CN113965366B - Method, system and computer equipment for defending reverse proxy phishing attack


Info

Publication number
CN113965366B
Authority
CN
China
Prior art keywords
domain name
information
name information
browser
server
Prior art date
Legal status
Active
Application number
CN202111205024.7A
Other languages
Chinese (zh)
Other versions
CN113965366A (en)
Inventor
谢焱
范渊
吴卓群
王欣
Current Assignee
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1483 Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing

Abstract

The application relates to a method, a system and computer equipment for defending against reverse proxy phishing attacks. The method comprises the following steps: after sending an access request to a server end, the browser end receives response information returned by the server end, wherein the response information comprises domain name verification information and the domain name verification information comprises first domain name information; the browser end obtains second domain name information based on the first domain name information, and matches the second domain name information with third domain name information corresponding to the access request of the browser end; and when the matching fails, it is determined that the browser end is under a reverse proxy phishing attack. With this method, reverse proxy phishing attacks against the server end can be identified comprehensively and accurately, which solves the problems of limited identification range and low accuracy in the related art; the screening risk is shifted away from the browser end, and the risk of the end user being phished is reduced.

Description

Method, system and computer equipment for defending reverse proxy phishing attack
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method, a system, and a computer device for defending against a reverse proxy phishing attack.
Background
Reverse proxy phishing is a network attack technique that has emerged in recent years. The fundamental difference from traditional phishing is that reverse proxy phishing does not serve its own look-alike HTML pages; instead, the attacker builds a reverse proxy in front of the target server. Each data packet from the victim's browser is intercepted, modified and forwarded to the real website, and each response packet from the website is likewise processed and sent back to the victim's browser. This approach not only lowers the attacker's cost of building the environment, but also appears more genuine and trustworthy to the victim.
The main existing defenses against reverse proxy phishing capture packets with tools to obtain domain name and certificate information, and then analyze and screen the domain name. Packet capture and unpacking techniques are based on HTTP websites and have difficulty obtaining domain name information from HTTPS websites, whose transmission is encrypted. After the domain name information is obtained, it must be compared against a domain name blacklist and whitelist, and how promptly those lists are updated affects the accuracy of the judgment. Certificate verification has problems such as being bypassed by an attacker who deliberately cultivates a domain name. As a result, domain name analysis and screening based on packet capture has a limited recognition range and low recognition accuracy for reverse proxy phishing attacks.
No effective solution has yet been proposed for the problems of limited recognition range and low accuracy in identifying reverse proxy phishing attacks.
Disclosure of Invention
The embodiment provides a defense method, a system and computer equipment for reverse proxy phishing attack, which are used for solving the problems of limited recognition range and low accuracy in the related technology.
In a first aspect, in this embodiment, there is provided a method for defending against a reverse proxy phishing attack, where the method includes:
after sending an access request to a server, a browser receives response information returned by the server, wherein the response information comprises domain name verification information; the domain name verification information comprises first domain name information; the first domain name information is obtained by processing a real domain name corresponding to the server side;
the browser end obtains second domain name information based on the first domain name information, wherein the second domain name information is a real domain name corresponding to the server end; matching the second domain name information with third domain name information corresponding to the access request of the browser end;
when the matching of the second domain name information and the third domain name information fails, determining that the browser end is attacked by reverse proxy phishing, and jumping to a page corresponding to the second domain name information by the browser end.
In some embodiments, the browser end matching the second domain name information with the third domain name information corresponding to the access request of the browser end includes:
the browser end obtains third domain name information corresponding to the access request based on the domain name verification information, wherein the third domain name information is displayed in an address bar of the browser end; and the third domain name information is matched with the second domain name information through character string comparison.
In some embodiments, the first domain name information being obtained by processing the real domain name corresponding to the server side includes:
the real domain name corresponding to the server side is encrypted to obtain the first domain name information; the encryption processing algorithm is obtained by randomly selecting from two or more specific encryption algorithms before each encryption operation is executed.
In some embodiments, the browser end obtaining the second domain name information based on the first domain name information includes:
the domain name verification information comprises decryption information, first domain name information and encryption seeds, wherein the first domain name information is a first random string obtained by encrypting the second domain name information by the server based on the encryption processing algorithm through the encryption seeds; the browser end decrypts the first domain name information into the second domain name information by utilizing the encryption seeds based on the decryption information; the encryption seed is a random number regenerated before each encryption operation is performed.
In some of these embodiments, the decryption information includes a decryption function having a function name of a second random string that is a random number regenerated before each response information generation.
In some of these embodiments, the domain name verification information is described using JavaScript language.
In some embodiments, the domain name verification information is obfuscated together with the other information in the response information that is described in JavaScript language, and is then sent to the browser side.
In a second aspect, in this embodiment, there is provided a defense system for a reverse proxy phishing attack, the system including a browser end and a server end, wherein the browser end comprises:
the receiving module is used for receiving response information returned by the server after sending an access request to the server, wherein the response information comprises domain name verification information; the domain name verification information comprises first domain name information; the first domain name information is obtained by processing a real domain name corresponding to the server side;
the matching module is used for obtaining second domain name information based on the first domain name information, wherein the second domain name information is a real domain name corresponding to the server side; matching the second domain name information with third domain name information corresponding to the access request of the browser end;
and the determining module is used for determining that the browser end is attacked by reverse proxy phishing when the second domain name information fails to be matched with the third domain name information, and the browser end jumps to a page corresponding to the second domain name information.
In a third aspect, in this embodiment there is provided a computer device comprising a memory storing a computer program and a processor arranged to run the computer program to perform the method of defending against a reverse proxy phishing attack described in any of the above.
In a fourth aspect, in this embodiment, there is provided a computer readable storage medium having stored thereon a computer program that, when executed by a processor, implements a method of defending against a reverse proxy phishing attack as described in any of the above.
Compared with the related art, the method for defending against the reverse proxy phishing attack provided in this embodiment adds domain name verification information at the server side and sends it to the browser side for execution. The browser side obtains the real domain name of the server side based on the domain name verification information and matches it with the domain name the browser is currently accessing; if the matching fails, it confirms that the client is under a reverse proxy phishing attack and blocks the current access. Because the real domain name is transmitted directly to the browser side and compared automatically with the domain name the browser is accessing, the domain name information does not need to be acquired through a third-party path, no domain name blacklist, whitelist or certificate is needed for the judgment, and the judgment is effective for both HTTP servers and HTTPS servers. This solves the problems of limited recognition range and low accuracy for reverse proxy phishing attacks in the related art.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the other features, objects, and advantages of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute an undue limitation to the application. In the drawings:
Fig. 1 is a schematic diagram of the application system of a method for defending against a reverse proxy phishing attack according to an embodiment of the present application.
Fig. 2 is a flowchart of a method of defending against a reverse proxy phishing attack in accordance with an embodiment of the present application.
Fig. 3 is a flow chart of a method of defending against a reverse proxy phishing attack in accordance with a preferred embodiment of the present application.
Fig. 4 is a block diagram of the defense system of the reverse proxy phishing attack according to the embodiment of the present application.
Detailed Description
For a clearer understanding of the objects, technical solutions and advantages of the present application, the present application is described and illustrated below with reference to the accompanying drawings and examples.
Unless defined otherwise, technical or scientific terms used herein shall have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terms "a," "an," "the," "these," and the like in this application do not limit number and may denote the singular or the plural. The terms "comprising," "including," "having," and any variations thereof, as used in the present application, are intended to cover a non-exclusive inclusion; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (units) is not limited to the listed steps or modules (units), but may include other steps or modules (units) not listed or inherent to such process, method, article, or apparatus. The terms "connected," "coupled," and the like in this application are not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. Reference to "a plurality" in this application means two or more. "And/or" describes an association relationship between associated objects, meaning that there may be three relationships; e.g., "A and/or B" may mean: A exists alone, A and B exist together, or B exists alone. Typically, the character "/" indicates that the associated objects are in an "or" relationship. The terms "first," "second," "third," and the like, as referred to in this application, merely distinguish similar objects and do not represent a particular ordering of objects.
The method for defending against the reverse proxy phishing attack, provided by the embodiment of the application, can be applied to an application environment shown in fig. 1. Wherein the browser side 102 communicates with the server side 104 via a network. The browser side 102 may be, but not limited to, various personal computers, notebook computers, smart phones, tablet computers, and portable wearable devices, and the server side 104 may be implemented by a stand-alone server or a server cluster formed by a plurality of servers. It will be appreciated by those skilled in the art that the structure shown in fig. 1 is merely illustrative and is not intended to limit the structure of the terminal. For example, the browser side and server side may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
In this embodiment, a method for defending against a reverse proxy phishing attack is provided, and Fig. 2 is a flowchart of the method in this embodiment. The embodiment is the process in which, after the browser sends an access request to the server, the browser performs domain name verification according to the response information returned by the server and determines whether the client is under a reverse proxy phishing attack. Taking the application of the method to the browser end in Fig. 1 as an example, the method comprises the following steps:
Step S201, after sending an access request to a server, a browser receives response information returned by the server, wherein the response information comprises domain name verification information; the domain name verification information comprises first domain name information; the first domain name information is obtained by processing the real domain name corresponding to the server side.
The common mode of internet access is that a user terminal accesses a website server through a browser: the browser sends an access request to the server and obtains a response. The response information has a fixed format and consists of 4 parts: a status line, response headers, a blank line and response data. The response data stores the data that needs to be returned to the browser side. The server adds domain name verification information to the returned response data and sends it to the browser; the domain name verification information comprises the processed real domain name of the server and the method for reversing that processing.
Step S202, the browser end obtains second domain name information based on the first domain name information, wherein the second domain name information is a real domain name corresponding to the server end; and matching the second domain name information with third domain name information corresponding to the access request of the browser end.
The browser obtains the response information and executes it automatically; executing the domain name verification information yields the second domain name information, namely the real domain name of the server. The domain name verification information also contains a method for acquiring the domain name corresponding to the access request sent by the browser side; executing this method yields the third domain name information, namely the domain name corresponding to the access request sent by the browser side. The real domain name of the server side is then matched against the domain name corresponding to the access request sent by the browser side to obtain a matching result.
Step S203, when the matching of the second domain name information and the third domain name information fails, determining that the browser end is attacked by reverse proxy phishing, and the browser end jumps to the page corresponding to the second domain name information.
If the second domain name information and the third domain name information fail to match, the target domain name of the access request sent by the browser end has been replaced: it is not the domain name corresponding to the server end but the domain name of some relay or reverse proxy phishing attacker. The browser end is therefore judged to be under a reverse proxy phishing attack, the browser's access to the replaced domain name is interrupted, and the browser jumps to the page corresponding to the second domain name information, namely the real domain name.
Through the steps S201 to S203, in this embodiment, by adding domain name verification information at the server side and sending the domain name verification information to the browser side for execution, the browser side obtains the real domain name at the server side based on the domain name verification information, matches the real domain name with the domain name currently accessed by the browser, and if the matching fails, confirms that the client is attacked by reverse proxy phishing and blocks the current access. According to the method, the real domain name is directly transmitted to the browser side to automatically compare with the browser access domain name, the domain name information does not need to be acquired through a third-party path, a domain name black-and-white list or a certificate does not need to be used for judging, and the HTTP server and the HTTPS server can be effectively judged, so that the problems that the identification range of the reverse proxy phishing attack is limited and the accuracy is low in the related art are solved.
Some embodiments concern the specific process of matching the second domain name information with the third domain name information. Optionally, matching the second domain name information with the third domain name information corresponding to the access request at the browser end in S202 includes:
the browser end obtains third domain name information corresponding to the access request based on the domain name verification information, wherein the third domain name information is displayed in an address bar of the browser end; the third domain name information is matched with the second domain name information through character string comparison.
Specifically, code that reads the current domain name is placed in the domain name verification information and runs at the browser end, for example, var domain=document; or var domain = window. After the browser end executes this code, it obtains the global domain name information corresponding to the access request, which is the domain name information displayed in the address bar of the browser end, namely the third domain name information. The top-level domain name is then extracted from the global domain name information and compared, as a character string, with the real domain name of the server end given by the second domain name information.
The matching method of the embodiment can automatically acquire the currently accessed domain name from the browser side and the real domain name from the server side, and compare the currently accessed domain name with the real domain name, so as to accurately judge whether the currently accessed address is replaced or modified.
Some embodiments concern how the first domain name information in the domain name verification information is produced. Optionally, obtaining the first domain name information in S201 by processing the real domain name corresponding to the server side includes:
the real domain name corresponding to the server side is encrypted to obtain the first domain name information; the encryption processing algorithm is obtained by randomly selecting from two or more specific encryption algorithms before each encryption operation is performed.
Before each encryption operation, the server side should randomly select the encryption processing algorithm of the first domain name information. The encryption processing algorithm may be an encryption algorithm such as md5, hash, aes256, etc.
With the processing method of this embodiment, the real domain name corresponding to the server side can be transmitted to the browser side as ciphertext, and randomly selecting the encryption algorithm strengthens the tamper resistance of the data. When a reverse proxy exists between the server side and the browser side, the processing method can prevent the reverse proxy from replacing or modifying the real domain name corresponding to the server side, and ensures that the subsequent domain name verification remains feasible.
Some embodiments concern the specific process by which the browser side obtains the second domain name information from the first domain name information. Optionally, the browser end obtaining the second domain name information based on the first domain name information includes:
the domain name verification information comprises decryption information, first domain name information and encryption seeds, wherein the first domain name information is a first random character string obtained by encrypting second domain name information by a server end based on an encryption processing algorithm through the encryption seeds; the browser end decrypts the first domain name information into the second domain name information by utilizing the encryption seed based on the decryption information; the encryption seed is a random number regenerated before each encryption operation is performed.
When encrypting, the server side uses the randomly determined encryption algorithm and encryption seed to convert the real domain name into a random character string, namely the first domain name information. It then puts the decryption algorithm corresponding to the encryption algorithm, the first domain name information and the encryption seed into the domain name verification information and sends it to the browser side. When the browser end executes it, the first random character string is decrypted into the plaintext real domain name, namely the second domain name information, using the decryption algorithm in combination with the encryption seed.
The embodiment provides a method for decrypting the encrypted server-side real domain name at the browser side. Under the condition that a reverse proxy exists between the server side and the browser side, the method can decrypt the encrypted data into the plaintext real domain name, and provide a matching object for the follow-up domain name verification work.
Some of these embodiments concern the processing of the decryption information in the domain name verification information. Optionally, the decryption information includes:
a decryption function, wherein the function name of the decryption function is a second random character string, and the second random character string is a random number regenerated before each response information generation.
The decryption information in the domain name verification information is a code representation of the decryption algorithm. The decryption algorithm itself is a function and thus the decryption information includes function name information of the decryption function. The function name of the decryption function in this embodiment is a randomly generated character string, which is generated before the server side transmits the response information each time.
The decryption information processing method of the embodiment can hide the position of the decryption algorithm, and can ensure that a reverse proxy attacker cannot position the decryption algorithm and intercept or modify the decryption algorithm under the condition that a reverse proxy exists between a server side and a browser side, thereby ensuring smooth execution of domain name decryption and verification.
Some of these embodiments concern the description language of the domain name verification information. Optionally, the domain name verification information is described using JavaScript language.
Information described in JavaScript language is run automatically by the browser when the response information is loaded.
With the description language of this embodiment, the browser end automatically runs the domain name verification information, obtains the domain name matching result and determines whether it is under a reverse proxy phishing attack, so no other operation is required at the browser end. The screening risk is shifted away from the browser side, which reduces the risk of the end user being phished.
Some of these embodiments concern how the information described in JavaScript language in the response information is processed. Optionally, the domain name verification information is obfuscated together with the other information in the response information that is described in JavaScript language, and is then sent to the browser side.
The information described in JavaScript language can be obfuscated at the server side using an obfuscation tool such as js-obfuscator, and then sent to the browser side. The obfuscated information does not affect execution at the browser end.
With the processing method of this embodiment, the obfuscated JavaScript code becomes unreadable and cannot be replaced, which further reduces the risk that the domain name verification information is identified, intercepted or deleted.
The present embodiment is described and illustrated below by way of preferred embodiments.
Fig. 3 is a flowchart of a defending method of the reverse proxy phishing attack of the preferred embodiment. As shown in fig. 3, the method comprises the steps of:
Step S301, the user receives a malicious link and, following the link, accesses the malicious domain name through the browser.
Step S302, the reverse proxy phishing attacker uses a tool to relay the request of the browser end and accesses the server corresponding to the real domain name.
Step S303, the server side randomly selects one of two or more specific encryption algorithms and, in combination with an encryption seed, encrypts the real domain name to obtain a first random character string; converts the function name of the decryption algorithm corresponding to the encryption algorithm into a second random character string; and describes the first random character string, the encryption seed and the decryption function in JavaScript language to generate the domain name verification information.
Step S304, the server side obfuscates the domain name verification information together with the other information described in JavaScript language in the response information, and then sends the response information to the browser side.
Step S305, the reverse proxy phishing attacker receives the response information; because the domain name verification information is encrypted and obfuscated, the attacker cannot identify or tamper with it, and returns the response information to the browser end.
Step S306, the browser receives the response information, automatically runs the domain name verification information, and converts the first random character string into the real domain name of the server based on the decryption function and the encryption seed.
Step S307, the browser runs the domain name verification information to obtain the domain name information corresponding to the access request.
Step S308, the domain name corresponding to the access request is matched with the real domain name through character string comparison.
Step S309, if the matching fails, the browser pops up the warning "Under phishing attack!" and jumps to the page corresponding to the real domain name of the server side.
Through the steps S301 to S309, reverse proxy phishing attacks against the server can be identified comprehensively and accurately, which solves the problems of limited identification range and low accuracy in the related art; the screening risk is shifted away from the browser end, and the risk of the end user being phished is reduced.
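The S303 to S309 flow can be sketched as follows. This is an added example, not code from the patent: the two byte transforms, the names `buildVerificationScript` and `runInBrowser`, the `https://` redirect, the subdomain-tolerant comparison and the `example.com` / `.test` host names are assumptions, and the browser is simulated under Node.js with a stub `window` object.

```javascript
const { randomBytes, randomInt } = require('crypto');

// Two reversible stand-in transforms (assumed; the patent fixes no concrete scheme).
// enc runs on the server; dec is the JavaScript expression emitted for the browser.
const ALGORITHMS = [
  { enc: (b, k) => b ^ k, dec: '(b ^ k)' },                         // XOR with seed byte
  { enc: (b, k) => (b + k) & 0xff, dec: '((b - k + 256) & 0xff)' }, // add seed byte mod 256
];

// Server end, S303: build the domain name verification information.
// realDomain is assumed to be ASCII (punycode for internationalized names).
function buildVerificationScript(realDomain) {
  const alg = ALGORITHMS[randomInt(ALGORITHMS.length)];  // algorithm chosen per response
  const seed = randomBytes(16);                          // fresh encryption seed
  const fnName = '_' + randomBytes(6).toString('hex');   // second random string
  const cipher = Buffer.from(
    Array.from(Buffer.from(realDomain, 'ascii'), (b, i) => alg.enc(b, seed[i % seed.length]))
  );
  const c = cipher.toString('hex');                      // first random string
  const s = seed.toString('hex');
  // The emitted snippet decrypts the domain (S306), reads the address-bar host (S307),
  // compares the two as strings (S308) and warns and redirects on mismatch (S309).
  return `(function () {
  function ${fnName}(c, s) {
    var out = '';
    for (var i = 0; i < c.length; i += 2) {
      var b = parseInt(c.slice(i, i + 2), 16);
      var k = parseInt(s.slice(i % s.length, i % s.length + 2), 16);
      out += String.fromCharCode(${alg.dec});
    }
    return out;
  }
  var real = ${fnName}('${c}', '${s}');
  var current = window.location.hostname;
  if (current === real || current.slice(-(real.length + 1)) === '.' + real) return true;
  alert('Under phishing attack!');
  window.location.href = 'https://' + real + '/';
  return false;
})()`;
}

// Browser end, simulated: run the snippet against a stub window whose
// location.hostname plays the role of the address bar.
function runInBrowser(script, addressBarHost) {
  const alerts = [];
  const win = { location: { hostname: addressBarHost, href: 'https://' + addressBarHost + '/' } };
  const run = new Function('window', 'alert', 'return ' + script + ';');
  const ok = run(win, (msg) => alerts.push(msg));
  return { ok, alerts, href: win.location.href };
}

// Constructed scenario: the same response delivered directly and through a relay host.
function demo() {
  const script = buildVerificationScript('example.com');
  return {
    containsPlainDomain: script.includes('example.com'),
    direct: runInBrowser(script, 'www.example.com'),
    relayed: runInBrowser(script, 'www.example.com.login-portal.test'),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Since the seed and the decryption function are delivered in the same response, the encoding provides obfuscation against plain string rewriting rather than cryptographic secrecy.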
It should be noted that the steps illustrated in the above-described flow or flow diagrams of the figures may be performed in a computer system, such as a set of computer-executable instructions, and that, although a logical order is illustrated in the flow diagrams, in some cases, the steps illustrated or described may be performed in an order other than that illustrated herein.
In some embodiments, the present application further provides a system for defending against a reverse proxy phishing attack. The system is used to implement the foregoing embodiments and preferred embodiments, and what has already been described is not repeated here. The terms "module," "unit," "sub-unit," and the like as used below may refer to a combination of software and/or hardware that performs a predetermined function.
Fig. 4 is a block diagram of the defending system of the reverse proxy phishing attack of the present embodiment, and as shown in fig. 4, the system includes: a browser side 41 and a server side 43. The browser side of the system comprises:
a receiving module 42, configured to receive response information returned by the server after sending the access request to the server, where the response information includes domain name verification information; the domain name verification information comprises first domain name information; the first domain name information is obtained by processing a real domain name corresponding to the server side;
the matching module 44 is configured to obtain second domain name information based on the first domain name information, where the second domain name information is a real domain name corresponding to the server side; matching the second domain name information with third domain name information corresponding to the access request of the browser end;
and the determining module 46 is configured to determine that the browser side is attacked by reverse proxy phishing when the second domain name information fails to match with the third domain name information, and the browser side jumps to a page corresponding to the second domain name information.
In the system of this embodiment, domain name verification information is set at the server side and sent to the receiving module 42 at the browser side, where it runs automatically. The matching module 44 at the browser side obtains the real domain name of the server side and the domain name corresponding to the browser's access request and matches the two, and the determining module 46 determines from the matching result whether the browser side is under a reverse proxy phishing attack. If the matching fails, the browser end is determined to be under attack, the current access is interrupted, and the browser jumps to the page corresponding to the real domain name of the server end. The system in this embodiment can comprehensively and accurately identify reverse proxy phishing attacks aimed at the server, solves the problems of limited identification range and low accuracy for reverse proxy phishing attacks in the related art, transfers the screening risk from the browser end, and reduces the risk of the end user being phished.
There is also provided in this embodiment a computer device comprising a memory in which a computer program is stored and a processor arranged to run the computer program to perform the steps of any of the method embodiments described above.
Optionally, the computer device may further include a transmission device and an input/output device, where the transmission device is connected to the processor, and the input/output device is connected to the processor.
It should be noted that, specific examples in this embodiment may refer to examples described in the foregoing embodiments and alternative implementations, and are not described in detail in this embodiment.
It should be understood that the specific embodiments described herein are merely illustrative of this application and are not intended to be limiting. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present application, are within the scope of the present application in light of the embodiments provided herein.
It is evident that the drawings are only examples or embodiments of the present application, and that a person skilled in the art can also apply the present application to other similar situations on the basis of these drawings without inventive effort. In addition, it should be appreciated that while the development effort might be complex and lengthy, it would nevertheless be a routine undertaking of design, fabrication, or manufacture for those of ordinary skill having the benefit of this disclosure, and thus should not be construed as an admission of insufficient detail.
The term "embodiment" in this application means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive. It will be clear or implicitly understood by those of ordinary skill in the art that the embodiments described in this application can be combined with other embodiments without conflict.
The above examples only represent a few embodiments of the present application, which are described in more detail and are not to be construed as limiting the scope of the patent. It should be noted that it would be apparent to those skilled in the art that various modifications and improvements could be made without departing from the spirit of the present application, which would be within the scope of the present application. Accordingly, the scope of protection of the present application shall be subject to the appended claims.

Claims (10)

1. A method of defending against a reverse proxy phishing attack, comprising:
after sending an access request to a server, a browser receives response information returned by the server, wherein the response information comprises domain name verification information; the domain name verification information comprises first domain name information; the first domain name information is obtained by processing a real domain name corresponding to the server side;
the browser end obtains second domain name information based on the first domain name information, wherein the second domain name information is a real domain name corresponding to the server end; matching the second domain name information with third domain name information corresponding to the access request of the browser end;
when the matching of the second domain name information and the third domain name information fails, determining that the browser end is attacked by reverse proxy phishing, and jumping to a page corresponding to the second domain name information by the browser end.
2. The method of claim 1, wherein the matching the second domain name information with third domain name information corresponding to the access request of the browser comprises:
the browser end obtains third domain name information corresponding to the access request based on the domain name verification information, wherein the third domain name information is displayed in an address bar of the browser end; and the third domain name information is matched with the second domain name information through character string comparison.
3. The method of claim 1, wherein the first domain name information being obtained by processing the real domain name corresponding to the server side comprises:
the real domain name corresponding to the server side is encrypted to obtain the first domain name information; the encryption processing algorithm is randomly selected from two or more encryption algorithms before each encryption operation is executed.
4. The method of claim 3, wherein the browser side obtaining second domain name information based on the first domain name information comprises:
the domain name verification information comprises decryption information, first domain name information and encryption seeds, wherein the first domain name information is a first random string obtained by encrypting the second domain name information by the server based on the encryption processing algorithm through the encryption seeds; the browser end decrypts the first domain name information into the second domain name information by utilizing the encryption seeds based on the decryption information; the encryption seed is a random number regenerated before each encryption operation is performed.
5. The method of claim 4, wherein the decryption information includes a decryption function having a function name of a second random string, the second random string being a random number regenerated before each response information generation.
6. The method of claim 1, wherein the domain name verification information is described using JavaScript language.
7. The method according to claim 6, wherein the domain name verification information is mixed with information described in JavaScript language except the domain name verification information in the response information and then sent to a browser side.
8. A system for defending against a reverse proxy phishing attack, comprising a browser end and a server end, wherein the browser end comprises:
the receiving module is used for receiving response information returned by the server after sending an access request to the server, wherein the response information comprises domain name verification information; the domain name verification information comprises first domain name information; the first domain name information is obtained by processing a real domain name corresponding to the server side;
the matching module is used for obtaining second domain name information based on the first domain name information, wherein the second domain name information is a real domain name corresponding to the server side; matching the second domain name information with third domain name information corresponding to the access request of the browser end;
and the determining module is used for determining that the browser end is attacked by reverse proxy phishing when the second domain name information fails to be matched with the third domain name information, and the browser end jumps to a page corresponding to the second domain name information.
9. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any of claims 1 to 7 when the computer program is executed.
10. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 7.
CN202111205024.7A 2021-10-15 2021-10-15 Method, system and computer equipment for defending reverse proxy phishing attack Active CN113965366B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111205024.7A CN113965366B (en) 2021-10-15 2021-10-15 Method, system and computer equipment for defending reverse proxy phishing attack

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111205024.7A CN113965366B (en) 2021-10-15 2021-10-15 Method, system and computer equipment for defending reverse proxy phishing attack

Publications (2)

Publication Number Publication Date
CN113965366A CN113965366A (en) 2022-01-21
CN113965366B true CN113965366B (en) 2024-04-09

Family

ID=79464116

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111205024.7A Active CN113965366B (en) 2021-10-15 2021-10-15 Method, system and computer equipment for defending reverse proxy phishing attack

Country Status (1)

Country Link
CN (1) CN113965366B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102110198A (en) * 2009-12-28 2011-06-29 北京安码科技有限公司 Anti-counterfeiting method for web page
CN102223316A (en) * 2011-06-15 2011-10-19 成都市华为赛门铁克科技有限公司 Method and device for processing electronic mail
CN103209177A (en) * 2013-03-13 2013-07-17 深信服网络科技(深圳)有限公司 Detection method and device for network phishing attacks
CN103634317A (en) * 2013-11-28 2014-03-12 北京奇虎科技有限公司 Method and system of performing safety appraisal on malicious web site information on basis of cloud safety
CN106131016A (en) * 2016-07-13 2016-11-16 北京知道创宇信息技术有限公司 Maliciously URL detection interference method, system and device
CN108270754A (en) * 2017-01-03 2018-07-10 中国移动通信有限公司研究院 A kind of detection method and device of fishing website
CN111556036A (en) * 2020-04-20 2020-08-18 杭州安恒信息技术股份有限公司 Detection method, device and equipment for phishing attack
KR20210054580A (en) * 2020-04-22 2021-05-13 바이두 온라인 네트웍 테크놀러지 (베이징) 캄파니 리미티드 Network attack defense methods, devices, devices, systems and storage media

Also Published As

Publication number Publication date
CN113965366A (en) 2022-01-21


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant