CN113158187B - Method and device for detecting click hijacking and electronic equipment - Google Patents


Info

Publication number
CN113158187B
Authority
CN
China
Prior art keywords
url
parameter
frame
suspicious
options
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110328616.1A
Other languages
Chinese (zh)
Other versions
CN113158187A (en
Inventor
任迪
郑高
江峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Dt Dream Technology Co Ltd
Original Assignee
Hangzhou Dt Dream Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Dt Dream Technology Co Ltd
Priority to CN202110328616.1A
Publication of CN113158187A
Application granted
Publication of CN113158187B
Legal status: Active (current)
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/955 Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
    • G06F16/9566 URL specific, e.g. using aliases, detecting broken or misspelled links
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/958 Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking
    • G06F16/986 Document structures and storage, e.g. HTML extensions
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

The embodiment of the application provides a method and a device for detecting click hijacking, and electronic equipment. The method comprises the following steps: intercepting a function called by an http response of a target application based on a java agent program deployed on the target application; acquiring a header parameter of the http response according to the intercepted function; judging whether the X-Frame-Options parameter in the header parameter is correct; and if not, determining the url corresponding to the http response as a suspicious url, the suspicious url being a suspected click hijacking url.

Description

Method and device for detecting click hijacking and electronic equipment
Technical Field
The embodiment of the application relates to the technical field of internet, in particular to a method and a device for detecting click hijacking and electronic equipment.
Background
Click hijacking (also known as a UI-overlay attack) is a form of Web attack and of visual fraud: it executes malicious programs by tricking users into clicking hidden buttons contained in a Web page.
The hidden button may be implemented by an invisible iframe. An attacker generally embeds malicious code into a website through the iframe, and a corresponding button of the malicious code is not only hidden and invisible, but also generally covers a normal button of the website. Thus, for the user, clicking the normal button of the website does not trigger the normal button, but triggers the hidden button positioned above the normal button, and then executes the malicious code implanted by the attacker, so as to realize the illegal intention of the attacker.
For this reason, it is necessary to provide a scheme that can detect click hijacking.
Disclosure of Invention
The embodiment of the specification provides a method and a device for detecting click hijacking and an electronic device.
According to a first aspect of embodiments herein, there is provided a method of detecting click hijacking, the method comprising:
intercepting a function called by an http response of a target application based on a java agent deployed on the target application;
acquiring a header parameter of the http response according to the intercepted function;
judging whether the X-Frame-Options parameter in the header parameter is correct or not;
if not, determining the url corresponding to the http response as a suspicious url; and the suspicious url is a suspected click hijacking url.
Optionally, the java agent is deployed on the target application in the following manner:
and adding a java agent command to the starting command line of the server corresponding to the target application.
Optionally, the function called by the http response includes: the service(HttpServletRequest, HttpServletResponse) method of the HttpServlet subclass.
Optionally, the determining whether the X-Frame-Options parameter in the header parameter is correct includes:
traversing the header parameter, and judging whether an X-Frame-Options parameter exists;
and if the X-Frame-Options parameter does not exist, determining that the X-Frame-Options parameter in the header parameter is incorrect.
Optionally, the method further includes:
if the X-Frame-Options parameter exists, judging whether the X-Frame-Options parameter is an ALLOW-FROM URI;
and if so, determining that the X-Frame-Options parameter in the header parameter is incorrect.
Optionally, the method further includes:
and outputting the suspicious url to an auditing platform, and processing the suspicious url according to an auditing result returned by the auditing platform.
Optionally, the auditing platform determines whether the suspicious url belongs to a click hijacking attack based on auditing rules; and if the audit platform can not identify the suspicious url, displaying the suspicious url in a visual mode.
Optionally, the method further includes:
after the suspicious url is determined, comparing the suspicious url with a false alarm url maintained locally; the false alarm url is a historical suspicious url which is determined to be a non-click hijack attack;
and when any suspicious url is the same as the false alarm url, modifying the suspicious url into a normal url.
According to a second aspect of embodiments herein, there is provided an apparatus for detecting click hijacking, the apparatus comprising:
the intercepting unit intercepts a function called by an http response of the target application based on a java agent deployed on the target application;
the acquisition unit is used for acquiring the header parameter of the http response according to the intercepted function;
the judging unit is used for judging whether the X-Frame-Options parameter in the header parameter is correct or not;
the determining unit is used for determining the url corresponding to the http response as a suspicious url when the X-Frame-Options parameter in the header parameter is incorrect; and the suspicious url is a suspected click hijacking url.
Optionally, the java agent is deployed on the target application through the following subunits:
a deploying subunit, which adds a java agent command to the starting command line of the server corresponding to the target application.
Optionally, the function called by the http response includes: the service(HttpServletRequest, HttpServletResponse) method of the HttpServlet subclass.
Optionally, the determining unit includes:
a traversing subunit, which traverses the header parameter;
the first judging subunit judges whether an X-Frame-Options parameter exists or not;
and a determining subunit, which determines that the X-Frame-Options parameter in the header parameter is incorrect when the first judging subunit outputs that the X-Frame-Options parameter does not exist.
Optionally, the apparatus further comprises:
the second judging subunit judges whether the X-Frame-Options parameter is an ALLOW-FROM URI or not when the X-Frame-Options parameter exists in the output of the first judging subunit;
and the determining subunit determines that the X-Frame-Options parameter in the header parameter is incorrect when the output of the second judging subunit is an ALLOW-FROM URI.
Optionally, the apparatus further comprises:
and the processing unit outputs the suspicious url to an auditing platform and processes the suspicious url according to an auditing result returned by the auditing platform.
Optionally, the auditing platform determines whether the suspicious url belongs to a click hijack attack based on an auditing rule; and if the audit platform cannot identify the suspicious url, displaying the suspicious url in a visual mode.
Optionally, the apparatus further comprises:
the screening unit is used for comparing the suspicious url with a local maintenance false alarm url after the suspicious url is determined; the false alarm url is a historical suspicious url determined to be a non-click hijacking attack; and when any suspicious url is the same as the false alarm url, modifying the suspicious url into a normal url.
According to a third aspect of embodiments of the present specification, there is provided an electronic apparatus comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to perform any one of the above methods of detecting click hijacking.
The embodiment of the specification provides a scheme for detecting click hijacking, a function called by http response of target application is intercepted through a java agent program, a header parameter of the http response corresponding to the function is analyzed, if an error X-Frame-Options parameter is set in the header parameter, a suspicious url corresponding to the http response is output, and the output suspicious url is the suspected click hijacking url. Therefore, all urls with the possibility of click hijacking are subjected to full coverage detection based on the java agent technology, and the problem of missed detection is avoided.
Drawings
FIG. 1 is a flowchart of a method for detecting click hijacking according to an embodiment of the present disclosure;
FIG. 2 is a hardware block diagram of an apparatus for detecting click hijacking according to an embodiment of the present disclosure;
fig. 3 is a block diagram of an apparatus for detecting click hijacking according to an embodiment of the present disclosure.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present specification. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the specification, as detailed in the appended claims.
The terminology used in the description herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the description. As used in this specification and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, etc. may be used herein to describe various information, these information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, the first information may also be referred to as second information, and similarly, the second information may also be referred to as first information, without departing from the scope of the present specification. The word "if" as used herein may be interpreted as "at the time of …" or "when …" or "in response to a determination", depending on the context.
The following description uses the method for detecting click hijacking shown in fig. 1 as an example. The method may comprise the steps of:
step 210: intercepting a function called by an http response of a target application based on a java agent deployed on the target application.
Step 220: and acquiring the header parameter of the http response according to the intercepted function.
Step 230: and judging whether the X-Frame-Options parameter in the header parameter is correct or not.
Step 240: if not, determining the url corresponding to the http response as a suspicious url; and the suspicious url is a suspected click hijacking url.
The embodiment can be applied to a detection end, and the detection end can include a client where the target application is located, for example, a terminal device installed with the target application.
The detection end may also refer to the target application itself, that is, the detection logic is written into the target application, so that the target application executes the steps in the embodiment.
The target application may be a web application, a micro service application, and the like.
In a specific implementation, the java agent program can be deployed on the target application in the following manner:
and adding a java agent command to the starting command line of the server corresponding to the target application.
In Java technology, the java agent mechanism has been available since JDK 1.5. A java agent is a jar package whose startup differs slightly from that of an ordinary jar package: an ordinary jar package is started through the main function of a specified class, whereas a java agent cannot be started alone and must run attached to a Java application program. The java agent mainly has two functions: first, it can intercept a class file and modify its bytecode before the class is loaded; second, it can change the bytecode of an already loaded class at run time.
Therefore, the java agent can be deployed non-intrusively by adding a "-javaagent" command to the starting command line of the server corresponding to the target application, such as tomcat or jetty. In this way, the java agent is deployed on the target application when it is launched.
It is worth mentioning that if the target application is a distributed application, the java agent needs to be deployed at each node of the distributed application.
The function called by the http response includes: the service(HttpServletRequest, HttpServletResponse) method of the HttpServlet subclass.
In internet technology, url (uniform resource locator) is used to uniquely identify the location of a resource. And web page resources are also located through urls.
The process of requesting the web page may include the client sending an http request to the url of the target web page and the web server returning an http response. And the user side can continuously acquire the resources of the target webpage after receiving the http response, so that the content of the target webpage is displayed locally.
In this process, the http request and http response of each url pass through the service(HttpServletRequest, HttpServletResponse) method of the Java servlet.
Thus, the embodiment intercepts the function called by the http response using the java agent technology. Then, from the intercepted function, the http response (response) parameter passed at the end of the function call is acquired, and the response header parameter is obtained from that response parameter.
Furthermore, by judging whether the header parameter is correctly set with the X-Frame-Options parameter, the detection result of whether the header parameter belongs to suspected click hijack attack can be obtained.
Here, X-Frame-Options is a response header flag that controls whether the page may be displayed in an iframe. A web page can enable this function so that its content is not embedded into other people's web pages, thereby avoiding click hijacking attacks.
The X-Frame-Options has three values:
DENY: indicating that the page is not allowed to be exposed in the iframe, and nesting in the page even for the same domain name is not allowed.
SAMEORIGIN: indicating that the page can be exposed in the iframe of the same domain name page.
ALLOW-FROM URL: indicating that the page can be exposed in an iframe that specifies the source.
However, although X-Frame-Options was originally introduced to prevent click hijacking attacks, with the development of Internet technology, means have appeared to carry out click hijacking even when X-Frame-Options is set. To this end, the following strategy is proposed in the present specification:
in an embodiment, the step 230 of determining whether the X-Frame-Options parameter in the header parameter is correct may include:
and traversing the header parameter and judging whether an X-Frame-Options parameter exists or not.
In the first case, if the X-Frame-Options parameter does not exist, it indicates that the X-Frame-Options function is not started in the corresponding webpage. As mentioned above, X-Frame-Options is a mark for controlling whether an iframe exists in a page or not, and if the function is not turned on, the website cannot resist the click hijack attack; therefore, such websites are likely to be implanted with click-hijacking malicious code, so that it can be determined that the X-Frame-Options parameter in the header parameter is incorrect.
And in the second situation, if the X-Frame-Options parameter exists, the corresponding webpage starts the X-Frame-Options function. As mentioned previously, X-Frame-Options has three values, each corresponding to a different iframe policy.
Therefore, when the X-Frame-Options parameter exists, whether the X-Frame-Options parameter is correct needs to be further judged. Thus, there are 3 branches:
1. If the X-Frame-Options parameter is DENY, the website is not allowed to be embedded in an iframe, and code in an iframe is not allowed to run. Therefore, a website that sets DENY can be considered to have no malicious code based on iframe click hijacking, and the X-Frame-Options parameter in the header parameter can be determined to be correct.
2. If the X-Frame-Options parameter is SAMEORIGIN, the website can only be embedded into the iframe by the website page. Although the iframe embedding is available and allowed, the embedding can only be the page of the website, so that malicious codes for realizing click hijacking based on the iframe embedding external url do not exist, and the X-Frame-Options parameter in the header parameter can be determined to be correct.
3. If the X-Frame-Options parameter is an ALLOW-FROM URL, it indicates that the page can be embedded in the iframe by the specified URL. If the iframe is allowed to be embedded, the external url can be embedded, namely, the page of the non-local website can be embedded; therefore, malicious codes based on iframe click hijacking exist in the situation, and the X-Frame-Options parameter in the header parameter can be determined to be incorrect.
In conclusion, when the X-Frame-Options parameter exists, whether the X-Frame-Options parameter is an ALLOW-FROM URL is judged;
if yes, determining that the X-Frame-Options parameter in the header parameter is incorrect.
If not, determining that the X-Frame-Options parameter in the header parameter is correct.
In this embodiment, a function called by an http response of a target application is intercepted by a java agent, the header parameter of the http response corresponding to the function is analyzed, and if the X-Frame-Options parameter set in the header parameter is incorrect, the suspicious url corresponding to the http response is output, the output suspicious url being a suspected click hijacking url. Therefore, all urls with the possibility of click hijacking are subjected to full coverage detection based on the java agent technology, and the problem of missed detection is avoided.
On the basis of the embodiment shown in fig. 1, the method may further include:
and outputting the suspicious url to an auditing platform, and processing the suspicious url according to an auditing result returned by the auditing platform.
In this embodiment, since the suspected url determined in step 240 is a url suspected of being click-hijacked, it may be further determined whether the suspected url is click-hijacked. Therefore, the suspicious url can be output to an auditing platform, and the auditing platform judges the suspicious url.
In an embodiment, the review platform may determine whether the suspected url is a click hijack based on review rules.
For example, a pre-trained recognition model may be deployed on the audit platform. The identification model is used for automatically identifying the input suspicious url.
In general, by setting reasonable functions, rules can be found from the big data by means of the existing big data processing technology. Machine learning methods such as logistic regression (logistic regression), GBDT (Gradient Boosting Decision Tree), and even deep learning can be used for modeling the big data, so that coefficients of all parameters in the function are obtained, and further a unified equation or a calculation formula can be obtained.
In this embodiment, a large amount of sample data (part of url marked as click hijacking and part of url marked as non-click hijacking) may be collected and the risk model is trained based on a machine learning algorithm; the risk model can be continuously refined through continuous learning, and when the risk model reaches the forecast (for example, the identification accuracy meets the business requirement), the risk model can be brought online and used. During the operation of the auditing platform, for the input suspicious url, a risk probability can be calculated by using the risk model. The risk probability generally lies at a value between 0 and 1. For example, closer to 1 indicates greater risk, and closer to 0 indicates less risk. When the risk probability is larger than a threshold value, the suspicious url can be considered as click hijacking; when the risk probability is less than the threshold, the suspect url may be considered a non-click hijack.
After obtaining the output result of the risk model, the auditing platform returns the auditing result to the detection end, so that the detection end processes the suspicious url based on the auditing result.
For example, when the audit result indicates click hijacking, the suspicious url is not executed; and when the auditing result shows non-click hijacking, executing the suspicious url normally.
By this embodiment, most normal urls can be released through quick detection, and the suspicious urls obtained through quick detection are further determined to be click hijacking or not through deep detection. Thus, by combining quick detection with deep detection, detection accuracy is guaranteed while detection efficiency is improved (a large number of normal urls need not undergo deep detection, which reduces the volume of deep detection).
In practical application, part of unidentifiable suspicious urls can exist in the auditing platform, and aiming at the unidentifiable suspicious urls, the auditing platform can display the suspicious urls in a visual mode so as to perform manual auditing. Of course, in some embodiments, the suspicious url determined by the detecting end may also be all reviewed manually.
For example, for a risk model, when the risk probability lies in the middle probability range, the result cannot be obtained accurately. For example, when the risk probability falls in [0.4, 0.6], the url may be either click hijacking or non-click hijacking.
During manual review, the suspicious url can be displayed on a visual interface through a visualization technology, and a worker can position a webpage corresponding to the suspicious url on the visual interface to acquire a webpage source code, so as to determine whether click hijacking exists according to the webpage source code.
In one embodiment, the visualization platform also has a function of false alarm marking, and when the staff confirms that the suspicious url is non-click hijacking, the staff can mark the suspicious url. With continuous iteration of the version, the false alarm suspicious url is less and less, so that the consumption of deep detection is reduced.
Accordingly, the detection end can locally maintain the historical suspicious urls that were falsely reported; such a historical suspicious url is called a false alarm url. The detection end can regularly acquire the latest false alarm urls from the server end to update the locally maintained false alarm urls; or the server can issue the latest false alarm urls to the detection end, so that the detection end updates the locally maintained false alarm urls.
After the detecting end determines the suspicious url in step 240, the method may further include:
comparing the suspicious url with a locally maintained false-positive url; and when any suspicious url is the same as the false alarm url, modifying the suspicious url into a normal url.
Through false alarm marking, the detection end can filter out suspicious url which is proved to be non-click hijack attack, so that repeated depth detection is not needed when the suspicious url is subsequently a false alarm url.
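The header judgment of steps 230 and 240 and the false alarm filtering just described, written out as an added Java example (not the patent's own code): the class and method names, the `strict` switch, the `.example.test` urls and the agent wiring described in the class comment are assumptions, and the sample responses are constructed.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Decision logic of steps 230 and 240 plus the local false-alarm filter, kept free of the
 * servlet API so the agent's advice can call it after HttpServlet.service(...) returns.
 *
 * Assumed wiring (hypothetical, not from the patent): the server is started with
 *   -javaagent:/path/to/xfo-agent.jar        (for Tomcat, e.g. via CATALINA_OPTS)
 * and the advice woven into service(HttpServletRequest, HttpServletResponse) collects the
 * response headers via resp.getHeaderNames() / resp.getHeaders(name) (Servlet 3.0+), then
 * calls inspect(req.getRequestURL().toString(), headers).
 */
public final class XfoDetector {

    public enum Verdict { CORRECT, SUSPICIOUS, FALSE_ALARM }

    /** Historical suspicious urls audited as non-clickjacking (the "false alarm urls"). */
    private final Set<String> falseAlarmUrls;

    /** Hypothetical switch: the description counts any value other than ALLOW-FROM as
     *  correct; with strict=true an unrecognised value (e.g. a typo) is reported as well. */
    private final boolean strict;

    public XfoDetector(boolean strict, Collection<String> falseAlarmUrls) {
        this.strict = strict;
        this.falseAlarmUrls = new HashSet<>(falseAlarmUrls);
    }

    /** Step 230: is the X-Frame-Options parameter in the response header correct? */
    public static boolean isXfoCorrect(Map<String, List<String>> headers, boolean strict) {
        List<String> values = null;
        // Traverse the header parameter; HTTP header names are case-insensitive.
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            if ("X-Frame-Options".equalsIgnoreCase(e.getKey())) { values = e.getValue(); break; }
        }
        // First case: the parameter does not exist, so the page cannot resist framing.
        if (values == null || values.isEmpty()) return false;
        for (String raw : values) {
            String v = raw == null ? "" : raw.trim().toUpperCase(Locale.ROOT);
            // Second case, branch 3: ALLOW-FROM <uri> admits an external page -> incorrect.
            if (v.startsWith("ALLOW-FROM")) return false;
            // Branches 1 and 2: DENY and SAMEORIGIN are correct.
            if (v.equals("DENY") || v.equals("SAMEORIGIN")) continue;
            // Any other value: correct under the description's rule, flagged when strict.
            if (strict) return false;
        }
        return true;
    }

    /** Step 240 plus the follow-up filter: one response -> verdict for its url. */
    public Verdict inspect(String url, Map<String, List<String>> headers) {
        if (isXfoCorrect(headers, strict)) return Verdict.CORRECT;
        // A suspicious url equal to a locally maintained false alarm url is treated as normal.
        return falseAlarmUrls.contains(url) ? Verdict.FALSE_ALARM : Verdict.SUSPICIOUS;
    }

    /** Builds a header map from alternating name/value arguments (sample-data helper). */
    static Map<String, List<String>> headers(String... nameValuePairs) {
        Map<String, List<String>> m = new LinkedHashMap<>();
        for (int i = 0; i + 1 < nameValuePairs.length; i += 2) {
            m.computeIfAbsent(nameValuePairs[i], k -> new ArrayList<>()).add(nameValuePairs[i + 1]);
        }
        return m;
    }

    /** Runs constructed sample responses (not real traffic) through the detector. */
    public static void main(String[] args) {
        XfoDetector detector = new XfoDetector(false,
                Arrays.asList("https://app.example.test/legacy/widget"));
        Map<String, Map<String, List<String>>> samples = new LinkedHashMap<>();
        samples.put("https://app.example.test/login",          // header absent
                headers("Content-Type", "text/html"));
        samples.put("https://app.example.test/home",           // SAMEORIGIN set
                headers("Content-Type", "text/html", "X-Frame-Options", "SAMEORIGIN"));
        samples.put("https://app.example.test/embed",          // ALLOW-FROM, lower-case name
                headers("x-frame-options", "ALLOW-FROM https://partner.example.test"));
        samples.put("https://app.example.test/legacy/widget",  // absent, but audited false alarm
                headers("Content-Type", "text/html"));
        for (Map.Entry<String, Map<String, List<String>>> e : samples.entrySet()) {
            System.out.println(e.getKey() + " -> " + detector.inspect(e.getKey(), e.getValue()));
        }
    }
}
```

The `strict` flag goes beyond the description's three-branch rule: with it on, a header present but carrying an unrecognised value is also reported as suspicious rather than silently treated as correct.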
Corresponding to the embodiment of the method for detecting the click hijacking, the specification also provides an embodiment of a device for detecting the click hijacking. The device embodiments may be implemented by software, or by hardware, or by a combination of hardware and software. The software implementation is taken as an example, and as a logical device, the device is formed by reading corresponding computer business program instructions in the nonvolatile memory into the memory for operation through the processor of the device in which the device is located. From a hardware aspect, as shown in fig. 2, a hardware structure diagram of a device for detecting click hijacking according to this description is shown, except for the processor, the network interface, the memory, and the nonvolatile memory shown in fig. 2, the device in the embodiment may also include other hardware according to an actual function of detecting click hijacking, which is not described herein again.
Referring to fig. 3, a block diagram of an apparatus for detecting click hijacking according to an embodiment of the present disclosure is shown, where the apparatus corresponds to the embodiment shown in fig. 1, and the apparatus includes:
the intercepting unit 310 is used for intercepting a function called by an http response of a target application based on a java agent deployed on the target application;
the obtaining unit 320 is used for obtaining the header parameter of the http response according to the intercepted function;
the judging unit 330 is used for judging whether the X-Frame-Options parameter in the header parameter is correct;
the determining unit 340 is configured to determine, when an X-Frame-Options parameter in the header parameter is incorrect, a url corresponding to the http response as a suspicious url; and the suspicious url is a suspected click hijacking url.
Optionally, the java agent is deployed on the target application through the following subunits:
a deploying subunit, which adds a java agent command to the starting command line of the server corresponding to the target application.
Optionally, the function called by the http response includes: the service(HttpServletRequest, HttpServletResponse) method of the HttpServlet subclass.
Optionally, the judging unit 330 includes:
a traversing subunit, which traverses the header parameter;
the first judging subunit judges whether an X-Frame-Options parameter exists or not;
and a determining subunit, which determines that the X-Frame-Options parameter in the header parameter is incorrect when the first judging subunit outputs that the X-Frame-Options parameter does not exist.
Optionally, the apparatus further comprises:
the second judging subunit judges whether the X-Frame-Options parameter is an ALLOW-FROM URL or not when the X-Frame-Options parameter exists in the output of the first judging subunit;
and the determining subunit determines that the X-Frame-Options parameter in the header parameter is incorrect when the output of the second judging subunit is an ALLOW-FROM URL.
Optionally, the apparatus further comprises:
and the processing unit outputs the suspicious url to an auditing platform and processes the suspicious url according to an auditing result returned by the auditing platform.
Optionally, the auditing platform determines whether the suspicious url belongs to a click hijacking attack based on auditing rules; and if the audit platform cannot identify the suspicious url, displaying the suspicious url in a visual mode.
Optionally, the apparatus further comprises:
the screening unit is used for comparing the suspicious url with a local maintenance false alarm url after the suspicious url is determined; the false alarm url is a historical suspicious url determined to be a non-click hijacking attack; and when any suspicious url is the same as the false alarm url, modifying the suspicious url into a normal url.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. A typical implementation device is a computer, which may be in the form of a personal computer, laptop, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email messaging device, game console, tablet computer, wearable device, or a combination of any of these devices.
The implementation process of the functions and actions of each unit in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution in the specification. One of ordinary skill in the art can understand and implement it without inventive effort.
In the above embodiments of the electronic device, it should be understood that the Processor may be a Central Processing Unit (CPU), other general-purpose processors, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), etc. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor, and the aforementioned memory may be a read-only memory (ROM), a Random Access Memory (RAM), a flash memory, a hard disk, or a solid state disk. The steps of a method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware processor, or may be implemented by a combination of hardware and software modules in a processor.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the embodiment of the electronic device, since it is substantially similar to the embodiment of the method, the description is simple, and for relevant points, reference may be made to part of the description of the embodiment of the method.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This specification is intended to cover any variations, uses, or adaptations of the specification following, in general, the principles of the specification and including such departures from the present disclosure as come within known or customary practice within the art to which the specification pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the specification being indicated by the following claims.
It will be understood that the present description is not limited to the precise arrangements that have been described above and shown in the drawings, and that various modifications and changes may be made without departing from the scope thereof. The scope of the present description is limited only by the appended claims.

Claims (9)

1. A method of detecting click hijacking, the method comprising:
intercepting, by means of a java agent deployed on a target application, the function that the target application calls to produce an http response;
acquiring the header parameters of the http response from the intercepted function;
judging whether the header parameters contain an X-Frame-Options parameter;
if the X-Frame-Options parameter exists, further judging whether the X-Frame-Options parameter is ALLOW-FROM URI;
if it is ALLOW-FROM URI, determining the url corresponding to the http response to be a suspicious url, the suspicious url being a suspected click hijacking url.
2. The method of claim 1, wherein the java agent is deployed on the target application by:
adding a java agent option (the JVM's -javaagent argument) to the startup command line of the server corresponding to the target application.
3. The method of claim 1, wherein the function called to produce the http response comprises:
the service(HttpServletRequest, HttpServletResponse) method of an HttpServlet subclass.
4. The method of claim 1, further comprising:
and if the X-Frame-Options parameter does not exist, determining that the X-Frame-Options parameter in the header parameters is incorrect.
5. The method of claim 1, further comprising:
and outputting the suspicious url to an auditing platform, and processing the suspicious url according to an auditing result returned by the auditing platform.
6. The method of claim 5, wherein the auditing platform determines, based on auditing rules, whether the suspicious url belongs to a click hijacking attack; and if the auditing platform cannot identify the suspicious url, the suspicious url is displayed in a visual form.
7. The method according to claim 1 or 5, characterized in that the method further comprises:
after the suspicious url has been determined, comparing the suspicious url with a locally maintained false-alarm url; the false-alarm url is a historical suspicious url that was determined not to be a click hijacking attack;
and when any suspicious url is the same as a false-alarm url, changing the suspicious url to a normal url.
8. An apparatus to detect click hijacking, the apparatus comprising:
an intercepting unit, which intercepts, by means of a java agent deployed on the target application, the function that the target application calls to produce an http response;
an acquisition unit, which acquires the header parameters of the http response from the intercepted function;
a judging unit, which judges whether the header parameters contain an X-Frame-Options parameter and, if so, further judges whether the X-Frame-Options parameter is ALLOW-FROM URI;
a determining unit, which determines the url corresponding to the http response to be a suspicious url when the X-Frame-Options parameter is ALLOW-FROM URI, the suspicious url being a suspected click hijacking url.
9. An electronic device, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to perform the method of any one of claims 1 to 7.
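The triage procedure of claims 1, 4 and 7 (and of the judging, determining and screening units described above), as an added example that is not the patent's own code. The patent collects response headers through a Java agent hooked into the HttpServlet service method; this Python example replaces that collection step with constructed (url, headers) records and applies the same classification: a missing X-Frame-Options is incorrect, ALLOW-FROM is suspicious, and a suspicious url that matches the locally maintained false-alarm list is changed to normal. It goes beyond the claims in two places a practitioner would want: conflicting or unrecognised X-Frame-Options values are also flagged, since browsers ignore values they do not recognise and the page stays frameable, and a Content-Security-Policy frame-ancestors directive is checked first, because browsers that support it ignore X-Frame-Options when that directive is present. Verdict names, the URL normalisation, the sample responses and the false-alarm list are assumptions made for this example; the auditing platform of claims 5 and 6 is not modelled.

```python
"""Clickjacking-header triage over captured HTTP responses.

Added example, not the patent's own code: the Java agent collection step is
replaced by constructed (url, headers) records so the logic runs offline.
Verdict names, URL normalisation and the sample data are assumptions.
"""
from urllib.parse import urlsplit, urlunsplit

# Verdicts (names assumed for this example).
NORMAL = "normal"          # DENY / SAMEORIGIN, or a restrictive CSP frame-ancestors
INCORRECT = "incorrect"    # header missing, or a value browsers do not recognise
SUSPICIOUS = "suspicious"  # ALLOW-FROM (ignored by current browsers), conflicting
                           # values, or a frame-ancestors list open to any origin

def _header_values(headers, name):
    """Case-insensitive lookup of every value for `name`, also splitting
    comma-joined values the way a proxy may have merged repeated headers."""
    out = []
    for key, value in headers:
        if key.lower() == name.lower():
            out.extend(p.strip() for p in value.split(",") if p.strip())
    return out

def _frame_ancestors(headers):
    """Source list of the first CSP frame-ancestors directive, or None."""
    for policy in _header_values(headers, "Content-Security-Policy"):
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return [t.lower() for t in tokens[1:]]
    return None

def classify_xfo(headers):
    """The patent's X-Frame-Options test, extended to conflicting and
    unrecognised values, which browsers ignore (so the page stays frameable)."""
    values = [v.upper() for v in _header_values(headers, "X-Frame-Options")]
    if not values:
        return INCORRECT, "X-Frame-Options missing"
    if any(v.startswith("ALLOW-FROM") for v in values):
        return SUSPICIOUS, "ALLOW-FROM is not honoured by current browsers"
    if len(set(values)) > 1:
        return SUSPICIOUS, "conflicting X-Frame-Options values: " + ", ".join(values)
    if values[0] in ("DENY", "SAMEORIGIN"):
        return NORMAL, "X-Frame-Options " + values[0]
    return INCORRECT, "unrecognised X-Frame-Options value: " + values[0]

def classify(headers):
    """Return (verdict, reason). A CSP frame-ancestors directive is checked
    first because browsers that support it ignore X-Frame-Options."""
    sources = _frame_ancestors(headers)
    if sources is not None:
        if "*" in sources or any(s in ("http:", "https:") for s in sources):
            return SUSPICIOUS, "frame-ancestors permits any origin: " + " ".join(sources)
        return NORMAL, "frame-ancestors " + " ".join(sources)
    return classify_xfo(headers)

def normalize_url(url):
    """Key used to match a suspicious url against the false-alarm list:
    scheme and host lower-cased, query and fragment dropped."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", "", ""))

def triage(responses, false_alarms=()):
    """responses: iterable of (url, [(header, value), ...]).
    Returns {url: (verdict, reason)}; a suspicious url that matches a locally
    maintained false-alarm url is changed to normal, as in claim 7."""
    known_ok = {normalize_url(u) for u in false_alarms}
    results = {}
    for url, headers in responses:
        verdict, reason = classify(headers)
        if verdict == SUSPICIOUS and normalize_url(url) in known_ok:
            verdict, reason = NORMAL, "matches local false-alarm list (" + reason + ")"
        results[url] = (verdict, reason)
    return results

# Constructed sample responses (not captured from any real system).
SAMPLE_RESPONSES = [
    ("https://app.example.test/login", [("X-Frame-Options", "DENY")]),
    ("https://app.example.test/account", [("Content-Type", "text/html")]),
    ("https://app.example.test/widget", [("x-frame-options", "ALLOW-FROM https://partner.example.test")]),
    ("https://app.example.test/embed?ref=1", [("X-Frame-Options", "ALLOW-FROM https://partner.example.test")]),
    ("https://app.example.test/admin", [("X-Frame-Options", "SAMEORIGIN"), ("X-Frame-Options", "ALLOWALL")]),
    ("https://app.example.test/docs", [("Content-Security-Policy", "frame-ancestors 'none'"),
                                       ("X-Frame-Options", "ALLOW-FROM https://old.example.test")]),
    ("https://app.example.test/help", [("Content-Security-Policy", "frame-ancestors *")]),
]
# Constructed false-alarm list: /embed was audited earlier and found benign.
FALSE_ALARMS = ["https://app.example.test/embed"]

if __name__ == "__main__":
    for url, (verdict, reason) in triage(SAMPLE_RESPONSES, FALSE_ALARMS).items():
        print(f"{verdict:<10} {url}  ({reason})")
```

Run as a script it prints one verdict per sample url. The false-alarm match is done on a normalised key (scheme, host, path) rather than the raw string, so that /embed?ref=1 matches the audited /embed entry; whether query strings should be ignored is a policy decision for the auditing platform, and the patent does not specify it.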
CN202110328616.1A 2021-03-26 2021-03-26 Method and device for detecting click hijacking and electronic equipment Active CN113158187B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110328616.1A CN113158187B (en) 2021-03-26 2021-03-26 Method and device for detecting click hijacking and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110328616.1A CN113158187B (en) 2021-03-26 2021-03-26 Method and device for detecting click hijacking and electronic equipment

Publications (2)

Publication Number Publication Date
CN113158187A CN113158187A (en) 2021-07-23
CN113158187B true CN113158187B (en) 2022-12-23

Family

ID=76885647

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110328616.1A Active CN113158187B (en) 2021-03-26 2021-03-26 Method and device for detecting click hijacking and electronic equipment

Country Status (1)

Country Link
CN (1) CN113158187B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115695050B (en) * 2022-12-31 2023-04-07 北京仁科互动网络技术有限公司 Method and device for preventing click hijacking attack, electronic equipment and storage medium

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104767747A (en) * 2015-03-30 2015-07-08 微梦创科网络科技(中国)有限公司 Click jacking safety detection method and device
CN110278207B (en) * 2019-06-21 2023-04-07 深圳前海微众银行股份有限公司 Click hijacking vulnerability detection method and device and computer equipment
CN111131223B (en) * 2019-12-20 2022-12-20 苏州浪潮智能科技有限公司 Test method and device for click hijacking

Also Published As

Publication number Publication date
CN113158187A (en) 2021-07-23

Similar Documents

Publication Publication Date Title
US11570211B1 (en) Detection of phishing attacks using similarity analysis
US10069856B2 (en) System and method of comparative evaluation for phishing mitigation
US10708302B2 (en) Systems and methods for identifying phishing web sites
US8424090B2 (en) Apparatus and method for detecting obfuscated malicious web page
US10262132B2 (en) Model-based computer attack analytics orchestration
US9229844B2 (en) System and method for monitoring web service
CN108183900B (en) Method, server, system, terminal device and storage medium for detecting mining script
CN111737692B (en) Application program risk detection method and device, equipment and storage medium
CN106548075B (en) Vulnerability detection method and device
CN111818011A (en) Abnormal access behavior recognition method and device, computer equipment and storage medium
CN104143008A (en) Method and device for detecting phishing webpage based on picture matching
CN104956372A (en) Determining coverage of dynamic security scans using runtime and static code analyses
CN111641588A (en) Webpage analog input detection method and device, computer equipment and storage medium
CN110868378A (en) Phishing mail detection method and device, electronic equipment and storage medium
WO2014131306A1 (en) Method and system for detecting network link
CN113158187B (en) Method and device for detecting click hijacking and electronic equipment
CN114065204A (en) File-free Trojan horse searching and killing method and device
CN111177727A (en) Vulnerability detection method and device
CN105391860A (en) Method and apparatus for processing communication request
Dam et al. Large-scale analysis of pop-up scam on typosquatting urls
CN109711149B (en) Dynamic updating mechanism judging method and application full life cycle behavior monitoring method
CN112395603B (en) Vulnerability attack identification method and device based on instruction execution sequence characteristics and computer equipment
CN111131166A (en) User behavior prejudging method and related equipment
CN110955894A (en) Malicious content detection method and device, electronic equipment and readable storage medium
CN112351009B (en) Network security protection method and device, electronic equipment and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant