CN115834254B - Network content security protection method and device, storage medium and electronic equipment - Google Patents


Info

Publication number: CN115834254B
Authority: CN (China)
Prior art keywords: request message, html, output stream, content security, character string
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202310122656.XA
Other languages: Chinese (zh)
Other versions: CN115834254A
Inventors: 吴森辉, 甘飞鸿, 朱其胜
Current assignee: Beijing Arc Information Technology Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Beijing Arc Information Technology Co ltd

Landscapes

  • Storage Device Security (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network content security protection method and device, a storage medium and electronic equipment, and belongs to the technical field of computer security. The network content security protection method comprises the following steps: acquiring an access request message of a website; identifying the suffix name of the access request message, and intercepting the request messages whose suffix name is html; generating a globally unique identifier for each request message with the suffix name html; obtaining the output stream of the request message with the suffix name html; performing character string conversion on the output stream of the request message with the suffix html, introducing the globally unique identifier, configuring a content security policy, and generating a response message for the access request message. The device, storage medium and electronic equipment can be used to implement the method. The method can directly inject and enable the content security policy configuration, can realize network content security protection without modifying the front-end code, and has a simple and convenient implementation scheme.

Description

Network content security protection method and device, storage medium and electronic equipment
Technical Field
The present invention relates to the field of computer security technologies, and in particular, to a network content security protection method and apparatus, a storage medium, and an electronic device.
Background
Content security policy is a computer security standard that aims to prevent cross-site scripting, clickjacking and other code (or script) injection attacks caused by malicious content being executed in the context of a trusted web page. Content security policies are widely supported by modern web browsers and provide a standard way for website owners to declare the approved content sources that a browser is allowed to load into the website. The covered content types include, for example, JavaScript, Cascading Style Sheets (CSS), HyperText Markup Language (HTML) frames, web workers, fonts, images, embeddable objects (e.g., Java applets, ActiveX, audio and video files), HTML functionality, and the like. In general, content security policies provide a tool for mitigating many cross-site scripting vulnerabilities. However, to properly benefit from the protection provided by a content security policy, the website operator is required to make significant changes to how scripts (e.g., JavaScript) are used in the web application. This includes, for example, removing inline JavaScript such as event handlers in hypertext markup language (HTML) attributes. Unfortunately, such efforts have not resulted in complete protection against cross-site scripting attacks; some potential vulnerabilities remain.
CN107864677A discloses a content access verification system and method: in order to provide a network publisher with verification information indicating the presence of an operative malware protection system on a user computing device, an evaluation system residing on a network publication server may cause network content including verification request data to be transmitted from the publication server to the computing device. A submission system resident on the computing device may analyze the web content for verification request data and may cause verification information to be transmitted from the computing device to the evaluation system based on the analysis. Upon receipt of the verification information, the evaluation system may analyze it to determine the likelihood that the content delivered to the computing device will be viewed by a real user (rather than an automated computer program). However, it can only perform the corresponding operation after receiving the verification information, and cannot provide proactive, preventive protection of network content security.
Disclosure of Invention
In view of the above, the present invention provides a network content security protection method, device, storage medium and electronic apparatus, which can directly inject and enable a content security policy configuration and can realize network content security protection without modifying the front-end code; the implementation scheme is simple and convenient, so the method is well suited to practical use.
In order to achieve the first objective, the technical scheme of the network content security protection method provided by the invention is as follows:
the network content security protection method provided by the invention comprises the following steps:
acquiring an access request message of a website;
identifying the suffix name of the access request message, and intercepting the request messages whose suffix name is html;
generating a globally unique identifier for the request message with the suffix name html;
obtaining the output stream of the request message with the suffix name html;
performing character string conversion on the output stream of the request message with the suffix html, introducing the globally unique identifier, configuring a content security policy, and generating a response message for the access request message.
The network content security protection method provided by the invention can be further realized by adopting the following technical measures.
Preferably, the performing the character string conversion on the output stream of the request message with the suffix of html and configuring the content security policy to obtain a response message for the access request message includes the following steps:
converting the output stream of the request message with the suffix name of html into a character string and replacing the character string to obtain a replaced character string corresponding to the output stream of the request message with the suffix name of html;
introducing the global unique identifier into a replaced character string corresponding to the output stream of the html request message, so as to obtain an output stream after first rewriting;
adding a response message header to the output stream after the first rewriting to obtain an output stream after the second rewriting;
and configuring a content security policy for the output stream after the second rewriting to obtain a response message aiming at the access request message.
Preferably, converting the output stream of the request message with the suffix name html into a character string and performing the replacement, to obtain the replaced character string corresponding to that output stream, specifically includes the following steps:
acquiring the message body stream in the response message to the access request message for the website;
converting the message body stream in the response message to the access request message for the website into a first character string;
replacing, in the first character string,
Figure SMS_1
with
Figure SMS_2
to obtain the replaced character string corresponding to the output stream of the html request message.
Preferably, the adding the response message header to the output stream after the first rewriting to obtain the output stream after the second rewriting specifically includes the following steps:
deleting the first content length data in the header of the request message;
generating second content length data according to the replaced character string corresponding to the output stream of the html request message;
and enabling the second content length data to replace the first content length data to obtain the output stream after the second rewriting.
Preferably, configuring the content security policy for the output stream after the second rewriting, to obtain a response message for the access request message, includes the following steps:
adding the Content-Security-Policy attribute to the header of the response message, and assigning it a first value;
adding the cross-site scripting protection (X-XSS-Protection) attribute to the header of the response message, and assigning it a second value;
adding the X-Content-Type-Options attribute to the header of the response message, and assigning it a third value;
adding the X-Frame-Options attribute to the header of the response message, and assigning it a fourth value;
adding the forced secure transport (Strict-Transport-Security) attribute to the header of the response message, and assigning it a fifth value;
and obtaining the response message for the access request message.
Preferably,
the first value is script-src 'self' nonce-A;
the second value is 1;
the third value is nosniff;
the fourth value is DENY;
the fifth value is max-age=31536000; includeSubDomains.
Preferably, in the step of identifying the suffix name of the access request message and intercepting the request messages with the suffix name html, all request messages other than those with the suffix name html are passed through directly.
In order to achieve the second objective, the technical scheme of the network content security protection device provided by the invention is as follows:
the network content security protection device provided by the invention comprises:
a request message acquisition module, used for acquiring an access request message of a website;
a request message identification and interception module, used for identifying the suffix name of the access request message and intercepting the request messages whose suffix name is html;
a globally unique identifier generation module, used for generating a globally unique identifier for the request message with the suffix name html;
a request message output stream acquisition module, used for acquiring the output stream of the request message with the suffix name html;
and a response message generation module, used for performing character string conversion on the output stream of the request message with the suffix html, introducing the globally unique identifier, configuring a content security policy and generating a response message for the access request message.
In order to achieve the third object, the technical solution of the present invention for a computer readable storage medium is as follows:
the computer readable storage medium provided by the invention stores a network content security protection program, and when the network content security protection program is executed by a processor, the steps of the network content security protection method provided by the invention are realized.
The electronic equipment provided by the invention comprises a memory and a processor, wherein the memory is stored with a network content security protection program, and when the network content security protection program is executed by the processor, the steps of the network content security protection method provided by the invention are realized.
The embodiment of the invention provides a network content security protection method, device, storage medium and electronic equipment. The method first acquires an access request message of a website, then identifies the suffix name of the access request message and intercepts the request messages whose suffix name is html, then generates a globally unique identifier for the request message with the suffix name html; and finally performs character string conversion on the output stream of the request message with the suffix html, introduces the globally unique identifier, configures a content security policy, and generates a response message for the access request message. It is mainly used to add content security policies to prevent cross-site scripting attacks and js injection problems; some content security policy configurations must be paired with rewriting of the response content, for example the
Figure SMS_3
tag is given the nonce attribute so that it works with the policy. The content security policy configuration can be directly injected and enabled, network content security protection can be realized without modifying the front-end code, and the implementation scheme is simple and convenient.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to designate like parts throughout the figures. In the drawings:
fig. 1 is a flowchart of steps of a network content security protection method according to an embodiment of the present invention;
fig. 2 is a flowchart of the steps of the method, within the network content security protection method provided by the embodiment of the present invention, for performing character string conversion on the output stream of a request message with the suffix html, introducing a globally unique identifier, and configuring a content security policy to obtain a response message for the access request message;
fig. 3 is a flowchart of the steps of the method, within the network content security protection method provided by the embodiment of the present invention, for converting the output stream of a request message with the suffix name html into a character string and replacing the character string to obtain the replaced character string corresponding to that output stream;
fig. 4 is a flowchart of steps of a method for adding a response packet header to an output stream after first rewriting to obtain an output stream after second rewriting according to the network content security protection method provided by the embodiment of the present invention;
FIG. 5 is a flowchart illustrating steps of a method for configuring content security policy for an output stream after a second rewriting to obtain a response message for an access request message according to the network content security protection method provided by the embodiment of the present invention;
fig. 6 is a schematic diagram of a signal flow relationship between functional modules in the network content security protection apparatus according to an embodiment of the present invention;
fig. 7 is a schematic diagram of a network content security protection device in a hardware running environment according to an embodiment of the present invention.
Detailed Description
The invention provides a network content security protection method, device, storage medium and electronic equipment, which can directly inject and enable a content security policy configuration, can realize network content security protection without modifying the front-end code, and has a simple and convenient implementation scheme, making it well suited to practical use.
In order to further describe the technical means and effects adopted by the invention to achieve the preset aim, the following description refers to the specific implementation, structure, characteristics and effects of the network content security protection method, device, computer readable storage medium and electronic equipment according to the invention in combination with the accompanying drawings and preferred embodiments. In the following description, different "an embodiment" or "an embodiment" do not necessarily refer to the same embodiment. Furthermore, the described features, structures, or characteristics of one or more embodiments may be combined in any suitable manner.
The term "and/or" herein merely describes an association between associated objects, meaning that three relations may exist; for example, "A and/or B" is understood as: both A and B may be present, or A alone, or B alone, and any of these three cases may apply.
Referring to fig. 1, the network content security protection method provided by the embodiment of the invention includes the following steps:
step S1: obtaining an access request message of the website.
Specifically, the HTTP message sent by the requesting end (client) is called a request message, and the one sent by the responding end (server) is called a response message. The HTTP message itself is string text composed of multiple lines of data (with CR+LF as the line break). An HTTP message can be roughly divided into a message header and a message body, separated by the first empty line (CR+LF) that appears.
Step S2: identifying the suffix name of the access request message, and intercepting the request message with the suffix name of html.
Specifically, html stands for hypertext markup language, which is a markup language. Through its tags the document format on the network can be unified, so that scattered internet resources are connected into a logical whole. html text is descriptive text composed of html commands that can specify words, graphics, animations, sounds, tables, links, etc. Hypertext is a way of organizing information that associates words and charts in a text with other information media by means of hyperlinks. The related information media may be in the same text, in other files, or in files on a geographically remote computer. This way of organizing information connects resources distributed in different places in a non-linear manner, making it convenient for people to search for and retrieve information.
step S3: generating a globally unique identifier for the request message with the suffix name html.
Specifically, a globally unique identifier (GUID, Globally Unique Identifier) is a 128-bit binary numeric identifier generated by an algorithm. GUIDs are mainly used in networks or systems with multiple nodes and multiple computers. Ideally, no computer or cluster of computers would ever generate two identical GUIDs. The total number of possible GUIDs is 2^128 (about 3.4×10^38), so the probability of randomly generating two identical GUIDs is very small, but not 0. Therefore, algorithms for generating GUIDs typically incorporate non-random parameters (e.g., time) to ensure that such duplication does not occur.
Step S4: and obtaining the output stream of the request message with the suffix name of html.
Step S5: performing character string conversion on an output stream of the request message with the suffix of html, introducing a global unique identifier, configuring a content security policy, and generating a response message for the access request message.
Specifically, Content-Security-Policy (CSP) is an additional layer of security for detecting and mitigating certain specific types of attacks, including cross-site scripting (XSS, Cross Site Scripting). XSS generally refers to maliciously crafted web page programs that exploit vulnerabilities left behind during web page development, injecting malicious instruction code into a web page in a subtle way so that users load and execute the web page program the attacker crafted. These malicious web programs are typically JavaScript, but may in fact include Java, VBScript, ActiveX, Flash or even ordinary HTML. After a successful attack, the attacker may obtain various things including, but not limited to, higher privileges (e.g., performing certain operations), private web content, sessions, cookies, etc. Configuring the content security policy means adding a content security policy HTTP header to a page and setting its values to control which resources a user agent (browser, etc.) may fetch for the page. For example, a page that can upload files and display pictures should allow pictures to come from anywhere, but should restrict the form submission (action) attribute to specified endpoints only. An appropriately designed content security policy should be able to effectively protect pages from cross-site scripting attacks.
The network content security protection method provided by the embodiment of the invention first acquires the access request message of the website, then identifies the suffix name of the access request message and intercepts the request messages whose suffix name is html, then generates a globally unique identifier for the request message with the suffix name html; and finally performs character string conversion on the output stream of the request message with the suffix html, introduces the globally unique identifier, configures a content security policy, and generates a response message for the access request message. It is mainly used to add content security policies to prevent cross-site scripting attacks and js injection problems; some content security policy configurations must be paired with rewriting of the response content, for example the
Figure SMS_4
tag is given the nonce attribute so that it works with the policy. The content security policy configuration can be directly injected and enabled, network content security protection can be realized without modifying the front-end code, and the implementation scheme is simple and convenient.
Referring to fig. 2, step S5 performs character string conversion on an output stream of a request message with a suffix of html, introduces a global unique identifier, configures a content security policy, and obtains a response message for an access request message, where the step includes the following steps:
step S501: converting the output stream of the request message with the suffix name of html into a character string and replacing the character string to obtain a replaced character string corresponding to the output stream of the request message with the suffix name of html;
step S502: introducing the global unique identifier into a character string after replacement corresponding to the output stream of the html request message, so as to obtain an output stream after first rewriting;
step S503: adding a response message header to the output stream after the first rewriting to obtain an output stream after the second rewriting;
step S504: and configuring a content security policy for the output stream after the second rewriting to obtain a response message aiming at the access request message.
Referring to fig. 3, step S501, converting the output stream of the request message with the suffix name html into a character string and performing the replacement to obtain the replaced character string corresponding to that output stream, specifically includes the following steps:
step S501a: acquiring the message body stream in the response message to the access request message for the website;
step S501b: converting the message body stream in the response message to the access request message for the website into a first character string;
step S501c: replacing, in the first character string,
Figure SMS_5
with
Figure SMS_6
to obtain the replaced character string corresponding to the output stream of the html request message.
Referring to fig. 4, step S503, adding a response message header to the output stream after the first rewriting to obtain the output stream after the second rewriting, specifically includes the following steps:
step S503a: deleting the first content length data in the header of the request message;
step S503b: generating second content length data according to the replaced character string corresponding to the output stream of the html request message;
step S503c: and enabling the second content length data to replace the first content length data to obtain an output stream after the second rewriting.
The function of this step is to add restrictions to the response through the content security policy. Many directives can be used; for example, frame-src restricts the
Figure SMS_7
tag and the
Figure SMS_8
tag by specifying source restrictions, and the img-src directive specifies the permitted sources of images and icons. script-src is the directive that usually concerns js injection, and it requires the use of a nonce attribute: a unique identifier is generated for each visit and used as the nonce attribute value, so that the nonce of the user's website differs on every visit even when the content is the same. Other people therefore cannot work out the nonce rule in order to perform js (JavaScript) injection, where js injection means entering a piece of js code in the browser address bar to change the contents of js variables and page tags. When the corresponding message is modified, the Content-Length must be rewritten with the recalculated value.
Nonce is an abbreviation of "number used once". In cryptography, a nonce is an arbitrary or non-repeating random number that is used only once; together with initialization vectors and cryptographic hash functions, nonces play an important role in ensuring that authentication information is not reused, so as to resist replay attacks in the communication applications of various authentication protocols. In information security, a nonce is a number that can be used only once in encrypted communication. In authentication protocols it is often a random or pseudo-random number, used to avoid replay attacks. Nonces are also used in stream ciphers to ensure security: if more than one message must be encrypted under the same key, nonces ensure that different messages are encrypted with different keystreams.
Referring to fig. 5, step S504, configuring a content security policy for the output stream after the second rewriting to obtain a response message for the access request message, includes the following steps:
step S504a: adding the Content-Security-Policy attribute to the header of the response message, and assigning it a first value;
step S504b: adding the cross-site scripting protection (X-XSS-Protection) attribute to the header of the response message, and assigning it a second value;
step S504c: adding the X-Content-Type-Options attribute to the header of the response message, and assigning it a third value;
step S504d: adding the X-Frame-Options attribute to the header of the response message, and assigning it a fourth value;
step S504e: adding the forced secure transport (Strict-Transport-Security) attribute to the header of the response message, and assigning it a fifth value;
step S504f: obtaining the response message for the access request message.
Wherein:
the first value is script-src 'self' nonce-A;
the second value is 1;
the third value is nosniff;
the fourth value is DENY;
the fifth value is max-age=31536000; includeSubDomains.
In the step of identifying the suffix name of the access request message and intercepting the request messages with the suffix name html, all request messages other than those with the suffix name html are passed through directly.
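The filter described by steps S1 to S504f, written as an added Python example for this page (it is not the patent applicant's code): a response passes through unchanged unless its path ends in .html; otherwise a GUID is generated, every `<script` opener in the body is rewritten to carry it as a nonce, Content-Length is recalculated, and the five headers listed above are added. The function names, the uuid4-based nonce and the sample HTML are assumptions of this example; the CSP value uses the quoted `'nonce-…'` source form the CSP grammar requires.

```python
import re
import uuid

# Constructed sample page: three script tags in mixed case, one with attributes.
SAMPLE_HTML = b"""<!doctype html>
<html><head><title>constructed sample</title>
<script src="/static/app.js"></script>
<script>window.cfg = {debug: false};</script>
</head><body><p>Hello</p><SCRIPT type="module">import "/m.js";</SCRIPT></body></html>
"""

HSTS_VALUE = "max-age=31536000; includeSubDomains"

# Opening <script tag (case-insensitive) that does not already carry a nonce.
# The positive lookahead requires whitespace, '>' or '/' right after the tag
# name so that unrelated tags are not touched; the negative lookahead skips
# tags that already have a nonce attribute instead of adding a second one.
_SCRIPT_OPEN = re.compile(r"<script(?=[\s>/])(?![^>]*\bnonce=)", re.IGNORECASE)


def generate_nonce():
    """Step S3: per-response globally unique identifier used as the CSP nonce."""
    return uuid.uuid4().hex


def is_html_request(path):
    """Step S2: only requests whose path suffix is html are intercepted."""
    return path.split("?", 1)[0].lower().endswith(".html")


def rewrite_body(body, nonce):
    """Steps S501 and S502: decode the body stream to a string, give every
    <script opener the nonce attribute, and encode the result again."""
    text = body.decode("utf-8")
    rewritten = _SCRIPT_OPEN.sub('<script nonce="%s"' % nonce, text)
    return rewritten.encode("utf-8")


def security_headers(nonce):
    """Step S504: the five header/value pairs in the order the page lists them."""
    return [
        ("Content-Security-Policy", "script-src 'self' 'nonce-%s'" % nonce),
        ("X-XSS-Protection", "1"),
        ("X-Content-Type-Options", "nosniff"),
        ("X-Frame-Options", "DENY"),
        ("Strict-Transport-Security", HSTS_VALUE),
    ]


def protect_response(path, headers, body, nonce=None):
    """Run the whole pipeline over one upstream response.

    headers: list of (name, value) pairs from the application
    body:    response body bytes
    Returns (headers, body). Non-html requests are passed through untouched.
    A caller may supply the nonce (used by the tests); otherwise one is generated.
    """
    if not is_html_request(path):
        return headers, body
    nonce = nonce or generate_nonce()
    new_body = rewrite_body(body, nonce)
    # Step S503: drop the upstream Content-Length and replace it with the length
    # of the rewritten body; a stale value would truncate or stall the client.
    kept = [(n, v) for (n, v) in headers if n.lower() != "content-length"]
    kept.append(("Content-Length", str(len(new_body))))
    # Do not duplicate a security header the upstream already set.
    present = {n.lower() for (n, _) in kept}
    for name, value in security_headers(nonce):
        if name.lower() not in present:
            kept.append((name, value))
    return kept, new_body


def scripts_without_nonce(body):
    """Check: number of <script openers in a body that still lack a nonce."""
    return len(_SCRIPT_OPEN.findall(body.decode("utf-8")))


if __name__ == "__main__":
    upstream = [("Content-Type", "text/html; charset=utf-8"), ("Content-Length", "999")]
    hdrs, out = protect_response("/index.html", upstream, SAMPLE_HTML)
    for name, value in hdrs:
        print("%s: %s" % (name, value))
    print()
    print(out.decode("utf-8"))
```

The rewrite nonces every `<script` present in the body, so markup that reached the response body before this filter runs (for example a stored injection rendered by the application) is nonced as well; the scheme therefore complements output encoding in the application rather than replacing it.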
Referring to fig. 6, a network content security protection apparatus provided in an embodiment of the present invention includes:
a request message acquisition module, used for acquiring the access request message of the website;
a request message identification and interception module, used for identifying the suffix name of the access request message and intercepting the request messages whose suffix name is html;
a globally unique identifier generation module, used for generating a globally unique identifier for the request message with the suffix name html;
an output stream acquisition module, used for acquiring the output stream of the request message with the suffix name html;
and a response message generation module, used for performing character string conversion on the output stream of the request message with the suffix html, introducing the globally unique identifier, configuring a content security policy and generating a response message for the access request message.
The network content security protection device provided by the embodiment of the invention first acquires an access request message of a website, then identifies the suffix name of the access request message and intercepts the request message with the suffix name of html, then generates a global unique identifier for the request message with the suffix name of html, and finally performs character string conversion on the output stream of the request message with the suffix name of html, introduces the global unique identifier, configures a content security policy, and generates a response message for the access request message. It is mainly used to add content security policies that prevent cross-site scripting attacks and JavaScript injection problems. Some content security policy configurations need to be paired with rewriting of the response content, for example giving the <script> tag a nonce attribute for cooperative use. The content security policy configuration can be injected and enabled directly, network content security protection can be achieved without modifying the front-end code, and the implementation scheme is simple and convenient.
The computer readable storage medium provided by the invention stores a network content security protection program, and when the network content security protection program is executed by a processor, the steps of the network content security protection method provided by the invention are realized.
The computer readable storage medium provided by the embodiment of the invention first acquires an access request message of a website, then identifies the suffix name of the access request message and intercepts the request message with the suffix name of html, then generates a global unique identifier for the request message with the suffix name of html, obtains the output stream of the request message with the suffix name of html, and finally performs character string conversion on the output stream of the request message with the suffix name of html, introduces the global unique identifier, configures a content security policy, and generates a response message for the access request message. It is mainly used to add content security policies that prevent cross-site scripting attacks and JavaScript injection problems. Some content security policy configurations need to be paired with rewriting of the response content, for example giving the <script> tag a nonce attribute for cooperative use. The content security policy configuration can be injected and enabled directly, network content security protection can be achieved without modifying the front-end code, and the implementation scheme is simple and convenient.
The electronic equipment provided by the invention comprises a memory and a processor, wherein the memory stores a network content security protection program, and when the network content security protection program is executed by the processor, the steps of the network content security protection method provided by the invention are realized.
The electronic equipment provided by the embodiment of the invention first acquires an access request message of a website, then identifies the suffix name of the access request message and intercepts the request message with the suffix name of html, then generates a global unique identifier for the request message with the suffix name of html, and finally performs character string conversion on the output stream of the request message with the suffix name of html, introduces the global unique identifier, configures a content security policy, and generates a response message for the access request message. It is mainly used to add content security policies that prevent cross-site scripting attacks and JavaScript injection problems. Some content security policy configurations need to be paired with rewriting of the response content, for example giving the <script> tag a nonce attribute for cooperative use. The content security policy configuration can be injected and enabled directly, network content security protection can be achieved without modifying the front-end code, and the implementation scheme is simple and convenient.
Referring to fig. 7, fig. 7 is a schematic structural diagram of the hardware operating environment of a network content security protection device according to an embodiment of the present invention.
As shown in fig. 7, the network content security protection device may include: a processor 1001, such as a central processing unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. The communication bus 1002 is used to enable communication between these connected components. The user interface 1003 may include a display and an input unit such as a keyboard, and may optionally further include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a Wireless-Fidelity (Wi-Fi) interface). The memory 1005 may be a high-speed random access memory (RAM) or a stable non-volatile memory (NVM), such as a disk memory. The memory 1005 may also optionally be a storage device separate from the processor 1001 described above.
Those skilled in the art will appreciate that the structure shown in fig. 7 is not limiting of the web content security device and may include more or fewer components than shown, or may combine certain components, or may be a different arrangement of components.
As shown in fig. 7, an operating system, a data storage module, a network communication module, a user interface module, and a web content security protection program may be included in the memory 1005 as one type of storage medium.
In the network content security protection device shown in fig. 7, the network interface 1004 is mainly used for data communication with a network server; the user interface 1003 is mainly used for data interaction with a user; and the processor 1001 and the memory 1005 of the network content security protection device of the present invention may be disposed in the device, which invokes the network content security protection program stored in the memory 1005 through the processor 1001 and executes the network content security protection method provided by the embodiment of the present invention.
Examples
One example of the network content security protection method program provided by the embodiment of the invention is as follows; in practice, as long as the algorithm is consistent with this example, the method falls within the protection scope of the claims of the invention.
[Figures SMS_12 to SMS_15: program listing of the example, provided as images in the original]
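Since the program listing of this example survives only as images, the following is an added illustration, written for this page and not taken from the patent's own program, of the procedure in claims 1 to 5 together with the content security policy described above: a WSGI middleware that intercepts requests whose path ends in .html, buffers the upstream response, converts the output stream to a string, gives each script tag a nonce attribute holding a freshly generated GUID, replaces the Content-Length header, and adds the five headers of claim 4. Everything here is this example's own choice rather than the patent's text: the WSGI form, the names (ContentSecurityMiddleware, rewrite_response, verify_nonces, handle), the constructed sample page, the regular expression that extends claim 2's literal "<script>" replacement to tags with attributes such as <script src="...">, the standard 'nonce-<value>' spelling of the CSP nonce source, and the standard ';' separator in the HSTS value. A defender-side check, verify_nonces, confirms that the header and the rewritten body agree.

```python
import re
import uuid
from typing import List, Tuple

Headers = List[Tuple[str, str]]

# A <script ...> start tag (any case) that does not already carry a nonce attribute.
# This generalises the literal "<script>" replacement of claim 2 to tags with
# attributes such as <script src="...">; that generalisation is this example's choice.
_SCRIPT_TAG = re.compile(r"(<script)\b(?![^>]*\bnonce=)", re.IGNORECASE)


def generate_guid() -> str:
    """Random 128-bit GUID (UUID version 4), one per html response."""
    return str(uuid.uuid4())


def inject_nonce(html: str, guid: str) -> str:
    """Claim 2 plus the first rewriting of claim 1: every script start tag gets
    a nonce attribute whose value is the GUID; tags that already have one are left."""
    return _SCRIPT_TAG.sub(lambda m: f'{m.group(1)} nonce="{guid}"', html)


def security_headers(guid: str) -> Headers:
    """The five header values of claim 4.  The CSP nonce source is written in
    the standard 'nonce-<value>' form and HSTS with the standard ';' separator."""
    return [
        ("Content-Security-Policy", f"script-src 'self' 'nonce-{guid}'"),
        ("X-XSS-Protection", "1"),
        ("X-Content-Type-Options", "nosniff"),
        ("X-Frame-Options", "DENY"),
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ]


def rewrite_response(body: bytes, headers: Headers) -> Tuple[bytes, Headers]:
    """Output stream -> string -> nonced string -> second rewriting (claim 3:
    the old Content-Length is dropped and replaced) -> policy headers.
    UTF-8 bodies are assumed."""
    guid = generate_guid()
    rewritten = inject_nonce(body.decode("utf-8"), guid).encode("utf-8")
    new_headers = [(k, v) for k, v in headers if k.lower() != "content-length"]
    new_headers.append(("Content-Length", str(len(rewritten))))
    new_headers.extend(security_headers(guid))
    return rewritten, new_headers


def verify_nonces(body: bytes, headers: Headers) -> bool:
    """Defender-side check: the nonce allowed by the CSP header is present on
    every script start tag of the body (a page without scripts passes)."""
    csp = {k.lower(): v for k, v in headers}.get("content-security-policy", "")
    found = re.search(r"'nonce-([^']+)'", csp)
    if not found:
        return False
    wanted = f'nonce="{found.group(1)}"'
    tags = re.findall(r"<script\b[^>]*>", body.decode("utf-8"), re.IGNORECASE)
    return all(wanted in tag for tag in tags)


class ContentSecurityMiddleware:
    """WSGI wrapper: buffers and rewrites responses for paths ending in .html
    and passes every other request straight through (claim 5)."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if not environ.get("PATH_INFO", "").endswith(".html"):
            return self.app(environ, start_response)
        captured = {}

        def capture(status, headers, exc_info=None):
            captured["status"], captured["headers"] = status, list(headers)
            return lambda data: None

        body = b"".join(self.app(environ, capture))
        new_body, new_headers = rewrite_response(body, captured["headers"])
        start_response(captured["status"], new_headers)
        return [new_body]


# Constructed sample page and upstream application (not from the patent).
SAMPLE_HTML = (
    b"<html><head><script>console.log('inline');</script></head>"
    b'<body><script src="/app.js"></script><p>hello</p></body></html>'
)


def sample_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("Content-Length", str(len(SAMPLE_HTML)))])
    return [SAMPLE_HTML]


def handle(path: str):
    """Drive the middleware for one request without a network; returns (status, headers, body)."""
    result = {}

    def start_response(status, headers, exc_info=None):
        result["status"], result["headers"] = status, list(headers)

    app = ContentSecurityMiddleware(sample_app)
    body = b"".join(app({"PATH_INFO": path}, start_response))
    return result["status"], result["headers"], body


if __name__ == "__main__":
    status, headers, body = handle("/index.html")
    print(status, dict(headers)["Content-Security-Policy"])
    print(body.decode())
```

Two points of scope are worth keeping in mind when deploying a rewrite of this kind. First, the response must be fully buffered so that the new Content-Length can be computed, which means streaming or chunked html responses and non-UTF-8 encodings need separate handling. Second, the nonce is attached to every script start tag present in the buffered body, so a script that was already part of the HTML flowing through the filter (however it got there) is authorised as well; the policy restricts scripts added later in the browser, and the check in verify_nonces is the regression test to run whenever the upstream markup changes.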
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims (8)

1. A method for protecting network content security, comprising the steps of:
acquiring an access request message of a website;
identifying the suffix name of the access request message, and intercepting the request message with the suffix name of html;
generating a global unique identifier aiming at the request message with the suffix name of html;
obtaining the output stream of the request message with the suffix name of html;
performing character string conversion on the output stream of the request message with the suffix of html, introducing the global unique identifier, configuring a content security policy, and generating a response message for the access request message;
wherein performing character string conversion on the output stream of the request message with the suffix name of html, introducing the global unique identifier, configuring a content security policy, and obtaining a response message for the access request message includes the following steps:
converting the output stream of the request message with the suffix name of html into a character string and replacing the character string to obtain a replaced character string corresponding to the output stream of the request message with the suffix name of html;
introducing the global unique identifier into a replaced character string corresponding to the output stream of the html request message, so as to obtain an output stream after first rewriting;
adding a response message header to the output stream after the first rewriting to obtain an output stream after the second rewriting;
configuring a content security policy for the output stream after the second rewriting to obtain a response message aiming at the access request message;
wherein configuring the content security policy for the output stream after the second rewriting to obtain a response message for the access request message includes the following steps:
adding the content security policy attribute of the head of the response message, and assigning a first value;
adding a cross-site script precautionary measure attribute of the head of the response message, and giving a second value;
adding the X-content type option attribute of the head of the response message, and giving a third value;
adding the X-frame option attribute of the head of the response message, and assigning a fourth value;
adding the forced safe transmission attribute of the head of the response message, and giving a fifth value;
and obtaining a response message aiming at the access request message.
2. The network content security protection method according to claim 1, wherein the converting the output stream of the request message with the suffix name of html into a character string and replacing the character string to obtain a replaced character string corresponding to the output stream of the request message with the suffix name of html specifically comprises the following steps:
acquiring a message body stream in a response message for the access request message of the website;
converting the message body stream in the response message for the access request message of the website into a first character string;
and replacing <script> in the first character string with <script nonce=' >, so as to obtain a replaced character string corresponding to the output stream of the request message with the suffix name of html.
3. The method for protecting network content security according to claim 1, wherein said adding a response message header to the output stream after the first rewriting to obtain the output stream after the second rewriting specifically includes the following steps:
deleting the first content length data in the header of the request message;
generating second content length data according to the replaced character string corresponding to the output stream of the html request message;
and enabling the second content length data to replace the first content length data to obtain the output stream after the second rewriting.
4. The web content security method of claim 1, wherein,
the first value is script-src 'self' nonce-A;
the second value is 1;
the third value is nosniff;
the fourth value is DENY;
the fifth value is max-age=31536000, includeSubDomains.
5. The network content security protection method according to claim 1, wherein in the step of identifying the suffix name of the access request message and intercepting the request message with the suffix name of html, other request messages except the request message with the suffix name of html are directly released.
6. A web content security device, comprising:
the request message acquisition module is used for acquiring an access request message of a website;
the request message identification and interception module is used for identifying the suffix name of the access request message and intercepting the request message with the suffix name of html;
the global unique identifier generation module is used for generating a global unique identifier for the request message with the suffix name of html;
the output stream acquisition module of the request message is used for acquiring the output stream of the request message with the suffix name of html;
the response message generation module is used for carrying out character string conversion on the output stream of the request message with the suffix of html, introducing the global unique identifier, configuring a content security policy and generating a response message for the access request message;
wherein performing character string conversion on the output stream of the request message with the suffix name of html, introducing the global unique identifier, configuring a content security policy, and obtaining a response message for the access request message includes the following steps:
converting the output stream of the request message with the suffix name of html into a character string and replacing the character string to obtain a replaced character string corresponding to the output stream of the request message with the suffix name of html;
introducing the global unique identifier into a replaced character string corresponding to the output stream of the html request message, so as to obtain an output stream after first rewriting;
adding a response message header to the output stream after the first rewriting to obtain an output stream after the second rewriting;
configuring a content security policy for the output stream after the second rewriting to obtain a response message aiming at the access request message;
wherein configuring the content security policy for the output stream after the second rewriting to obtain a response message for the access request message includes the following steps:
adding the content security policy attribute of the head of the response message, and assigning a first value;
adding a cross-site script precautionary measure attribute of the head of the response message, and giving a second value;
adding the X-content type option attribute of the head of the response message, and giving a third value;
adding the X-frame option attribute of the head of the response message, and assigning a fourth value;
adding the forced safe transmission attribute of the head of the response message, and giving a fifth value;
and obtaining a response message aiming at the access request message.
7. A computer readable storage medium, wherein a web content security protection program is stored on the computer readable storage medium, which when executed by a processor, implements the steps of the web content security protection method of any of claims 1-5.
8. An electronic device comprising a memory and a processor, the memory having stored thereon a web content security protection program which, when executed by the processor, implements the steps of the web content security protection method of any of claims 1-5.
CN202310122656.XA 2023-02-16 2023-02-16 Network content security protection method and device, storage medium and electronic equipment Active CN115834254B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310122656.XA CN115834254B (en) 2023-02-16 2023-02-16 Network content security protection method and device, storage medium and electronic equipment

Publications (2)

Publication Number Publication Date
CN115834254A CN115834254A (en) 2023-03-21
CN115834254B true CN115834254B (en) 2023-04-28

Family

ID=85521588

Country Status (1)

Country Link
CN (1) CN115834254B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant