WO2018018699A1 - Website scripting attack prevention method and device - Google Patents


Info

Publication number
WO2018018699A1
Authority
WO
WIPO (PCT)
Prior art keywords
website
data
script
attack
security
Prior art date
Application number
PCT/CN2016/097198
Other languages
French (fr)
Chinese (zh)
Inventor
赖旭东
杨冠文
Original Assignee
广州市乐商软件科技有限公司
Priority date
Filing date
Publication date
Application filed by 广州市乐商软件科技有限公司
Publication of WO2018018699A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/306 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information intercepting packet switched data communications, e.g. Web, Internet or IMS communications



Abstract

The present invention relates to a website scripting attack prevention method and device. The website scripting attack prevention method comprises the following steps: intercepting the request data packets received by a website, where a request data packet is the data contained in a network request received by the website and transmitted over the hypertext transfer protocol; unpacking the request data packets to obtain data in the format to be checked; carrying out a matching check on the data to be checked according to a preset security rule and outputting security data; and packing the security data to obtain security data packets and transmitting the security data packets to the core components of the website, the core components comprising a management component and a payment component of the website. According to the present invention, scripting attacks on an e-commerce website can be prevented efficiently and effectively.

Description

Website script attack prevention method and device

Technical field
The present invention relates to the field of computer and network technologies, and in particular to a website script attack prevention method and apparatus.
Background
E-commerce transaction volume worldwide has risen sharply, and this growth has been accompanied by a variety of attacks against e-commerce sites and their payment systems. Attacks delivered over the web are particularly inconvenient for users both to prevent and to recover from.
In the course of actually defending against the above attacks, the inventors found that the conventional technology has at least the following problems:
Traditional attack prevention measures are imperfect: attack designers can often evade existing measures by adopting targeted strategies. Most attacks exploit general weaknesses of common web applications, such as SQL (Structured Query Language) injection or cross-site scripting vulnerabilities that cause arbitrary scripts to be executed in the client browser. In short, traditional techniques cannot prevent website script attacks efficiently and effectively.
Summary of the invention
Based on this, it is necessary to provide a website script attack prevention method and device that address the low efficiency and ineffectiveness of traditional attack prevention measures.
In order to achieve the above object, an embodiment of the technical solution of the present invention is as follows:
In one aspect, a website script attack prevention method is provided, comprising the following steps:
intercepting each request data packet received by the website, where a request data packet is the data contained in a network request received by the website and transmitted over the hypertext transfer protocol;
unpacking the request data packet to obtain data in the format to be checked;
performing a matching check on the data to be checked according to a preset security rule, and outputting security data;
packing the security data to obtain a security data packet, and transmitting the security data packet to the core components of the website, where the core components include the management component and the payment component of the website.
In another aspect, a website script attack prevention device is provided, comprising:
an intercepting unit, configured to intercept each request data packet received by the website, where a request data packet is the data contained in a network request received by the website and transmitted over the hypertext transfer protocol;
an unpacking unit, configured to unpack the request data packet to obtain data in the format to be checked;
a matching check unit, configured to perform a matching check on the data to be checked according to a preset security rule and output security data;
a packing and transmission unit, configured to pack the security data to obtain a security data packet and transmit the security data packet to the core components of the website, where the core components include the management component and the payment component of the website.
The above technical solution has the following beneficial effects:
The website script attack prevention method and device of the invention are applied to J2EE (Java 2 Platform, Enterprise Edition) applications. When a user accesses the website over HTTP (HyperText Transfer Protocol), an interceptor applies security-rule filtering to the content transmitted over HTTP before the request reaches the specific application resource, ensuring that the protocol content passed to each core component is in a safe state. The invention can therefore prevent script attacks on e-commerce websites efficiently and effectively.
Brief description of the drawings
FIG. 1 is a schematic flowchart of Embodiment 1 of the website script attack prevention method of the present invention;
FIG. 2 is a schematic diagram of the architecture of Embodiment 2 of the website script attack prevention method of the present invention;
FIG. 3 is a schematic diagram of the structure of Embodiment 1 of the website script attack prevention device of the present invention.
Detailed description
To make the present invention easier to understand, it is described more fully below with reference to the accompanying drawings, which show preferred embodiments of the invention. The invention may, however, be embodied in many different forms and is not limited to the embodiments described herein; these embodiments are provided so that the disclosure of the invention is thorough and complete.
Unless otherwise defined, all technical and scientific terms used herein have the meaning commonly understood by those skilled in the technical field to which the invention belongs. The terminology used in this description is for the purpose of describing particular embodiments only and is not intended to limit the invention. The term "and/or" as used herein includes any and all combinations of one or more of the associated listed items.
Embodiment 1 of the website script attack prevention method of the present invention:
To solve the problem that traditional attack prevention measures are inefficient and ineffective, the present invention provides Embodiment 1 of a website script attack prevention method. FIG. 1 is a schematic flowchart of Embodiment 1; as shown in FIG. 1, the method may include the following steps:
Step S110: intercepting each request data packet received by the website, where a request data packet is the data contained in a network request received by the website and transmitted over the hypertext transfer protocol;
Step S120: unpacking the request data packet to obtain data in the format to be checked;
Step S130: performing a matching check on the data to be checked according to a preset security rule, and outputting security data;
Step S140: packing the security data to obtain a security data packet, and transmitting the security data packet to the core components of the website, where the core components include the management component and the payment component of the website.
Specifically, the present invention concerns a website access interceptor that checks for and filters harmful scripts in order to protect the website application. The interceptor unpacks the HTTP request data so as to split the packet into a regular data format that the checker can process (that is, the data in the format to be checked); for example, a packet originally submitted to the e-commerce website as a stream is split by the interceptor into string-formatted data. The filtered security data is then packed in order to restore it to its original data format. The core components may specifically include the member management component, commodity management component, order management component, payment component, marketing management component and report management component of the e-commerce website.
In a specific embodiment, the step in S130 of performing a matching check on the data to be checked and outputting security data may include:
matching the preset security rule against the data to be checked by means of a regular expression to obtain the attack script, where the preset security rule may include dangerous characters and dangerous strings;
filtering the attack script, and outputting the filtered data to be checked as security data.
In a specific embodiment, the above step of filtering the attack script may include:
escaping the characters of the attack script.
Specifically, the interceptor's checker can use a regular expression to match the security rule against the unpacked data; if an attack script is found it is filtered, that is, the characters of the attack script are escaped.
In a specific embodiment, the following step may be included before step S140:
generating an audit log from the request data packet, where the audit log may include the access address data, access method data and access content data of the request to the website.
Specifically, once the check is complete an audit log record can be generated and written to storage for administrators to consult. The audit log records the access IP (Internet Protocol) address, access method, access content and so on; administrators can use it to analyze attacks and defenses and to modify and upgrade the security rules.
In a specific embodiment, the following steps may be included before step S120:
generating the preset security rule according to the characteristics of website attack scripts;
modifying and updating the preset security rule according to the contents of the audit log.
Specifically, attack scripts have characteristics that differ markedly from normal business request parameters, so security rules can be written in advance according to those characteristics. A security rule can include dangerous characters or dangerous strings such as the following:
[1] | (vertical bar)
[2] & (ampersand)
[3] ; (semicolon)
[4] $ (dollar sign)
[5] % (percent sign)
[6] @ (at sign)
[7] ' (single quote)
[8] " (double quote)
[9] \' (backslash-escaped single quote)
[10] \" (backslash-escaped double quote)
[11] <> (angle brackets)
[12] () (parentheses)
[13] + (plus sign)
[14] CR (carriage return, ASCII 0x0d)
[15] LF (line feed, ASCII 0x0a)
[16] , (comma)
[17] \ (backslash)
An example security rule could read as follows (symbols separated by spaces):
| & ; $ % @ ' " \' \" <> () + CR LF , \
In practice, whether a given attack script would be matched by the configured security rules can be audited; if it is found not to match, the old rules must be improved or new rules written for that script. The security rules can therefore be kept in a configurable file so that administrators can modify and upgrade them conveniently. An administrator can log in to the e-commerce site's back-end web interface and click the security rule management menu to open a web editor; the editor reads the security rule file, displays it, and enters editable mode. When the administrator has finished editing the rules, clicking the Save button writes the data back to the security rule file.
Embodiment 1 of the website script attack prevention method of the present invention provides, on the basis of the HTTP protocol, an efficient and effective way of preventing script attacks in a J2EE application. When a user accesses the website over HTTP, the interceptor applies security-rule filtering to the HTTP content before the request reaches the specific application resource, ensuring that the protocol content passed to each core component is in a safe state. To keep the security rules continually upgraded and to meet routine security audit requirements, the interception log is written to storage so that website administrators can analyze the data conveniently.
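As an added illustration (not code from the patent or its assignee), the following Python model walks through steps S110 to S140 and the rule-file discussion above: it parses a space-separated rule line like the example, compiles it into one regular expression, escapes matches, writes the audit record, repacks the request and forwards it to a core component. The class and function names, the rule-file parsing convention, the HTML-entity escaping and the stand-in core component are all assumptions; rule_gaps goes slightly beyond the text's audit step by also reporting legitimate inputs that the rule flags, since a character blocklist catches the '@' of an e-mail address as readily as it catches markup.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List
from urllib.parse import parse_qsl, urlencode

# Rule-file tokens that stand for control characters (items [14] and [15]).
_NAMED_TOKENS = {"CR": "\r", "LF": "\n"}

# Constructed rule file carrying the same symbols as the example in the text.
RULE_FILE = "| & ; $ % @ ' \" \\' \\\" <> () + CR LF , \\"


def parse_rule_file(rule_text: str) -> List[str]:
    """Split a space-separated rule line into dangerous characters and strings.
    Assumed convention: a token starting with a backslash and longer than one
    character (\\' or \\") is one dangerous string; any other token is split
    into single characters, so "<>" yields "<" and ">"."""
    tokens: List[str] = []
    for tok in rule_text.split():
        if tok in _NAMED_TOKENS:
            tokens.append(_NAMED_TOKENS[tok])
        elif tok.startswith("\\") and len(tok) > 1:
            tokens.append(tok)
        else:
            tokens.extend(tok)
    return tokens


class RuleSet:
    """Preset security rule compiled into one regular expression (step S130)."""

    def __init__(self, rule_text: str) -> None:
        # Longest alternatives first, so \' is reported as one hit, not \ then '.
        ordered = sorted(set(parse_rule_file(rule_text)), key=len, reverse=True)
        self.pattern = re.compile("|".join(re.escape(t) for t in ordered))

    def matches(self, value: str) -> List[str]:
        """Every dangerous character or string found in value, in order."""
        return self.pattern.findall(value)

    def escape(self, value: str) -> str:
        # The text says matched characters are escaped but not how; numeric
        # HTML entities are the assumption made here.
        return self.pattern.sub(
            lambda m: "".join("&#%d;" % ord(c) for c in m.group(0)), value)


@dataclass
class AuditRecord:
    """Access address, access method and access content of one request."""
    client_ip: str
    method: str
    content: str
    hits: List[str]  # dangerous characters found; empty when the request was clean


class Interceptor:
    """Sits in front of the core components and applies steps S110 to S140."""

    def __init__(self, rules: RuleSet,
                 core: Callable[[str, str], Dict[str, str]]) -> None:
        self.rules = rules
        self.core = core
        self.audit_log: List[AuditRecord] = []

    def handle(self, client_ip: str, method: str, path: str,
               body: str) -> Dict[str, str]:
        hits: List[str] = []
        safe: Dict[str, str] = {}
        # S120: unpack the request stream into string key/value pairs, then
        # S130: match every value against the preset rule and escape any hits.
        for key, value in parse_qsl(body, keep_blank_values=True):
            hits.extend(self.rules.matches(value))
            safe[key] = self.rules.escape(value)
        # Audit log, generated before S140 as the text places it.
        self.audit_log.append(AuditRecord(client_ip, method, body, hits))
        # S140: repack into the original urlencoded format and forward.
        return self.core(path, urlencode(safe))


def demo_core_component(path: str, packed_body: str) -> Dict[str, str]:
    """Stand-in core component (assumption): just unpacks what it received."""
    return {"path": path, **dict(parse_qsl(packed_body, keep_blank_values=True))}


def rule_gaps(rules: RuleSet, samples: Dict[str, bool]) -> Dict[str, bool]:
    """The audit check from the text: report samples whose outcome disagrees
    with the expectation given, so misses and false positives (such as the
    '@' in an e-mail address) both surface for whoever maintains the file."""
    return {s: bool(rules.matches(s)) for s, expected in samples.items()
            if bool(rules.matches(s)) != expected}


if __name__ == "__main__":
    ic = Interceptor(RuleSet(RULE_FILE), demo_core_component)
    # Constructed request: one legitimate field and one carrying markup.
    print(ic.handle("203.0.113.5", "POST", "/order/submit",
                    "user=alice%40example.com&comment=%3Cb%3Ehello%3C%2Fb%3E"))
    print(ic.audit_log[0], rule_gaps(ic.rules, {"alice@example.com": False}))
```

The rule_gaps output for a benign e-mail address is the practical cost of this approach: every field that legitimately contains a listed character is rewritten before the core component sees it, so the audit log is as useful for spotting such false positives as for spotting attacks.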
Embodiment 2 of the website script attack prevention method of the present invention:
To solve the problem that traditional attack prevention measures are inefficient and cannot provide effective protection, the present invention further provides Embodiment 2 of the website script attack prevention method. FIG. 2 is a schematic architecture diagram of Embodiment 2 of the website script attack prevention method of the present invention. As shown in FIG. 2, all HTTP requests from browsers, iOS apps, Android apps and external subsystems are ultimately intercepted by the interceptor, and the interceptor may perform the following processing:
(1) The interceptor unpacks the intercepted HTTP request data.
(2) The interceptor's checker matches the security rules against the unpacked data, which may be done by means of regular expressions; if an attack script is found, it is filtered.
(3) Attack scripts have characteristics that differ markedly from the parameters of normal business requests, so security rules can be set in advance according to the characteristics of attack scripts. The security rules may be stored in a configurable file so that they can be modified and upgraded easily.
(4) After the check is completed, an audit log record is generated and written to storage for later review.
(5) After the audit log is generated, the filtered secure data is repacked and transmitted to each core component.
(6) The audit log records the access IP, access method, access content and so on; analysis can be carried out on the basis of the audit log and the security rules modified and upgraded accordingly.
Here, an external subsystem specifically refers to a sub-application that exchanges data with the e-commerce website. Browsers, iOS apps, Android apps and external subsystems are all visitors: they send requests to the e-commerce website to fetch data or to submit data. The core components are the core part of the e-commerce website.
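The six processing steps above, carried through end to end in an added example that is not part of the patent or of any product of the applicant. The patent's setting is a J2EE interceptor; this is a language-agnostic model of the same pipeline in Python. The JSON layout of the rule file, the rule names and patterns, the request model and the audit-record field names are all this example's own assumptions, since the patent specifies none of them.

```python
"""Interceptor pipeline for one HTTP request: unpack, regex-check, escape,
audit-log, repack.  Rule names, the rule-file layout and the request model
are this example's own assumptions, not the patent's."""
import html
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlencode

# Constructed contents of the configurable rule file (step 3): each rule is a
# name plus a regular expression for a dangerous character or string.
RULES_JSON = r"""
[
  {"name": "script_tag",      "pattern": "<\\s*/?\\s*script\\b[^>]*>"},
  {"name": "event_handler",   "pattern": "\\bon[a-z]+\\s*="},
  {"name": "js_uri",          "pattern": "javascript\\s*:"},
  {"name": "dangerous_chars", "pattern": "[<>\"']"}
]
"""

Rule = Tuple[str, re.Pattern]
Fields = Dict[str, List[Tuple[str, str]]]


@dataclass
class Request:
    """Minimal model of an intercepted HTTP request (constructed for the example)."""
    client_ip: str
    method: str
    path: str
    query: str = ""   # raw query string
    body: str = ""    # raw application/x-www-form-urlencoded body


def load_rules(config_text: str) -> List[Rule]:
    """Step 3: compile the preset security rules from the configurable file."""
    return [(r["name"], re.compile(r["pattern"], re.IGNORECASE))
            for r in json.loads(config_text)]


def unpack(req: Request) -> Fields:
    """Step 1: unpack the request into the name/value pairs to be checked."""
    return {"query": parse_qsl(req.query, keep_blank_values=True),
            "body": parse_qsl(req.body, keep_blank_values=True)}


def check_and_filter(fields: Fields, rules: List[Rule]):
    """Step 2: match every value against the rules; a value that hits is
    escaped (the patent's filter step) and recorded as a finding."""
    findings: List[dict] = []
    safe: Fields = {}
    for section, pairs in fields.items():
        safe_pairs = []
        for name, value in pairs:
            hits = [rule_name for rule_name, pattern in rules if pattern.search(value)]
            if hits:
                findings.append({"section": section, "param": name,
                                 "rules": hits, "value": value})
                value = html.escape(value, quote=True)
            safe_pairs.append((name, value))
        safe[section] = safe_pairs
    return safe, findings


def audit_entry(req: Request, findings: List[dict]) -> dict:
    """Steps 4 and 6: audit record with access address, method and content."""
    return {"ip": req.client_ip, "method": req.method, "path": req.path,
            "rules": sorted({r for f in findings for r in f["rules"]}),
            "content": {f["param"]: f["value"] for f in findings}}


def repack(req: Request, safe: Fields) -> Request:
    """Step 5: repack the filtered data for the core components."""
    return Request(req.client_ip, req.method, req.path,
                   urlencode(safe["query"]), urlencode(safe["body"]))


def intercept(req: Request, rules: List[Rule], audit_log: List[dict]) -> Request:
    """Run one request through the whole pipeline, logging before forwarding."""
    fields = unpack(req)
    safe, findings = check_and_filter(fields, rules)
    audit_log.append(audit_entry(req, findings))
    return repack(req, safe)


def demo():
    """Run one constructed request carrying a script tag through the interceptor."""
    rules = load_rules(RULES_JSON)
    audit_log: List[dict] = []
    req = Request("203.0.113.5", "POST", "/comment", query="q=shoes",
                  body="comment=<script>alert(1)</script>&name=Bob")
    forwarded = intercept(req, rules, audit_log)
    return forwarded, audit_log


if __name__ == "__main__":
    fwd, log = demo()
    print(fwd.body)
    print(json.dumps(log, indent=1))
```

Two points a practitioner would check when adopting this design. A regex blocklist applied at input time is only as good as its patterns, so the audit log is what makes the rule cycle of step (6) work: every hit is recorded with the rule that fired and the offending value, and a clean request produces an entry with an empty rule list. Escaping at input time also changes the data before the core component sees it, so the component must be told which values arrive already HTML-escaped; the usual complement is to encode on output according to the context in which the value is rendered.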
Embodiment 1 of the website script attack prevention device of the present invention:
On the basis of the technical solution of the above website script attack prevention method, and likewise to solve the problem that traditional attack prevention measures are inefficient and cannot provide effective protection, the present invention further provides Embodiment 1 of a website script attack prevention device. FIG. 3 is a schematic structural diagram of Embodiment 1 of the website script attack prevention device of the present invention. As shown in FIG. 3, the device may include:
an intercepting unit 310, configured to intercept each request data packet received by the website, where a request data packet is the data contained in a network request transmitted over the Hypertext Transfer Protocol and received by the website;
an unpacking unit 320, configured to unpack the request data packet to obtain format data to be checked;
a matching check unit 330, configured to perform a matching check on the format data to be checked according to preset security rules and to output secure data;
a packing and transmission unit 340, configured to pack the secure data to obtain a secure data packet and to transmit the secure data packet to the core components of the website, where the core components include the management component and the payment component of the website.
In a specific embodiment, the matching check unit 330 may include:
a matching module 332, configured to match the preset security rules against the format data to be checked by means of regular expressions in order to identify attack scripts, where the preset security rules may include dangerous characters and dangerous character strings;
a filtering module 334, configured to filter the attack scripts and to output the filtered format data to be checked as the secure data.
In a specific embodiment, the filtering module 334 is configured to escape the characters of the attack script.
In a specific embodiment, the website script attack prevention device may further include:
an auditing unit 360, configured to generate an audit log according to the request data packet, where the audit log may include the access address data, access method data and access content data of requests to access the website.
In a specific embodiment, the website script attack prevention device may further include:
a preset update unit 350, configured to generate the preset security rules according to the characteristics of website attack scripts, and to modify and update the preset security rules according to the content of the audit log.
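The preset update unit 350 (and step (6) of Embodiment 2) modifies the rules "according to the content of the audit log" without saying how. The following added example, which is not part of the patent, shows one concrete reading: aggregating a JSON-lines audit log into the figures an administrator reviews before changing the rule file. The log format, the field names, the rule names and the chosen statistics are this example's own assumptions.

```python
"""Audit-log analysis in support of rule maintenance (preset update unit 350).
The log format, field names, rule names and statistics are this example's own
assumptions; the patent does not specify them."""
import json
from collections import Counter
from typing import Dict, List

# Constructed audit log, one JSON object per line: access address (ip),
# access method, access content, plus the names of the rules that fired.
AUDIT_LOG_LINES = """
{"ip": "203.0.113.5",  "method": "POST", "path": "/comment", "rules": ["script_tag"],    "content": {"comment": "<script>x</script>"}}
{"ip": "203.0.113.5",  "method": "POST", "path": "/comment", "rules": ["script_tag"],    "content": {"comment": "<script>y</script>"}}
{"ip": "203.0.113.5",  "method": "GET",  "path": "/search",  "rules": ["js_uri"],        "content": {"q": "javascript:x"}}
{"ip": "198.51.100.7", "method": "GET",  "path": "/search",  "rules": [],                "content": {}}
{"ip": "198.51.100.9", "method": "POST", "path": "/login",   "rules": ["event_handler"], "content": {"user": "x onload=y"}}
"""

# Names of the rules currently present in the configurable rule file (constructed).
CONFIGURED_RULES = ["script_tag", "event_handler", "js_uri", "dangerous_chars"]


def parse_audit_log(text: str) -> List[dict]:
    """Parse the JSON-lines audit log, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize(entries: List[dict], configured_rules: List[str],
              repeat_threshold: int = 2) -> Dict[str, object]:
    """Aggregate the log into what an administrator reviews before editing
    the rule file: hits per rule, configured rules that never fired, source
    addresses that tripped rules repeatedly, and rule names that appear in
    the log but are no longer in the configuration."""
    rule_hits = Counter(r for e in entries for r in e["rules"])
    ip_hits = Counter(e["ip"] for e in entries if e["rules"])
    return {
        "rule_hits": dict(rule_hits),
        "idle_rules": [r for r in configured_rules if rule_hits[r] == 0],
        "repeat_sources": sorted(ip for ip, n in ip_hits.items() if n >= repeat_threshold),
        "stale_rules": sorted(set(rule_hits) - set(configured_rules)),
    }


def demo() -> Dict[str, object]:
    """Summarize the constructed log against the constructed rule list."""
    return summarize(parse_audit_log(AUDIT_LOG_LINES), CONFIGURED_RULES)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

An idle rule is a candidate for review (too narrow, or covering a pattern the site never receives), a repeat source is a candidate for rate limiting at the interceptor, and a stale rule name signals that the log and the rule file have drifted apart; none of these decisions is automated here, because the patent leaves the modification itself to the administrator.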
Embodiment 1 of the website script attack prevention device of the present invention provides, on the basis of the HTTP protocol, an efficient and effective method for preventing script attacks in a J2EE application. When a user accesses the website over HTTP, an interceptor applies security-rule filtering to the content transmitted over HTTP before the request reaches the specific application resource, so that the protocol content delivered to each core component is in a secure state. At the same time, so that the security rules can be continuously upgraded and routine security audits can be carried out, the interception log is written to storage, giving the website administrators convenient data for analysis.
The technical features of the above embodiments may be combined arbitrarily. For brevity of description, not all possible combinations of the technical features of the above embodiments are described; however, as long as there is no contradiction in a combination of these technical features, it should be regarded as falling within the scope of this specification.
The above embodiments merely express several implementations of the present invention, and their description is relatively specific and detailed, but this should not be understood as limiting the scope of the invention patent. It should be noted that a person of ordinary skill in the art may make several variations and improvements without departing from the concept of the present invention, and all of these fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention patent shall be determined by the appended claims.

Claims (10)

  1. A website script attack prevention method, characterized in that it comprises the following steps:
    intercepting each request data packet received by a website, the request data packet being the data contained in a network request transmitted over the Hypertext Transfer Protocol and received by the website;
    unpacking the request data packet to obtain format data to be checked;
    performing a matching check on the format data to be checked according to preset security rules, and outputting secure data;
    packing the secure data to obtain a secure data packet, and transmitting the secure data packet to core components of the website, the core components including a management component and a payment component of the website.
  2. The website script attack prevention method according to claim 1, characterized in that the step of performing a matching check on the format data to be checked according to preset security rules and outputting secure data comprises:
    matching the preset security rules against the format data to be checked by means of regular expressions to identify an attack script, the preset security rules including dangerous characters and dangerous character strings;
    filtering the attack script, and outputting the filtered format data to be checked as the secure data.
  3. The website script attack prevention method according to claim 2, characterized in that the step of filtering the attack script comprises:
    escaping the characters of the attack script.
  4. The website script attack prevention method according to any one of claims 1 to 3, characterized in that, before the step of packing the secure data to obtain a secure data packet and transmitting the secure data packet to the core components of the website, the method further comprises the step of:
    generating an audit log according to the request data packet and the secure data packet, the audit log including access address data, access method data and access content data of requests to access the website.
  5. The website script attack prevention method according to claim 4, characterized in that, before the step of unpacking the intercepted request data packet to obtain format data to be checked, the method further comprises the steps of:
    generating the preset security rules according to characteristics of website attack scripts;
    modifying and updating the preset security rules according to the content of the audit log.
  6. A website script attack prevention device, characterized in that it comprises:
    an intercepting unit, configured to intercept each request data packet received by a website, the request data packet being the data contained in a network request transmitted over the Hypertext Transfer Protocol and received by the website;
    an unpacking unit, configured to unpack the request data packet to obtain format data to be checked;
    a matching check unit, configured to perform a matching check on the format data to be checked according to preset security rules and to output secure data;
    a packing and transmission unit, configured to pack the secure data to obtain a secure data packet and to transmit the secure data packet to core components of the website, the core components including a management component and a payment component of the website.
  7. The website script attack prevention device according to claim 6, characterized in that the matching check unit comprises:
    a matching module, configured to match the preset security rules against the format data to be checked by means of regular expressions to identify an attack script, the preset security rules including dangerous characters and dangerous character strings;
    a filtering module, configured to filter the attack script and to output the filtered format data to be checked as the secure data.
  8. The website script attack prevention device according to claim 7, characterized in that the filtering module is configured to escape the characters of the attack script.
  9. The website script attack prevention device according to any one of claims 6 to 8, characterized in that it further comprises:
    an auditing unit, configured to generate an audit log according to the request data packet, the audit log including access address data, access method data and access content data of requests to access the website.
  10. The website script attack prevention device according to claim 9, characterized in that it further comprises:
    a preset update unit, configured to generate the preset security rules according to characteristics of website attack scripts, and to modify and update the preset security rules according to the content of the audit log.
PCT/CN2016/097198 2016-07-29 2016-08-29 Website scripting attack prevention method and device WO2018018699A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610617181.1A CN106060090A (en) 2016-07-29 2016-07-29 Website script attack prevention method and device
CN201610617181.1 2016-07-29

Publications (1)

Publication Number Publication Date
WO2018018699A1 true WO2018018699A1 (en) 2018-02-01

Family

ID=57196781

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/097198 WO2018018699A1 (en) 2016-07-29 2016-08-29 Website scripting attack prevention method and device

Country Status (2)

Country Link
CN (1) CN106060090A (en)
WO (1) WO2018018699A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106506548A (en) * 2016-12-23 2017-03-15 努比亚技术有限公司 The defence installation of cross-site scripting attack and method
CN107437025A (en) * 2017-08-07 2017-12-05 郑州云海信息技术有限公司 A kind of Data Audit method and device
CN108108471A (en) * 2018-01-02 2018-06-01 武汉斗鱼网络科技有限公司 Data filtering method, device, server and readable storage medium storing program for executing

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102291394A (en) * 2011-07-22 2011-12-21 网宿科技股份有限公司 Security defense system based on network accelerating equipment
CN104079528A (en) * 2013-03-26 2014-10-01 北大方正集团有限公司 Method and system of safety protection of Web application
CN104348789A (en) * 2013-07-30 2015-02-11 中国银联股份有限公司 Web server and method for preventing cross-site scripting attack
CN104519008A (en) * 2013-09-26 2015-04-15 北大方正集团有限公司 Cross-site scripting attack defense method and device and application server
CN104601540A (en) * 2014-12-05 2015-05-06 华为技术有限公司 Cross-site scripting (XSS) attack defense method and Web server

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040073811A1 (en) * 2002-10-15 2004-04-15 Aleksey Sanin Web service security filter
US20070136809A1 (en) * 2005-12-08 2007-06-14 Kim Hwan K Apparatus and method for blocking attack against Web application

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112769833A (en) * 2021-01-12 2021-05-07 恒安嘉新(北京)科技股份公司 Method and device for detecting command injection attack, computer equipment and storage medium
CN112887274A (en) * 2021-01-12 2021-06-01 恒安嘉新(北京)科技股份公司 Method and device for detecting command injection attack, computer equipment and storage medium
CN112769833B (en) * 2021-01-12 2023-01-24 恒安嘉新(北京)科技股份公司 Method and device for detecting command injection attack, computer equipment and storage medium
CN112887274B (en) * 2021-01-12 2023-04-14 恒安嘉新(北京)科技股份公司 Method and device for detecting command injection attack, computer equipment and storage medium

Also Published As

Publication number Publication date
CN106060090A (en) 2016-10-26

Similar Documents

Publication Publication Date Title
US10129285B2 (en) End-to-end taint tracking for detection and mitigation of injection vulnerabilities in web applications
US10447730B2 (en) Detection of SQL injection attacks
Stuttard et al. The web application hacker's handbook: Finding and exploiting security flaws
WO2018018699A1 (en) Website scripting attack prevention method and device
Shahriar et al. Client-side detection of cross-site request forgery attacks
US20100332837A1 (en) Web application security filtering
US8285778B2 (en) Protecting web application data
Gupta et al. Attacks on web services need to secure XML on web
Ying et al. CSP adoption: current status and future prospects
Lepofsky The manager's guide to web application security: a concise guide to the weaker side of the web
Ravindran et al. A Review on Web Application Vulnerability Assessment and Penetration Testing.
Thai et al. A framework for website security assessment
JP5640752B2 (en) Attack imitation test method, attack imitation test device, and attack imitation test program
Kaluža et al. Content management system security
Yasmeen et al. The critical analysis of E-Commerce web application vulnerabilities
Quinton Safety of web applications: risks, encryption and handling vulnerabilities with PHP
CN109688108A (en) A kind of defence file uploads the security mechanism and its implementation method of loophole
Yergaliyev Continuous security testing for an existing client-server application
Chugh et al. A Programmatic Solution to Stop Heartbleed Bug Attack
Strukov et al. Experimental Investigation of Web Application Security
Bijjou Web Application Firewall Bypassing: An Approach for Penetra
Nguyen et al. An Improving Way For Website Security Assessment
Jnena Modern Approach for WEB Applications Vulnerability Analysis
Studiawan Forensic analysis of iOS binary cookie files
Strukov et al. Some Techniques of Detecting Web Applications Vulnerabilities

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16910278

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205 DATED 21/06/2019)

122 Ep: pct application non-entry in european phase

Ref document number: 16910278

Country of ref document: EP

Kind code of ref document: A1