CN112202717A - HTTP request processing method, device, server and storage medium - Google Patents

Publication number
CN112202717A
Authority
CN
China
Prior art keywords
http request
server
http
target server
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010909215.0A
Other languages
Chinese (zh)
Other versions
CN112202717B (en)
Inventor
辛佳橼
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd
Priority to CN202010909215.0A
Publication of CN112202717A
Application granted
Publication of CN112202717B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

The embodiment of the invention is suitable for the field of data security, and provides a processing method, a device, a server and a storage medium of an HTTP request, wherein the processing method of the HTTP request comprises the following steps: receiving a first HTTP request; the first HTTP request is used for accessing a target server; analyzing the first HTTP request by adopting an HTTP processing model corresponding to the server type of the target server to obtain analysis data; the server type characterizes an architecture of the target server.

Description

HTTP request processing method, device, server and storage medium
Technical Field
The present invention relates to the field of data security technologies, and in particular, to a method, an apparatus, a server, and a storage medium for processing a hypertext transfer Protocol (HTTP) request.
Background
As network environments grow more complex, attackers' methods become more covert. In attacks against a server, the server's defense system, such as a firewall, may fail to detect a malicious attack carried in an HTTP request sent to the server, so the attack bypasses the defense system and reaches the server; HTTP request smuggling is one such attack. In the related art, the server parses the HTTP request and, if the parsed request is not a normal HTTP request, classifies it as abnormal request data and blocks it. Defending in this way, however, can block normal traffic, so the false alarm rate is high.
Disclosure of Invention
In order to solve the above problem, embodiments of the present invention provide a method, an apparatus, a server, and a storage medium for processing an HTTP request, so as to at least solve the problem of a high false positive rate of identification of a smuggling attack on the HTTP request in the related art.
The technical scheme of the invention is realized as follows:
in a first aspect, an embodiment of the present invention provides a method for processing an HTTP request, where the method includes:
receiving a first HTTP request; the first HTTP request is used for accessing a target server;
analyzing the first HTTP request by adopting an HTTP processing model corresponding to the server type of the target server to obtain analysis data; the server type characterizes an architecture of the target server.
In the foregoing solution, the processing method further includes:
detecting the analytic data to obtain a detection result; the detection result represents whether the first HTTP request contains attack data or not; the attack data is used for attacking the target server so as to enable the target server to be abnormal;
blocking the first HTTP request under the condition that the detection result represents that the first HTTP request contains attack data;
and sending the first HTTP request to the target server under the condition that the detection result shows that the first HTTP request does not contain attack data.
In the foregoing solution, the processing method further includes:
sending a second HTTP request to the target server; the second HTTP request is used for determining the server type of the target server;
receiving response data sent by the target server based on the second HTTP request;
determining a server type of the target server based on the response data;
and determining the HTTP processing model corresponding to the server type of the target server based on the set corresponding relation between the HTTP processing model and the server type.
In the foregoing solution, the determining the server type of the target server based on the response data includes:
acquiring a set characteristic value in the response data; the set characteristic value represents the server type of the target server;
and determining the server type of the target server based on the corresponding relation between the set characteristic value and the server type.
In the foregoing solution, the analyzing the first HTTP request by using the HTTP processing model corresponding to the server type of the target server to obtain analyzed data includes:
copying the first HTTP request to obtain a third HTTP request;
and analyzing the third HTTP request by adopting an HTTP processing model corresponding to the server type of the target server to obtain the analysis data.
In the foregoing solution, the analyzing the first HTTP request by using the HTTP processing model corresponding to the server type of the target server to obtain analyzed data includes:
under the condition that the first HTTP request comprises at least two HTTP sub-requests, splitting the first HTTP request based on the HTTP processing model to obtain analysis data; the parsed data includes the at least two HTTP sub-requests.
In the foregoing solution, the detecting the analysis data to obtain a detection result includes:
acquiring a field value of a set field of the analysis data;
under the condition that the field value of the set field meets the set condition, obtaining a detection result that the first HTTP request contains attack data; under the condition that the field value of the set field is stored in a set database, determining that the field value of the set field meets set conditions; the setting database stores field values of setting fields corresponding to HTTP requests containing attack data.
In a second aspect, an embodiment of the present invention provides an apparatus for processing an HTTP request, where the apparatus includes:
a receiving module, configured to receive a first HTTP request; the first HTTP request is used for accessing a target server;
the analysis module is used for analyzing the first HTTP request by adopting an HTTP processing model corresponding to the server type of the target server to obtain analysis data; the server type characterizes an architecture of the target server.
In a third aspect, an embodiment of the present invention provides a server, including a processor and a memory, where the processor and the memory are connected to each other, where the memory is used to store a computer program, and the computer program includes program instructions, and the processor is configured to call the program instructions to execute the steps of the HTTP request processing method provided in the first aspect of the embodiment of the present invention.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium, including: the computer-readable storage medium stores a computer program. The computer program, when executed by a processor, implements the steps of the method for processing an HTTP request as provided by the first aspect of the embodiments of the present invention.
In the embodiment of the invention, a first HTTP request is received; the first HTTP request is used for accessing a target server. The first HTTP request is parsed using an HTTP processing model corresponding to the server type of the target server to obtain parsed data, where the server type characterizes the architecture of the target server. Because the first HTTP request is processed with the HTTP processing model that corresponds to the target server's type, the attack characteristic in the first HTTP request can be destroyed, which protects the data security of the target server.
Drawings
Fig. 1 is a schematic flow chart of an implementation of a HTTP request processing method according to an embodiment of the present invention;
fig. 2 is a schematic flow chart illustrating an implementation of another HTTP request processing method according to an embodiment of the present invention;
fig. 3 is a schematic flow chart illustrating an implementation of another HTTP request processing method according to an embodiment of the present invention;
fig. 4 is a schematic flow chart illustrating an implementation of another HTTP request processing method according to an embodiment of the present invention;
fig. 5 is a flowchart illustrating an implementation of another HTTP request processing method according to an embodiment of the present invention;
fig. 6 is a schematic implementation flow diagram of another HTTP request processing method according to an embodiment of the present invention;
fig. 7 is a schematic processing flow diagram of an HTTP request according to an embodiment of the present invention;
fig. 8 is a schematic diagram of an apparatus for processing an HTTP request according to an embodiment of the present invention;
fig. 9 is a schematic diagram of a server according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In a complex network environment, different servers implement the RFC (Request for Comments) standards in different ways. When the front-end server and the back-end server disagree about where a request's boundary lies, an attacker can embed part of a following request inside one request: the front-end server sees a single complete request, while the back-end server sees two and interprets part of the front-end request as the start of the next request. This lets an attacker bypass security controls, gain unauthorized access to sensitive data of the server and directly compromise users of other applications. HTTP request smuggling is one such attack against a server and is used as the example below.
Specifically, in the protocol design before HTTP/1.0, a client had to establish a Transmission Control Protocol (TCP) connection with the server for every HTTP request. Today's web pages, however, are composed of many resources: loading a page means requesting not only the HyperText Markup Language (HTML) document but also JavaScript (JS), Cascading Style Sheets (CSS), pictures and other resources. Under the earlier protocol the client and server would have to establish many TCP connections, which increases the load on the server. HTTP/1.1 added two features, Keep-Alive and Pipeline. Keep-Alive adds a special request header, Connection, to the HTTP request; it tells the server not to close the TCP connection after receiving the HTTP request, and later HTTP requests to the same target server reuse that connection. The client and server then need to establish a TCP connection only once, which reduces server overhead, saves resources and speeds up access. With Pipeline, the client can send its HTTP requests one after another, like a pipeline, without waiting for the server's responses; the server matches requests to responses strictly first-in, first-out and then sends the responses to the client. At present, most browsers and servers support Pipeline.
To speed up browsing, improve the user experience and reduce server load, many websites use Content Delivery Network (CDN) acceleration services. The simplest CDN acceleration service places a reverse proxy server with a caching function in front of the origin server; when a user requests certain static resources, they are served directly from the reverse proxy server without going to the origin server. The TCP connection between the reverse proxy server and the back-end origin server is generally reused. Users are widely distributed and connect at unpredictable times, so their TCP connections are hard to reuse; the IP addresses of the reverse proxy server and the back-end origin server, by contrast, are relatively fixed, and requests from different users reach the origin server through the reverse proxy server, so the TCP connection between the two can be reused.
When a relatively ambiguous HTTP request is sent to the reverse proxy server, the reverse proxy server may treat it as a single HTTP request and forward it to the back-end origin server, because the two servers are implemented differently. After parsing, however, the origin server finds that the HTTP request contains 2 requests: it treats only part of the HTTP request as the normal request and the remainder as a smuggled request. When that remainder affects the requests of normal users, an HTTP smuggling attack has been carried out.
At present, in the related art, a defense device analyzes a passing HTTP request, and if the analyzed HTTP request is not a normal HTTP request, the defense device determines the incoming HTTP request as abnormal request data and performs blocking processing. However, due to the diversification of server types of users, there are some servers that allow data transmission using irregular HTTP requests, such as Pipeline HTTP requests. If the defense is carried out by using the method, the normal flow transmitted by the user can be blocked, so that the false alarm rate is higher.
In view of the above disadvantages of the related art, embodiments of the present invention provide a method for processing an HTTP request, which can improve an attack recognition rate and reduce a false alarm rate. In order to explain the technical means of the present invention, the following description will be given by way of specific examples.
Referring to Fig. 1, Fig. 1 is a schematic diagram of the implementation flow of an HTTP request processing method according to an embodiment of the present invention. The method is executed by the defense system of a server, which includes a firewall and a Web Application Firewall (WAF). The processing method of the HTTP request includes:
S101, receiving a first HTTP request; the first HTTP request is for accessing a target server.
Here, the first HTTP request may be an HTTP request sent by any user to the target server, and any user includes a normal user and an attacker. The first HTTP request may be a single HTTP request or may be a Pipeline HTTP request.
Assume that the method is executed by the firewall of the target server, so the firewall receives the first HTTP request. The first HTTP request must have a corresponding request destination, i.e., the target server. An HTTP request consists of 4 parts: a request line, request headers, a blank line and request data (the request body). The request line includes the request address, a Uniform Resource Locator (URL); here, the request address URL is the URL of the target server. Thus, the firewall can determine the corresponding target server from the first HTTP request.
S102, analyzing the first HTTP request by adopting an HTTP processing model corresponding to the server type of the target server to obtain analysis data; the server type characterizes an architecture of the target server.
In the embodiment of the present invention, the server types may include a Tomcat server, a JBoss server, a Weblogic server, and the like, the server types characterize the architecture of the target server, and the architectures of different types of servers are different.
The correspondence between the server type of the target server and the HTTP processing model may be set in advance. When the first HTTP request is received, the server type corresponding to the HTTP request can be identified, the HTTP processing model corresponding to that server type is looked up through the preset correspondence, and the first HTTP request is parsed with that HTTP processing model to obtain parsed data. This addresses both attack data bypassing detection and normal data being falsely reported.
Referring to fig. 2, in an embodiment, the processing method further includes:
S201, sending a second HTTP request to the target server; the second HTTP request is used to determine a server type of the target server.
Specifically, since the servers with different architectures respond to the HTTP request in different ways, the server type of the target server may be determined through the second HTTP request, and the second HTTP request may be used to request the target server to return a server identifier or feature, where the server identifier or feature represents an application currently running by the target server, and the server type is determined according to the application.
Here, when the number of the target servers is plural, the second HTTP requests may be transmitted to the plural target servers, respectively.
S202, response data sent by the target server based on the second HTTP request is received.
After receiving the second HTTP request, the target server sends response data to the firewall; the response data includes the server identifier or feature.
S203, determining the server type of the target server based on the response data.
The response data returned by the target server comprises the identification or the characteristic of the target server, the identifications or the characteristics in the response data sent by different types of target servers are different, and the server type of the target server can be determined according to the preset corresponding relation between the characteristic value and the server type.
For example, when the server identifier or characteristic returned by the target server for the second HTTP request indicates that the target server is running the Tomcat application, the server type of the target server may be determined to be a Tomcat server.
Referring to fig. 3, in the above embodiment, the determining the server type of the target server based on the response data includes:
S301, acquiring a set characteristic value in the response data; the set characteristic value represents the server type of the target server.
Here, the set characteristic value represents the server type of the target server, and one type of target server corresponds to one characteristic value. The position of the set characteristic value in the response data is generally fixed; for example, the set characteristic value is located in the first 2 bytes of the header of the response data.
S302, determining the server type of the target server based on the corresponding relation between the set characteristic value and the server type.
The correspondence between characteristic values and server types is preset, and one characteristic value corresponds to one server type. The set characteristic value obtained from the response data is looked up in this correspondence, and the server type it maps to is taken as the server type of the target server.
S204, determining the HTTP processing model corresponding to the server type of the target server based on the set correspondence between HTTP processing models and server types.
Here, the HTTP processing model is a module for processing an HTTP request in a server, for example, an HTTP servlet class exists in a Tomcat server, and the HTTP servlet class is an HTTP processing model and can process an HTTP request for accessing the Tomcat server.
The correspondence between HTTP processing models and server types is preset; for example, the Tomcat server corresponds to the HTTP servlet class. The HTTP processing model corresponding to the server type of the target server is determined from this set correspondence.
Referring to fig. 4, in an embodiment, parsing the first HTTP request by using an HTTP processing model corresponding to the server type of the target server to obtain parsed data includes:
S401, copying the first HTTP request to obtain a third HTTP request.
Copying the HTTP request yields two HTTP requests in total, the first HTTP request and the third HTTP request: the third HTTP request is the copy, and the first HTTP request is the original from which it was copied.
S402, analyzing the third HTTP request by adopting an HTTP processing model corresponding to the server type of the target server to obtain the analysis data.
Here, the first HTTP request is copied to preserve the integrity of the data in transit. If the HTTP processing model parsed the first HTTP request directly and the request turned out to be normal, the parsed data would be what is sent to the target server, which breaks the integrity of data transmission: the request data received by the server would differ from the original request data sent by the user. Copying the first HTTP request keeps one untouched copy of the original request data while the other is parsed; when the first HTTP request is a normal request, the unparsed HTTP request is sent to the target server, so the request data received by the target server is the same as the original request data sent by the user.
Further, in an embodiment, the parsing the first HTTP request by using an HTTP processing model corresponding to the server type of the target server to obtain parsed data includes:
under the condition that the first HTTP request comprises at least two HTTP sub-requests, splitting the first HTTP request based on the HTTP processing model to obtain analysis data; the parsed data includes the at least two HTTP sub-requests.
Different servers implement the RFC standards in different ways. When the front-end server and the back-end server disagree about where a request's boundary lies, an attacker embeds part of a following request inside one request: from the perspective of the front-end server it is a single complete request, while from the perspective of the back-end server it is two requests, and part of the front-end request is interpreted by the back-end server as the start of the next request. An attacker can place attack content in that part and thereby affect the target server.
In the embodiment of the present invention, the HTTP processing model can split a first HTTP request that contains a plurality of HTTP sub-requests into individual request data, one per sub-request. This destroys the attack characteristic that lets an HTTP smuggling attack bypass the server's defense system, and the defense system can perform anomaly detection on each individual HTTP sub-request to judge whether it contains attack data.
In the embodiment of the invention, a first HTTP request is received; the first HTTP request is used for accessing a target server. The first HTTP request is parsed using an HTTP processing model corresponding to the server type of the target server to obtain parsed data; the server type characterizes the architecture of the target server. Because the first HTTP request is parsed with the HTTP processing model that corresponds to the target server's type, the attack characteristic of an HTTP smuggling attack in the first HTTP request can be destroyed, and the server's defense system can accurately identify whether the first HTTP request contains data representing an HTTP smuggling attack. This improves the identification rate of HTTP request smuggling attacks, solves the problem of the high false alarm rate in the related art, and protects the data security of the target server.
Referring to fig. 5, in an embodiment, the processing method further includes:
S501, detecting the parsed data to obtain a detection result; the detection result represents whether the first HTTP request contains attack data; the attack data is used for attacking the target server so as to make the target server abnormal.
Referring to fig. 6, in the above embodiment, the detecting the analytic data to obtain a detection result includes:
S601, obtaining the field value of the set field of the parsed data.
In practical application, the field value of the set field may be a class name, a method name, an incoming parameter and the like in the parsed data; these can be used to determine whether the parsed data is attack data. They are located in a set field of the parsed data; for example, the first 3 bytes of the header in the parsed data are the field value of the set field.
S602, under the condition that the field value of the set field meets the set condition, obtaining a detection result that the first HTTP request contains attack data; under the condition that the field value of the set field is stored in a set database, determining that the field value of the set field meets set conditions; the setting database stores field values of setting fields corresponding to HTTP requests containing attack data.
The set database stores the field values of the set field that correspond to HTTP requests containing attack data. If the field value of the set field is in the set database, the first HTTP request contains attack data, such as the data of an HTTP smuggling attack. If the field value of the set field is not in the set database, the first HTTP request is normal request data.
The attack data is used to attack the target server to make the target server abnormal, such as data in an HTTP request smuggling attack.
S502, blocking the first HTTP request under the condition that the detection result represents that the first HTTP request contains attack data.
If the first HTTP request contains attack data, the defense system blocks the first HTTP request, the first HTTP request is prevented from entering the target server, and the attack data in the first HTTP request are prevented from influencing the target server.
Here, in the above-described embodiment, it is also necessary to block the third HTTP request obtained by copying.
S503, when the detection result indicates that the first HTTP request does not contain attack data, the first HTTP request is sent to the target server.
If the first HTTP request does not contain attack data, the defense system lets the first HTTP request pass and sends it to the target server.
In the above embodiment, when the analysis data includes the at least two HTTP sub-requests, a field value of a set field of each HTTP sub-request is obtained, and if the field value of the set field of any one HTTP sub-request satisfies a set condition, a detection result that the first HTTP request includes attack data is obtained.
The embodiment of the invention obtains a detection result by detecting the analysis data, and blocks the first HTTP request under the condition that the detection result represents that the first HTTP request contains attack data; and under the condition that the detection result indicates that the first HTTP request does not contain attack data, sending the first HTTP request to the target server. The embodiment of the invention can accurately identify whether the first HTTP request contains attack data, thereby protecting the data security of the target server.
Referring to fig. 7, fig. 7 is a schematic view of a processing flow of an HTTP request according to an application embodiment of the present invention, where the processing flow of the HTTP request includes:
S701, identifying the type of the server.
Request data is sent to the server, response data is received from the server, and the type of the server is determined from the characteristics contained in the response data. The type of the server is written into a server type table.
S702, an HTTP processing model is selected.
The HTTP processing model corresponding to the server type is determined based on the set correspondence between server types and HTTP processing models. An HTTP processing model library is stored in the defense system, and the correspondence between server types and HTTP processing models is established in that library.
S703, receives the HTTP request.
S704, the HTTP request is parsed using the HTTP processing model.
The HTTP processing model can split an HTTP request that contains a plurality of HTTP requests into individual request data. This destroys the attack characteristic by which an HTTP smuggling attack bypasses the server's defense system, so the defense system can perform anomaly detection on each individual HTTP request and judge whether it contains attack data.
S705, the analysis data is detected.
The HTTP request is parsed using the HTTP processing model to obtain analysis data, and the analysis data is detected.
S706, judging whether the attack feature is included.
A field value of a set field of the analysis data is acquired; when the field value of the set field satisfies the set condition, the detection result indicates that the corresponding HTTP request contains attack data.
Here, the attack feature corresponds to a field value of the set field.
If the analysis data contains the attack feature, S708 is executed. If it does not contain the attack feature, S707 is executed.
S707, the HTTP request is released.
The HTTP request is sent to the server.
S708, blocking the HTTP request and alarming.
The HTTP request is blocked and prevented from entering the server.
In this application embodiment of the invention, parsing the HTTP request with the HTTP processing model destroys the attack characteristic of an HTTP smuggling attack carried in the HTTP request, so the defense system can accurately identify whether the HTTP request contains data representing an HTTP smuggling attack, thereby protecting the data security of the server.
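The flow S704 to S708 can be illustrated with a short sketch. This is an added example, not code from the patent or from any Sangfor product: the two model names, the choice of the request path as the "set field", the contents of the set database, and the sample request are all constructed assumptions, and the server type is assumed to have been identified already (S701 to S702).

```python
# Added illustration; every name and value here is hypothetical.

# Model library: server type -> framing header that server type honours
# when a request carries both Content-Length and Transfer-Encoding.
MODEL_LIBRARY = {"cl-first": "content-length", "te-first": "transfer-encoding"}

# Set database: values of the set field (assumed here to be the request
# path) taken from requests known to contain attack data. Constructed.
SET_DATABASE = {"/admin/delete"}


def read_head(buf, pos):
    """Parse the request line and headers at pos; return (line, headers, body_start)."""
    end = buf.find(b"\r\n\r\n", pos)
    if end < 0:
        raise ValueError("incomplete header block")
    lines = buf[pos:end].decode("latin-1").split("\r\n")
    headers = {}
    for raw in lines[1:]:
        name, _, value = raw.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, end + 4


def chunked_end(buf, pos):
    """Return the offset just past the terminating zero-size chunk and trailers."""
    while True:
        eol = buf.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk size line")
        size = int(buf[pos:eol].split(b";")[0], 16)
        pos = eol + 2
        if size == 0:
            while True:  # skip optional trailer lines up to the empty line
                eol = buf.find(b"\r\n", pos)
                if eol < 0:
                    raise ValueError("truncated trailer section")
                if eol == pos:
                    return pos + 2
                pos = eol + 2
        pos += size + 2  # chunk data plus its trailing CRLF


def split_requests(raw, server_type):
    """S704: split raw bytes into sub-requests the way the target server type would."""
    prefer = MODEL_LIBRARY[server_type]
    pos, subs = 0, []
    while pos < len(raw):
        line, headers, body = read_head(raw, pos)
        has_te = "chunked" in headers.get("transfer-encoding", "").lower()
        has_cl = "content-length" in headers
        if has_te and (prefer == "transfer-encoding" or not has_cl):
            end = chunked_end(raw, body)
        elif has_cl:
            end = body + int(headers["content-length"])
        else:
            end = body
        method, path, _version = line.split(" ", 2)
        subs.append({"method": method, "path": path, "headers": headers})
        pos = end
    return subs


def detect(first_request, server_type):
    """S705-S708: return 'block' if any sub-request's set field is in the set database."""
    third_request = bytes(first_request)  # parse a copy, forward the original
    try:
        subs = split_requests(third_request, server_type)
    except ValueError:
        return "block"  # assumption: fail closed on unparseable input
    if any(sub["path"] in SET_DATABASE for sub in subs):
        return "block"
    return "pass"


# Constructed sample: one request carrying both framing headers.
EMBEDDED = b"GET /admin/delete HTTP/1.1\r\nHost: app.example\r\n\r\n"
BODY = b"0\r\n\r\n" + EMBEDDED
SAMPLE = (b"POST /search HTTP/1.1\r\nHost: app.example\r\n"
          b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
          b"Transfer-Encoding: chunked\r\n\r\n" + BODY)

if __name__ == "__main__":
    for server_type in MODEL_LIBRARY:
        paths = [s["path"] for s in split_requests(SAMPLE, server_type)]
        print(server_type, paths, detect(SAMPLE, server_type))
```

Parsed with the model that does not match the target server, the sample looks like a single request for `/search` and passes; parsed with the matching model it splits into two sub-requests and the second one hits the set database.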
It should be understood that, the sequence numbers of the steps in the foregoing embodiments do not imply an execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present invention.
It will be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
The technical means described in the embodiments of the present invention may be arbitrarily combined without conflict.
In addition, in the embodiments of the present invention, "first", "second", and the like are used for distinguishing similar objects, and are not necessarily used for describing a specific order or a sequential order.
Referring to fig. 8, fig. 8 is a schematic diagram of a vulnerability handling apparatus according to an embodiment of the present invention, as shown in fig. 8, the apparatus includes: the device comprises a receiving module and an analyzing module.
A receiving module, configured to receive a first HTTP request; the first HTTP request is used for accessing a target server;
the analysis module is used for analyzing the first HTTP request by adopting an HTTP processing model corresponding to the server type of the target server to obtain analysis data; the server type characterizes an architecture of the target server.
The processing apparatus further comprises:
the detection module is used for detecting the analytic data to obtain a detection result; the detection result represents whether the first HTTP request contains attack data or not; the attack data is used for attacking the target server so as to enable the target server to be abnormal;
the blocking module is used for blocking the first HTTP request under the condition that the detection result represents that the first HTTP request contains attack data;
and the sending module is used for sending the first HTTP request to the target server under the condition that the detection result represents that the first HTTP request does not contain attack data.
The processing apparatus further comprises:
the server type determining module is used for sending a second HTTP request to the target server; the second HTTP request is used for determining the server type of the target server; receiving response data sent by the target server based on the second HTTP request; determining a server type of the target server based on the response data; and determining the HTTP processing model corresponding to the server type of the target server based on the set corresponding relation between the HTTP processing model and the server type.
The server type determination module is specifically configured to:
acquiring a set characteristic value in the response data; the set characteristic value represents the server type of the target server; and determining the server type of the target server based on the corresponding relation between the set characteristic value and the server type.
The analysis module is specifically configured to:
copying the first HTTP request to obtain a third HTTP request; and analyzing the third HTTP request by adopting an HTTP processing model corresponding to the server type of the target server to obtain the analysis data.
The analysis module is specifically configured to:
under the condition that the first HTTP request comprises at least two HTTP sub-requests, splitting the first HTTP request based on the HTTP processing model to obtain analysis data; the parsed data includes the at least two HTTP sub-requests.
The detection module is specifically configured to:
acquiring a field value of a set field of the analysis data;
under the condition that the field value of the set field meets the set condition, obtaining a detection result that the first HTTP request contains attack data; under the condition that the field value of the set field is stored in a set database, determining that the field value of the set field meets set conditions; the setting database stores field values of setting fields corresponding to HTTP requests containing attack data.
It should be noted that: in the processing apparatus for HTTP request provided in the above embodiment, only the above-mentioned division of each module is exemplified when processing HTTP request is performed, and in practical application, the above-mentioned processing may be distributed to different modules according to needs, that is, the internal structure of the apparatus may be divided into different modules to complete all or part of the above-mentioned processing. In addition, the processing apparatus for the HTTP request and the processing method for the HTTP request provided in the above embodiments belong to the same concept, and specific implementation processes thereof are detailed in the method embodiments and are not described herein again.
Fig. 9 is a schematic diagram of a server according to an embodiment of the present invention. The server includes: cell phones, tablets, servers, etc. As shown in fig. 9, the server of this embodiment includes: a processor, a memory, and a computer program stored in the memory and executable on the processor. The processor, when executing the computer program, implements the steps in the various method embodiments described above, such as steps S101 to S102 shown in fig. 1. Alternatively, the processor implements the functions of the modules in the above-described device embodiments, for example, the functions of the receiving module and the analyzing module shown in fig. 8, when executing the computer program.
Illustratively, the computer program may be partitioned into one or more modules that are stored in the memory and executed by the processor to implement the invention. The one or more modules may be a series of computer program instruction segments capable of performing certain functions, which are used to describe the execution of the computer program in the server.
The server may include, but is not limited to, a processor, a memory. Those skilled in the art will appreciate that fig. 9 is merely an example of a server and is not intended to be limiting and may include more or fewer components than those shown, or some components may be combined, or different components, e.g., the server may also include input-output devices, network access devices, buses, etc.
The processor may be a Central Processing Unit (CPU), another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, etc. A general-purpose processor may be a microprocessor or any conventional processor or the like.
The storage may be an internal storage module of the server, such as a hard disk or a memory of the server. The memory may also be an external storage device of the server, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), and the like provided on the server. Further, the memory may also include both an internal storage module of the server and an external storage device. The memory is used for storing the computer program and other programs and data required by the server. The memory may also be used to temporarily store data that has been output or is to be output.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-mentioned functional modules and modules are illustrated as examples, and in practical applications, the above-mentioned functional allocation may be performed by different functional modules and modules according to requirements, that is, the internal structure of the apparatus is divided into different functional modules or modules to perform all or part of the above-mentioned functions. In the embodiments, each functional module and each module may be integrated into one processing module, or each module may exist alone physically, or two or more modules are integrated into one module, and the integrated modules may be implemented in a form of hardware or a form of software functional modules. In addition, specific names of the functional modules and modules are only used for distinguishing the functional modules and the modules from each other, and are not used for limiting the protection scope of the present application. The modules and the specific working processes of the modules in the system may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and reference may be made to the related descriptions of other embodiments for parts that are not described or illustrated in a certain embodiment.
Those of ordinary skill in the art will appreciate that the various illustrative modules and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus/server and method may be implemented in other ways. For example, the above-described apparatus/server embodiments are merely illustrative, and for example, the modules or division of modules are merely one logical division, and there may be other divisions in actual implementation, for example, multiple modules or components may be combined or integrated into another system, or some features may be omitted, or not implemented. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or modules, and may be in an electrical, mechanical or other form.
The modules described as separate parts may or may not be physically separate, and parts displayed as modules may or may not be physical modules, may be located in one place, or may be distributed on a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
In addition, functional modules in the embodiments of the present invention may be integrated into one processing module, or each of the modules may exist alone physically, or two or more modules are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode.
The integrated modules/modules, if implemented in the form of software functional modules and sold or used as separate products, may be stored in a computer readable storage medium. Based on such understanding, all or part of the flow of the method according to the embodiments of the present invention may also be implemented by a computer program, which may be stored in a computer-readable storage medium, and when the computer program is executed by a processor, the steps of the method embodiments may be implemented. Wherein the computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer-readable medium may include: any entity or device capable of carrying the computer program code, recording medium, usb disk, removable hard disk, magnetic disk, optical disk, computer Memory, Read-Only Memory (ROM), Random Access Memory (RAM), electrical carrier wave signals, telecommunications signals, software distribution medium, and the like. It should be noted that the computer readable medium may contain content that is subject to appropriate increase or decrease as required by legislation and patent practice in jurisdictions, for example, in some jurisdictions, computer readable media does not include electrical carrier signals and telecommunications signals as is required by legislation and patent practice.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not substantially depart from the spirit and scope of the embodiments of the present invention, and are intended to be included within the scope of the present invention.

Claims (10)

1. A processing method for a hypertext transfer protocol (HTTP) request is characterized by comprising the following steps:
receiving a first HTTP request; the first HTTP request is used for accessing a target server;
analyzing the first HTTP request by adopting an HTTP processing model corresponding to the server type of the target server to obtain analysis data; the server type characterizes an architecture of the target server.
2. The processing method according to claim 1, characterized in that it further comprises:
detecting the analytic data to obtain a detection result; the detection result represents whether the first HTTP request contains attack data or not; the attack data is used for attacking the target server so as to enable the target server to be abnormal;
blocking the first HTTP request under the condition that the detection result represents that the first HTTP request contains attack data;
and sending the first HTTP request to the target server under the condition that the detection result shows that the first HTTP request does not contain attack data.
3. The processing method according to claim 1, characterized in that it further comprises:
sending a second HTTP request to the target server; the second HTTP request is used for determining the server type of the target server;
receiving response data sent by the target server based on the second HTTP request;
determining a server type of the target server based on the response data;
and determining the HTTP processing model corresponding to the server type of the target server based on the set corresponding relation between the HTTP processing model and the server type.
4. The processing method of claim 3, wherein the determining the server type of the target server based on the response data comprises:
acquiring a set characteristic value in the response data; the set characteristic value represents the server type of the target server;
and determining the server type of the target server based on the corresponding relation between the set characteristic value and the server type.
5. The processing method according to claim 1, wherein the parsing the first HTTP request using the HTTP processing model corresponding to the server type of the target server to obtain parsed data includes:
copying the first HTTP request to obtain a third HTTP request;
and analyzing the third HTTP request by adopting an HTTP processing model corresponding to the server type of the target server to obtain the analysis data.
6. The processing method according to claim 1, wherein the parsing the first HTTP request using the HTTP processing model corresponding to the server type of the target server to obtain parsed data includes:
under the condition that the first HTTP request comprises at least two HTTP sub-requests, splitting the first HTTP request based on the HTTP processing model to obtain analysis data; the parsed data includes the at least two HTTP sub-requests.
7. The processing method according to claim 2, wherein the detecting the analytic data to obtain a detection result includes:
acquiring a field value of a set field of the analysis data;
under the condition that the field value of the set field meets the set condition, obtaining a detection result that the first HTTP request contains attack data; under the condition that the field value of the set field is stored in a set database, determining that the field value of the set field meets set conditions; the setting database stores field values of setting fields corresponding to HTTP requests containing attack data.
8. An apparatus for processing an HTTP request, comprising:
a receiving module, configured to receive a first HTTP request; the first HTTP request is used for accessing a target server;
the analysis module is used for analyzing the first HTTP request by adopting an HTTP processing model corresponding to the server type of the target server to obtain analysis data; the server type characterizes an architecture of the target server.
9. A server comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor implements the method of processing an HTTP request according to any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program comprising program instructions that, when executed by a processor, cause the processor to execute the method of processing an HTTP request according to any one of claims 1 to 7.
CN202010909215.0A 2020-09-02 2020-09-02 HTTP request processing method and device, server and storage medium Active CN112202717B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010909215.0A CN112202717B (en) 2020-09-02 2020-09-02 HTTP request processing method and device, server and storage medium

Publications (2)

Publication Number Publication Date
CN112202717A CN112202717A (en) 2021-01-08
CN112202717B CN112202717B (en) 2023-09-05

Family

ID=74006274

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010909215.0A Active CN112202717B (en) 2020-09-02 2020-09-02 HTTP request processing method and device, server and storage medium

Country Status (1)

Country Link
CN (1) CN112202717B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant