CN113364815B - Cross-site scripting vulnerability attack defense method and device - Google Patents


Info

Publication number: CN113364815B
Application number: CN202110917933.7A
Authority: CN (China)
Prior art keywords: attack, strategy, cross, input parameter, matching
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN113364815A
Inventors: 赵文浩, 商帆, 王金明
Current assignee: Feihu Information Technology Tianjin Co Ltd
Original assignee: Feihu Information Technology Tianjin Co Ltd

Events: application filed by Feihu Information Technology Tianjin Co Ltd; priority to CN202110917933.7A; publication of CN113364815A; application granted; publication of CN113364815B; legal status active.

Classifications

    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
        • H04L63/1433 Vulnerability analysis
        • H04L63/1441 Countermeasures against malicious traffic

Abstract

The cross-site scripting vulnerability attack defense method and device intercept a data request sent by a sender; obtain at least one input parameter in the data request that can be called by an application program interface; perform attack mode identification matching on each input parameter according to at least one pre-configured cross-site scripting vulnerability attack identification strategy, identifying whether each input parameter matches at least one attack mode; and, for each input parameter successfully matched with any attack mode, process the input parameter according to the defense processing strategy corresponding to that attack mode to obtain a processing result. By intercepting the data request and applying the pre-configured identification strategies to its input parameters, the method and device can verify the legality of the input parameters in time and accurately identify the attack mode corresponding to each input parameter.

Description

Cross-site scripting vulnerability attack defense method and device
Technical Field
The disclosure relates to the technical field of computers, in particular to a cross-site scripting vulnerability attack defense method and device.
Background
With the development and popularization of computer technology, the HTTP protocol has become the de facto standard by which cloud services provide business APIs to users.
Because the functions and parameters provided by the HTTP protocol are complex and diverse, an attacker can exploit vulnerabilities to insert malicious code into the input parameters of a data request and carry out a cross-site scripting attack on the user. Since the illegal content is hidden among complex and diverse input parameters, verifying the legality of the input parameters in a data request becomes more difficult, and the accuracy of identifying the attack mode decreases.
Disclosure of Invention
In view of the foregoing problems, the present disclosure provides a method and an apparatus for defending against cross-site scripting vulnerability attacks, which overcome or at least partially solve the above problems. The technical solution is as follows:
a cross-site scripting vulnerability attack defense method comprises the following steps:
intercepting a data request sent by a sender;
obtaining at least one input parameter in the data request that can be called by an application program interface;
performing attack mode identification matching on each input parameter according to at least one pre-configured cross-site scripting vulnerability attack identification strategy, and identifying whether each input parameter matches at least one attack mode;
for each input parameter identified as successfully matched with any attack mode, processing the input parameter according to the defense processing strategy corresponding to that attack mode to obtain a processing result.
Optionally, after processing the input parameter according to the defense processing strategy corresponding to the attack mode and obtaining the processing result, the method further includes:
generating monitoring index data corresponding to the input parameter, where the monitoring index data comprises the source address of the data request, the parameter item of the input parameter, and the cross-site scripting vulnerability attack identification strategy that identified the input parameter as successfully matched with the attack mode; the parameter item comprises a parameter name and an original parameter value.
Optionally, the cross-site scripting vulnerability attack identification strategy includes: an attack identification strategy based on OWASP class-library encoding, an attack identification strategy based on escape character detection, and an attack identification strategy based on character string matching. The OWASP class-library encoding strategy identifies the illegal character attack mode, the escape character detection strategy identifies the escape character attack mode, and the character string matching strategy identifies the illegal character string attack mode.
Optionally, performing attack mode identification matching on each input parameter according to at least one pre-configured cross-site scripting vulnerability attack identification strategy, and identifying whether each input parameter matches at least one attack mode, includes:
when the identification strategy is the OWASP class-library encoding based attack identification strategy, API-encoding the input parameter using the OWASP library to obtain a first target parameter value of the encoded input parameter, comparing the first target parameter value with the original parameter value of the input parameter, and, if the first target parameter value is not equal to the original parameter value, determining that the input parameter is successfully matched with the illegal character attack mode.
Optionally, performing attack mode identification matching on each input parameter according to at least one pre-configured cross-site scripting vulnerability attack identification strategy, and identifying whether each input parameter matches at least one attack mode, includes:
when the identification strategy is the escape character detection based attack identification strategy, API-encoding the input parameter using the commons-lang utility class StringEscapeUtils to obtain a second target parameter value of the encoded input parameter, comparing the second target parameter value with the original parameter value of the input parameter, and, if the second target parameter value is not equal to the original parameter value, determining that the input parameter is successfully matched with the escape character attack mode.
Optionally, performing attack mode identification matching on each input parameter according to at least one pre-configured cross-site scripting vulnerability attack identification strategy, and identifying whether each input parameter matches at least one attack mode, includes:
when the identification strategy is the character string matching based attack identification strategy, matching the character strings in the input parameter using at least one character string matching strategy, and determining that the input parameter is successfully matched with the illegal character string attack mode if the character strings in the input parameter are successfully matched by any character string matching strategy, where the character string matching strategies include a character string prefix matching strategy, a character string suffix matching strategy, a character string regular expression matching strategy and a character string contains matching strategy.
Optionally, the defense processing strategy includes: performing replacement processing on the input parameter, performing filtering processing on the input parameter, and refusing to execute the input parameter.
Optionally, the cross-site scripting vulnerability attack identification strategy is stored in a preset configuration cache region of memory, where the preset configuration cache region is connected with a configuration center, and the method further includes:
writing the cross-site scripting vulnerability attack identification strategy configured in the configuration center into the preset configuration cache region.
Optionally, after generating the monitoring index data corresponding to the input parameter, the method further includes:
uploading the monitoring index data to a preset monitoring index buffer area of memory, where the preset monitoring index buffer area is connected with a monitoring center;
reporting the monitoring index data in the preset monitoring index buffer area to the monitoring center.
A cross-site scripting vulnerability attack defense apparatus comprises a request interception unit, a request input parameter acquisition unit, an attack mode matching unit and a defense processing unit, where:
the request interception unit is used for intercepting a data request sent by a sender;
the request input parameter acquisition unit is used for obtaining at least one input parameter in the data request that can be called by an application program interface;
the attack mode matching unit is used for performing attack mode identification matching on each input parameter according to at least one pre-configured cross-site scripting vulnerability attack identification strategy and identifying whether each input parameter matches at least one attack mode;
the defense processing unit is used for processing each input parameter identified as successfully matched with any attack mode according to the defense processing strategy corresponding to that attack mode, to obtain a processing result.
By means of the above technical scheme, the cross-site scripting vulnerability attack defense method and device can intercept a data request sent by a sender; obtain at least one input parameter in the data request that can be called by an application program interface; perform attack mode identification matching on each input parameter according to at least one pre-configured cross-site scripting vulnerability attack identification strategy, identifying whether each input parameter matches at least one attack mode; and, for each input parameter successfully matched with any attack mode, process the input parameter according to the defense processing strategy corresponding to that attack mode to obtain a processing result. By intercepting the data request and applying the pre-configured identification strategies to its input parameters, the method and device can verify the legality of the input parameters in time and accurately identify the attack mode corresponding to each input parameter.
The foregoing is only an overview of the technical solutions of the present disclosure. The embodiments of the disclosure are described below so that its technical means may be more clearly understood and the above and other objects, features and advantages become more readily apparent.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the disclosure. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 is a schematic diagram illustrating an implementation manner of a cross-site scripting vulnerability attack defense method according to an embodiment of the present disclosure;
fig. 2 is a schematic diagram illustrating another implementation manner of a cross-site scripting vulnerability attack defense method provided by an embodiment of the present disclosure;
fig. 3 is a schematic diagram illustrating another implementation manner of a cross-site scripting vulnerability attack defense method provided by an embodiment of the present disclosure;
fig. 4 is a schematic diagram illustrating another implementation manner of a cross-site scripting vulnerability attack defense method provided by an embodiment of the present disclosure;
fig. 5 is a schematic diagram illustrating another implementation manner of a cross-site scripting vulnerability attack defense method provided by an embodiment of the present disclosure;
fig. 6 is a schematic diagram illustrating another implementation manner of a cross-site scripting vulnerability attack defense method according to an embodiment of the present disclosure;
fig. 7 is a schematic diagram illustrating another implementation manner of a cross-site scripting vulnerability attack defense method according to an embodiment of the present disclosure;
fig. 8 is a schematic diagram illustrating a closed-loop working diagram for cross-site scripting vulnerability attack defense provided by an embodiment of the present disclosure;
fig. 9 is a schematic structural diagram illustrating a cross-site scripting vulnerability attack defense apparatus provided by an embodiment of the present disclosure;
fig. 10 shows a schematic structural diagram of an electronic device provided by an embodiment of the present disclosure.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
As shown in fig. 1, an implementation of the cross-site scripting vulnerability attack defense method provided by an embodiment of the present disclosure may include:
S100, intercepting a data request sent by a sender.
A cross-site scripting vulnerability attack (Cross Site Scripting, which would abbreviate to CSS) is one in which an attacker uses a program vulnerability to insert malicious script code into a web page; when a user browses the web page, the script code executes and attacks the electronic equipment the user is using. In the art, "XSS" is used as the abbreviation for cross-site scripting vulnerability attacks in order to distinguish it from the abbreviation for Cascading Style Sheets (CSS).
The embodiment of the disclosure intercepts all data requests sent by a sender by adding an attack recognition security filter (XSS Security Filter) to the data request filter chain (HTTP Filter) of the service server program of a hypertext transfer protocol application program interface (HTTP API). The filter is non-invasive, independent of the service, and placed ahead of any service processing.
The dependency library of the data request filter chain, implemented in Java, can be added to the SpringWebMVC project through Maven configuration.
Cross-site scripting vulnerability attacks are divided into reflected XSS, stored XSS, and DOM (Document Object Model) XSS.
S200, obtaining at least one input parameter in the data request that can be called by the application program interface.
In particular, embodiments of the present disclosure may obtain the input parameters in a data request from the standard APIs provided by the servlet-API class library. Optionally, all input parameters in the data request that can be called by the application program interface may be obtained and arranged into a parameter list, where each list item includes at least the parameter name and the original parameter value of the input parameter.
S300, performing attack mode identification matching on each input parameter according to at least one pre-configured cross-site scripting vulnerability attack identification strategy, and identifying whether each input parameter matches at least one attack mode.
Optionally, a plurality of cross-site scripting vulnerability attack identification strategies may be used in sequence to identify and match each input parameter in the parameter list.
An attack mode identification script can be pre-configured in the cross-site scripting vulnerability attack identification strategy. Optionally, the defense processing strategy corresponding to the identified attack mode may also be pre-configured in the identification strategy. When an attack mode of an input parameter is identified by a given identification strategy, the input parameter can be processed using the defense processing strategy configured in that strategy.
Optionally, the cross-site scripting vulnerability attack identification strategy includes: an attack identification strategy based on OWASP class-library encoding, an attack identification strategy based on escape character detection, and an attack identification strategy based on character string matching. The OWASP class-library encoding strategy identifies the illegal character attack mode, the escape character detection strategy identifies the escape character attack mode, and the character string matching strategy identifies the illegal character string attack mode.
Optionally, the cross-site scripting vulnerability attack identification strategy is stored in a preset configuration cache region of memory, and the preset configuration cache region is connected with a configuration center. Based on the method shown in fig. 1, fig. 2 shows another implementation of the cross-site scripting vulnerability attack defense method provided by an embodiment of the present disclosure, which may further include:
S01, writing the cross-site scripting vulnerability attack identification strategy configured in the configuration center into the preset configuration cache region.
It can be understood that, in the embodiment of the present disclosure, attack mode identification matching may be performed on each input parameter using the at least one pre-configured cross-site scripting vulnerability attack identification strategy held in the preset configuration cache region.
Optionally, the identification strategies in the preset configuration cache region may be arranged into a matching list. The identification strategies in the matching list are then used one by one to identify and match the input parameters in the parameter list in sequence.
For ease of understanding, an example: assume the parameter list contains a first, a second and a third input parameter in that order, and the matching list contains a first and a second cross-site scripting vulnerability attack identification strategy. The first input parameter is identified and matched with the first strategy and then with the second strategy. Next, the second input parameter is identified and matched with the first strategy and then with the second strategy. Finally, the third input parameter is identified and matched with the first strategy and then with the second strategy.
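The following Spring Web MVC filter is an added example, not code from the patent or from the assignee. It sketches S100 (a filter registered ahead of every business handler), S200 (the parameter list built from the servlet API) and the traversal order just described (parameters in list order, every strategy in matching-list order for each parameter). The `XssIdentificationStrategy` interface, the `ParameterItem` and `MatchResult` records, and the request attribute name are assumptions; `javax.servlet` assumes Spring Boot 2.x (Boot 3 uses `jakarta.servlet`).

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Optional;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.web.filter.OncePerRequestFilter;

/** One list item of the parameter list (S200): parameter name and original parameter value. */
record ParameterItem(String name, String originalValue) {}

/** One pre-configured identification strategy (hypothetical interface): the matched attack mode, if any. */
interface XssIdentificationStrategy {
    String name();
    Optional<String> match(String originalValue);
}

/** Which strategy matched which parameter with which attack mode; input to the defense processing of S400. */
record MatchResult(ParameterItem item, String strategyName, String attackMode) {}

/** The non-invasive XSS Security Filter of S100: independent of the service, ahead of any service processing. */
class XssSecurityFilter extends OncePerRequestFilter {
    static final String MATCHES_ATTRIBUTE = "xss.matches"; // request attribute read by the defense step (assumed name)

    private final List<XssIdentificationStrategy> matchingList;

    XssSecurityFilter(List<XssIdentificationStrategy> matchingList) {
        this.matchingList = List.copyOf(matchingList);
    }

    /** S200: every input parameter reachable through the servlet API, arranged as a parameter list. */
    static List<ParameterItem> parameterList(HttpServletRequest request) {
        List<ParameterItem> items = new ArrayList<>();
        for (Map.Entry<String, String[]> entry : request.getParameterMap().entrySet()) {
            for (String value : entry.getValue()) {          // a repeated name yields one item per value
                items.add(new ParameterItem(entry.getKey(), value));
            }
        }
        return items;
    }

    /** S300 traversal as described in the text: parameters in list order and, for each parameter,
     *  every strategy in matching-list order, so one parameter can collect several matches. */
    static List<MatchResult> identify(List<ParameterItem> parameters, List<XssIdentificationStrategy> matchingList) {
        List<MatchResult> results = new ArrayList<>();
        for (ParameterItem item : parameters) {
            for (XssIdentificationStrategy strategy : matchingList) {
                strategy.match(item.originalValue())
                        .ifPresent(mode -> results.add(new MatchResult(item, strategy.name(), mode)));
            }
        }
        return results;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        List<MatchResult> matches = identify(parameterList(request), matchingList);
        // Parameters with no match are legal and pass through untouched; the matches are handed on for the
        // defense processing of S400 (replace, filter or reject) before any business handler runs.
        request.setAttribute(MATCHES_ATTRIBUTE, matches);
        chain.doFilter(request, response);
    }
}

/** Registers the filter at highest precedence so it runs before every other filter and handler. */
@Configuration
class XssSecurityFilterConfig {
    @Bean
    FilterRegistrationBean<XssSecurityFilter> xssSecurityFilter(List<XssIdentificationStrategy> matchingList) {
        FilterRegistrationBean<XssSecurityFilter> registration =
                new FilterRegistrationBean<>(new XssSecurityFilter(matchingList));
        registration.setOrder(Ordered.HIGHEST_PRECEDENCE);
        registration.addUrlPatterns("/*");
        return registration;
    }
}
```

Two points a practitioner would check before relying on this placement: `getParameterMap()` covers query-string and form-encoded parameters only, so a JSON or multipart request body is not an "input parameter" in this sense and is not inspected by the filter; and the filter must run before anything else reads the parameters, which is why it is registered at `Ordered.HIGHEST_PRECEDENCE` rather than left at the default order.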
The configuration center can be a basic service component that uniformly manages the configurations of various applications, for example an Apollo configuration center, a Nacos configuration center or a Config configuration center. The user can edit and configure the cross-site scripting vulnerability attack identification strategy on the configuration center, and can do so according to a preset script format.
Specifically, the embodiment of the present disclosure may implement a configuration center access point interface in the SpringWebMVC project to access the configuration center. The configuration data of the identification strategy is read from the configuration query interface implemented by the accessed configuration center and written into the preset configuration cache region. After the identification strategy has been written into the preset configuration cache region, the embodiment waits a preset duration and then reads the configuration data from the configuration query interface of the accessed configuration center again. The preset duration may be 1 second.
It should be noted that the identification strategy is configured and issued through the configuration center; no operation (such as a service restart) is required after issuance, and the identification strategy takes effect immediately.
By accessing at least one configuration center without shutting down the service, the embodiment of the disclosure lets the user dynamically adjust and create new identification strategies online, improving the capability to identify attack modes in time.
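An added example of the cache-and-refresh loop just described (not the patent's or the assignee's code): the strategy list read from the configuration center is written into an in-memory cache that is swapped atomically, re-read every second, and never emptied by a failed read. The `ConfigurationQuery` interface stands in for whichever configuration center client (Apollo, Nacos, Config) is actually accessed, and the `StrategyConfig` record is a constructed script format; both are assumptions.

```java
import java.util.List;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicReference;
import java.util.logging.Level;
import java.util.logging.Logger;

/** One identification strategy as configured on the configuration center (constructed script format). */
record StrategyConfig(String name, String type, List<String> targets, String defenseAction) {}

/** The configuration query interface of the accessed configuration center (hypothetical; an Apollo or
 *  Nacos client would be wrapped behind it). */
interface ConfigurationQuery {
    List<StrategyConfig> readStrategies();
}

/** Preset configuration cache region: the matching list in force, replaced atomically on each refresh. */
final class StrategyConfigCache {
    private static final Logger LOG = Logger.getLogger(StrategyConfigCache.class.getName());

    private final ConfigurationQuery configurationCenter;
    private final AtomicReference<List<StrategyConfig>> cache = new AtomicReference<>(List.of());
    private final ScheduledExecutorService scheduler = Executors.newSingleThreadScheduledExecutor(runnable -> {
        Thread thread = new Thread(runnable, "xss-strategy-refresh");
        thread.setDaemon(true);
        return thread;
    });

    StrategyConfigCache(ConfigurationQuery configurationCenter) {
        this.configurationCenter = configurationCenter;
    }

    /** S01: read the strategies from the configuration query interface and write them into the cache.
     *  The new list is visible to the next intercepted request; no service restart is involved. */
    void refresh() {
        try {
            cache.set(List.copyOf(configurationCenter.readStrategies()));
        } catch (RuntimeException e) {
            // Design choice: keep the last known-good matching list rather than emptying it when the
            // configuration center is unreachable, so a configuration outage does not disable detection.
            LOG.log(Level.WARNING, "configuration center read failed; keeping cached strategies", e);
        }
    }

    /** Refresh, wait the preset duration (1 second in the text), refresh again. */
    void start() {
        scheduler.scheduleWithFixedDelay(this::refresh, 0, 1, TimeUnit.SECONDS);
    }

    /** The matching list the filter iterates for each input parameter. */
    List<StrategyConfig> matchingList() {
        return cache.get();
    }
}
```

A request that is in the middle of iterating `matchingList()` keeps the list reference it obtained, so a refresh landing mid-request cannot leave it with a half-updated list; the swap is only ever between two complete, immutable copies.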
It can be understood that, if every cross-site scripting vulnerability attack identification strategy in the preset configuration cache region fails to match the input parameter with an attack mode, the input parameter is determined to be a legal input parameter. The embodiment of the disclosure does not process legal input parameters further.
Optionally, based on the method shown in fig. 1, fig. 3 shows another implementation of the cross-site scripting vulnerability attack defense method provided by an embodiment of the present disclosure, in which step S300 may include:
S310, when the cross-site scripting vulnerability attack identification strategy is the OWASP class-library encoding based attack identification strategy, API-encoding the input parameter using the OWASP library to obtain a first target parameter value of the encoded input parameter.
S311, comparing the first target parameter value with the original parameter value of the input parameter, and, if the first target parameter value is not equal to the original parameter value, executing step S312.
S312, determining that the input parameter is successfully matched with the illegal character attack mode.
It is understood that, if the first target parameter value is equal to the original parameter value, the input parameter is determined not to match the illegal character attack mode.
By API-encoding the input parameter with the OWASP library and checking whether the parameter value changes between before and after encoding, the method and device can accurately identify whether the input parameter matches the illegal character attack mode.
Optionally, based on the method shown in fig. 1, fig. 4 shows another implementation of the cross-site scripting vulnerability attack defense method provided by an embodiment of the present disclosure, in which step S300 may include:
S320, when the cross-site scripting vulnerability attack identification strategy is the escape character detection based attack identification strategy, API-encoding the input parameter using the commons-lang utility class StringEscapeUtils to obtain a second target parameter value of the encoded input parameter.
S321, comparing the second target parameter value with the original parameter value of the input parameter, and, if the second target parameter value is not equal to the original parameter value, executing step S322.
S322, determining that the input parameter is successfully matched with the escape character attack mode.
It will be appreciated that, if the second target parameter value is equal to the original parameter value, the input parameter is determined not to match the escape character attack mode.
By API-encoding the input parameter with the commons-lang utility class StringEscapeUtils and checking whether the parameter value changes between before and after encoding, the method and device can accurately identify whether the input parameter matches the escape character attack mode.
Optionally, based on the method shown in fig. 1, fig. 5 shows another implementation of the cross-site scripting vulnerability attack defense method provided by an embodiment of the present disclosure, in which step S300 may include:
S330, when the cross-site scripting vulnerability attack identification strategy is the character string matching based attack identification strategy, matching the character strings in the input parameter using at least one character string matching strategy, and, if the character strings in the input parameter are successfully matched by any character string matching strategy, determining that the input parameter is successfully matched with the illegal character string attack mode.
The character string matching strategies include a character string prefix matching strategy, a character string suffix matching strategy, a character string regular expression matching strategy and a character string contains matching strategy.
The character string prefix matching strategy identifies whether the input parameter contains the target prefix and, if so, determines that the input parameter is successfully matched with the illegal character string attack mode.
The character string suffix matching strategy identifies whether the input parameter contains the target suffix and, if so, determines that the input parameter is successfully matched with the illegal character string attack mode.
The character string regular expression matching strategy identifies whether the input parameter matches the target regular expression and, if so, determines that the input parameter is successfully matched with the illegal character string attack mode.
The character string contains matching strategy identifies whether the input parameter contains the target character string and, if so, determines that the input parameter is successfully matched with the illegal character string attack mode.
Through at least one character string matching strategy, the embodiment of the disclosure can identify whether the input parameter carries an illegal character string, and thereby accurately identify whether the input parameter matches the illegal character string attack mode.
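The three identification strategies of S310 to S330, written out as an added example rather than as the patent's or the assignee's code. It uses the real `Encode.forHtml` of the OWASP Java Encoder and `StringEscapeUtils.escapeHtml4` of commons-lang3 (deprecated there in favour of commons-text, but still present); that HTML encoding is the "API coding" meant is an assumption, as are the `AttackMode` enum, the interface shape and every target string in the demo, which is constructed configuration.

```java
import java.util.List;
import java.util.Optional;
import java.util.regex.Pattern;

import org.apache.commons.lang3.StringEscapeUtils;
import org.owasp.encoder.Encode;

/** The three attack modes the identification strategies report (S310 to S330). */
enum AttackMode { ILLEGAL_CHARACTER, ESCAPE_CHARACTER, ILLEGAL_STRING }

/** Common shape of a pre-configured identification strategy (hypothetical interface). */
interface XssIdentificationStrategy {
    Optional<AttackMode> match(String originalValue);
}

/** S310 to S312: encode with the OWASP class library; a value the encoder changes contains an illegal character. */
final class OwaspEncodingStrategy implements XssIdentificationStrategy {
    @Override
    public Optional<AttackMode> match(String originalValue) {
        if (originalValue == null) return Optional.empty();
        String firstTargetValue = Encode.forHtml(originalValue);              // OWASP Java Encoder
        return firstTargetValue.equals(originalValue) ? Optional.empty() : Optional.of(AttackMode.ILLEGAL_CHARACTER);
    }
}

/** S320 to S322: escape with commons-lang StringEscapeUtils; a value the escaper changes contains escape characters. */
final class EscapeCharacterStrategy implements XssIdentificationStrategy {
    @Override
    public Optional<AttackMode> match(String originalValue) {
        if (originalValue == null) return Optional.empty();
        String secondTargetValue = StringEscapeUtils.escapeHtml4(originalValue); // HTML escaping assumed
        return secondTargetValue.equals(originalValue) ? Optional.empty() : Optional.of(AttackMode.ESCAPE_CHARACTER);
    }
}

/** S330: prefix, suffix, regular-expression and contains matching against configured target strings. */
final class StringMatchingStrategy implements XssIdentificationStrategy {
    private final List<String> targetPrefixes;
    private final List<String> targetSuffixes;
    private final List<Pattern> targetRegexes;
    private final List<String> targetSubstrings;

    StringMatchingStrategy(List<String> prefixes, List<String> suffixes, List<String> regexes, List<String> substrings) {
        this.targetPrefixes = List.copyOf(prefixes);
        this.targetSuffixes = List.copyOf(suffixes);
        this.targetRegexes = regexes.stream().map(Pattern::compile).toList();  // compiled once, not per request
        this.targetSubstrings = List.copyOf(substrings);
    }

    @Override
    public Optional<AttackMode> match(String originalValue) {
        if (originalValue == null) return Optional.empty();
        boolean matched = targetPrefixes.stream().anyMatch(originalValue::startsWith)
                || targetSuffixes.stream().anyMatch(originalValue::endsWith)
                || targetRegexes.stream().anyMatch(regex -> regex.matcher(originalValue).find())
                || targetSubstrings.stream().anyMatch(originalValue::contains);
        return matched ? Optional.of(AttackMode.ILLEGAL_STRING) : Optional.empty();
    }
}

/** Constructed sample run; the target strings below are example configuration, not values from the patent. */
class StrategyDemo {
    public static void main(String[] args) {
        List<XssIdentificationStrategy> matchingList = List.of(
                new OwaspEncodingStrategy(),
                new EscapeCharacterStrategy(),
                new StringMatchingStrategy(
                        List.of("<"), List.of(">"), List.of("(?i)<\\s*script"), List.of("javascript:")));
        // Constructed inputs: a plain value, the classic script tag, a legitimate '&', a non-ASCII letter.
        for (String value : List.of("alice", "<script>alert(1)</script>", "Tom & Jerry", "caf\u00e9")) {
            for (XssIdentificationStrategy strategy : matchingList) {
                strategy.match(value).ifPresent(mode -> System.out.println(
                        strategy.getClass().getSimpleName() + " flags \"" + value + "\" as " + mode));
            }
        }
    }
}
```

Running the demo shows the trade-off behind encode-and-compare: "alice" is legal under all three strategies and the script tag trips all three, but "Tom & Jerry" is flagged by both encoding strategies because '&' is HTML-significant, and "café" is flagged by the escape character strategy alone, since `escapeHtml4` rewrites accented letters as named entities. Parameters that legitimately carry such characters therefore want the replace strategy of S400, not reject, and the string-matching targets should be kept narrow so that the illegal string mode stays a high-confidence signal.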
S400, for each input parameter that has been successfully matched with any attack mode: processing the input parameter according to the defense processing strategy corresponding to that attack mode, to obtain a processing result.
Optionally, the defense processing strategy may include: performing replacement processing on the input parameter, performing filtering processing on the input parameter, and refusing to execute the input parameter.
It is to be understood that an attack mode may correspond to at least one defense processing strategy; the embodiment of the disclosure does not further limit this.
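The following is an added Python illustration of steps S300 and S400 (the three identification strategies and the three defense processing strategies); it is not code from the patent or its applicant, and the device units 300 and 400 described later on this page implement the same steps. The patent encodes with the OWASP library and with commons-lang StringEscapeUtils inside a Java service; here `html.escape` and a JSON/JavaScript-style escaper play those roles, and the rule list, the policy table, the parameter values and the `[removed]` replacement marker are all constructed assumptions.

```python
import html
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class StringRule:
    kind: str    # 'prefix', 'suffix', 'regex' or 'contains'
    target: str  # the prefix, suffix, pattern or substring to look for

@dataclass(frozen=True)
class ProcessingResult:
    action: str                 # 'pass', 'replace', 'filter' or 'reject'
    attack_mode: Optional[str]  # None when no strategy matched
    value: Optional[str]        # processed value; None when execution is refused

def _js_escape(text: str) -> str:
    # JavaScript-style escaping of quotes, backslashes and control characters;
    # stands in for StringEscapeUtils (assumption). Surrounding quotes are dropped.
    return json.dumps(text, ensure_ascii=False)[1:-1]

# Step S300: each strategy returns the attack mode it matched, or None.
def owasp_encoding_strategy(value: str) -> Optional[str]:
    # Encode-and-compare; html.escape stands in for the OWASP encoder (assumption).
    return "illegal_character" if html.escape(value, quote=True) != value else None

def escape_char_strategy(value: str) -> Optional[str]:
    # Encode-and-compare with the JavaScript-style escaper.
    return "escape_character" if _js_escape(value) != value else None

_MATCHERS = {  # the four string matching strategies
    "prefix": lambda v, t: v.startswith(t),
    "suffix": lambda v, t: v.endswith(t),
    "regex": lambda v, t: re.search(t, v) is not None,
    "contains": lambda v, t: t in v,
}

def string_matching_strategy(value: str, rules: List[StringRule]) -> Optional[str]:
    hit = any(_MATCHERS[rule.kind](value, rule.target) for rule in rules)
    return "illegal_string" if hit else None

# Step S400: replace, filter or refuse, chosen per attack mode by the policy.
ENCODERS = {"illegal_character": html.escape, "escape_character": _js_escape}

def _keep_unchanged(value: str, encoder) -> str:
    # Filtering for the character-based modes: keep only characters the encoder leaves alone.
    return "".join(c for c in value if encoder(c) == c)

def _rewrite_matches(value: str, rules: List[StringRule], replacement: str) -> str:
    # Replace every rule hit with `replacement`; an empty replacement filters it out.
    for rule in rules:
        if rule.kind == "prefix" and value.startswith(rule.target):
            value = replacement + value[len(rule.target):]
        elif rule.kind == "suffix" and value.endswith(rule.target):
            value = value[:len(value) - len(rule.target)] + replacement
        elif rule.kind == "regex":
            value = re.sub(rule.target, replacement, value)
        elif rule.kind == "contains":
            value = value.replace(rule.target, replacement)
    return value

def apply_defense(value: str, attack_mode: str, action: str,
                  rules: List[StringRule]) -> ProcessingResult:
    if action not in ("replace", "filter", "reject"):
        raise ValueError(f"unknown defense action {action!r}")
    if action == "reject":
        return ProcessingResult("reject", attack_mode, None)
    if attack_mode == "illegal_string":
        processed = _rewrite_matches(value, rules, "[removed]" if action == "replace" else "")
    elif action == "replace":
        processed = ENCODERS[attack_mode](value)
    else:
        processed = _keep_unchanged(value, ENCODERS[attack_mode])
    return ProcessingResult(action, attack_mode, processed)

def identify_and_process(params: Dict[str, str], rules: List[StringRule],
                         policy: Dict[str, str]) -> Dict[str, ProcessingResult]:
    # Strategies run in the page's order; the first matching mode picks the action.
    results: Dict[str, ProcessingResult] = {}
    for name, value in params.items():
        mode = (owasp_encoding_strategy(value) or escape_char_strategy(value)
                or string_matching_strategy(value, rules))
        results[name] = (ProcessingResult("pass", None, value) if mode is None
                         else apply_defense(value, mode, policy[mode], rules))
    return results

# Constructed sample input (not from the patent): one clean parameter and one per
# attack mode. The rules, the policy and the "[removed]" marker are assumptions.
SAMPLE_PARAMS = {
    "username": "alice",
    "comment": "<b>hello</b>",          # HTML-significant characters
    "note": "line one\nline two",       # control character the escaper rewrites
    "redirect": "javascript:void(0)",   # hits the prefix rule
}
SAMPLE_RULES = [StringRule("prefix", "javascript:"), StringRule("suffix", ".js"),
                StringRule("regex", r"<\s*script"), StringRule("contains", "onerror=")]
SAMPLE_POLICY = {"illegal_character": "replace", "escape_character": "filter",
                 "illegal_string": "reject"}
```

Calling `identify_and_process(SAMPLE_PARAMS, SAMPLE_RULES, SAMPLE_POLICY)` passes `username` untouched, encodes `comment` to `&lt;b&gt;hello&lt;/b&gt;`, strips the newline from `note`, and refuses `redirect`. Two properties of the design are worth noticing: the encode-and-compare strategies catch any character the chosen encoder would have to rewrite, so their coverage is exactly the encoder's coverage and nothing more, and the string matching strategy compares literal bytes, so any normalisation (case folding, URL or entity decoding) has to happen before matching or a rule will be bypassed by a trivially re-encoded value.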
Optionally, based on the method shown in fig. 1, and as shown in fig. 6 (another implementation schematic diagram of the cross-site scripting vulnerability attack defense method provided in the embodiment of the present disclosure), the method further includes, after step S400:
S500, generating monitoring index data corresponding to the input parameter.
The monitoring index data comprises the source address of the data request, the parameter item of the input parameter, and the cross-site scripting vulnerability attack identification strategy that identified the successful match between the input parameter and the attack mode; the parameter item comprises the parameter name and the original parameter value.
Optionally, based on the method shown in fig. 6, and as shown in fig. 7 (another implementation schematic diagram of the cross-site scripting vulnerability attack defense method provided in the embodiment of the present disclosure), the method further includes, after step S500:
S600, uploading the monitoring index data to a preset monitoring index buffer area in memory, the preset monitoring index buffer area being connected with a monitoring center.
S700, reporting the monitoring index data in the preset monitoring index buffer area to the monitoring center.
The monitoring center may be any monitoring system that provides a monitoring service, for example a Prometheus monitoring center. Optionally, the embodiment of the present disclosure may connect to a plurality of monitoring centers. The embodiment of the disclosure can implement the access point interface of the monitoring center in the Spring Web MVC project in order to connect to the monitoring center. The monitoring index data is read out of the preset monitoring index buffer area at a preset time interval and reported to the connected monitoring center.
The embodiment of the disclosure can configure the connected monitoring center, for example by creating a chart, adding a query and configuring the monitored content. The monitored content may be statistics on input parameters identified as matching an attack mode, such as the frequency, counted per second, with which input parameters are identified as matching an attack mode.
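The following is an added Python illustration of steps S500 to S700 (generating monitoring index data, buffering it in memory, and reporting it at intervals), not code from the patent; the monitoring index data uploading and reporting units in the device description later on this page perform the same work. The buffer bound, the metric name `xss_attack_matches_total`, the choice of labels and the sample records are assumptions; the text exposition format rendered here is the one a Prometheus monitoring center scrapes.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class MonitoringRecord:
    # The monitoring index data the page lists for one matched parameter.
    source_address: str
    parameter_name: str
    original_value: str
    strategy: str  # identification strategy that produced the match

class MonitoringBuffer:
    # In-memory stand-in for the "preset monitoring index buffer area". The bound
    # is an assumption: it keeps a burst of matches from growing memory without limit.
    def __init__(self, max_records: int = 10_000) -> None:
        self._records: List[MonitoringRecord] = []
        self.max_records = max_records
        self.dropped = 0

    def upload(self, record: MonitoringRecord) -> bool:
        if len(self._records) >= self.max_records:
            self.dropped += 1
            return False
        self._records.append(record)
        return True

    def drain(self) -> List[MonitoringRecord]:
        # Hand the buffered records to the reporter and start a fresh window.
        records, self._records = self._records, []
        return records

def count_by_strategy(records: List[MonitoringRecord]) -> Dict[str, int]:
    return dict(Counter(r.strategy for r in records))

def matches_per_second(counts: Dict[str, int], window_seconds: float) -> Dict[str, float]:
    # The per-second match frequency the page names as monitored content.
    return {strategy: n / window_seconds for strategy, n in counts.items()}

def _escape_label(value: str) -> str:
    # Prometheus label values must escape backslash, double quote and newline;
    # parameter names arrive in the request, so this cannot be skipped.
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")

def to_prometheus_text(records: List[MonitoringRecord]) -> str:
    # Counters labelled by strategy and parameter name only: source address and
    # original value stay in the record, since unbounded label values would
    # create one time series per attacker address or payload.
    counts = Counter((r.strategy, r.parameter_name) for r in records)
    lines = ["# HELP xss_attack_matches_total Input parameters matched to an attack mode.",
             "# TYPE xss_attack_matches_total counter"]
    for (strategy, param), n in sorted(counts.items()):
        lines.append(f'xss_attack_matches_total{{strategy="{_escape_label(strategy)}",'
                     f'parameter="{_escape_label(param)}"}} {n}')
    return "\n".join(lines) + "\n"

def report(buffer: MonitoringBuffer, window_seconds: float) -> Dict[str, object]:
    # One reporting tick at the preset interval: drain the buffer, build what is sent.
    records = buffer.drain()
    counts = count_by_strategy(records)
    return {"counts": counts,
            "per_second": matches_per_second(counts, window_seconds),
            "exposition": to_prometheus_text(records),
            "dropped": buffer.dropped}

# Constructed sample records (not from the patent); addresses are documentation ranges.
SAMPLE_RECORDS = [
    MonitoringRecord("203.0.113.5", "comment", "<b>hi</b>", "owasp_encoding"),
    MonitoringRecord("203.0.113.5", "comment", "<i>x</i>", "owasp_encoding"),
    MonitoringRecord("198.51.100.7", "note", "a\nb", "escape_char"),
    MonitoringRecord("198.51.100.7", 'na"me', "x", "string_matching"),
]

if __name__ == "__main__":
    buf = MonitoringBuffer()
    for rec in SAMPLE_RECORDS:
        buf.upload(rec)
    print(report(buf, window_seconds=10.0)["exposition"])
```

Running the module prints one counter line per strategy and parameter pair, and `report()` also returns the per-second rate the page describes; the `dropped` counter is the signal that the buffer bound was hit and the reporting interval should be shortened.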
According to the monitoring result of the monitoring center, the attack mode identification script and the defense processing strategy in the cross-site script vulnerability attack identification strategy can be adjusted in real time.
Through the connection to the monitoring center, the embodiment of the invention can track cross-site scripting vulnerability attacks in real time, which provides a reference for improving the defense capability against cross-site scripting vulnerability attacks.
The cross-site scripting vulnerability attack defense method described above intercepts a data request sent by a sender; obtains at least one input parameter in the data request that can be called by an application program interface; performs attack mode identification matching processing on each input parameter according to at least one pre-configured cross-site scripting vulnerability attack identification strategy, identifying whether each input parameter is matched with at least one attack mode; and, for each input parameter successfully matched with any attack mode, processes the input parameter according to the defense processing strategy corresponding to that attack mode to obtain a processing result. Because the data request is intercepted and its input parameters are checked against at least one pre-configured cross-site scripting vulnerability attack identification strategy, the legality of the input parameters can be verified in time and the attack mode corresponding to each input parameter can be accurately identified.
Optionally, the cross-site scripting vulnerability attack defense method provided by the embodiment of the disclosure can be applied to a service server. As shown in fig. 8, the service end is connected to a configuration center and to a monitoring center. The configuration center provides the cross-site scripting vulnerability attack identification strategy to the service end; the service end uses that strategy to identify cross-site scripting vulnerability attacks in data requests and reports the monitoring index data generated for the identified attacks to the monitoring center; the monitoring center, from the monitoring index data, provides data support for optimizing the identification strategy; and the operation and maintenance personnel of the service end optimize the identification strategy in the configuration center according to the data provided by the monitoring center.
The service server, the configuration center, the monitoring center and the operation and maintenance personnel thus form a closed loop of cross-site scripting vulnerability attack defense work, which can flexibly respond to diverse cross-site scripting attack techniques and thereby continuously and cyclically improve the defense capability against cross-site scripting vulnerability attacks.
It should be understood that while operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order. Under certain circumstances, multitasking and parallel processing may be advantageous. The various steps recited in method embodiments of the present disclosure may be performed in a different order and/or performed in parallel. Moreover, method embodiments may include additional steps and/or omit performing the illustrated steps. The scope of the present disclosure is not limited in this respect.
Corresponding to the foregoing method embodiment, a cross-site scripting vulnerability attack defense device provided in the embodiment of the present disclosure has a structure as shown in fig. 9, and may include: a request interception unit 100, a request input parameter obtaining unit 200, an attack pattern matching unit 300, and a defense processing unit 400.
The request intercepting unit 100 is configured to intercept a data request sent by a sender.
The request input parameter obtaining unit 200 is configured to obtain at least one input parameter in the data request that can be called by the application program interface.
The attack pattern matching unit 300 is configured to perform attack pattern identification matching processing on each input parameter according to at least one pre-configured cross-site scripting vulnerability attack identification strategy, and to identify whether each input parameter is matched with at least one attack pattern.
Optionally, the cross-site scripting vulnerability attack identification strategy includes: an attack identification strategy based on OWASP class library coding, an attack identification strategy based on escape character detection, and an attack identification strategy based on character string matching. The OWASP class library coding-based attack identification strategy identifies the illegal character attack mode, the escape character detection-based attack identification strategy identifies the escape character attack mode, and the character string matching-based attack identification strategy identifies the illegal character string attack mode.
Optionally, the cross-site scripting vulnerability attack identification strategy is stored in a preset configuration cache region of the memory, and the preset configuration cache region is connected with the configuration center. The cross-site scripting vulnerability attack defense device provided by the embodiment of the disclosure may further include a strategy writing unit.
The strategy writing unit is used for writing the cross-site scripting vulnerability attack identification strategy configured in the configuration center into the preset configuration cache region.
Optionally, the attack pattern matching unit 300 includes: a first target parameter value obtaining subunit, a first parameter value comparing subunit and a first matching result determining subunit.
The first target parameter value obtaining subunit is used, when the cross-site scripting vulnerability attack identification strategy is the OWASP class library coding-based attack identification strategy, for performing API coding on the input parameter with the OWASP library and obtaining the first target parameter value of the coded input parameter.
The first parameter value comparing subunit is used for comparing the first target parameter value with the original parameter value of the input parameter, and for triggering the first matching result determining subunit if the first target parameter value is not equal to the original parameter value.
The first matching result determining subunit is used for determining that the input parameter is successfully matched with the illegal character attack mode.
Optionally, the attack pattern matching unit 300 includes: a second target parameter value obtaining subunit, a second parameter value comparing subunit and a second matching result determining subunit.
The second target parameter value obtaining subunit is used, when the cross-site scripting vulnerability attack identification strategy is the escape character detection-based attack identification strategy, for performing API coding on the input parameter with the commons-lang utility class StringEscapeUtils and obtaining the second target parameter value of the coded input parameter.
The second parameter value comparing subunit is used for comparing the second target parameter value with the original parameter value of the input parameter, and for triggering the second matching result determining subunit if the second target parameter value is not equal to the original parameter value.
The second matching result determining subunit is used for determining that the input parameter is successfully matched with the escape character attack mode.
Optionally, the attack pattern matching unit 300 includes: a character string matching subunit and a third matching result determining subunit.
The character string matching subunit is used, when the cross-site scripting vulnerability attack identification strategy is the character string matching-based attack identification strategy, for matching the character strings in the input parameter with each of at least one character string matching strategy, and for triggering the third matching result determining subunit if the character strings in the input parameter are successfully matched by any character string matching strategy.
The third matching result determining subunit is used for determining that the input parameter is successfully matched with the illegal character string attack mode.
The character string matching strategy comprises a character string prefix matching strategy, a character string suffix matching strategy, a character string regular matching strategy and a character string containing matching strategy.
The defense processing unit 400 is used, for each input parameter identified as successfully matched with any attack mode, for processing the input parameter according to the defense processing strategy corresponding to that attack mode to obtain a processing result.
Optionally, the defense processing strategy includes: performing replacement processing on the input parameter, performing filtering processing on the input parameter, and refusing to execute the input parameter.
Optionally, the cross-site scripting vulnerability attack defense device provided by the embodiment of the present disclosure may further include a monitoring index data generating unit.
The monitoring index data generating unit is used for generating monitoring index data corresponding to the input parameter, wherein the monitoring index data comprises the source address of the data request, the parameter item of the input parameter, and the cross-site scripting vulnerability attack identification strategy that identified the successful match between the input parameter and the attack mode; the parameter item comprises the parameter name and the original parameter value.
Optionally, the cross-site scripting vulnerability attack defense device provided by the embodiment of the present disclosure may further include a monitoring index data uploading unit and a monitoring index data reporting unit.
The monitoring index data uploading unit is used for uploading the monitoring index data to a preset monitoring index buffer area in memory, the preset monitoring index buffer area being connected with the monitoring center.
The monitoring index data reporting unit is used for reporting the monitoring index data in the preset monitoring index buffer area to the monitoring center.
The cross-site scripting vulnerability attack defense device described above can intercept a data request sent by a sender; obtain at least one input parameter in the data request that can be called by an application program interface; perform attack mode identification matching processing on each input parameter according to at least one pre-configured cross-site scripting vulnerability attack identification strategy, identifying whether each input parameter is matched with at least one attack mode; and, for each input parameter successfully matched with any attack mode, process the input parameter according to the defense processing strategy corresponding to that attack mode to obtain a processing result. Because the data request is intercepted and its input parameters are checked against at least one pre-configured cross-site scripting vulnerability attack identification strategy, the legality of the input parameters can be verified in time and the attack mode corresponding to each input parameter can be accurately identified.
With regard to the apparatus in the above-described embodiment, the specific manner in which each module performs the operation has been described in detail in the embodiment related to the method, and will not be elaborated here.
The cross-site script vulnerability attack defense device comprises a processor and a memory, wherein the request interception unit, the request input parameter acquisition unit, the attack mode matching unit, the defense processing unit and the like are stored in the memory as program units, and the processor executes the program units stored in the memory to realize corresponding functions.
The processor comprises a kernel, and the kernel calls the corresponding program unit from the memory. The kernel can be set to be one or more than one, the data request is intercepted by adjusting kernel parameters, and the attack mode identification is carried out on the input parameters in the data request by using at least one pre-configured cross-site script vulnerability attack identification strategy, so that the legality verification can be carried out on the input parameters in time, and the attack mode corresponding to the input parameters can be accurately identified.
The disclosed embodiments provide a computer-readable storage medium on which a program is stored, which, when executed by a processor, implements the cross-site scripting vulnerability attack defense method.
The embodiment of the disclosure provides a processor, which is used for running a program, wherein the cross-site scripting vulnerability attack defense method is executed when the program runs.
As shown in fig. 10, an embodiment of the present disclosure provides an electronic device 1000, where the electronic device 1000 includes at least one processor 1001, and at least one memory 1002 and a bus 1003 connected to the processor 1001; the processor 1001 and the memory 1002 complete communication with each other through the bus 1003; the processor 1001 is configured to call program instructions in the memory 1002 to execute the cross-site scripting vulnerability attack defense method described above. The electronic device herein may be a server, a PC, a PAD, a mobile phone, etc.
The present disclosure also provides a computer program product adapted to execute a program initialized with the above-mentioned steps of the cross-site scripting vulnerability attack defense method when executed on an electronic device.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus, electronic devices (systems), and computer program products according to embodiments of the disclosure. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, an electronic device includes one or more processors (CPUs), memory, and a bus. The electronic device may also include input/output interfaces, network interfaces, and the like.
The memory may include volatile memory in a computer readable medium, Random Access Memory (RAM) and/or nonvolatile memory such as Read Only Memory (ROM) or flash memory (flash RAM), and the memory includes at least one memory chip. The memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
In the description of the present disclosure, it is to be understood that the directions or positional relationships indicated as referring to the terms "upper", "lower", "front", "rear", "left" and "right", etc., are based on the directions or positional relationships shown in the drawings, and are only for convenience of describing the present invention and simplifying the description, but do not indicate or imply that the positions or elements referred to must have specific directions, be constituted and operated in specific directions, and thus, are not to be construed as limitations of the present disclosure.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and so forth) having computer-usable program code embodied therein.
The above are merely examples of the present disclosure, and are not intended to limit the present disclosure. Various modifications and variations of this disclosure will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present disclosure should be included in the scope of the claims of the present disclosure.

Claims (9)

1. A cross-site scripting vulnerability attack defense method is characterized by comprising the following steps:
intercepting a data request sent by a sender;
obtaining at least one input parameter which can be called by an application program interface in the data request;
according to at least one pre-configured cross-site script vulnerability attack identification strategy, respectively carrying out attack mode identification matching processing on each input parameter, and identifying whether each input parameter is matched with at least one attack mode; the cross-site scripting vulnerability attack identification strategy comprises the following steps: an attack identification strategy based on OWASP class library coding, an attack identification strategy based on escape character detection and an attack identification strategy based on character string matching;
for the input parameters which are identified to be successfully matched with any attack mode: processing the input parameters according to the defense processing strategy corresponding to the attack mode to obtain a processing result;
the method comprises the following steps of respectively carrying out attack mode identification matching processing on each input parameter according to at least one pre-configured cross-site script vulnerability attack identification strategy, and identifying whether each input parameter is matched with at least one attack mode, wherein the method comprises the following steps:
and under the condition that the cross-site script vulnerability attack identification strategy is the OWASP class library coding-based attack identification strategy, an OWASP library is used for carrying out API coding on the input parameter, a first target parameter value of the coded input parameter is obtained, the first target parameter value is compared with an original parameter value of the input parameter, and if the first target parameter value is not equal to the original parameter value, the input parameter is determined to be successfully matched with an illegal character attack mode.
2. The method according to claim 1, wherein after the processing the input parameter according to the defense processing policy corresponding to the attack mode to obtain a processing result, the method further comprises:
and generating monitoring index data corresponding to the input parameter, wherein the monitoring index data comprises a source address of the data request, a parameter item of the input parameter and a cross-site scripting vulnerability attack identification strategy for identifying that the input parameter is successfully matched with the attack mode, and the parameter item comprises a parameter name and an original parameter value.
3. The method of claim 1, wherein the OWASP class library coding-based attack identification strategy is used for identifying the illegal character attack mode, the escape character detection-based attack identification strategy is used for identifying the escape character attack mode, and the character string matching-based attack identification strategy is used for identifying the illegal character string attack mode.
4. The method according to claim 3, wherein the performing attack pattern recognition matching processing on each input parameter according to at least one pre-configured cross-site scripting vulnerability attack recognition strategy to recognize whether each input parameter matches at least one attack pattern further comprises:
under the condition that the cross-site scripting vulnerability attack identification strategy is the escape character detection-based attack identification strategy, performing API coding on the input parameter using the commons-lang utility class StringEscapeUtils to obtain a second target parameter value of the coded input parameter, comparing the second target parameter value with the original parameter value of the input parameter, and, if the second target parameter value is not equal to the original parameter value, determining that the input parameter is successfully matched with the escape character attack mode.
5. The method according to claim 3, wherein the performing attack pattern recognition matching processing on each input parameter according to at least one pre-configured cross-site scripting vulnerability attack recognition strategy to recognize whether each input parameter matches at least one attack pattern further comprises:
under the condition that the cross-site scripting vulnerability attack identification strategy is the character string matching-based attack identification strategy, matching the character strings in the input parameter with each of at least one character string matching strategy, and determining that the input parameter is successfully matched with the illegal character string attack mode if the character strings in the input parameter are successfully matched by any character string matching strategy, wherein the character string matching strategy comprises a character string prefix matching strategy, a character string suffix matching strategy, a character string regular matching strategy and a character string containing matching strategy.
6. The method of claim 1, wherein the defense processing policy comprises: the method comprises the steps of carrying out replacement processing on the input parameters, carrying out filtering processing on the input parameters and refusing to execute the input parameters.
7. The method of claim 1, wherein the cross-site scripting vulnerability identification policy is stored in a preset configuration cache region of a memory, the preset configuration cache region being connected to a configuration center, the method further comprising:
writing the cross-site scripting vulnerability attack identification strategy configured in the configuration center into the preset configuration cache region.
8. The method of claim 2, wherein after the generating monitoring metric data corresponding to the input parameter, the method further comprises:
uploading the monitoring index data to a preset monitoring index buffer area of a memory, wherein the preset monitoring index buffer area is connected with a monitoring center;
reporting the monitoring index data in the preset monitoring index buffer area to the monitoring center.
9. A cross-site scripting vulnerability attack defense device is characterized by comprising: a request interception unit, a request input parameter acquisition unit, an attack pattern matching unit and a defense processing unit,
the request intercepting unit is used for intercepting a data request sent by a sender;
the request input parameter obtaining unit is used for obtaining at least one input parameter which can be called by an application program interface in the data request;
the attack pattern matching unit is used for respectively carrying out attack pattern recognition matching processing on each input parameter according to at least one pre-configured cross-site script vulnerability attack recognition strategy and recognizing whether each input parameter is matched with at least one attack pattern; the cross-site scripting vulnerability attack identification strategy comprises the following steps: an attack identification strategy based on OWASP class library coding, an attack identification strategy based on escape character detection and an attack identification strategy based on character string matching;
the defense processing unit is used, for each input parameter identified as successfully matched with any attack mode, for processing the input parameter according to the defense processing strategy corresponding to the attack mode to obtain a processing result;
the attack pattern matching unit is configured to:
under the condition that the cross-site scripting vulnerability attack identification strategy is the OWASP class library coding-based attack identification strategy, perform API coding on the input parameter using an OWASP library to obtain a first target parameter value of the coded input parameter, compare the first target parameter value with the original parameter value of the input parameter, and, if the first target parameter value is not equal to the original parameter value, determine that the input parameter is successfully matched with an illegal character attack mode.
CN202110917933.7A, priority date 2021-08-11, filing date 2021-08-11: Cross-site scripting vulnerability attack defense method and device. Status: Active. Granted publication CN113364815B (en).

Publications (2)

Publication Number   Publication Date
CN113364815A (en)    2021-09-07
CN113364815B (en)    2021-11-23

Family ID: 77522979

Country Status (1): CN, CN113364815B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant