets a unique value in the request header.
3. The method for calling the API of the server according to claim 2, wherein the step S2 specifically includes the following steps:
s21, the server receives the API access request;
and S22, analyzing the API access request to obtain the unique value in the request header, namely the analyzed data.
4. The method as claimed in claim 3, wherein the step S3 is implemented by checking idempotent to determine whether there is a repeat call event.
5. The server API calling method according to claim 4, wherein the step S3 specifically includes the following steps:
s31, judging whether a unique value exists in the redis transaction in a lua script mode;
s32, if yes, indicating that the repeated calling event exists, and then executing a step S4;
s33, if not, indicating that no repeated calling event exists, and then executing step S5.
6. The method as claimed in claim 1, wherein the warning message in step S4 is "don't repeat submission".
7. The method for calling the API of the server according to claim 2, wherein the step S5 specifically includes the following steps:
s51, acquiring the expiration time in the configuration file;
s52, setting corresponding API call information in the redis transaction according to the expiration time;
and S53, calling the API from the server side according to the set API calling information, and returning the calling result to the client side.
8. The server-side API calling method of claim 2, wherein the API call information includes a unique value and its time-to-live.
9. A server API calling apparatus, comprising:
a receiving module 201, configured to receive an API access request sent by a client;
the analysis module 202 is configured to analyze the received API access request to obtain analysis data;
the processing module 203 is configured to determine whether a repeated calling event exists according to the analysis data, and set corresponding API calling information according to expiration time in the configuration file;
and the calling module 204 is used for calling the corresponding API from the server according to the API calling information.
10. A storage medium having stored thereon a computer program, characterized in that the computer program, when executed by a processor, implements the server API calling method according to any of claims 1 to 8.
CN202010929536.7A 2020-09-07 2020-09-07 Server API calling method, device and storage medium Pending CN112039913A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010929536.7A CN112039913A (en) 2020-09-07 2020-09-07 Server API calling method, device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010929536.7A CN112039913A (en) 2020-09-07 2020-09-07 Server API calling method, device and storage medium

Publications (1)

Publication Number Publication Date
CN112039913A true CN112039913A (en) 2020-12-04

Family

ID=73584106

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010929536.7A Pending CN112039913A (en) 2020-09-07 2020-09-07 Server API calling method, device and storage medium

Country Status (1)

Country Link
CN (1) CN112039913A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113553214A (en) * 2021-07-30 2021-10-26 国网电子商务有限公司 Idempotent checking method and device
CN113608893A (en) * 2021-07-23 2021-11-05 苏州浪潮智能科技有限公司 Method, system, terminal and storage medium for preventing repeated issuing of strategy to RabbitMQ
CN115065503A (en) * 2022-05-11 2022-09-16 浪潮云信息技术股份公司 Method for preventing replay attack of API gateway
CN116112558A (en) * 2022-11-21 2023-05-12 上海浦东发展银行股份有限公司 Interface interception method and system based on axios

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110113405A1 (en) * 2006-06-16 2011-05-12 Microsoft Corporation Automated method and system for collecting and reporting api performance profiles
CN107463588A (en) * 2016-06-03 2017-12-12 北京京东尚科信息技术有限公司 Data submit judging method
CN108650093A (en) * 2018-03-30 2018-10-12 深圳市富途网络科技有限公司 A kind of interface realizing method based on idempotence
CN109325196A (en) * 2018-07-27 2019-02-12 四川长虹电器股份有限公司 The method for preventing interface repetitive requests based on redis

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110113405A1 (en) * 2006-06-16 2011-05-12 Microsoft Corporation Automated method and system for collecting and reporting api performance profiles
CN107463588A (en) * 2016-06-03 2017-12-12 北京京东尚科信息技术有限公司 Data submit judging method
CN108650093A (en) * 2018-03-30 2018-10-12 深圳市富途网络科技有限公司 A kind of interface realizing method based on idempotence
CN109325196A (en) * 2018-07-27 2019-02-12 四川长虹电器股份有限公司 The method for preventing interface repetitive requests based on redis

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113608893A (en) * 2021-07-23 2021-11-05 苏州浪潮智能科技有限公司 Method, system, terminal and storage medium for preventing repeated issuing of strategy to RabbitMQ
CN113608893B (en) * 2021-07-23 2023-08-25 苏州浪潮智能科技有限公司 Method, system, terminal and storage medium for preventing repeated issuing strategy to RabbitMQ
CN113553214A (en) * 2021-07-30 2021-10-26 国网电子商务有限公司 Idempotent checking method and device
CN113553214B (en) * 2021-07-30 2024-04-02 国网数字科技控股有限公司 Idempotent verification method and device
CN115065503A (en) * 2022-05-11 2022-09-16 浪潮云信息技术股份公司 Method for preventing replay attack of API gateway
CN115065503B (en) * 2022-05-11 2024-05-31 浪潮云信息技术股份公司 Method for preventing replay attack of API gateway
CN116112558A (en) * 2022-11-21 2023-05-12 上海浦东发展银行股份有限公司 Interface interception method and system based on axios

Similar Documents

Publication Publication Date Title
CN112039913A (en) Server API calling method, device and storage medium
US11381629B2 (en) Passive detection of forged web browsers
US9432389B1 (en) System, apparatus and method for detecting a malicious attack based on static analysis of a multi-flow object
US8386784B2 (en) Apparatus and method for securely submitting and processing a request
CN109309685B (en) Information transmission method and device
US10869198B2 (en) Wireless system access control method and device
US20080215677A1 (en) Method, system and program product for providing a status of a transaction with an application on a server
US20170054640A1 (en) Device and method for establishing connection in load-balancing system
US8813237B2 (en) Thwarting cross-site request forgery (CSRF) and clickjacking attacks
CN107465693B (en) Request message processing method and device
US12015627B2 (en) Webpage integrity monitoring
CN109951546B (en) Transaction request processing method, device, equipment and medium based on intelligent contract
Falkenberg et al. A new approach towards DoS penetration testing on web services
CA3159619C (en) Packet processing method and apparatus, device, and computer-readable storage medium
CN112243002B (en) Data forwarding method, device, electronic equipment and computer readable medium
Seo et al. SIPAD: SIP–VoIP anomaly detection using a stateful rule tree
CN111447184A (en) Single sign-on method, device, system and computer readable storage medium
JP2018518127A (en) Passive security analysis with inline active security devices
CN112968910B (en) Replay attack prevention method and device
CN113660250B (en) Defense method, device and system based on WEB application firewall and electronic device
CN112910915A (en) Trusted connection authentication method, device, equipment and computer readable storage medium
CN113347184A (en) Method, device, equipment and medium for testing network flow security detection engine
CN108259416B (en) Method for detecting malicious webpage and related equipment
CN113225348B (en) Request anti-replay verification method and device
US10581905B2 (en) Detection of manipulation of applications

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20201204