CN115208577A - Random token generation method based on online interactive WEB dynamic defense - Google Patents


Info

Publication number
CN115208577A
Authority
CN
China
Prior art keywords
token
request
client
random
access request
Prior art date
Legal status
Pending
Application number
CN202210746467.5A
Other languages
Chinese (zh)
Inventor
凌颖
黎新
宾冬梅
余通
杨春燕
韩松明
谢铭
Current Assignee
Electric Power Research Institute of Guangxi Power Grid Co Ltd
Original Assignee
Electric Power Research Institute of Guangxi Power Grid Co Ltd
Priority date
2022-06-28
Filing date
2022-06-28
Publication date
2022-10-18
Application filed by Electric Power Research Institute of Guangxi Power Grid Co Ltd
Priority to CN202210746467.5A
Publication of CN115208577A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/108 Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a random token generation method based on online interactive WEB dynamic defense, comprising the following steps: the client sends an access request to the dynamic security protection system; the system verifies the random token carried in the access request, and if the token is legal it forwards the access request to the web server and proceeds to the next step; if the token is illegal it intercepts the access request and returns a status code to the client; when the access request carries no random token, a random token is issued to the client; the server returns a request response result; and the dynamic security protection system updates the random token and sends the request response result, carrying the updated random token, to the client. By verifying the validity of token-carrying access requests, the invention keeps the service-plane processing flow running normally, intercepts malicious requests, and can effectively prevent malicious intrusion behaviours such as horizontal and vertical unauthorized access (privilege escalation), layer-7 (application-layer) distributed denial-of-service attacks and request replay.

Description

Random token generation method based on online interactive WEB dynamic defense
Technical Field
The invention relates to the technical field of internet information security, in particular to a random token generation method based on online interactive WEB dynamic defense.
Background
With the further development of information-based construction in China, the threat landscape for cyberspace assets keeps evolving. The security vulnerability exposure of current internet applications is increasing, and many malicious actors use vulnerability techniques to attack network security. Moreover, vulnerability techniques are copied quickly and continuously, so the cost of a network attack is low while attack efficiency and damage rise rapidly, causing larger-scale service loss and data loss. On one hand, as launching attacks through traditional security vulnerabilities keeps getting harder, the focus of attackers is shifting from traditional system-layer attacks to application-layer and business-layer attacks, and the attack mode is shifting from a purely manual one to a tool-driven one with manual work as a supplement. The wide adoption of attack tools accelerates intrusion, improves intrusion efficiency and lowers the technical skill an attacker needs: anyone who can operate the tool can launch professional attacks against an application system. This poses higher challenges for enterprises in effectively protecting their application systems, produces an obvious imbalance between attack and defence, and leaves malicious intrusion behaviours such as horizontal and vertical unauthorized access, layer-7 distributed denial-of-service attacks and request replay without effective prevention. On the other hand, the national level pays close attention to information security, and the Cybersecurity Law and the basic requirements for network security level protection impose security requirements on enterprises that differ from those of the prior art.
In addition, as the various security inspections and attack-and-defence exercises organised by the Ministry of Industry and Information Technology, the Central Cyberspace Affairs Office and group companies become increasingly frequent, security threats from the Internet have become an important concern and a problem to be solved in the daily security work of enterprises.
Disclosure of Invention
The invention aims to provide a random token generation method based on online interactive WEB dynamic defense, which addresses the inability of the prior art to effectively prevent application-layer and business-layer attacks.
The purpose of the invention is realized by the following technical scheme:
the random token generation method based on online interactive WEB dynamic defense comprises the following steps:
S1, a client sends an access request to a dynamic security protection system;
S2, the dynamic security protection system verifies the random token carried in the access request; if the random token is legal, the access request is forwarded to the web server and the method proceeds to step S3; if the random token is illegal, the access request is intercepted and a status code is returned to the client; when the access request does not carry a random token, a random token is issued to the client;
S3, the server returns a request response result to the dynamic security protection system;
S4, the dynamic security protection system updates the random token and sends a request response result carrying the updated random token to the client; the updated random token is valid once or within a set time period;
S5, the client accesses the WEB according to the updated random token carried in the request response result.
Further, the access request comprises an Ajax request, a non-Ajax get request or a non-Ajax post request.
Further, the random token includes a URL token or a Cookie token.
Further, when the access request does not carry the random token, the process of issuing the random token for the client is as follows:
step S201, when a client accesses a web server for the first time, a dynamic security protection system firstly determines the type of an access request of the client;
step S202, the dynamic security protection system determines whether the access request carries a random token, if not, the step S203 is carried out, otherwise, the validity of the random token is verified;
step S203, the dynamic security protection system generates different random tokens for the client according to the type of the access request.
Further, the step S203 includes:
if the access request is an Ajax request and the website entrance which is requested to be accessed is in the white list, forwarding the Ajax request to the Web server; the Web server returns a success status response code; the dynamic security protection system dynamically packages the webpage, generates a URL token, and issues the packaged webpage and the URL token to the client browser;
if the access request is a non-Ajax get request and the website entrance requested to be accessed is in the white list, forwarding the non-Ajax get request to the web server; the web server returns a success status response code; the dynamic security protection system generates a Cookie token and issues the Cookie token to the client browser in a Set-Cookie mode;
if the access request is a non-Ajax post request and the website entrance requested to be accessed is in the white list, the dynamic security protection system generates a Cookie token and sends the Cookie token to the client.
Further, intercepting the access request and returning the status code to the client if the random token is illegal comprises:
reloading the access request and returning a 412 status code or a 202 status code, referencing Core JS in the reload code, setting CookieS in the response code, the client generating CookieT using CookieS, and CookieT collecting the client's browser fingerprint, attack detection data and timestamp;
in the request the client then sends to the WEB server again, the dynamic security protection system decrypts the token data to verify whether the client's data collection is abnormal, and only requests whose token passes validity verification are allowed to be forwarded to the WEB server.
Further, the updated random token being valid once or within a set time period comprises:
the URL token generated for an Ajax request of a client accessing the web server is a single-use random token, valid within 30 minutes and not allowed to be reused;
the Cookie token generated for a non-Ajax get request or a non-Ajax post request of a client accessing the web server can be reused within 2 minutes; the Cookie token of a non-Ajax post request is not allowed to be reused.
The invention provides a random token generation method based on online interactive WEB dynamic defense, applies the random token in the client environment, and assigns a single-use PASSSID (access identity) to each uniform resource locator (URL) the terminal is authorized to access. The server side is responsible for verifying the validity of the TOKEN associated with the terminal's access to the application and suppressing intrusion attempts such as unauthorized access. By checking the validity of the access source URL carrying the token, the random token keeps the service-plane processing flow running normally, intercepts malicious requests, and can effectively prevent malicious intrusion behaviours such as horizontal and vertical unauthorized access, layer-7 distributed denial-of-service attacks and request replay. For example, the bar for exploiting an unauthorized-access vulnerability in an application is very low, and traditional security mechanisms need to configure and maintain complex security policies to protect against it. Whether the user identifier is modified for horizontal privilege escalation or the management page is accessed directly for vertical privilege escalation, the random token mechanism enforces execution of the business logic in order and provides effective protection.
Drawings
FIG. 1 is a flow chart of a random token generation method based on online interactive WEB dynamic defense according to the present invention;
FIG. 2 is a timing diagram of non-Ajax get request processing;
FIG. 3 is a timing diagram illustrating post request processing for non-Ajax requests;
FIG. 4 is a timing diagram of Ajax request processing.
Detailed Description
The embodiments of the present disclosure are described in detail below with reference to the accompanying drawings.
The embodiments of the present disclosure are described below with specific examples, and other advantages and effects of the present disclosure will be readily apparent to those skilled in the art from the disclosure in the specification. It is to be understood that the embodiments described are only a few embodiments of the present disclosure, and not all embodiments. The disclosure may be carried into practice or applied to various other specific embodiments, and various modifications and changes may be made in the details within the description and the drawings without departing from the spirit of the disclosure. It is to be noted that the features in the following embodiments and examples may be combined with each other without conflict. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without inventive step, are intended to be within the scope of the present disclosure.
The invention discloses a random token generation method based on online interactive WEB dynamic defense, which comprises the following steps:
step S1, the client sends an access request to the dynamic security protection system.
The client may be an electronic device such as a desktop personal computer, a notebook computer, a tablet computer, or a smart phone, which may be connected to the server through a network. The access request comprises an Ajax request, a non-Ajax get request or a non-Ajax post request.
S2, the dynamic security protection system verifies the random token carried in the access request; if the random token is legal, the access request is forwarded to the web server and the method proceeds to step S3; if the random token is illegal, the access request is intercepted and a status code is returned to the client; and when the access request carries no random token, a random token is issued to the client.
Further, the random token in the present application includes a URL token and a Cookie token.
Further, in a preferred embodiment of the present application, when the access request does not carry a random token, the process of issuing the random token for the client is as follows:
step S201, when the client accesses the web server for the first time, the dynamic security protection system determines the type of the access request of the client first.
Step S202, the dynamic security protection system determines whether the access request carries a random token, if not, the step S203 is carried out, otherwise, the validity of the random token is verified.
Step S203, the dynamic security protection system generates different random tokens for the client according to the type of the access request, which specifically includes:
if the access request is an Ajax request and the website entrance which is requested to be accessed is in the white list, forwarding the Ajax request to the Web server; the Web server returns a success status response code indicating that the request was successful. The dynamic security protection system dynamically packages the webpage, generates a URL token, and issues the packaged webpage and the URL token to the client browser;
if the access request is a non-Ajax get request and the website entrance requested to be accessed is in the white list, forwarding the non-Ajax get request to the web server; the web server returns a success status response code indicating that the request is successful; the dynamic security protection system generates a Cookie token and issues the Cookie token to the client browser in a Set-Cookie mode;
if the access request is a non-Ajax post request and the website entrance requested to be accessed is in the white list, the dynamic security protection system generates a Cookie token and sends it to the client; a non-Ajax post request from the client that carries no token does not reach the Web server.
Further, if the random token is illegal, intercepting the access request and returning the status code to the client comprises:
If the URL token or the Cookie token is not legal, the access request is reloaded and a 412 status code (412 Precondition Failed: a client-side error meaning that the access request to the target resource is refused) or a 202 status code (202 Accepted: the server has accepted the request but has not yet processed it) is returned; Core JS is referenced in the reload code, CookieS is set in the response code, the client generates CookieT using CookieS, and CookieT is used to collect the client's browser fingerprint, attack detection data, timestamp (client_send_time) and similar data.
In the request the client then sends to the WEB server again, the online interactive dynamic security protection system decrypts the token carrying the CookieS and CookieT contents, verifies whether the client's data collection (browser fingerprint, operation behaviour and similar information) is abnormal, and forwards to the WEB server only those requests whose token passes validity verification.
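The intercept path just described (also summarised earlier under "intercepting the access request and returning the status code") leaves open how CookieT is encoded and how the system "decrypts" it. The following added Python example, written for this editorial copy and not part of the patent or any product, models one defensible way to implement it: CookieS is a per-challenge random value the server remembers; the browser-side Core JS (modelled here by `client_build_cookie_t`) packs the browser fingerprint, attack-detection data and `client_send_time` into a JSON payload tagged with an HMAC keyed by CookieS; and the server forwards the resubmitted request only if the tag binds CookieT to an outstanding CookieS, the timestamp is fresh, and the collected data is complete. The HMAC-instead-of-decryption choice, the 60-second challenge lifetime, the 30-second clock tolerance, the interpretation of `attack_detection` as a list of indicator flags, and all names in the block are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

CHALLENGE_TTL = 60      # assumed: a CookieS challenge must be answered within 60 seconds
MAX_CLOCK_SKEW = 30     # assumed: tolerated gap between client_send_time and the server clock
REQUIRED_FIELDS = ("browser_fingerprint", "attack_detection", "client_send_time")


class ChallengeVerifier:
    """Server side of the reload/challenge path taken when a token is judged illegal."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}   # CookieS value -> time it was issued

    def intercept(self, status=412):
        """Intercept response: 412 (or 202), a fresh CookieS, and a reload page referencing
        Core JS. CookieS doubles as the per-challenge key that CookieT must be bound to."""
        cookie_s = secrets.token_hex(16)
        self.pending[cookie_s] = self.clock()
        return {"status": status, "set_cookie": {"CookieS": cookie_s}, "reload_script": "core.js"}

    @staticmethod
    def client_build_cookie_t(cookie_s, browser_fingerprint, attack_detection, client_send_time):
        """What Core JS would compute in the browser (modelled in Python here): the collected
        data as compact JSON plus an HMAC tag keyed by CookieS."""
        payload = json.dumps({"browser_fingerprint": browser_fingerprint,
                              "attack_detection": attack_detection,
                              "client_send_time": client_send_time},
                             sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(bytes.fromhex(cookie_s), payload, hashlib.sha256).hexdigest()
        return base64.urlsafe_b64encode(payload).decode() + "." + tag

    def verify(self, cookie_s, cookie_t):
        """Return (ok, reason); the resubmitted request is forwarded only when ok is True."""
        issued = self.pending.get(cookie_s)
        if issued is None:
            return False, "unknown or already answered CookieS"
        now = self.clock()
        if now - issued > CHALLENGE_TTL:
            del self.pending[cookie_s]
            return False, "challenge expired"
        try:
            b64, tag = cookie_t.split(".", 1)
            payload = base64.urlsafe_b64decode(b64.encode())
            expected = hmac.new(bytes.fromhex(cookie_s), payload, hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, tag):   # authenticate before parsing anything
                return False, "CookieT is not bound to this CookieS"
            data = json.loads(payload)
            if not isinstance(data, dict):
                raise ValueError("payload is not a JSON object")
        except (ValueError, TypeError):
            return False, "malformed CookieT"
        missing = [f for f in REQUIRED_FIELDS if f not in data]
        if missing:
            return False, "client data collection incomplete: " + ", ".join(missing)
        ts = data["client_send_time"]
        if not isinstance(ts, (int, float)) or abs(now - ts) > MAX_CLOCK_SKEW:
            return False, "stale, replayed or malformed client_send_time"
        if data["attack_detection"]:     # assumed: a non-empty list of indicator flags = abnormal
            return False, "client reported attack indicators"
        del self.pending[cookie_s]       # each challenge is answered at most once
        return True, "ok"


def run_challenge_walkthrough():
    """Exercises the intercept path with constructed data; returns {scenario: accepted?}."""
    clock = {"now": 1_700_000_000.0}                   # constructed clock the test can advance
    server = ChallengeVerifier(clock=lambda: clock["now"])
    build = ChallengeVerifier.client_build_cookie_t
    fp = {"ua": "Mozilla/5.0 (constructed)", "screen": "1920x1080", "tz": 480}  # constructed
    out = {}
    # 1. Real browser: reload, run Core JS, answer with a fresh CookieT; then replay the answer
    s = server.intercept()["set_cookie"]["CookieS"]
    t = build(s, fp, [], clock["now"] + 0.5)
    out["browser_answer"] = server.verify(s, t)[0]
    out["replayed_answer"] = server.verify(s, t)[0]
    # 2. Tool that never ran the script: nothing usable where CookieT should be
    s = server.intercept()["set_cookie"]["CookieS"]
    out["no_script"] = server.verify(s, "")[0]
    # 3. CookieT computed against a different challenge value
    s = server.intercept()["set_cookie"]["CookieS"]
    out["wrong_challenge"] = server.verify(s, build(secrets.token_hex(16), fp, [], clock["now"]))[0]
    # 4. Recorded CookieT resubmitted 45 s later: challenge still open, timestamp stale
    s = server.intercept()["set_cookie"]["CookieS"]
    t = build(s, fp, [], clock["now"])
    clock["now"] += 45
    out["stale_timestamp"] = server.verify(s, t)[0]
    # 5. Core JS attack detection raised an indicator
    s = server.intercept()["set_cookie"]["CookieS"]
    out["attack_indicators"] = server.verify(s, build(s, fp, ["dom-tampering"], clock["now"]))[0]
    return out


if __name__ == "__main__":
    print(run_challenge_walkthrough())
```

Two properties matter for the defender: each CookieS is answered at most once, so a captured CookieT cannot be replayed against the same challenge, and the freshness check on `client_send_time` bounds how long a recorded answer stays useful. Anything the browser computes in Core JS can also be computed by an automated client that executes the same script, so this check raises the cost of automation and yields fingerprint and timing signals for detection rather than forming a hard barrier.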
S3, the server returns a request response result to the dynamic security protection system.
S4, the dynamic security protection system updates the random token and sends a request response result carrying the updated random token to the client; the updated random token is valid for a single time or for a set period of time.
For the Ajax request of a client accessing the web server, one-time random token verification is performed on the URL token: the token is valid within 30 minutes, may not be reused, and the URL token changes randomly with every client request.
For the non-Ajax get and post requests of a client accessing the web server, Cookie token verification is performed: the Cookie token of a get request can be reused within 2 minutes and must change randomly once it exceeds its validity period; the Cookie token of a post request may not be reused, so it changes randomly with every client request.
S5, the client accesses the WEB according to the updated random token carried in the request response result.
The processing procedure of each request type is explained in detail with reference to FIG. 2 to FIG. 4:
As shown in FIG. 2, a client accesses the web server with a non-Ajax get request. If this is the first access, the request carries no random token. The online interactive dynamic security protection system checks that the request carries no token but the website entrance it accesses is in the white list, and forwards the non-Ajax get request to the web server. The web server returns a success status response code (200 OK) indicating that the request succeeded. The online interactive dynamic security protection system generates a Cookie token and issues it to the client browser by means of Set-Cookie.
The client, holding the Cookie token issued by the online interactive dynamic security protection system, accesses the path /abc. The online interactive dynamic security protection system checks that the Cookie token in the request is legal and forwards the request to the application server. After the server responds, the online interactive dynamic security protection system updates the Cookie token and issues it to the client browser.
The client directly accesses the path /abc carrying a valid Cookie token; the online interactive dynamic security protection system checks that the Cookie token in the request is legal and forwards the request to the Web server. The Web server returns a success status response code (200 OK), and the online interactive dynamic security protection system generates a new token and issues it to the client browser. The client then directly accesses the path /xyz without carrying a valid Cookie token; the online interactive dynamic security protection system checks that the Cookie token in the request is illegal, the request is not sent to the application server, and the online interactive dynamic security protection system re-issues a Cookie token to the client.
As shown in FIG. 3, a client accesses the web server with a non-Ajax post request. If this is the first access, the request carries no random token. The online interactive dynamic security protection system checks that the request carries no token but the website entrance it accesses is in the white list, generates a Cookie token and sends it to the client; the client's request does not reach the Web server.
After the browser receives the Cookie token issued by the online interactive dynamic security protection system, JS controls the page to refresh and resubmit the data without the user noticing.
The client submits the access path /abc by POST; the online interactive dynamic security protection system checks that the Cookie token is legal and forwards the request to the Web server. The server returns a success status response code (200 OK) indicating that the request succeeded, and the online interactive dynamic security protection system updates the token and sends it to the client browser.
As shown in FIG. 4, the client accesses the web server with an Ajax request. If this is the first access, the Ajax request carries no random token. When the dynamic security protection system detects that the Ajax request carries no random token but the website entrance accessed is in the white list, it forwards the Ajax request to the Web server; the Web server returns a success status response code (200 OK) indicating that the request succeeded. The online interactive dynamic security protection system dynamically encapsulates the webpage, generates a URL token, and issues the encapsulated webpage and the URL token to the client browser. The client browser loads the encapsulated webpage and opens it normally; when the client browser has form data to submit, the form data is obfuscated. The client sends a POST /abc request, the online interactive dynamic security protection system checks that the URL token in the request is legal, and the request is forwarded to the Web server. After the Web server responds, the online interactive dynamic security protection system dynamically encapsulates the webpage again, generates a new token and issues it to the client browser.
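To make the S1 to S5 flow and the S4 lifetime rules concrete (URL token single-use and valid for 30 minutes; Cookie token for a non-Ajax get reusable for 2 minutes; Cookie token for a non-Ajax post single-use), here is an added Python simulation of the dynamic security protection system that replays the FIG. 2 to FIG. 4 exchanges just described. It is example code written for this copy, not the patent's or the applicant's implementation. The request dictionary shape, the `web_server` callable, the 202 status returned for a first non-Ajax post, the 2-minute lifetime assumed for the single-use post Cookie token, and the class and function names are all constructed for the example.

```python
import secrets
import time

# Lifetimes from the patent text: a URL token (Ajax flow) is single-use and expires after
# 30 minutes; a Cookie token for a non-Ajax GET may be reused for 2 minutes. The patent gives
# no lifetime for the single-use POST Cookie token, so this example assumes 2 minutes as well.
URL_TOKEN_TTL = 30 * 60
COOKIE_TOKEN_TTL = 2 * 60


class DynamicProtectionSystem:
    """Simulated in-line protection system between the client and the web server."""

    def __init__(self, whitelist, clock=time.time):
        self.whitelist = set(whitelist)  # website entrances that may receive a first token
        self.clock = clock               # injectable so the walk-through can move time forward
        self.tokens = {}                 # token value -> {kind, issued, ttl, single_use}

    def _policy(self, req):
        """Map the request type to (token kind, single-use?, lifetime) as the patent describes."""
        if req["ajax"]:
            return "url", True, URL_TOKEN_TTL
        if req["method"] == "GET":
            return "cookie", False, COOKIE_TOKEN_TTL
        return "cookie", True, COOKIE_TOKEN_TTL

    def _issue(self, kind, single_use, ttl):
        value = secrets.token_urlsafe(24)  # CSPRNG output: the "random" in random token
        self.tokens[value] = {"kind": kind, "issued": self.clock(), "ttl": ttl, "single_use": single_use}
        return value

    def _valid(self, value, kind):
        rec = self.tokens.get(value)
        if rec is None or rec["kind"] != kind:
            return False                 # unknown, forged, or wrong token type for this flow
        if self.clock() - rec["issued"] > rec["ttl"]:
            del self.tokens[value]       # expired
            return False
        if rec["single_use"]:
            del self.tokens[value]       # consumed: a replay of the same value fails
        return True

    def handle(self, req, web_server):
        """Process one request; returns (status, forwarded, token_for_client).

        req: {"method": "GET"|"POST", "path": str, "ajax": bool, "token": str|None}
        web_server: callable(req) -> status code, invoked only when the request is forwarded.
        """
        kind, single_use, ttl = self._policy(req)
        if req["token"] is None:
            # S201-S203: first access without a token; only a whitelisted entrance gets one.
            if req["path"] not in self.whitelist:
                return 412, False, None
            token = self._issue(kind, single_use, ttl)
            if req["method"] == "POST" and not req["ajax"]:
                # FIG. 3: the token goes back to the client and the POST never reaches the
                # server (202 is this example's choice; the patent names no code for this case).
                return 202, False, token
            return web_server(req), True, token        # FIG. 2 / FIG. 4: forward, attach token
        if not self._valid(req["token"], kind):
            # S2, illegal token: intercept; in the Cookie flows a new Cookie token is re-issued
            reissued = self._issue(kind, single_use, ttl) if kind == "cookie" else None
            return 412, False, reissued
        status = web_server(req)                       # S2/S3: legal token, forward, get response
        return status, True, self._issue(kind, single_use, ttl)   # S4: rotate the token


def run_walkthrough():
    """Replays the FIG. 2 to FIG. 4 exchanges; returns what the client observed at each step."""
    clock = {"now": 1_700_000_000.0}                   # constructed clock the test can advance
    dsp = DynamicProtectionSystem(whitelist={"/", "/abc"}, clock=lambda: clock["now"])
    ws = lambda req: 200                               # stand-in web server: always 200 OK

    def req(method, path, ajax=False, token=None):
        return {"method": method, "path": path, "ajax": ajax, "token": token}

    out = {}
    # FIG. 2: non-Ajax GET flow
    out["get_first"], _, c1 = dsp.handle(req("GET", "/abc"), ws)                  # Cookie token c1
    out["get_with_token"], _, c2 = dsp.handle(req("GET", "/abc", token=c1), ws)    # rotated to c2
    out["get_reuse_2min"], _, _ = dsp.handle(req("GET", "/abc", token=c1), ws)     # c1 still reusable
    out["get_bad_token"], _, _ = dsp.handle(req("GET", "/xyz", token="forged"), ws)
    clock["now"] += COOKIE_TOKEN_TTL + 1
    out["get_expired"], _, _ = dsp.handle(req("GET", "/abc", token=c2), ws)        # past 2 minutes
    # FIG. 3: non-Ajax POST flow
    out["post_first"], out["post_first_forwarded"], p1 = dsp.handle(req("POST", "/abc"), ws)
    out["post_with_token"], _, _ = dsp.handle(req("POST", "/abc", token=p1), ws)
    out["post_replay"], _, _ = dsp.handle(req("POST", "/abc", token=p1), ws)       # single-use
    # FIG. 4: Ajax flow with URL token
    out["ajax_first"], _, u1 = dsp.handle(req("GET", "/", ajax=True), ws)          # URL token u1
    out["ajax_post"], _, u2 = dsp.handle(req("POST", "/abc", ajax=True, token=u1), ws)
    out["ajax_replay"], _, _ = dsp.handle(req("POST", "/abc", ajax=True, token=u1), ws)
    clock["now"] += URL_TOKEN_TTL + 1
    out["ajax_expired"], _, _ = dsp.handle(req("POST", "/abc", ajax=True, token=u2), ws)
    return out


if __name__ == "__main__":
    print(run_walkthrough())
```

Running the module prints the per-step outcomes. Two things the simulation makes visible that the prose leaves implicit: a token is only accepted for the flow it was issued for (a Cookie token presented on an Ajax request is rejected), and because the system rotates the token on every response, even the reusable get Cookie token is bounded by the 2-minute window measured from its own issue time, not from its last use.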
Through random token verification and terminal environment inspection, the online interactive dynamic security protection system can identify the terminal operating environment, intercept access requests initiated by non-browsers, and prevent an attacker from simulating manual access with a client-side plug-in or automated tool.
The method can prevent an attacker who has logged in with a normal account from harvesting sensitive client information from the application system item by item by simulating manual access through a script or automated tool, and thus prevents bulk leakage of sensitive data. It can also prevent an attacker from dumping the database with a script. The security of the client's business system data can thus be effectively guaranteed.
The above description is for the purpose of illustrating embodiments of the invention and is not intended to limit the invention, and it will be apparent to those skilled in the art that any modification, equivalent replacement, or improvement made without departing from the spirit and principle of the invention shall fall within the protection scope of the invention.

Claims (7)

1. The random token generation method based on online interactive WEB dynamic defense is characterized by comprising the following steps:
S1, a client sends an access request to a dynamic security protection system;
S2, the dynamic security protection system verifies the random token carried in the access request; if the random token is legal, the access request is forwarded to the web server and the method proceeds to step S3; if the random token is illegal, the access request is intercepted and a status code is returned to the client; when the access request does not carry a random token, a random token is issued to the client;
S3, the server returns a request response result to the dynamic security protection system;
S4, the dynamic security protection system updates the random token and sends a request response result carrying the updated random token to the client; the updated random token is valid once or within a set time period;
S5, the client accesses the WEB according to the updated random token carried in the request response result.
2. The method for generating a random token based on online interactive WEB dynamic defense as claimed in claim 1, wherein the access request comprises an Ajax request, a non-Ajax get request or a non-Ajax post request.
3. The method for generating random tokens based on online interactive WEB dynamic defense according to claim 1, wherein the random tokens comprise URL tokens or Cookie tokens.
4. The method for generating the random token based on the online interactive WEB dynamic defense as claimed in claim 1, wherein when the access request does not carry the random token, the process of issuing the random token to the client comprises:
step S201, when a client accesses a web server for the first time, a dynamic security protection system determines the type of an access request of the client;
step S202, the dynamic security protection system determines whether the access request carries a random token, if not, the step S203 is carried out, otherwise, the validity of the random token is verified;
step S203, the dynamic security protection system generates different random tokens for the client according to the type of the access request.
5. The method for generating random tokens based on online interactive WEB dynamic defense according to claim 4, wherein the step S203 comprises:
if the access request is an Ajax request and the website entrance which is requested to be accessed is in the white list, forwarding the Ajax request to the Web server; the Web server returns a success status response code; the dynamic security protection system dynamically packages the webpage, generates a URL token, and issues the packaged webpage and the URL token to the client browser;
if the access request is a get request which is not Ajax and the website entrance which is requested to be accessed is in the white list, forwarding the get request which is not Ajax to the web server; the web server returns a success status response code; the dynamic security protection system generates a Cookie token and issues the Cookie token to the client browser in a Set-Cookie mode;
if the access request is a non-Ajax post request and the website entrance requested to be accessed is in the white list, the dynamic security protection system generates a Cookie token and sends the Cookie token to the client.
6. The method of claim 1, wherein intercepting the access request and returning a status code to the client if the random token is illegal comprises:
reloading the access request and returning a 412 status code or a 202 status code, referencing Core JS in the reload code, setting CookieS in the response code, the client generating CookieT using CookieS, and CookieT collecting the client's browser fingerprint, attack detection data and timestamp;
in the request the client then sends to the WEB server again, the dynamic security protection system decrypts the token data to verify whether the client's data collection is abnormal, and only requests whose token passes validity verification are allowed to be forwarded to the WEB server.
7. The method for generating random tokens based on online interactive WEB dynamic defense according to claim 1, wherein the updated random token being valid for a single use or within a set time period comprises:
the URL token generated for the client's Ajax request to the web server is a one-time random token, valid for 30 minutes and not allowed to be reused;
the Cookie token generated for the client's non-Ajax get request to the web server can be reused within 2 minutes; the Cookie token generated for a non-Ajax post request is not allowed to be reused.
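The per-request-type issuance of claim 5 and the lifetime rules of claim 7, as an added Python example that is not the patent's own implementation: a gateway in front of a simulated web server classifies each whitelisted request, forwards it where the claim says so, issues a URL token (one-time, 30 minutes) for Ajax or a Cookie token (reusable for 2 minutes after a get, one-time after a post), and later validates tokens against those rules. Assumptions made here: the X-Requested-With header as the Ajax signal, link rewriting as a stand-in for the "dynamic encapsulation" of the page, the 2-minute window also bounding post Cookie tokens (claim 7 gives them no lifetime), and an in-memory token table.

```python
import re
import secrets

# Lifetimes from claim 7. The post-token window is an assumption (claim 7 states none).
URL_TOKEN_TTL = 30 * 60      # URL token: one-time, valid for 30 minutes
COOKIE_TOKEN_TTL = 2 * 60    # Cookie token for a non-Ajax get: reusable for 2 minutes


def classify(request: dict) -> str:
    """'ajax' when the X-Requested-With header is present (assumed signal), else the method."""
    if request["headers"].get("X-Requested-With") == "XMLHttpRequest":
        return "ajax"
    return request["method"].lower()


def wrap_page(body: str, url_token: str) -> str:
    """Hypothetical stand-in for the dynamic encapsulation: append the URL token to every link."""
    return re.sub(r'href="([^"?]+)"', lambda m: f'href="{m.group(1)}?_t={url_token}"', body)


class TokenGateway:
    def __init__(self, whitelist, backend):
        self.whitelist = set(whitelist)
        self.backend = backend   # callable standing in for the web server
        self.tokens = {}         # token -> (kind, issued_at, reusable)

    def _issue(self, kind, reusable, now):
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (kind, now, reusable)
        return token

    def handle(self, request, now):
        """Step S203: issue a different random token depending on the request type."""
        if request["path"] not in self.whitelist:
            return {"status": 403}
        kind = classify(request)
        if kind == "ajax":
            resp = self.backend(request)
            if resp["status"] == 200:
                token = self._issue("url", False, now)
                resp["body"] = wrap_page(resp["body"], token)
                resp["url_token"] = token
            return resp
        if kind == "get":
            resp = self.backend(request)
            if resp["status"] == 200:
                resp["set_cookie"] = {"token": self._issue("cookie", True, now)}
            return resp
        if kind == "post":
            # Claim 5 lists no forwarding step for the non-Ajax post; the token is issued directly.
            return {"status": 200, "set_cookie": {"token": self._issue("cookie", False, now)}}
        return {"status": 405}

    def validate(self, token, now):
        entry = self.tokens.get(token)
        if entry is None:
            return False, "unknown or already consumed"
        kind, issued, reusable = entry
        ttl = URL_TOKEN_TTL if kind == "url" else COOKIE_TOKEN_TTL
        if now - issued > ttl:
            del self.tokens[token]
            return False, "expired"
        if not reusable:
            del self.tokens[token]   # a one-time token is consumed by its first valid use
        return True, kind


def run_demo() -> dict:
    """Constructed requests against a whitelist of three entry points."""
    def backend(request):
        return {"status": 200, "body": '<a href="/api/data">load</a>'}

    gw, t0 = TokenGateway(["/index", "/api/data", "/login"], backend), 1_700_000_000.0
    ajax_hdr = {"X-Requested-With": "XMLHttpRequest"}
    ajax = gw.handle({"method": "GET", "path": "/api/data", "headers": ajax_hdr}, t0)
    page = gw.handle({"method": "GET", "path": "/index", "headers": {}}, t0)
    post = gw.handle({"method": "POST", "path": "/login", "headers": {}}, t0)
    late = gw.handle({"method": "GET", "path": "/api/data", "headers": ajax_hdr}, t0)["url_token"]
    url_tok, cookie_tok, post_tok = ajax["url_token"], page["set_cookie"]["token"], post["set_cookie"]["token"]
    return {
        "ajax_body": ajax["body"], "url_token": url_tok,
        "url_first": gw.validate(url_tok, t0 + 60)[0],          # True
        "url_reuse": gw.validate(url_tok, t0 + 61)[0],          # False: one-time
        "url_expired": gw.validate(late, t0 + 1801)[0],         # False: past 30 minutes
        "cookie_first": gw.validate(cookie_tok, t0 + 30)[0],    # True
        "cookie_reuse": gw.validate(cookie_tok, t0 + 90)[0],    # True: reusable within 2 minutes
        "cookie_expired": gw.validate(cookie_tok, t0 + 121)[0], # False
        "post_first": gw.validate(post_tok, t0 + 10)[0],        # True
        "post_reuse": gw.validate(post_tok, t0 + 11)[0],        # False: one-time
        "blocked": gw.handle({"method": "GET", "path": "/admin", "headers": {}}, t0)["status"],  # 403
    }
```

In a real deployment the token table has to be shared by every gateway instance, and consuming a one-time token must be an atomic check-and-delete; with a plain dictionary per process, two concurrent requests carrying the same URL token can both pass before either removes it.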

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210746467.5A CN115208577A (en) 2022-06-28 2022-06-28 Random token generation method based on online interactive WEB dynamic defense

Publications (1)

Publication Number Publication Date
CN115208577A true CN115208577A (en) 2022-10-18

Family

ID=83577974

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210746467.5A Pending CN115208577A (en) 2022-06-28 2022-06-28 Random token generation method based on online interactive WEB dynamic defense

Country Status (1)

Country Link
CN (1) CN115208577A (en)

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102571846A (en) * 2010-12-23 2012-07-11 北京启明星辰信息技术股份有限公司 Method and device for forwarding hyper text transport protocol (HTTP) request
CN103067385A (en) * 2012-12-27 2013-04-24 深圳市深信服电子科技有限公司 Defensive method and firewall for session hijacking and attacking
US20150350208A1 (en) * 2014-05-27 2015-12-03 Turgut BAYRAMKUL Token server-based system and methodology providing user authentication and verification for online secured systems
US20160028707A1 (en) * 2014-07-28 2016-01-28 International Business Machines Corporation Protecting Network Communication Security
CN105491001A (en) * 2015-05-14 2016-04-13 瑞数信息技术(上海)有限公司 Secure communication method and device
CN107426181A (en) * 2017-06-20 2017-12-01 竞技世界(北京)网络技术有限公司 Method and device for intercepting malicious web access requests
CN108322416A (en) * 2017-01-16 2018-07-24 腾讯科技(深圳)有限公司 Security authentication implementation method, apparatus and system
CN112751878A (en) * 2020-12-30 2021-05-04 北京天融信网络安全技术有限公司 Page request processing method and device
CN112836204A (en) * 2021-02-03 2021-05-25 中国人民财产保险股份有限公司 Token updating method and device

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
A.X. LIU ET AL.: "A secure cookie protocol", PROCEEDINGS. 14TH INTERNATIONAL CONFERENCE ON COMPUTER COMMUNICATIONS AND NETWORKS, 2005. ICCCN 2005, 31 October 2005 (2005-10-31) *
于通: "Design and Implementation of a Web Intrusion Detection System Based on Cross-Browser Fingerprint Recognition", 信息科技辑 (Information Science and Technology series), no. 2019, 15 August 2019 (2019-08-15) *
曾伟国等: "Dynamic Identity Authentication System Based on Mobile Phone Tokens", 计算机与数字工程 (Computer & Digital Engineering), no. 01, 20 February 2005 (2005-02-20) *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination