CN113965366A - Defense method, system and computer equipment for reverse proxy phishing attack

Publication number: CN113965366A
Authority: CN (China)
Application number: CN202111205024.7A
Priority: CN202111205024.7A
Other languages: Chinese (zh)
Other versions: CN113965366B (en)
Inventors: 谢焱, 范渊, 吴卓群, 王欣
Current Assignee: DBAPPSecurity Co Ltd
Original Assignee: DBAPPSecurity Co Ltd
Legal status: Granted, Active
Prior art keywords: domain name, information, name information, browser, server

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1483: Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing

Abstract

The application relates to a defense method, system and computer equipment for reverse proxy phishing attacks. The method comprises the following steps: after sending an access request to a server side, a browser side receives response information returned by the server side, the response information comprising domain name verification information, which in turn comprises first domain name information; the browser side obtains second domain name information based on the first domain name information and matches it against third domain name information corresponding to the access request of the browser side; when the matching fails, it is determined that the browser side is under a reverse proxy phishing attack. With this method, reverse proxy phishing attacks against the server side can be identified comprehensively and accurately, which solves the limited identification range and low accuracy of reverse proxy phishing detection in the related art; the screening risk is shifted away from the browser side, and the risk of the end user being phished is reduced.

Description

Defense method, system and computer equipment for reverse proxy phishing attack
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method, a system, and a computer device for defending against reverse proxy phishing attacks.
Background
Reverse proxy phishing is a common form of network attack that has emerged in recent years. The fundamental difference from traditional phishing is that the attacker no longer serves a look-alike HTML page of their own, but instead sets up a reverse proxy for the target server: each data packet from the victim's browser is intercepted, modified and forwarded to the real website, and each response packet from the website is likewise processed and sent back to the victim's browser. This approach lowers the attacker's cost of building the environment and also makes the page appear more genuine and credible to the victim.
Existing defenses against reverse proxy phishing mainly capture packets with a tool to obtain domain name and certificate information, and then analyze and discriminate the domain name. Packet capture and unpacking are techniques based on HTTP websites; their drawback is that domain name information is hard to obtain for HTTPS websites, whose traffic is encrypted. Once the domain name information has been obtained, it must be judged against domain name blacklists and whitelists, so the accuracy of the judgment depends on how promptly those lists are updated. Certificate verification has problems such as attackers deliberately cultivating a domain name to bypass it. As a result, identifying reverse proxy phishing attacks by capturing packets and then analyzing and discriminating domain names has a limited identification range and low accuracy.
No effective solution has yet been proposed for the limited identification range and low accuracy of the related art in identifying reverse proxy phishing attacks.
Disclosure of Invention
This embodiment provides a defense method, system and computer device for reverse proxy phishing attacks, to solve the limited identification range and low accuracy of the related art.
In a first aspect, this embodiment provides a method for defending against reverse proxy phishing attacks, the method comprising:
after sending an access request to a server side, a browser side receives response information returned by the server side, wherein the response information comprises domain name verification information; the domain name verification information comprises first domain name information; the first domain name information is obtained by processing the real domain name corresponding to the server side;
the browser side obtains second domain name information based on the first domain name information, wherein the second domain name information is the real domain name corresponding to the server side; the second domain name information is matched with third domain name information corresponding to the access request of the browser side;
when the second domain name information and the third domain name information fail to match, it is determined that the browser side is under a reverse proxy phishing attack, and the browser side jumps to the page corresponding to the second domain name information.
In some embodiments, the browser side matching the second domain name information with the third domain name information corresponding to the access request of the browser side includes:
the browser side obtains the third domain name information corresponding to the access request based on the domain name verification information, wherein the third domain name information is the domain name information displayed in the address bar of the browser side; the third domain name information and the second domain name information are matched by string comparison.
In some embodiments, obtaining the first domain name information by processing the real domain name corresponding to the server side includes:
encrypting the real domain name corresponding to the server side to obtain the first domain name information; the encryption algorithm is randomly selected from two or more specific encryption algorithms before each encryption operation is executed.
In some embodiments, the browser side obtaining the second domain name information based on the first domain name information includes:
the domain name verification information comprises decryption information, the first domain name information and an encryption seed, wherein the first domain name information is a first random string obtained by the server side encrypting the second domain name information with the encryption seed, based on the encryption algorithm; the browser side uses the encryption seed, based on the decryption information, to decrypt the first domain name information into the second domain name information; the encryption seed is a random number that is regenerated before each encryption operation is executed.
In some embodiments, the decryption information includes a decryption function whose function name is a second random string, and the second random string is a random number that is regenerated each time before the response information is generated.
In some embodiments, the domain name verification information is described in JavaScript.
In some embodiments, the domain name verification information is obfuscated together with the other information in the response information that is described in JavaScript, and is then sent to the browser side.
In a second aspect, this embodiment provides a defense system against reverse proxy phishing attacks. The system comprises a browser side and a server side, wherein the browser side comprises:
a receiving module, used for receiving response information returned by the server side after an access request is sent to the server side, wherein the response information comprises domain name verification information; the domain name verification information comprises first domain name information; the first domain name information is obtained by processing the real domain name corresponding to the server side;
a matching module, used for obtaining second domain name information based on the first domain name information, the second domain name information being the real domain name corresponding to the server side, and for matching the second domain name information with third domain name information corresponding to the access request of the browser side;
a determining module, used for determining that the browser side is under a reverse proxy phishing attack when the second domain name information and the third domain name information fail to match, whereupon the browser side jumps to the page corresponding to the second domain name information.
In a third aspect, this embodiment provides a computer device including a memory and a processor, the memory storing a computer program, and the processor being configured to execute the computer program to perform any one of the above methods for defending against reverse proxy phishing attacks.
In a fourth aspect, this embodiment provides a computer-readable storage medium having a computer program stored thereon, the computer program, when executed by a processor, implementing any one of the above methods for defending against reverse proxy phishing attacks.
Compared with the related art, the defense method provided in this embodiment adds domain name verification information at the server side and sends it to the browser side for execution. The browser side obtains the real domain name of the server side from the domain name verification information and matches it against the domain name the browser is currently accessing; if the matching fails, a reverse proxy phishing attack is confirmed and the current access is blocked. The method delivers the real domain name directly to the browser side, where it is automatically compared with the domain name being accessed. It does not need to obtain domain name information through a third-party path or to rely on domain name blacklists and whitelists or certificates, it works for both HTTP and HTTPS servers, and it solves the limited identification range and low accuracy of reverse proxy phishing detection in the related art.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
Fig. 1 is a schematic diagram of an application system of a defense method for reverse proxy phishing attack according to an embodiment of the present application.
Fig. 2 is a flowchart of a method for defending against reverse proxy phishing attacks according to an embodiment of the present application.
Fig. 3 is a flowchart of a method for defending against reverse proxy phishing attacks in accordance with a preferred embodiment of the present application.
Fig. 4 is a block diagram of a defense system for reverse proxy phishing attack according to an embodiment of the present application.
Detailed Description
For a clearer understanding of the objects, aspects and advantages of the present application, reference is made to the following description and accompanying drawings.
Unless defined otherwise, technical or scientific terms used herein shall have the same general meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The use of the terms "a", "an" and "the" and similar referents in this application does not denote a limitation of quantity; they may be singular or plural. The terms "comprises," "comprising," "has," "having," and any variations thereof, as used in this application, are intended to cover non-exclusive inclusion; for example, a process, method, system, article or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or modules, but may include other steps or modules (elements) not listed or inherent to such process, method, article or apparatus. References in this application to "connected," "coupled," and the like are not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "A plurality" in this application means two or more. "And/or" describes an association between associated objects and means that three relationships may exist; for example, "A and/or B" may mean: A exists alone, A and B exist simultaneously, or B exists alone. In general, the character "/" indicates an "or" relationship between the objects before and after it. The terms "first," "second," "third," and the like in this application are used to distinguish between similar items and do not necessarily describe a particular sequential or chronological order.
The defense method for reverse proxy phishing attacks provided by the embodiments of the application can be applied in the application environment shown in Fig. 1. The browser side 102 communicates with the server side 104 via a network. The browser side 102 may be, but is not limited to, a personal computer, notebook computer, smartphone, tablet computer or portable wearable device, and the server side 104 may be implemented as an independent server or as a server cluster formed by a plurality of servers. Those of ordinary skill in the art will understand that the structure shown in Fig. 1 is merely illustrative and does not limit the structure of the terminal described above. For example, the browser side and the server side may include more or fewer components than shown in Fig. 1, or have a different configuration from that shown in Fig. 1.
This embodiment provides a method for defending against reverse proxy phishing attacks; Fig. 2 is a flowchart of the method. The embodiment is the process in which, after a browser side sends an access request to a server side, domain name verification is performed on the response information returned by the server side to determine whether a reverse proxy phishing attack is taking place. Taking the application of the method to the browser side in Fig. 1 as an example, the method includes the following steps:
Step S201, after sending an access request to a server side, a browser side receives response information returned by the server side, wherein the response information includes domain name verification information; the domain name verification information comprises first domain name information; the first domain name information is obtained by processing the real domain name corresponding to the server side.
A common way of accessing the internet is for a user terminal to access a website server through a browser; the access process consists of the browser sending an access request to the server and obtaining a response. The response message has a fixed format and consists of 4 parts: a status line, a response header, a blank line and response data. The response data carries the data to be returned to the browser side. The server side adds domain name verification information to the response data it returns and sends it to the browser side; the domain name verification information comprises the processed real domain name of the server side and the method for reversing that processing.
Step S202, the browser side obtains second domain name information based on the first domain name information, wherein the second domain name information is the real domain name corresponding to the server side; the second domain name information is matched with third domain name information corresponding to the access request of the browser side.
The browser side receives the response information and executes it automatically. Executing the domain name verification information yields the second domain name information, namely the real domain name of the server side. The domain name verification information also contains a method for obtaining the domain name corresponding to the access request sent by the browser side; executing it yields the third domain name information, namely the domain name corresponding to that access request. The real domain name of the server side is then matched against the domain name corresponding to the access request to obtain a matching result.
Step S203, when the second domain name information fails to match the third domain name information, it is determined that the browser side is under a reverse proxy phishing attack, and the browser side jumps to the page corresponding to the second domain name information.
If the second and third domain name information fail to match, the target domain name of the access request sent by the browser side has been replaced: it is not the domain name corresponding to the server side but the domain name of some relay or reverse proxy phishing attacker. The browser side is therefore determined to be under a reverse proxy phishing attack, the browser's access to the replaced domain name is interrupted, and the browser jumps to the page corresponding to the second domain name information, namely the real domain name.
Through steps S201 to S203, this embodiment adds domain name verification information at the server side and sends it to the browser side for execution. The browser side obtains the real domain name of the server side from the domain name verification information and matches it against the domain name the browser is currently accessing; if the matching fails, a reverse proxy phishing attack is confirmed and the current access is blocked. The method delivers the real domain name directly to the browser side, where it is automatically compared with the domain name being accessed. It does not need to obtain domain name information through a third-party path or to rely on domain name blacklists and whitelists or certificates, it works for both HTTP and HTTPS servers, and it solves the limited identification range and low accuracy of reverse proxy phishing detection in the related art.
Some embodiments concern the specific process of matching the second domain name information with the third domain name information. Optionally, in step S202, matching the second domain name information with the third domain name information corresponding to the access request of the browser side includes:
the browser side obtains the third domain name information corresponding to the access request based on the domain name verification information, wherein the third domain name information is the domain name information displayed in the address bar of the browser side; the third domain name information and the second domain name information are matched by string comparison.
The domain name verification information also contains a method for obtaining the domain name corresponding to the access request sent by the browser side: code that reads the current domain name is placed in the domain name verification information and run on the browser side, for example var domain = document.domain; or var domain = window. After the browser side executes this code, it obtains the full domain name information corresponding to the access request, which is the domain name information displayed in the browser's address bar, namely the third domain name information. A top-level domain name is then extracted from the full domain name information and compared with the server side's real domain name corresponding to the second domain name information.
With the matching method of this embodiment, the currently accessed domain name and the real domain name of the server side can be obtained and compared automatically on the browser side, so that it can be accurately determined whether the currently accessed address has been replaced or modified.
Some embodiments concern how the first domain name information in the domain name verification information is produced. Optionally, in S201, obtaining the first domain name information by processing the real domain name corresponding to the server side includes:
encrypting the real domain name corresponding to the server side to obtain the first domain name information; the encryption algorithm is randomly selected from two or more specific encryption algorithms before each encryption operation is executed.
Before each encryption operation, the server side randomly selects the encryption algorithm for the first domain name information. The encryption algorithm can be md5, Hash, aes256 or another encryption algorithm.
With the processing method of this embodiment, the real domain name corresponding to the server side can be transmitted to the browser side as ciphertext, and randomly selecting the encryption algorithm strengthens the data's resistance to tampering. When a reverse proxy sits between the server side and the browser side, this processing prevents the reverse proxy from replacing or modifying the real domain name corresponding to the server side, and ensures that the subsequent domain name verification remains feasible.
Some embodiments concern the specific process by which the browser side obtains the second domain name information from the first domain name information. Optionally, the browser side obtaining the second domain name information based on the first domain name information includes:
the domain name verification information comprises decryption information, the first domain name information and an encryption seed, wherein the first domain name information is a first random string obtained by the server side encrypting the second domain name information with the encryption seed, based on the encryption algorithm; the browser side uses the encryption seed, based on the decryption information, to decrypt the first domain name information into the second domain name information; the encryption seed is a random number that is regenerated before each encryption operation is executed.
When encrypting, the server side converts the real domain name into a random string, namely the first domain name information, based on the randomly chosen encryption algorithm and encryption seed. It then places the decryption algorithm corresponding to the encryption algorithm, the first domain name information and the encryption seed into the domain name verification information and sends it to the browser side. When the browser side executes it, the first random string is decrypted, using the decryption algorithm together with the encryption seed, into the plaintext real domain name, namely the second domain name information.
This embodiment provides a method for decrypting, on the browser side, the encrypted real domain name of the server side. When a reverse proxy sits between the server side and the browser side, the method decrypts the encrypted data into the plaintext real domain name and so provides the object to match against in the subsequent domain name verification.
Some embodiments concern how the decryption information in the domain name verification information is handled. Optionally, the decryption information includes:
a decryption function, wherein the function name of the decryption function is a second random string, and the second random string is a random number that is regenerated each time before the response information is generated.
The decryption information in the domain name verification information takes the form of the code of a decryption algorithm. The decryption algorithm is itself a function, so the decryption information includes the function name of the decryption function. In this embodiment, the function name of the decryption function is a randomly generated string, generated each time before the server side sends the response information.
With this handling of the decryption information, the location of the decryption algorithm can be hidden. When a reverse proxy sits between the server side and the browser side, the reverse proxy attacker cannot locate the decryption algorithm to intercept or modify it, which ensures that domain name decryption and verification proceed smoothly.
Some embodiments concern the language in which the domain name verification information is described. Optionally, the domain name verification information is described in JavaScript.
Information described in JavaScript runs automatically when the browser loads the response information.
With the description language of this embodiment, the browser can run the domain name verification information automatically to obtain the domain name matching result and determine whether a reverse proxy phishing attack is taking place, without any other operation being performed on the browser. The screening risk is shifted away from the browser side, and the risk of the end user being phished is reduced.
Some embodiments concern how the information described in JavaScript in the response information is processed. Optionally, the domain name verification information is obfuscated together with the other JavaScript-described information in the response information and is then sent to the browser side.
Information described in JavaScript can be obfuscated on the server side with an obfuscation tool such as js-obfuscator and then sent to the browser side. The obfuscated information does not affect execution on the browser side.
With the processing method of this embodiment, the obfuscated JavaScript code becomes unreadable and cannot even be replaced, which further reduces the risk of the domain name verification information being identified, intercepted or deleted.
The present embodiment is described and illustrated below by means of preferred embodiments.
Fig. 3 is a flowchart of the defense method of the reverse proxy phishing attack of the present preferred embodiment. As shown in fig. 3, the method comprises the steps of:
Step S301, the user receives a malicious link and, following the link, accesses the malicious domain name through the browser.
Step S302, the reverse proxy phishing attacker uses a tool to relay the browser side's request and accesses the server corresponding to the real domain name.
Step S303, the server side randomly selects one of two or more specific encryption algorithms and encrypts the real domain name with it, in combination with an encryption seed, to obtain a first random string; it converts the function name of the decryption algorithm corresponding to the encryption algorithm into a second random string; and it describes the first random string, the encryption seed and the decryption function in JavaScript to generate the domain name verification information.
Step S304, the server side obfuscates the domain name verification information together with the other JavaScript-described information in the response information, and then sends the response information to the browser side.
Step S305, the reverse proxy phishing attacker receives the response information; because the domain name verification information is encrypted and obfuscated, the attacker cannot identify or tamper with it, and so returns the response information to the browser side.
Step S306, the browser side receives the response information and automatically runs the domain name verification information, converting the first random string into the real domain name of the server side based on the decryption function and the encryption seed.
Step S307, the browser side runs the domain name verification information to obtain the domain name information corresponding to the access request.
Step S308, the domain name corresponding to the access request is matched against the real domain name by string comparison.
Step S309, if the matching fails, the browser pops up the warning "phishing attack is underway!" and jumps to the page corresponding to the real domain name of the server side.
Through steps S301 to S309, reverse proxy phishing attacks against the server side can be identified comprehensively and accurately, which solves the limited identification range and low accuracy of reverse proxy phishing detection in the related art; the screening risk is shifted away from the browser side, and the risk of the end user being phished is reduced.
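The following JavaScript sketch of steps S303 to S309 is an added example, not code from the patent or its assignee: a server-side generator emits the domain name verification script, and a simulated browser runs it against a direct visit and a proxied visit. The two toy seed-keyed transforms, the keystream helper, the names buildDomainCheck and runInFakeBrowser, and the label-boundary subdomain match are assumptions made for illustration; the hostnames are constructed sample values.

```javascript
// Added illustration of steps S303-S309. The two ciphers are toy, reversible,
// seed-keyed transforms chosen for this sketch (assumptions, not the patent's
// algorithms); all hostnames below are constructed sample values.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

// Seed-driven byte stream (a small LCG); shipped to the browser as source text.
function keystream(seed, n) {
  const out = [];
  let s = seed >>> 0;
  for (let i = 0; i < n; i++) {
    s = (Math.imul(s, 1103515245) + 12345) >>> 0;
    out.push(s >>> 24);
  }
  return out;
}

// Pool of "two or more" algorithms; one is picked at random per response.
const ALGORITHMS = [
  { enc: (b, k) => b.map((x, i) => x ^ k[i]),
    dec: (b, k) => b.map((x, i) => x ^ k[i]) },
  { enc: (b, k) => b.map((x, i) => (x + k[i]) & 0xff),
    dec: (b, k) => b.map((x, i) => (x - k[i]) & 0xff) },
];

const toHex = (bytes) => bytes.map((x) => x.toString(16).padStart(2, '0')).join('');

// Server side (S303): build the domain name verification script for one response.
// algIndex is optional and only exists so a test can pin the algorithm.
// The emitted check matches on a label boundary (exact host or a subdomain of
// the real domain), so a host that merely contains the real domain is rejected.
function buildDomainCheck(realDomain, algIndex) {
  const pick = algIndex ?? rng.getRandomValues(new Uint8Array(1))[0] % ALGORITHMS.length;
  const alg = ALGORITHMS[pick];
  const seed = rng.getRandomValues(new Uint32Array(1))[0]; // fresh encryption seed
  const plain = Array.from(realDomain, (c) => c.charCodeAt(0));
  // First random string: the encrypted real domain, hex encoded.
  const first = toHex(alg.enc(plain, keystream(seed, plain.length)));
  // Second random string: the per-response name of the decryption function.
  const fn = '_' + toHex(Array.from(rng.getRandomValues(new Uint8Array(8))));
  return `(function () {
  var ${fn} = function (hex, seed) {
    var b = hex.match(/../g).map(function (h) { return parseInt(h, 16); });
    var p = (${alg.dec.toString()})(b, (${keystream.toString()})(seed, b.length));
    return String.fromCharCode.apply(null, p);
  };
  var real = ${fn}("${first}", ${seed});
  var host = location.hostname;
  if (host !== real && !host.endsWith("." + real)) {
    alert("phishing attack is underway!");
    location.href = location.protocol + "//" + real + "/";
  }
})();`;
}

// Browser side (S306-S309), simulated: run the script with a stand-in
// location object and alert(), then report what the page did.
function runInFakeBrowser(script, hostname) {
  const location = { protocol: 'https:', hostname, href: 'https://' + hostname + '/login' };
  const alerts = [];
  new Function('location', 'alert', script)(location, (msg) => alerts.push(msg));
  return { alerts, finalUrl: location.href };
}

// One generated script, loaded directly and through a relaying host.
function demo() {
  const script = buildDomainCheck('example.com');
  return {
    direct: runInFakeBrowser(script, 'login.example.com'),
    proxied: runInFakeBrowser(script, 'login.example.com.proxy.test'),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```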
It should be noted that the steps illustrated in the above-described flow diagrams or in the flow diagrams of the figures may be performed in a computer system, such as a set of computer-executable instructions, and that, although a logical order is illustrated in the flow diagrams, in some cases, the steps illustrated or described may be performed in an order different than here.
In some embodiments, the present application further provides a defense system against reverse proxy phishing attacks, which is used to implement the above embodiments and preferred embodiments; what has already been described is not repeated. The terms "module," "unit," "subunit," and the like as used below may be a combination of software and/or hardware that implements a predetermined function.
Fig. 4 is a block diagram of the configuration of the defense system against reverse proxy phishing attack according to the present embodiment, and as shown in fig. 4, the system includes: a browser end 41 and a server end 43. The browser end of the system comprises:
the receiving module 42 is configured to receive response information returned by the server after sending the access request to the server, where the response information includes domain name verification information; the domain name verification information comprises first domain name information; the first domain name information is obtained by processing a real domain name corresponding to the server side;
the matching module 44 is configured to obtain second domain name information based on the first domain name information, where the second domain name information is a real domain name corresponding to the server; matching the second domain name information with third domain name information corresponding to the access request of the browser end;
the determining module 46 is configured to determine that the browser end is attacked by reverse proxy phishing when the second domain name information fails to match the third domain name information, and the browser end jumps to a page corresponding to the second domain name information.
In the system in this embodiment, domain name verification information is generated at the server side and sent to the receiving module 42 of the browser side, where it runs automatically; the matching module 44 of the browser side obtains the real domain name of the server side and the domain name corresponding to the browser access request and matches the two, and the determining module 46 determines from the matching result whether the browser side is under a reverse proxy phishing attack. If the matching fails, it is determined that the browser end is attacked, the current access is interrupted, and the browser jumps to the page corresponding to the real domain name of the server end. The system in this embodiment can comprehensively and accurately identify reverse proxy phishing attacks against the server, solves the problems of limited identification range and low accuracy for reverse proxy phishing attacks in the related art, transfers the screening risk from the browser end, and reduces the phishing risk of the end user.
There is also provided in this embodiment a computer device comprising a memory having a computer program stored therein and a processor arranged to run the computer program to perform the steps of any of the method embodiments described above.
Optionally, the computer device may further include a transmission device and an input/output device, wherein the transmission device is connected to the processor, and the input/output device is connected to the processor.
It should be noted that, for specific examples in this embodiment, reference may be made to the examples described in the foregoing embodiments and optional implementations, and details are not described again in this embodiment.
It should be understood that the specific embodiments described herein are merely illustrative of this application and are not intended to be limiting. All other embodiments, which can be derived by a person skilled in the art from the examples provided herein without any inventive step, shall fall within the scope of protection of the present application.
It is obvious that the drawings are only examples or embodiments of the present application, and it is obvious to those skilled in the art that the present application can be applied to other similar cases according to the drawings without creative efforts. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.
The term "embodiment" is used herein to mean that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the present application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is to be expressly or implicitly understood by one of ordinary skill in the art that the embodiments described in this application may be combined with other embodiments without conflict.
The above-mentioned embodiments express only several embodiments of the present application, and their description is relatively specific and detailed, but they should not be construed as limiting the scope of the patent protection. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, all of which fall within the scope of protection of the present application. Therefore, the protection scope of the present application shall be subject to the appended claims.

Claims (10)

1. A method of defending against reverse proxy phishing attacks, comprising:
after sending an access request to a server, a browser receives response information returned by the server, wherein the response information comprises domain name verification information; the domain name verification information comprises first domain name information; the first domain name information is obtained by processing a real domain name corresponding to the server side;
the browser side obtains second domain name information based on the first domain name information, wherein the second domain name information is a real domain name corresponding to the server side; matching the second domain name information with third domain name information corresponding to the access request of the browser end;
and when the second domain name information and the third domain name information fail to match, determining that the browser end is attacked by reverse proxy phishing, and jumping to a page corresponding to the second domain name information.
2. The method of claim 1, wherein the matching, by the browser end, the second domain name information with third domain name information corresponding to the access request of the browser end comprises:
the browser side obtains third domain name information corresponding to the access request based on the domain name verification information, wherein the third domain name information is domain name information displayed in an address bar of the browser side; and the third domain name information and the second domain name information are matched through character string comparison.
3. The method according to claim 1, wherein the first domain name information being obtained by processing the real domain name corresponding to the server side comprises:
encrypting a real domain name corresponding to the server side to obtain first domain name information; the encryption processing algorithm is randomly selected from two or more specific encryption algorithms each time before the encryption operation is executed.
4. The method of claim 3, wherein the obtaining, by the browser side, second domain name information based on the first domain name information comprises:
the domain name verification information comprises decryption information, first domain name information and an encryption seed, wherein the first domain name information is a first random character string obtained by encrypting the second domain name information by the server side based on the encryption processing algorithm through the encryption seed; the browser side decrypts the first domain name information into the second domain name information by using the encryption seed based on the decryption information; the encryption seed is a random number that is regenerated before each encryption operation is performed.
5. The method of claim 4, wherein the decryption information comprises a decryption function, wherein the decryption function has a function name of a second random string, and wherein the second random string is a random number that is regenerated before each generation of the response information.
6. The method of claim 1, wherein the domain name verification information is described using the JavaScript language.
7. The method of claim 6, wherein the domain name verification information is obfuscated together with the information in the response information, other than the domain name verification information, that is described in the JavaScript language, and is then sent to the browser.
8. A defense system against reverse proxy phishing attacks, comprising: the system comprises a browser end and a server end, wherein the browser end comprises:
the receiving module is used for receiving response information returned by the server after sending an access request to the server, wherein the response information comprises domain name verification information; the domain name verification information comprises first domain name information; the first domain name information is obtained by processing a real domain name corresponding to the server side;
the matching module is used for obtaining second domain name information based on the first domain name information, and the second domain name information is a real domain name corresponding to the server side; matching the second domain name information with third domain name information corresponding to the access request of the browser end;
and the determining module is used for determining that the browser end is attacked by reverse proxy phishing when the second domain name information and the third domain name information fail to match, and the browser end jumps to a page corresponding to the second domain name information.
9. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the method of any of claims 1 to 7.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 7.
CN202111205024.7A 2021-10-15 2021-10-15 Method, system and computer equipment for defending reverse proxy phishing attack Active CN113965366B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111205024.7A CN113965366B (en) 2021-10-15 2021-10-15 Method, system and computer equipment for defending reverse proxy phishing attack

Publications (2)

Publication Number Publication Date
CN113965366A true CN113965366A (en) 2022-01-21
CN113965366B CN113965366B (en) 2024-04-09

Family

ID=79464116

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111205024.7A Active CN113965366B (en) 2021-10-15 2021-10-15 Method, system and computer equipment for defending reverse proxy phishing attack

Country Status (1)

Country Link
CN (1) CN113965366B (en)

Also Published As

Publication number Publication date
CN113965366B (en) 2024-04-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant