CN114745202A - Method for actively defending web attack and web security gateway based on active defense - Google Patents


Info

Publication number
CN114745202A
Authority
CN
China
Legal status
Pending
Application number
CN202210507396.3A
Other languages
Chinese (zh)
Inventor
魏光玉
薛念明
谢吉伦
刘涛
张坤
焦杰
李勋
段佳希
Current Assignee
Shandong Luruan Digital Technology Co Ltd
Original Assignee
Shandong Luruan Digital Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks


Abstract

The invention discloses a method for actively defending against web attacks and a web security gateway based on active defense, and relates to the technical field of software security protection. The method comprises the following steps: after receiving a request sent by a client of a service system to a server of the service system, a web security gateway performs a security check based on a security chain mechanism on the request; and if the request passes the security check, the web security gateway forwards it to the server side of the service system. The invention can improve web security.

Description

Method for actively defending web attack and web security gateway based on active defense
Technical Field
The invention relates to the technical field of software security protection, in particular to a method for actively defending against web attacks and a web security gateway.
Background
With the rapid development of the ubiquitous Internet of Things and the ever deeper application of the information technologies of big data, cloud computing, mobile internet, artificial intelligence and blockchain (the 'big cloud moving intelligent chain'), the basic network links have changed, network structures have become more complex, boundaries have blurred and threat forms have diversified, posing serious challenges to security protection. As attacks have become markedly more targeted, persistent and concealed, the damage they cause has grown and network security protection has become more difficult.
The current web attack solutions have the following problems:
1. Developers do not understand and implement the hardening scheme in step with each other, and bug fixing is not thorough, which causes system function and performance problems; for example, an incorrect output encoding mode can cause abnormal page rendering, or the bug can still be reproduced.
2. Vulnerability repair schemes lack pertinence and globality. For example, responses to vulnerabilities such as replay attacks and integrity checks are handled in a uniform manner and cannot be handled per interface, so handling them interface by interface is time-consuming and labour-intensive and the project repair cycle becomes extremely long; code reusability is also poor, and the handling code must be changed again whenever a system interface changes.
Disclosure of Invention
The embodiment of the invention provides a method for actively defending against web attacks and a web security gateway based on active defense, which at least address the problem of improving web security.
The embodiment of the invention provides a method for defending against web attacks, which comprises the following steps: after receiving a request sent by a client of a service system to a server of the service system, a web security gateway performs security check based on a security chain mechanism on the request; and if the web security gateway passes the security check of the request, forwarding the request to a server side of the service system.
Preferably, the security check based on the security chain mechanism includes processing against the following web attacks: SQL injection attacks, XSS attacks, CSRF attacks, plaintext transmission vulnerability attacks, replay attacks, integrity vulnerability attacks and brute-force cracking attacks.
Preferably, the processing against SQL injection attacks comprises: the web security gateway acquires all request parameters in the request; the web security gateway traverses a preset keyword set, searches for the keywords in the request parameters, and if a keyword is found, deletes it from the request parameters; and the web security gateway traverses a preset special character set, searches for the characters in the request parameters, and if a character is found, replaces or deletes it in the request.
Preferably, the processing against XSS attacks comprises: the web security gateway acquires all request parameters in the request; the web security gateway traverses a preset tag set and searches for the content of each tag in the request parameters, and if tag content is found in the request, applies HTML (hypertext markup language) escaping to that tag content; and the web security gateway traverses a preset sensitive character set, searches for the characters in the request parameters, and if a character is found, replaces or deletes it in the request.
Preferably, the processing against CSRF attacks comprises: the web security gateway acquires the Referer header of the request and determines the legality of the request from it so as to reject illegal requests; and the web security gateway acquires the Origin header of the request and determines from it whether the request is a cross-domain access request so as to reject cross-domain access requests.
Preferably, the processing against plaintext transmission vulnerability attacks comprises: the web security gateway completes a key exchange in advance so that data transmitted between the server side of the service system and the client side of the service system can be encrypted and decrypted.
Preferably, the processing against replay attacks comprises: the web security gateway acquires a timestamp, a random number (nonce) and an anti-replay signature from the header of the request by using an anti-replay attack component, wherein the anti-replay signature is generated by the client of the service system from the timestamp, the nonce and a pre-agreed session unique identifier; the timestamp, the nonce and the anti-replay signature obtained from the request are each verified to determine whether the request is valid.
Preferably, the processing against integrity vulnerability attacks comprises: the web security gateway acquires all parameters and a client integrity signature from the request by using an integrity verification component, wherein the client integrity signature is generated by the client of the service system from all the parameters and a pre-agreed session unique identifier; a server-side integrity signature is generated from all the parameters acquired from the request and a locally stored pre-agreed session unique identifier; and whether the request is valid is determined by whether the client integrity signature and the server-side integrity signature match.
Preferably, the processing against brute-force cracking comprises: the web security gateway verifies the request initiated by the client of the service system by using a verification code mechanism, or by using the verification code mechanism together with an error-prevention mechanism, so as to determine whether the request is a valid request.
An embodiment of the present invention further provides a web security gateway based on active defense, which is characterized in that the web security gateway is based on a security chain mechanism, and when a request reaches the gateway, the steps of the method according to any one of claims 1 to 9 are implemented item by item according to the security chain.
According to the method for actively defending web attack and the web security gateway based on active defense, provided by the embodiment of the invention, after a request sent from a client of a service system to a server of the service system is received, security check based on a security chain mechanism is carried out on the request, so that the web security is improved.
Drawings
Fig. 1 is a schematic flowchart of a method for actively defending against a web attack according to an embodiment of the present invention;
Fig. 2 is a schematic deployment diagram of actively defending against a web attack according to an embodiment of the present invention;
Fig. 3 is a flowchart of the detailed solution for key exchange and the session unique identifier uid provided by an embodiment of the present invention;
Fig. 4 is a schematic diagram of the replay attack prevention scheme provided by an embodiment of the present invention.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit it. In the following description, suffixes such as "module", "part" or "unit" used to denote elements are used only to facilitate the explanation of the present invention and have no special meaning in themselves; thus "module", "component" and "unit" may be used interchangeably.
Example one
Fig. 1 is a schematic flowchart of a method for actively defending against a web attack according to an embodiment of the present invention, and as shown in fig. 1, the method may include:
Step S101: after receiving a request sent by a client of a service system to a server of the service system, a web security gateway (hereinafter referred to as the security gateway) performs a security check based on a security chain mechanism on the request;
Step S102: if the request passes the security gateway's security check, the security gateway forwards it to the server side of the service system.
Performing a security check based on the security chain mechanism on the request includes processing against the following web attacks: SQL injection attacks, XSS attacks, CSRF attacks, plaintext transmission vulnerability attacks, replay attacks, integrity vulnerability attacks and brute-force cracking attacks. In practical application, the processing for the different web attacks can be selected and the processing order set according to requirements.
The processing against SQL injection attacks comprises: the security gateway acquires all request parameters in the request; the security gateway traverses a preset keyword set, searches for the keywords in the request parameters, and if a keyword is found, deletes it from the request (for example keywords such as insert, delete and update); the security gateway traverses a preset special character set, searches for the characters (such as "#") in the request parameters, and if a character is found, replaces or deletes it in the request.
The processing against XSS attacks comprises: the security gateway acquires all request parameters in the request; the security gateway traverses a preset tag set and searches for the content of each tag in the request parameters, and if tag content is found in the request, HTML (hypertext markup language) escaping is applied to that tag content (the escaping itself is prior art and is not repeated here); the security gateway then traverses a preset sensitive character set, searches for the characters in the request parameters, and if a character is found, replaces or deletes it in the request.
The Origin and Referer headers of a request indicate the source of the request link: Referer indicates which page the request came from, and Origin indicates which site it came from. Based on this, the processing against CSRF attacks in this embodiment comprises: the security gateway acquires the Referer header of the request and determines the legality of the request from it so as to reject illegal requests; and the security gateway acquires the Origin header of the request and determines from it whether the request is a cross-domain access request so as to reject cross-domain access requests.
Plaintext is text without encryption; because it is not encrypted it is easily intercepted in the network, so its security is poor, and when sensitive information such as user account numbers and passwords is transmitted in plaintext the security of user information is greatly affected. In this embodiment the security gateway is used to solve this problem, and the processing against plaintext transmission vulnerability attacks may comprise: the security gateway provides a key exchange function so that sensitive information is encrypted with the exchanged keys before transmission; for example, the public key of the service system server, the public key of the service system client and a symmetric encryption key are exchanged in advance, so that data to be transmitted by the server or the client of the service system is encrypted and then sent to the other side for decryption, thereby resisting plaintext transmission vulnerability attacks.
A replay attack (also called a playback attack) retransmits a stolen historical data packet to the receiving party in order to defeat identity authentication. This embodiment uses the security gateway to recognise the validity of a request so as to protect against replay attacks. The processing against replay attacks may comprise: the security gateway acquires a timestamp, a random number (nonce) and an anti-replay signature from the header of the request by using an anti-replay attack component, wherein the anti-replay signature is generated by the client of the service system from the timestamp, the nonce and a pre-agreed session unique identifier; the timestamp, the nonce and the anti-replay signature obtained from the request are each verified to determine whether the request is valid. Specifically, the security gateway calculates the difference between the current server time and the timestamp and decides whether the timestamp is valid from this difference and a preset threshold: for example, if the difference is greater than 60 s or less than or equal to 0, the timestamp is invalid and so is the request. The nonce is looked up locally; if it already exists locally the request is invalid, because a nonce is single-use. Finally, a server-side anti-replay signature is generated from the timestamp, the nonce and the locally stored uid, and if the anti-replay signature in the request does not match the server-side signature, the request is invalid.
The purpose of judging data integrity is to detect unauthorised modification of the data, such as unauthorised addition or deletion. This embodiment uses the security gateway to judge data integrity and so determine the validity of the request. The processing against integrity vulnerability attacks comprises the following steps: the security gateway acquires all parameters and a client integrity signature from the request by using an integrity verification component, wherein the client integrity signature is generated by the client of the service system from all the parameters and a pre-agreed session unique identifier; the security gateway generates a server-side integrity signature from all the parameters acquired from the request and the locally stored pre-agreed session unique identifier, and then determines whether the request is valid by checking whether the client integrity signature matches the server-side integrity signature; if they do not match, data integrity has been damaged and the request is invalid.
Brute-force cracking is an attack that attempts to obtain a user's password by a large number of guesses or by exhaustive search. This embodiment uses the security gateway to defend against brute-force cracking, and the processing against it comprises the following steps: the security gateway verifies a request initiated by the client of the service system by using a verification code mechanism to determine whether the request is valid, wherein the verification code provided can carry a large number of interference elements to resist automatic recognition and increase the difficulty of a brute-force attack. Alternatively, the security gateway verifies the request initiated by the client of the service system by using the verification code mechanism to determine whether the request is valid, and additionally locks the user account through an error-prevention mechanism to further increase the difficulty of the attack.
After receiving a request sent by a client of a service system to a server of the service system, the security gateway of this embodiment performs a security check based on a security chain mechanism on the request, thereby improving web security.
Example two
In order to effectively prevent currently popular web attacks such as SQL injection attacks, XSS attacks, CSRF attacks, plaintext transmission vulnerabilities, replay attacks, integrity vulnerability attacks and brute-force cracking attacks, this embodiment provides a web security gateway based on active defense, hereinafter referred to as the security gateway. The gateway is based on a security chain mechanism: when a request reaches the gateway, the steps of the foregoing method are carried out one by one along the security chain, so that active defense against web attacks is realised, and through use of the security gateway web attacks can be recognised and blocked effectively and at scale.
Fig. 2 is a schematic deployment diagram of defending against a web attack according to an embodiment of the present invention. As shown in Fig. 2, the security gateway is deployed in front of the server of the service system, so that all requests from the service system client are first sent to the security gateway. A screening and filtering module in the security gateway then screens the request in turn for replay attacks, integrity vulnerability attacks, SQL injection attacks, XSS attacks, CSRF attacks, plaintext transmission vulnerabilities and brute-force attacks, rejects malicious client requests, and forwards the screened request to the service system server. The service system server responds to the request and returns the response data to the security gateway, and finally the security gateway returns the response data to the client.
In the whole process the gateway is transparent to the service system client and the service system server, exactly as if the client and server interacted directly. The security gateway comprises a request screening and filtering module which screens and filters received requests and intercepts illegal ones. The filtering uses a security chain mechanism, and every security check is carried out on each request. The security chain processing of the security gateway is described below for the different web attacks.
1. sql injection attack
SQL (Structured Query Language) injection vulnerabilities arise because back-end SQL statements are spliced together with user input: the web application does not check and filter the legality of the data input by the user, so the parameters passed from the front end to the back end are controllable by an attacker, who can construct different SQL statements to perform arbitrary operations on the database (adding, deleting, modifying and querying), and if the database user's privileges are large enough the attacker can even execute operations on the operating system.
The security gateway processing procedure may be: after a request sent by the client reaches the security gateway, if the request is in form format, the security gateway filters the parameters of the form request one by one, deleting SQL keywords and replacing or deleting special characters; if the request is in JSON format, the security gateway does not treat the JSON uniformly as one character string but parses the JSON data and filters each value in it one by one, using the same filtering rules as for the parameters of a form request, which are therefore not described again.
2. XSS attack
XSS (cross-site scripting) is a computer security vulnerability that often occurs in web applications. Because the web application does not fully check and filter the parameters of requests submitted by users, a user can add HTML and JS code to the submitted data, which is then output to a third-party user's browser without encoding, and a malicious attacker can send malicious code to another user by exploiting vulnerabilities in JS, ActiveX, HTML or even Flash applications. Because the browser cannot tell whether the script is trustworthy, the cross-site script runs and the attacker can obtain other users' information.
The security gateway processing procedure may be: after a request sent by the client reaches the security gateway, if the request is in form format, the security gateway filters the parameters of the form request one by one, escaping tag contents, deleting dangerous tag attributes, and replacing or deleting sensitive characters; if the request is in JSON format, the security gateway does not treat the JSON uniformly as one character string but parses the JSON data and filters each value in it one by one, using the same filtering rules as for the parameters of a form request, which are therefore not repeated.
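The form and JSON filtering described under items 1 and 2, as an added Go example that is not code from the patent; the keyword, special-character and tag sets are constructed stand-ins for the gateway's preset sets, which the page names only in part. The JSON body is decoded and every string leaf is filtered in place so nested values keep their shape, and escapeWholeBody shows why treating the body as one string is rejected.

```go
package main

import (
	"bytes"
	"encoding/json"
	"html"
	"net/url"
	"regexp"
	"strings"
)

// Constructed rule sets standing in for the gateway's preset sets (the page names only a few members).
var (
	sqlKeywords    = []string{"insert", "delete", "update", "drop"}
	sqlSpecialChar = []string{"#", "'", ";"}
	dangerousTags  = []string{"script", "iframe", "img", "svg"}
	keywordRe      []*regexp.Regexp
	tagRe          []*regexp.Regexp
)

func init() {
	for _, kw := range sqlKeywords { // whole-word, case-insensitive
		keywordRe = append(keywordRe, regexp.MustCompile(`(?i)\b`+kw+`\b`))
	}
	for _, tag := range dangerousTags { // opening or closing tag with any attributes
		tagRe = append(tagRe, regexp.MustCompile(`(?i)<\s*/?\s*`+tag+`\b[^>]*>`))
	}
}

// sanitizeValue applies the rules to one parameter value in the order the page lists
// them: delete SQL keywords, delete special characters, then HTML-escape preset tags.
func sanitizeValue(v string) string {
	for _, re := range keywordRe {
		v = re.ReplaceAllString(v, "")
	}
	for _, c := range sqlSpecialChar {
		v = strings.ReplaceAll(v, c, "")
	}
	for _, re := range tagRe {
		v = re.ReplaceAllStringFunc(v, html.EscapeString)
	}
	return v
}

// sanitizeForm filters each value of a form-encoded body one by one.
func sanitizeForm(body string) (string, error) {
	vals, err := url.ParseQuery(body)
	if err != nil {
		return "", err
	}
	for _, vs := range vals {
		for i := range vs {
			vs[i] = sanitizeValue(vs[i])
		}
	}
	return vals.Encode(), nil
}

// walk filters only string leaves of a decoded JSON document; objects, arrays, numbers and booleans keep their shape.
func walk(node interface{}) interface{} {
	switch n := node.(type) {
	case string:
		return sanitizeValue(n)
	case map[string]interface{}:
		for k, v := range n {
			n[k] = walk(v)
		}
		return n
	case []interface{}:
		for i, v := range n {
			n[i] = walk(v)
		}
		return n
	default:
		return n
	}
}

// sanitizeJSON parses the body, filters it value by value and re-encodes it.
func sanitizeJSON(body []byte) ([]byte, error) {
	var doc interface{}
	if err := json.Unmarshal(body, &doc); err != nil {
		return nil, err
	}
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false) // keep "&lt;" readable instead of "\u0026lt;"
	if err := enc.Encode(walk(doc)); err != nil {
		return nil, err
	}
	return bytes.TrimRight(buf.Bytes(), "\n"), nil
}

// escapeWholeBody is the approach the page rejects: treating the JSON body as one string leaves text that no longer parses as JSON.
func escapeWholeBody(body []byte) []byte {
	return []byte(html.EscapeString(string(body)))
}
```

Keyword deletion is a blocklist and can be evaded by inputs that do not contain the listed words verbatim, so it complements rather than replaces parameterised queries in the service system itself.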
3. CSRF attack
CSRF (Cross-Site Request Forgery) means that a victim's still-valid identity authentication information (cookie, session, etc.) is exploited by tricking the victim into clicking a malicious link or visiting a page containing attack code, so that the victim's browser, without the victim being aware of it, sends a request to the server corresponding to that authentication information in the victim's identity, thereby completing illegal operations such as a transfer or a password change.
The security gateway may process the request as follows: after a request sent by the client reaches the security gateway, the security gateway verifies the content of the HTTP Referer header, which records the source address of the request, and determines the legality of the request by judging whether it comes from an allowed domain name; the HTTP Origin header is also checked, and cross-domain access is prohibited.
The scheme of this embodiment further includes a security component client (also called the client security component), which can add security parameters to the request so that the security gateway can recognise and block web attacks by checking these security parameters. The following web attacks and their processing involve the security component client and security parameters.
4. Plaintext transmission loophole
The plaintext transmission loophole refers to plaintext transmission of sensitive information such as account numbers and passwords in the data transmission process.
The security gateway may process the plaintext transmission vulnerability as follows: the security gateway provides a secure key exchange function, and the user may encrypt and decrypt sensitive data using the encryption and decryption algorithms provided by the security component client and the keys obtained through the key exchange.
The detailed solution flow of the key exchange and the session unique identifier uid is shown in Fig. 3, and its steps may include:
Step S201: when a user accesses the service system for the first time, the security component client requests the public key and the server time;
Step S202: the security gateway generates a public/private key pair bound to the session (valid for the session period), and sends the server public key public_server and the server time to the security component client;
Step S203: after receiving the server time, the security component client calculates the difference between its local time and the server time and stores the difference locally; the security component client generates its own public/private key pair, encrypts its public key public_client with the server public key public_server, that is RSA.encrypt(public_client, public_server), and sends the encrypted client public key;
Step S204: after receiving the request, the security gateway decrypts the encrypted public_client with the server private key private_server and obtains the client public key public_client, that is RSA.decrypt(encrypted_public_client, private_server);
Step S205: the security gateway generates a random string uid bound to the session (valid for the session period) and encrypts the uid with the client public key public_client by RSA encryption before returning it. The symmetric encryption key and initialization vector are handled in the same way as the uid.
Step S206: after the security component client obtains the response data, it decrypts the ciphertext with the client private key private_client to obtain the plaintext uid, again by RSA. The symmetric encryption key and initialization vector are handled in the same way as the uid.
In this embodiment, the security gateway on the server side of the service system and the security component client on the client side of the service system exchange keys in this way, which ensures the security of the key exchange; the plaintext to be sent by either side (for example sensitive data such as a mobile phone number) is encrypted with the securely exchanged key, and the resulting ciphertext is sent to the other side, which decrypts it to recover the plaintext.
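The key exchange of steps S201 to S206 carried out by both sides, as an added Go example that is not the patent's code; it assumes RSA-OAEP with SHA-256 and a 32-byte random uid, neither of which the page specifies. RSA can encrypt only a single block, so a 3072-bit server key is used here so that the DER-encoded 2048-bit client public key (294 bytes) fits under OAEP; a production design would normally transport a symmetric key rather than a public key this way.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"time"
)

// gateway is the server-side session state; client is the security component's.
type gateway struct {
	key *rsa.PrivateKey // private_server / public_server, valid for this session only
	uid string          // session unique identifier, generated in S205
}
type client struct {
	key       *rsa.PrivateKey // private_client / public_client
	serverPub *rsa.PublicKey
	timeDiff  time.Duration // local time minus server time, stored in S203
}
func encrypt(pub *rsa.PublicKey, m []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, m, nil)
}
func decrypt(priv *rsa.PrivateKey, c []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, c, nil)
}
// S201/S202: the gateway creates a per-session key pair and answers with
// public_server and its clock (3072 bits so the client's DER-encoded key fits).
func (g *gateway) start() (*rsa.PublicKey, time.Time, error) {
	k, err := rsa.GenerateKey(rand.Reader, 3072)
	if err != nil {
		return nil, time.Time{}, err
	}
	g.key = k
	return &k.PublicKey, time.Now(), nil
}
// S203: the client records the clock offset, generates its own pair and sends
// RSA.encrypt(public_client, public_server).
func (c *client) sendKey(serverPub *rsa.PublicKey, serverTime time.Time) ([]byte, error) {
	c.serverPub, c.timeDiff = serverPub, time.Since(serverTime)
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	c.key = k
	der, err := x509.MarshalPKIXPublicKey(&k.PublicKey)
	if err != nil {
		return nil, err
	}
	return encrypt(serverPub, der)
}
// S204/S205: the gateway recovers public_client with private_server, generates
// the session uid and returns RSA.encrypt(uid, public_client).
func (g *gateway) acceptKey(encPub []byte) ([]byte, error) {
	der, err := decrypt(g.key, encPub)
	if err != nil {
		return nil, err
	}
	pub, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return nil, err
	}
	clientPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("client key is not RSA")
	}
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	g.uid = hex.EncodeToString(raw)
	return encrypt(clientPub, []byte(g.uid))
}
// S206: the client decrypts the uid with private_client.
func (c *client) receiveUID(encUID []byte) (string, error) {
	pt, err := decrypt(c.key, encUID)
	return string(pt), err
}
// runExchange drives the four messages and returns the uid held by each side.
func runExchange() (string, string, error) {
	g, c := &gateway{}, &client{}
	serverPub, serverTime, err := g.start()
	if err != nil {
		return "", "", err
	}
	encPub, err := c.sendKey(serverPub, serverTime)
	if err != nil {
		return "", "", err
	}
	encUID, err := g.acceptKey(encPub)
	if err != nil {
		return "", "", err
	}
	clientUID, err := c.receiveUID(encUID)
	return g.uid, clientUID, err
}
```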
5. Replay attacks
A replay attack (ReplayAttack) means that an attacker sends a packet that the destination host has already received, in order to deceive the system. If host A sends a data request to server B, a replay attack may be initiated either by the initiator A or by an attacker C: if initiated by A, A maliciously sends the data request repeatedly; if initiated by the attacker C, the attacker steals the data request by network monitoring or other means and then resends it to the server.
The security gateway may process replay attacks as follows: the security gateway introduces an anti-replay component, and replay attacks are recognised and prevented by a scheme of timestamp + random number (nonce) + signature verification. As shown in Fig. 4, when the client of the service system initiates a request, the introduced security component client adds a timestamp to the request, obtained by subtracting the stored time difference from the client's current time, and generates a nonce; the signature serves to prevent the session from being hijacked and the timestamp and nonce parameters from being tampered with. The security gateway verifies the timestamp, the nonce and the signature in the request by using the anti-replay component; if all three pass verification the request is confirmed valid, otherwise it is treated as invalid.
When calculating the signature, the session unique identifier uid obtained after the key exchange is completed needs to be used as a salt value. The uid will only be transmitted at key exchange, the transmission of the uid will not be involved in other requests, and the uids for different sessions are different.
6. Integrity vulnerability attacks
When the server side does not check the integrity of data submitted by the front end, data tampered with while the request is in transit can be stored and read normally, which is a potential security hazard. Similarly, when the client side does not check the integrity of data returned by the server, the client is subjected to unauthorised operations when the returned data is tampered with.
The security gateway processing procedure may be: the security gateway introduces an integrity checking component that identifies and blocks tampered requests by employing a request parameter signature verification scheme. When the client initiates a request, a client security component is utilized to calculate signatures for all parameters in the current request. And the security gateway verifies the signature by using the integrity verification component, if the signature is consistent with the signature, the signature is confirmed to be a valid request, otherwise, the signature is regarded as an invalid request.
When calculating the signature, the session unique identifier uid obtained after the key exchange is completed is used as a salt value. The uid is transmitted only when its key is exchanged, and the transmission of the uid is not involved in other requests, and the uids of different sessions are different.
7. Brute force attack
Brute force attacks are attacks that try to obtain a user's password through a large number of guesses and exhaustive enumeration.
The security gateway may process it as follows: the commonly used anti-brute-force mechanism is an image captcha, so the security gateway can provide an image captcha function whose generated images contain many interfering elements to resist automated recognition; on that basis, the security gateway also adds an error-limiting mechanism: an account that exceeds the specified number of failed logins is locked, and login can be attempted again only after waiting for a period of time or after an administrator unlocks it.
Because an image captcha adds an extra step for the user and degrades the usability of the system, the security gateway can also provide an anti-brute-force mechanism that reduces captcha entry, for example a combination of browser fingerprint, dynamic captcha and captcha signature, which achieves the same effect as the image captcha and so reduces user operations without sacrificing security.
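The error-limiting mechanism described above (lock an account after too many failed logins, release it after a waiting period or on administrator action), as an added example that is not the patent's own code. The policy values are assumptions: five consecutive failures lock the account for 15 minutes, a failed captcha is rejected before the password is checked and is not counted as a guess, and a successful login resets the failure count.

```javascript
// Added example (not the patent's own code): gateway-side login guard
// implementing the error-limiting lockout. Assumed policy: 5 consecutive
// failures lock the account for 15 minutes; an administrator may unlock early.
const MAX_FAILURES = 5;
const LOCK_MS = 15 * 60 * 1000;

class LoginGuard {
  constructor() { this.state = new Map(); } // account -> { failures, lockedUntil }

  entry(account) {
    if (!this.state.has(account)) this.state.set(account, { failures: 0, lockedUntil: 0 });
    return this.state.get(account);
  }

  // A lock that has run out is cleared lazily on the next lookup.
  isLocked(account, nowMs = Date.now()) {
    const e = this.entry(account);
    if (e.lockedUntil && nowMs >= e.lockedUntil) { e.failures = 0; e.lockedUntil = 0; }
    return e.lockedUntil > nowMs;
  }

  // Called by the gateway for every login attempt. captchaOk and passwordOk are
  // the outcomes of the captcha check and the credential check; the decision
  // string is what the gateway maps to its error response.
  attempt(account, captchaOk, passwordOk, nowMs = Date.now()) {
    if (this.isLocked(account, nowMs)) return 'locked';
    if (!captchaOk) return 'captcha_failed'; // password is not even evaluated
    const e = this.entry(account);
    if (passwordOk) { e.failures = 0; return 'ok'; }
    e.failures += 1;
    if (e.failures >= MAX_FAILURES) { e.lockedUntil = nowMs + LOCK_MS; return 'locked'; }
    return 'wrong_password';
  }

  adminUnlock(account) { this.state.set(account, { failures: 0, lockedUntil: 0 }); }
}

// Constructed walk-through: six wrong passwords for one account, then a correct
// password while locked, after the wait, and after an administrator unlock.
function demoLockout() {
  const g = new LoginGuard();
  const t0 = 1700000000000;
  const results = [];
  for (let i = 0; i < 6; i++) results.push(g.attempt('alice', true, false, t0 + i * 1000));
  const whileLocked = g.attempt('alice', true, true, t0 + 60 * 1000);
  const afterWait = g.attempt('alice', true, true, t0 + LOCK_MS + 10 * 1000);
  for (let i = 0; i < MAX_FAILURES; i++) g.attempt('bob', true, false, t0 + i * 1000);
  const bobLocked = g.attempt('bob', true, true, t0 + 6000);
  g.adminUnlock('bob');
  const bobAfterUnlock = g.attempt('bob', true, true, t0 + 7000);
  return { results, whileLocked, afterWait, bobLocked, bobAfterUnlock };
}
```

Rejecting a locked account before the credential check means a correct password submitted during the lock still fails, which is what makes the lock effective against continued guessing; the captcha check runs first so that automated submissions never reach the password comparison at all.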
In a specific implementation, the client security component is introduced into the client of the business system, the server security component and the security gateway are introduced on the server side of the business system, and once the security configuration is enabled, the security gateway returns an error to the client of the business system whenever it receives an attack request, for example error code 474 with the prompt "illegal request". During development, the method comprises usage steps for the client side and for the server side of the business system. Development steps for the client of the business system: (1) introduce the js package of the security component; (2) enable the security configuration: the individual security functions are switched on through security configuration items in the client's global configuration file, after which the client interoperates with the security gateway and gains the web attack prevention functions; the client enables the security configuration in the file files/requests/settings.js, which contains the security configuration switches, where true means a function is enabled and false means it is disabled.
Development steps for the server side of the business system: (1) integrate the security component: introduce the jar package of the security component; add the security component to the component scan path; assign the SpringContext to the SecurityAPI; place the properties file under the resources directory; (2) enable the session component: start the SessionToolFilter provided by the server side of the security component, and in ESAPI.properties configure ESAPI.sessionToolHelper with the session component helper class provided by the security component, according to whether the business microservice uses a session or a token authentication mechanism; (3) release and deploy the security gateway.
In summary, the invention has the following advantages:
1. The invention provides a complete set of security gateway and security protection components for a system, improving web security and the efficiency of remediation;
2. The security gateway implements application-level filtering and protection; a dedicated security component is developed for each specific security problem, the components are independent and decoupled, and each can be enabled or disabled on its own through the configuration file, which greatly improves the flexibility and extensibility of the application gateway; and because users cannot perceive the security gateway, business system developers keep their original development style;
3. The invention can be packaged as a client security component and a security gateway, which are highly general and compatible, letting business system developers focus on developing business functions rather than fixing security problems, thereby reducing code intrusion, the impact on the application system, the difficulty of secure development and the workload of business developers.
The preferred embodiments of the present invention have been described above with reference to the accompanying drawings, and are not to be construed as limiting the scope of the invention. Any modifications, equivalents and improvements which may occur to those skilled in the art without departing from the scope and spirit of the present invention are intended to be within the scope of the claims.

Claims (10)

1. A method of proactively defending against web attacks, the method comprising the steps of:
after a web security gateway receives a request sent from the client of a service system to the server of the service system, the web security gateway performs a security check on the request based on a security chain mechanism;
and if the request passes the security check of the web security gateway, forwarding the request to the server side of the service system.
2. The method of claim 1, wherein the security check of the request based on a security chain mechanism comprises processing for the following web attacks: SQL injection attacks, XSS attacks, CSRF attacks, plaintext transmission vulnerability attacks, replay attacks, integrity vulnerability attacks, and brute-force attacks.
3. The method of claim 2, wherein the processing for the SQL injection attack comprises:
the web security gateway acquires all request parameters in the request;
the web security gateway traverses a preset keyword set, searches the keywords in request parameters, and if the keywords are found, deletes the keywords in the request parameters;
and traversing a preset special character set by the web security gateway, searching the characters in the request parameters, and if the characters are found, replacing or deleting the characters in the request parameters.
4. The method of claim 2, wherein processing for the XSS attack comprises:
the web security gateway acquires all request parameters in the request;
the web security gateway traverses a preset tag set, searches the content of the tag in a request parameter, and if the content of the tag in the request parameter is found, performs html (hypertext markup language) escaping processing on the content of the tag in the request parameter;
and traversing a preset sensitive character set by the web security gateway, searching the characters in request parameters, and if the characters are found, replacing or deleting the characters in the request.
5. The method of claim 2, wherein the processing for the CSRF attack comprises:
the web security gateway acquires the Referer header of the request and determines the legitimacy of the request from the Referer header, so as to block illegitimate requests;
and the web security gateway acquires the Origin header of the request and determines from the Origin header whether the request is a cross-domain access request, so as to block cross-domain access requests.
6. The method of claim 2, wherein the processing for the plaintext transmission vulnerability attack comprises:
and the web security gateway completes key exchange operation in advance so as to encrypt and decrypt data transmitted between the server side of the service system and the client side of the service system.
7. The method of claim 2, wherein processing for the replay attack comprises:
the web security gateway acquires a timestamp, a random number and an anti-replay signature from the header of the request by utilizing an anti-replay attack component, wherein the anti-replay signature is generated by a client of the service system according to the timestamp, the random number and a pre-agreed session unique identifier;
the timestamp, the nonce, and the anti-replay signature obtained from the request are each verified to determine whether the request is a valid request.
8. The method of claim 2, wherein processing for the integrity vulnerability attack comprises:
the web security gateway acquires all parameters and a client integrity signature from the request by using an integrity verification component, wherein the client integrity signature is generated by a client of the service system according to all the parameters and a pre-agreed session unique identifier;
generating a server end integrity signature according to all the parameters acquired from the request and a locally stored pre-agreed session unique identifier;
and determining whether the request is a valid request according to whether the client integrity signature and the server integrity signature are consistent.
9. The method of claim 2, wherein the processing for the brute-force attack comprises:
the web security gateway verifies the request initiated by the client of the service system using a captcha mechanism, or using the captcha mechanism together with an error-limiting mechanism, so as to determine whether the request is a valid request.
10. A web security gateway based on active defense, characterized in that the web security gateway is based on a security chain mechanism, and when a request arrives at the gateway, the steps of the method of any one of claims 1-9 are implemented one by one according to the security chain.
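The security chain of claims 1, 2 and 10, with the Referer/Origin check of claim 5, the tag escaping of claim 4 and the keyword/special-character handling of claim 3 as its components, is shown below as an added example that is not the patent's own code. Each component is switched on or off by a configuration flag, mirroring the true/false switches of the client settings file in the description; the allowed-origin list, keyword set, tag set and special-character set are constructed sample values, and the 474 "illegal request" response follows the error described in the implementation notes.

```javascript
// Added example (not the patent's own code): a security chain of independent,
// individually switchable components run over an incoming request. Lists below
// are constructed sample values, not the patent's actual sets.
const ALLOWED_ORIGINS = new Set(['https://app.example.test']); // constructed
const SQL_KEYWORDS = ['union', 'select', 'drop'];               // constructed
const SQL_SPECIALS = /['"\\]/g;                                 // constructed
const HTML_TAGS = ['script', 'iframe', 'img'];                  // constructed

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Origin header if present, otherwise the origin of the Referer; null if neither
// is usable, which the CSRF component treats as a reason to reject.
function originOf(headers) {
  if (headers.origin) return headers.origin;
  try { return headers.referer ? new URL(headers.referer).origin : null; } catch (e) { return null; }
}

// Each component returns null to pass the (possibly rewritten) request on,
// or a string explaining why the request is rejected.
const components = {
  csrf(req) {
    const origin = originOf(req.headers);
    if (!origin) return 'missing Referer/Origin';
    if (!ALLOWED_ORIGINS.has(origin)) return 'cross-domain request';
    return null;
  },
  xss(req) {
    for (const [k, v] of Object.entries(req.params)) {
      const lower = v.toLowerCase();
      if (HTML_TAGS.some(t => lower.includes(`<${t}`))) req.params[k] = escapeHtml(v);
    }
    return null;
  },
  sql(req) {
    for (const [k, v] of Object.entries(req.params)) {
      let out = v;
      for (const kw of SQL_KEYWORDS) out = out.replace(new RegExp(`\\b${kw}\\b`, 'gi'), '');
      req.params[k] = out.replace(SQL_SPECIALS, '');
    }
    return null;
  },
};

// Runs the enabled components in chain order over a copy of the request.
// The first rejection stops the chain; otherwise the rewritten request is
// what would be forwarded to the business server.
function runChain(config, request) {
  const req = { headers: { ...request.headers }, params: { ...request.params } };
  for (const name of Object.keys(components)) {
    if (!config[name]) continue; // component switched off in configuration
    const rejection = components[name](req);
    if (rejection) return { status: 474, error: 'illegal request', component: name, reason: rejection };
  }
  return { status: 200, forwarded: req };
}

// Constructed walk-through: a same-origin request with markup and a quote in
// its parameters, a foreign-origin request, and the same quote with the SQL
// component switched off.
function demoChain() {
  const allOn = { csrf: true, xss: true, sql: true };
  const same = { headers: { origin: 'https://app.example.test' }, params: { comment: 'hello <script>x</script>', name: "o'neil" } };
  const good = runChain(allOn, same);
  const foreign = runChain(allOn, { headers: { referer: 'https://evil.example.test/page' }, params: {} });
  const sqlOff = runChain({ csrf: true, xss: true, sql: false }, { headers: { origin: 'https://app.example.test' }, params: { name: "o'neil" } });
  return { good, foreign, sqlOff };
}
```

Because the components rewrite the same parameter map in sequence, chain order matters: a later component sees the output of an earlier one, which is why the special-character set here deliberately excludes characters that HTML escaping introduces.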
Priority Applications (1)

Application Number: CN202210507396.3A
Publication: CN114745202A (en)
Priority Date: 2022-05-10
Filing Date: 2022-05-10
Title: Method for actively defending web attack and web security gateway based on active defense
Status: Pending

Publications (1)

Publication Number: CN114745202A (en)
Publication Date: 2022-07-12

Family

ID=82285446

Country Status (1)

Country: CN (1), CN114745202A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN116094748A * | 2022-11-23 | 2023-05-09 | 紫光云技术有限公司 | Message signature interception system based on bloom filter
CN116861439A * | 2023-06-21 | 2023-10-10 | 三峡高科信息技术有限责任公司 | Method for realizing SQL injection prevention of service system in modular manner
CN116861439B * | 2023-06-21 | 2024-04-12 | 三峡高科信息技术有限责任公司 | Method for realizing SQL injection prevention of service system in modular manner

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
KR20070061017A * | 2005-12-08 | 2007-06-13 | 한국전자통신연구원 | Apparatus and method for blocking attack into web-application
US20070136809A1 * | 2005-12-08 | 2007-06-14 | Kim Hwan K | Apparatus and method for blocking attack against Web application
US20100146291A1 * | 2008-12-08 | 2010-06-10 | Oracle International Corporation | Secure framework for invoking server-side apis using ajax
US20170109534A1 * | 2015-10-16 | 2017-04-20 | Sap Se | Dynamic Analysis Security Testing of Multi-Party Web Applications Via Attack Patterns
CN112699374A * | 2020-12-28 | 2021-04-23 | 山东鲁能软件技术有限公司 | Integrity checking vulnerability security protection method and system
CN112711759A * | 2020-12-28 | 2021-04-27 | 山东鲁能软件技术有限公司 | Method and system for preventing replay attack vulnerability security protection

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
高岩; 保永武: "Design and implementation of a defense against DOM-based cross-site scripting attacks" (基于DOM型跨站脚本攻击防御的设计与实现), 网络安全技术与应用 (Network Security Technology and Application), no. 01 *

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination