CN115051832A - Traceable reverse system method, device, equipment and medium - Google Patents

Publication number: CN115051832A
Application number: CN202210508521.2A
Authority: CN (China)
Prior art keywords: attacker, host, preset, browser, script
Legal status: Withdrawn (as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 沈永春, 向超
Current Assignee: DBAPPSecurity Co Ltd (as listed by Google Patents; may be inaccurate)
Original Assignee: DBAPPSecurity Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1475 Passive attacks, e.g. eavesdropping or listening without modification of the traffic monitored

Abstract

The application discloses a traceback countermeasure method, device, equipment and medium, and relates to the technical field of network security. The method comprises: acquiring a webpage access request for a target webpage initiated by an attacker; sending a preset countermeasure script embedded in the target webpage to the attacker's host for storage and local execution, and obtaining personal information on the attacker's host by using a JSONP (JSON with Padding) vulnerability; and obtaining characteristic information of the attacker's host operating system and browser through the locally running preset countermeasure script, and scanning the attacker's local ports based on the personal information to obtain the open-port data of the attacker's host. With this scheme, when the target webpage is illegally accessed by an attacker, the attacker's information can be acquired automatically through the preset countermeasure script and the JSONP vulnerability. In summary, attacker information can be acquired more accurately and effectively during traceback countermeasures.

Description

Traceback countermeasure method, device, equipment and medium
Technical Field
The invention relates to the technical field of network security, and in particular to a traceback countermeasure method, device, equipment and medium.
Background
A computer network attack means that a network attacker obtains illegal privileges by illegal means and uses them to perform unauthorized operations on the attacked host. In the field of network security, tracing an attack to its source is generally difficult and hard to do accurately; unless this is solved, network security cannot be guaranteed and losses are caused to individuals and even countries, so the traceback problem urgently needs solving. With the continuous development of computer network technology and the growing popularity and scale of network applications, network attacks occur frequently, and their proliferation has become a chronic problem of the internet industry and a major network security risk. In the prior art, an IP (Internet Protocol) tracing method is generally used: the intruder's IP information is obtained through the browser web-page instant messaging function of the website the intruder accesses. However, attackers generally use a proxy server or an anonymous network to mask their real IP address, so the traditional IP-based tracing method obtains very limited identity information about the attacker, making it difficult to trace and counter the attacker effectively and in time, and the process takes a long time. In summary, how to acquire attacker information more accurately and effectively during traceback countermeasures remains to be solved.
Disclosure of Invention
In view of the above, an object of the present invention is to provide a traceback countermeasure method, device, equipment and medium that can acquire attacker information more accurately and effectively during traceback countermeasures. The specific scheme is as follows:
In a first aspect, the present application discloses a traceback countermeasure method, including:
acquiring a webpage access request for a target webpage initiated by an attacker;
sending a preset countermeasure script embedded in the target webpage to the attacker's host for storage and local execution, and obtaining personal information on the attacker's host by using a JSONP (JSON with Padding) vulnerability;
obtaining characteristic information of the attacker's host operating system and browser through the locally running preset countermeasure script, and scanning the attacker's local ports based on the personal information to obtain the open-port data of the attacker's host.
Optionally, the method further includes:
constructing the preset countermeasure script from JavaScript code by using a hash algorithm, and embedding the preset countermeasure script in the target webpage.
Optionally, obtaining the characteristic information of the attacker's host operating system and browser through the locally running preset countermeasure script includes:
acquiring a first callback function that is returned by the attacker's host and corresponds to the locally running preset countermeasure script, and determining the characteristic information of the attacker's host operating system and browser based on the first callback function.
Optionally, obtaining the characteristic information of the attacker's host operating system and browser includes:
acquiring any one or a combination of the operating system type, operating system time zone, screen resolution, browser fingerprint, browser type and browser version of the attacker's host, so as to obtain the characteristic information of the attacker's host operating system and browser.
Optionally, obtaining personal information on the attacker's host by using the JSONP vulnerability includes:
obtaining, by using the JSONP vulnerability, personal information consisting of any one or more of a user account, a user name and a mobile phone number on the attacker's host.
Optionally, obtaining the personal information on the attacker's host by using the JSONP vulnerability includes:
detecting all requests sent by the browser when the target webpage is accessed, and, when a callback request appears among the requests, checking the data returned in the callback request;
if the data returned in the callback request contains a preset target keyword, determining that a JSONP vulnerability currently exists, and sending the link address of the JSONP vulnerability to a preset server, so as to obtain the corresponding personal information based on the link address and store it in the preset server.
Optionally, the method further includes:
acquiring a second callback function, corresponding to the callback request, that is constructed through a preset interface, so as to return the corresponding personal information through the second callback function.
In a second aspect, the present application discloses a traceback countermeasure device, including:
an access request acquisition module, configured to acquire a webpage access request for a target webpage initiated by an attacker;
a countermeasure script sending module, configured to send a preset countermeasure script embedded in the target webpage to the attacker's host for storage and local execution, and to obtain personal information on the attacker's host by using a JSONP vulnerability;
a data acquisition module, configured to obtain characteristic information of the attacker's host operating system and browser through the locally running preset countermeasure script, and to scan the attacker's local ports based on the personal information to obtain the open-port data of the attacker's host.
In a third aspect, the present application discloses an electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the steps of the traceback countermeasure method disclosed above.
In a fourth aspect, the present application discloses a computer-readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the steps of the traceback countermeasure method disclosed above.
When performing traceback countermeasures, the application first acquires a webpage access request for a target webpage initiated by an attacker, sends the preset countermeasure script in the target webpage to the attacker's host for storage and local execution, and obtains personal information on the attacker's host by using the JSONP vulnerability. It then obtains the characteristic information of the attacker's host operating system and browser through the locally running preset countermeasure script, and scans the attacker's local ports based on the personal information to obtain the open-port data of the attacker's host. In other words, the preset countermeasure script is embedded in the target webpage and, when a webpage access request for the target webpage initiated by an attacker is acquired, is automatically sent to the attacker's host and run locally to obtain the characteristic information of the attacker's host operating system and browser, while the attacker's personal information is obtained through the JSONP vulnerability.
Therefore, by inserting the preset countermeasure script into the target webpage, the application causes the script to be automatically downloaded to the attacker's host and run locally when the attacker accesses the target webpage, obtaining the characteristic information of the attacker's host operating system and browser through the script and the attacker's personal information through the JSONP vulnerability. When the target webpage is illegally accessed, the attacker's information is thus acquired automatically, the attacker's identity can be located more precisely, and tracing is more accurate and effective. This addresses the problem that, when the intruder's IP information is obtained through the browser web-page instant messaging function of the website the intruder accesses, the attacker masks the real IP address with a proxy server or an anonymous network, so that the attacker is difficult to trace and counter effectively and in time. In summary, attacker information can be acquired more accurately and effectively during traceback countermeasures.
Drawings
To illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in describing the embodiments or the prior art are briefly introduced below. The drawings described below are only embodiments of the present invention; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a traceback countermeasure method provided in the present application;
Fig. 2 is a flowchart of a specific traceback countermeasure method provided in the present application;
Fig. 3 is a schematic structural diagram of a traceback countermeasure device provided in the present application;
Fig. 4 is a block diagram of an electronic device provided in the present application.
Detailed Description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments that a person skilled in the art can derive from the embodiments given here without creative effort fall within the protection scope of the present invention.
With the continuous development of computer network technology and the growing popularity and scale of network applications, network attacks occur frequently, and their proliferation has become a chronic problem of the internet industry and a major network security risk. In the prior art, an IP (Internet Protocol) tracing method is generally used: the intruder's IP information is obtained through the browser web-page instant messaging function of the website the intruder accesses. However, attackers generally use a proxy server or an anonymous network to mask their real IP address, so the traditional IP-based tracing method obtains very limited identity information about the attacker, making it difficult to trace and counter the attacker effectively and in time, and the process takes a long time. The traceback countermeasure method of the present application can therefore acquire attacker information more accurately and effectively during traceback countermeasures.
An embodiment of the invention discloses a traceback countermeasure method which, as shown in Fig. 1, comprises the following steps:
Step S11: acquiring a webpage access request for the target webpage initiated by an attacker.
In this embodiment, when an attacker illegally browses the target webpage, the attacker probes the website's application server and initiates a webpage access request for the target webpage. The target webpage includes, but is not limited to, pages of normal websites and WEB (World Wide Web) application pages. After the attacker's terminal initiates the webpage access request, the target webpage side acquires it, so that the attacker's request can be identified and the preset countermeasure script in the target webpage can be automatically sent to the attacker's host for the subsequent traceback and countermeasure operations against the attacker.
Step S12: sending the preset countermeasure script embedded in the target webpage to the attacker's host for storage and local execution, and obtaining personal information on the attacker's host by using a JSONP vulnerability.
In this embodiment, the preset countermeasure script is constructed from JavaScript code by using a hash algorithm and is embedded in the target webpage. When the attacker's terminal initiates a webpage access request for the target webpage and the target webpage side acquires it, the preset countermeasure script embedded in the target webpage in advance is sent to the attacker's host for storage and local execution. That is, the attacker's terminal automatically downloads the preset countermeasure script and runs it locally when accessing the target webpage. At the same time, personal information on the attacker's host is obtained by using the JSONP vulnerability. With this scheme, when an attacker illegally accesses the target webpage, the preset countermeasure script is automatically downloaded to the host and runs automatically, so that it can obtain the characteristic information of the attacker's host operating system and browser, realizing automatic traceback countermeasures.
Step S13: obtaining characteristic information of the attacker's host operating system and browser through the locally running preset countermeasure script, and scanning the attacker's local ports based on the personal information to obtain the open-port data of the attacker's host.
In this embodiment, obtaining the characteristic information of the attacker's host operating system and browser specifically includes: acquiring a first callback function that is returned by the attacker's host and corresponds to the locally running preset countermeasure script, and determining the characteristic information of the attacker's host operating system and browser based on the first callback function. That is, the characteristic information is obtained through the first callback function corresponding to the preset countermeasure script. Any one or a combination of the operating system type, operating system time zone, screen resolution, browser fingerprint, browser type and browser version of the attacker's host is acquired to obtain the characteristic information of the attacker's host operating system and browser. The first callback function serves to obtain this characteristic information, and when the preset countermeasure script is constructed, the first callback function can be built according to actual requirements so as to obtain the required characteristic information.
In this embodiment, the JSONP vulnerability is used to obtain personal information consisting of any one or more of a user account, a user name and a mobile phone number on the attacker's host, and the attacker's local ports are scanned based on the personal information, so that the characteristic information of the attacker's host operating system and browser and the open-port data of the attacker's host are obtained. With this scheme, the preset countermeasure script embedded in the target webpage in advance and the JSONP vulnerability automatically acquire the attacker's host information when the attacker illegally accesses the target webpage, so that traceback countermeasures against the attacker are realized automatically. This addresses the problems that obtaining the attacker's IP information through the browser web-page instant messaging function of the accessed website yields only limited identity information, that the attacker is difficult to trace and counter effectively and in time, and that the time cost is high, making traceback countermeasures more accurate and effective.
As can be seen, in this embodiment a preset countermeasure script is embedded in the target webpage; when a webpage access request for the target webpage initiated by an attacker is acquired, the script is automatically sent to the attacker's host and run locally to obtain the characteristic information of the attacker's host operating system and browser, while the attacker's personal information is obtained through the JSONP vulnerability. When the target webpage is illegally accessed, the attacker's information is therefore acquired automatically through the preset countermeasure script and the JSONP vulnerability, the attacker's identity can be located more precisely, and tracing is more accurate and effective. This addresses the problem that, when the intruder's IP information is obtained through the browser web-page instant messaging function of the website the intruder accesses, the attacker masks the real IP address with a proxy server or an anonymous network, so that the attacker is difficult to trace and counter effectively and in time. In summary, attacker information can be acquired more accurately and effectively during traceback countermeasures.
Referring to Fig. 2, an embodiment of the present invention discloses a specific traceback countermeasure method; compared with the previous embodiment, this embodiment further describes and optimizes the technical solution.
Step S21: acquiring a webpage access request for the target webpage initiated by an attacker.
Step S22: sending the preset countermeasure script embedded in the target webpage to the attacker's host for storage and local execution.
Step S23: detecting all requests sent by the browser when the target webpage is accessed, and, when a callback request appears among the requests, checking the data returned in the callback request.
In this embodiment, all requests issued by the browser when accessing the target webpage are detected. When the keyword callback is found in a request, the request is recorded, and the data returned in the callback request is then accessed and checked. In this way the key callback requests are recorded and the data returned from the attacker side in those requests is checked, so that the returned data can subsequently be analyzed to judge whether the callback request is suspected of having a JSONP vulnerability; the personal information subsequently obtained through the JSONP vulnerability is stored and later used to obtain the open-port information of the attacker's host.
Step S24: if the data returned in the callback request contains a preset target keyword, determining that a JSONP vulnerability currently exists, and sending the link address of the JSONP vulnerability to a preset server, so as to obtain the corresponding personal information based on the link address and store it in the preset server.
In this embodiment, the preset server is an Apache server configured to receive the detailed content information of the JSONP vulnerability. Note that the Apache server is different from a honeypot server. Deploying a honeypot server includes deploying the honeypot server on an nginx server and generating the static WEB page corresponding to it, that is, a first deployment module used to deploy the honeypot server and generate its static webpage. The WEB countermeasure technique used in this embodiment differs from a honeypot: a preset countermeasure script is embedded in a normal website or WEB application page, and the script is automatically downloaded to the attacker's machine and run locally to obtain traceback information when the attacker accesses the page. A honeypot, by contrast, uses network deception: it constructs a scenario that induces the attacker to access and download files, and when the attacker downloads and opens a file locally, embedded code is triggered that records and returns characteristic information of the attacking host and the attacker to achieve traceback and countermeasures. In this embodiment, the preset server is set up to store the attacker's personal information obtained through the JSONP vulnerability.
In this embodiment, a second callback function, corresponding to the callback request and constructed through a preset interface, is acquired so that the corresponding personal information is returned through it. The second callback function is constructed through the preset interface according to the preset target keyword and is used to obtain the attacker's personal information, which includes, but is not limited to, a user account, a user name and a mobile phone number. When the data returned in the callback request contains a preset target keyword, it is determined that a JSONP vulnerability currently exists, and the link address of the JSONP vulnerability is sent to the preset server, so as to obtain the corresponding personal information based on the link address and store it in the preset server. With this scheme, the attacker's personal information returned by the second callback function is stored in the preset server, where it can be looked up when it is needed in later steps, and the attacker's local ports are scanned using the personal information to obtain the open-port data of the attacker's host.
Step S25: obtaining characteristic information of the attacker's host operating system and browser through the locally running preset countermeasure script, and scanning the attacker's local ports based on the personal information to obtain the open-port data of the attacker's host.
As can be seen, in this embodiment all requests sent by the browser are inspected and the data returned in the callback request is checked; when a preset target keyword is present in the returned data, it is determined that a JSONP vulnerability is suspected to exist, and the link address of the JSONP vulnerability is sent to the preset server, so that the corresponding personal information is obtained based on the link address and stored in the preset server. The link address of the JSONP vulnerability is thus stored on the preset server, which makes it convenient to record the attacker's personal information behind that link address.
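The condition tested in steps S23 and S24 (a response wrapped in the requested callback that carries personal-data fields) is also what a site owner audits for in their own endpoints, since any third-party page can read such a response from a logged-in visitor. The following is an added example, not code from the patent: an offline audit over captured traffic, where the callback parameter aliases, the keyword list and the sample exchanges are constructed assumptions.

```javascript
'use strict';
// Added example (not from the patent): flag JSONP responses in captured
// traffic of your own site that expose personal-data fields.

// Assumed names: "callback" is the keyword the text mentions; the rest are common aliases.
const CALLBACK_PARAMS = ['callback', 'cb', 'jsonp', 'jsonpcallback'];
// Assumed target keywords for user account, user name and mobile phone number.
const TARGET_KEYWORDS = ['account', 'username', 'mobile', 'phone'];

// Return { name, value } of the first callback-style query parameter, or null.
function findCallbackParam(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return null; }
  for (const [name, value] of url.searchParams) {
    if (CALLBACK_PARAMS.includes(name.toLowerCase()) && value) return { name, value };
  }
  return null;
}

// If body has the shape `<callback>(<json>)`, return the parsed JSON; else undefined.
function unwrapJsonp(body, callbackName) {
  // Some frameworks prefix "/**/" before the callback name; tolerate it.
  const text = body.trim().replace(/^\/\*\*\/\s*/, '');
  const prefix = callbackName + '(';
  if (!text.startsWith(prefix)) return undefined;
  const end = text.lastIndexOf(')');
  if (end < prefix.length) return undefined;
  const tail = text.slice(end + 1).trim();
  if (tail !== '' && tail !== ';') return undefined;
  try { return JSON.parse(text.slice(prefix.length, end)); } catch { return undefined; }
}

// Walk the payload and collect the paths of keys that match a target keyword.
// Only key paths are recorded, never the values, so the report holds no PII.
function collectSensitiveKeys(value, path = '', found = new Set()) {
  if (Array.isArray(value)) {
    for (const item of value) collectSensitiveKeys(item, path + '[]', found);
  } else if (value !== null && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      const here = path ? `${path}.${key}` : key;
      const norm = key.toLowerCase().replace(/[^a-z0-9]/g, '');
      if (TARGET_KEYWORDS.some((k) => norm.includes(k))) found.add(here);
      collectSensitiveKeys(child, here, found);
    }
  }
  return [...found].sort();
}

// Case-insensitive header lookup.
function header(headers, name) {
  const hit = Object.keys(headers || {}).find((h) => h.toLowerCase() === name);
  return hit ? headers[hit] : undefined;
}

// One finding per exchange whose response is callback-wrapped personal data.
// `credentialed` marks requests that carried a Cookie header: those endpoints
// answer with the visitor's session and are the ones to fix first.
function auditExchanges(exchanges) {
  const findings = [];
  for (const ex of exchanges) {
    const cb = findCallbackParam(ex.url);
    if (!cb || ex.status !== 200) continue;
    const payload = unwrapJsonp(ex.body || '', cb.value);
    if (payload === undefined) continue;
    const keys = collectSensitiveKeys(payload);
    if (keys.length === 0) continue;
    const u = new URL(ex.url);
    findings.push({
      endpoint: u.origin + u.pathname,
      callbackParam: cb.name,
      keys,
      credentialed: header(ex.requestHeaders, 'cookie') !== undefined,
    });
  }
  return findings;
}

// Constructed sample traffic (hypothetical host and values).
const SAMPLE_EXCHANGES = [
  { url: 'https://portal.example.test/api/profile?callback=jQuery111_1&_=1',
    requestHeaders: { Cookie: 'sid=constructed' }, status: 200,
    body: 'jQuery111_1({"code":0,"data":{"userName":"constructed-user","mobile":"000-0000-0000"}});' },
  { url: 'https://portal.example.test/api/weather?callback=cb1',
    requestHeaders: {}, status: 200, body: 'cb1({"city":"X","temp":21})' },
  { url: 'https://portal.example.test/api/profile.json',
    requestHeaders: { Cookie: 'sid=constructed' }, status: 200,
    body: '{"userName":"constructed-user"}' },
  { url: 'https://portal.example.test/api/orders?cb=h2',
    requestHeaders: {}, status: 200,
    body: '/**/ h2({"orders":[{"id":1,"contact":{"phone":"000"}}]})' },
];

console.log(JSON.stringify(auditExchanges(SAMPLE_EXCHANGES), null, 2));
```

Endpoints the audit flags are normally fixed by serving plain JSON under a CORS allow-list instead of JSONP, or by requiring a per-session token the calling page must supply.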
Referring to fig. 3, an embodiment of the present application discloses a source-tracing reverse system, including:
the access request acquisition module 11 is configured to acquire a web page access request for a target web page, which is initiated by an attacker;
the anti-script sending module 12 is configured to send a preset anti-script embedded in the target webpage to the host of the attacker for storage and local operation, and obtain personal information on the host of the attacker by using a JSONP vulnerability;
the data obtaining module 13 is configured to obtain characteristic information of the host operating system and the browser of the attacker through the locally run preset counter script, and scan the local port of the attacker based on the personal information to obtain host open port data of the attacker.
It can be seen that, in the embodiment, when performing source-tracing reverse control, a preset reverse control script is embedded in the target webpage and automatically sent to the attacker host and locally run to obtain the characteristic information of the attacker host operating system and the browser when acquiring a webpage access request initiated by an attacker and directed to the target webpage, and meanwhile, the JSONP vulnerability is utilized to obtain the personal information of the attacker. Therefore, when the application carries out the reverse tracing, by inserting the preset reverse script into the target webpage, when the attacker accesses the target webpage, the preset counter script is automatically downloaded to the host of the attacker and locally operated, meanwhile, the characteristic information of the host operating system and the browser of the attacker and the personal information of the attacker are respectively obtained through the JSONP vulnerability, so that when the target webpage is illegally accessed by an attacker, the information of the attacker can be automatically acquired through the preset reverse script and the JSONP vulnerability, the identity of the attacker can be more accurately positioned, more accurate and effective tracing can be realized, therefore, the problem that when the IP information of the intruder is obtained through the browser webpage instant messaging function of the website accessed by the intruder, the attacker can cover the real IP address of the intruder by using a proxy server or an anonymous network, so that the attacker is difficult to effectively trace the source and control in time is solved. In conclusion, the information of the attacker can be acquired more accurately and effectively when the source tracing reaction of the attacker is carried out.
In some embodiments, the source-tracing countermeasure device further includes:
a countermeasure script construction module, configured to construct the preset countermeasure script using a hash algorithm based on JavaScript code and to embed the preset countermeasure script into the target webpage.
In some specific embodiments, the data acquisition module 13 is specifically configured to: acquire a first callback function that is returned by the attacker's host and corresponds to the locally run preset countermeasure script, and determine the characteristic information of the attacker's host operating system and browser based on the first callback function.
In some specific embodiments, the data acquisition module 13 is specifically configured to: acquire any one or a combination of the operating system type, the operating system time zone, the screen resolution, the browser fingerprint, the browser type and the browser version of the attacker's host, so as to obtain the characteristic information of the attacker's host operating system and browser.
In some specific embodiments, the data acquisition module 13 is specifically configured to: acquire, by using the JSONP vulnerability, the personal information on the attacker's host, consisting of any one or more of a user account, a user name and a mobile phone number.
In some specific embodiments, the data acquisition module 13 specifically includes:
a data checking unit, configured to inspect all requests sent by the browser when the target webpage is accessed and, when a callback request appears among the requests, to check the data returned in the callback request;
a link storage unit, configured to determine that a JSONP vulnerability currently exists if the data returned in the callback request contains a preset target keyword, and to send the link address of the JSONP vulnerability to a preset server, so that the corresponding personal information is obtained based on the link address and stored in the preset server.
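The check that the data checking unit and link storage unit perform is, seen from the other side, a JSONP exposure audit that a site owner can run over traffic captured from their own application. The following is an added example, not code from the patent; the record format, callback parameter names, keyword list and function names are assumptions.

```javascript
// Added example: audit captured traffic for JSONP responses exposing account data.
// Record shape, parameter names and keyword list are assumptions, not from the patent.
const CALLBACK_PARAMS = ["callback", "cb", "jsonp", "jsonpcallback"];
const TARGET_KEYWORDS = ["username", "account", "phone", "mobile", "email"];

// Return the callback name carried in the URL query string, or null.
function callbackName(url) {
  for (const [key, value] of new URL(url).searchParams) {
    if (CALLBACK_PARAMS.includes(key.toLowerCase()) && /^[\w$.]+$/.test(value)) return value;
  }
  return null;
}

// Parse `name({...})`, tolerating a leading `/**/` and a trailing `;`; undefined if not JSONP.
function jsonpPayload(body, name) {
  const text = body.trim().replace(/^\/\*[\s\S]*?\*\/\s*/, "");
  const end = text.lastIndexOf(")");
  if (!text.startsWith(name + "(") || !/^\)\s*;?$/.test(text.slice(end))) return undefined;
  try {
    return JSON.parse(text.slice(name.length + 1, end));
  } catch { return undefined; } // callback wrapper around something that is not JSON
}

// Collect object keys, at any depth, whose name contains a target keyword.
function sensitiveKeys(value, found = new Set()) {
  if (value && typeof value === "object") {
    for (const [key, child] of Object.entries(value)) {
      if (TARGET_KEYWORDS.some((w) => key.toLowerCase().includes(w))) found.add(key);
      sensitiveKeys(child, found);
    }
  }
  return found;
}

// Flag every captured exchange that is a JSONP response carrying sensitive fields.
function auditCapture(records) {
  const findings = [];
  for (const { url, body } of records) {
    const name = callbackName(url);
    const payload = name ? jsonpPayload(body, name) : undefined;
    const keys = [...sensitiveKeys(payload)];
    if (keys.length) findings.push({ endpoint: url.split("?")[0], keys });
  }
  return findings;
}

// Constructed sample capture; example.test hosts are placeholders.
const SAMPLE_CAPTURE = [
  { url: "https://portal.example.test/api/profile?callback=cb_1&t=1",
    body: '/**/cb_1({"code":0,"data":{"userName":"alice","mobilePhone":"000"}});' },
  { url: "https://portal.example.test/api/weather?callback=cb_2", body: 'cb_2({"temp":21})' },
  { url: "https://portal.example.test/api/profile.json", body: '{"userName":"alice"}' },
];
console.log(auditCapture(SAMPLE_CAPTURE));
```

Each finding is an endpoint to move off JSONP (plain JSON behind a restrictive CORS policy) or to gate behind an unguessable token, because any page the logged-in user visits can read a JSONP response.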
In some embodiments, the source-tracing countermeasure device further includes:
a second callback function construction module, configured to acquire a second callback function, constructed through a preset interface, that corresponds to the callback request, so that the corresponding personal information is returned through the second callback function.
Fig. 4 illustrates an electronic device 20 according to an embodiment of the present disclosure. The electronic device 20 may include: at least one processor 21, at least one memory 22, a power supply 23, a communication interface 24, an input/output interface 25, and a communication bus 26. The memory 22 is configured to store a computer program, and the computer program is loaded and executed by the processor 21 to implement the relevant steps of the source-tracing countermeasure method disclosed in any one of the foregoing embodiments. In addition, the electronic device 20 in this embodiment may specifically be an electronic computer.
In this embodiment, the power supply 23 is used to provide voltage for each hardware device on the electronic device 20; the communication interface 24 can create a data transmission channel between the electronic device 20 and an external device, and a communication protocol followed by the communication interface is any communication protocol applicable to the technical solution of the present application, and is not specifically limited herein; the input/output interface 25 is configured to obtain external input data or output data to the outside, and a specific interface type thereof may be selected according to specific application requirements, which is not specifically limited herein.
In addition, the memory 22 is used as a carrier for resource storage, and may be a read-only memory, a random access memory, a magnetic disk or an optical disk, etc., and the resources stored thereon may include an operating system 221, a computer program 222, etc., and the storage manner may be a transient storage manner or a permanent storage manner.
The operating system 221 is used for managing and controlling each hardware device on the electronic device 20 as well as the computer program 222, and may be Windows Server, Netware, Unix, Linux, or the like. In addition to the computer program that is executed by the electronic device 20 to perform the source-tracing countermeasure method disclosed in any of the foregoing embodiments, the computer program 222 may further include computer programs that can be used to perform other specific tasks.
Further, the present application also discloses a computer-readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the source-tracing countermeasure method disclosed in the foregoing. For the specific steps of the method, reference may be made to the corresponding contents disclosed in the foregoing embodiments, which are not described herein again.
Finally, it should also be noted that, herein, relational terms such as first and second are used solely to distinguish one entity or action from another entity or action, without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The source-tracing countermeasure method, device, equipment and medium provided by the invention have been described in detail above. Specific examples are used herein to explain the principle and implementation of the invention, and the description of the above embodiments is only intended to help in understanding the method and core idea of the invention. Meanwhile, for a person skilled in the art, there may be variations in the specific embodiments and the scope of application according to the idea of the invention. In summary, the content of this specification should not be construed as a limitation of the invention.

Claims (10)

1. A source-tracing countermeasure method, characterized by comprising the following steps:
acquiring a webpage access request, initiated by an attacker, for a target webpage;
sending a preset countermeasure script embedded in the target webpage to the attacker's host for storage and local execution, and acquiring personal information on the attacker's host by using a JSONP vulnerability;
acquiring characteristic information of the attacker's host operating system and browser through the locally run preset countermeasure script, and scanning a local port of the attacker based on the personal information to acquire host open port data of the attacker.
2. The source-tracing countermeasure method of claim 1, further comprising:
constructing the preset countermeasure script using a hash algorithm based on JavaScript code, and embedding the preset countermeasure script into the target webpage.
3. The source-tracing countermeasure method of claim 1, wherein the acquiring characteristic information of the attacker's host operating system and browser through the locally run preset countermeasure script comprises:
acquiring a first callback function that is returned by the attacker's host and corresponds to the locally run preset countermeasure script, and determining the characteristic information of the attacker's host operating system and browser based on the first callback function.
4. The source-tracing countermeasure method of claim 1, wherein the acquiring characteristic information of the attacker's host operating system and browser comprises:
acquiring any one or a combination of the operating system type, the operating system time zone, the screen resolution, the browser fingerprint, the browser type and the browser version of the attacker's host, so as to obtain the characteristic information of the attacker's host operating system and browser.
5. The source-tracing countermeasure method of claim 1, wherein the acquiring personal information on the attacker's host by using a JSONP vulnerability comprises:
acquiring, by using the JSONP vulnerability, the personal information on the attacker's host, consisting of any one or more of a user account, a user name and a mobile phone number.
6. The source-tracing countermeasure method of any one of claims 1 to 5, wherein the acquiring personal information on the attacker's host by using the JSONP vulnerability comprises:
inspecting all requests sent by a browser when the target webpage is accessed, and checking the data returned in a callback request when the callback request appears among the requests;
if the data returned in the callback request contains a preset target keyword, determining that a JSONP vulnerability currently exists, and sending a link address of the JSONP vulnerability to a preset server, so that the corresponding personal information is obtained based on the link address and stored in the preset server.
7. The source-tracing countermeasure method of claim 6, further comprising:
acquiring a second callback function, constructed through a preset interface, that corresponds to the callback request, so that the corresponding personal information is returned through the second callback function.
8. A source-tracing countermeasure apparatus, comprising:
an access request acquisition module, configured to acquire a webpage access request, initiated by an attacker, for a target webpage;
a countermeasure script sending module, configured to send a preset countermeasure script embedded in the target webpage to the attacker's host for storage and local execution, and to acquire personal information on the attacker's host by using a JSONP vulnerability;
a data acquisition module, configured to acquire characteristic information of the attacker's host operating system and browser through the locally run preset countermeasure script, and to scan a local port of the attacker based on the personal information to acquire host open port data of the attacker.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the steps of the source-tracing countermeasure method of any one of claims 1 to 7.
10. A computer-readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the steps of the source-tracing countermeasure method of any one of claims 1 to 7.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210508521.2A CN115051832A (en) 2022-05-11 2022-05-11 Traceable reverse system method, device, equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210508521.2A CN115051832A (en) 2022-05-11 2022-05-11 Traceable reverse system method, device, equipment and medium

Publications (1)

Publication Number Publication Date
CN115051832A true CN115051832A (en) 2022-09-13

Family

ID=83157892

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210508521.2A Withdrawn CN115051832A (en) 2022-05-11 2022-05-11 Traceable reverse system method, device, equipment and medium

Country Status (1)

Country Link
CN (1) CN115051832A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101672791B1 (en) * 2015-10-26 2016-11-07 고려대학교 산학협력단 Method and system for detection of vulnerability on html5 mobile web application
ITUB20155056A1 (en) * 2015-09-28 2017-03-28 Minded Security S R L METHOD FOR IDENTIFICATION AND PREVENTION OF CLIENT SIDE WEB ATTACKS
CN108134797A (en) * 2017-12-28 2018-06-08 广州锦行网络科技有限公司 System and method is realized in attack counter based on Honeypot Techniques
CN110839039A (en) * 2019-11-20 2020-02-25 成都知道创宇信息技术有限公司 Intruder countercheck method and device
CN113645253A (en) * 2021-08-27 2021-11-12 杭州安恒信息技术股份有限公司 Attack information acquisition method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20220913