CN104852907A - Cross-site request forgery CSRF attack recognition method and device - Google Patents


Info

Publication number: CN104852907A (granted as CN104852907B)
Authority: CN (China)
Application number: CN201510185810.3A
Original language: Chinese (zh)
Inventor: 张惊申
Assignee: Hangzhou H3C Technologies Co Ltd
Legal status: Granted, active

Classifications

    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
Abstract

The present invention discloses a cross-site request forgery (CSRF) attack recognition method and device. When the source (src) in the payload of an obtained HTTP request is detected to be in an abnormal state, it is determined whether an abnormal GET request whose source IP is the same as the source IP of the HTTP request is received within a preset time; if so, a CSRF attack is confirmed. By this means, abnormal srcs and abnormal GET requests are continuously detected and used together to confirm whether a CSRF attack based on a forged src has been received, thereby achieving recognition of CSRF attacks based on forged srcs.

Description

A cross-site request forgery (CSRF) attack recognition method and apparatus
Technical field
Embodiments of the present invention relate to the field of communication technology, and in particular to a cross-site request forgery (CSRF) attack recognition method and apparatus.
Background technology
The core of a CSRF (Cross-Site Request Forgery) attack is a forged form. Using a forged form, an arbitrary administrator can be added to the affected application system, for example an administrator named X1, with the key parameters set to values chosen by the attacker, such as the new user name, user password and user mailbox that must be supplied when an administrator is added. When a user visits the malicious website, the malicious website can steal the privileges of the normal user and submit the forged form to the system server; the attack succeeds once the system server processes the forged form.
Forging a form is the most common way of carrying out a CSRF attack, but if the target server is protected by intrusion prevention equipment this method may be recognised by the intrusion prevention system and the attack fails. Some attackers therefore turn to methods that evade intrusion prevention inspection, for example carrying out the CSRF attack with a forged src (source) instead of a forged form: the form used for the attack is replaced by the src attribute of an img element. When an administrator of the normal website has logged into that website with administrator credentials and then opens the malicious website containing the img tag, the administrator constructed by the attacker (for example X1) is added and the user's privileges are stolen, after which the stolen privileges can be used for further CSRF attacks against the normal website.
The measures taken in the prior art can only recognise CSRF attacks based on forged forms; they cannot recognise CSRF attacks based on a forged src.
Summary of the invention
Embodiments of the present invention provide a cross-site request forgery (CSRF) attack detection method, comprising:
detecting whether the source (src) in the payload of an obtained HTTP request is in an abnormal state;
if the src is in an abnormal state, judging whether an abnormal GET request whose source IP is the same as the source IP of the HTTP request is received within a predetermined time;
if an abnormal GET request whose source IP is the same as the source IP of the HTTP request is received within the predetermined time, confirming that a CSRF attack has been received.
Preferably, detecting whether the src in the payload of the obtained HTTP request is in an abnormal state specifically comprises:
detecting whether the length of the src in the payload of the obtained HTTP request is greater than a threshold, and detecting whether a question mark follows the uniform resource identifier (uri) in the src;
if the length of the src is greater than the threshold and a question mark follows the uri, detecting whether no fewer than two parameters with non-empty values follow the question mark;
if no fewer than two parameters with non-empty values follow the question mark, determining that the src is in an abnormal state.
Preferably, judging whether an abnormal GET request whose source IP is the same as the source IP of the HTTP request is received within the predetermined time specifically comprises:
judging whether a GET request whose source IP is the same as the source IP of the HTTP request is received within the predetermined time;
if a GET request whose source IP is the same as the source IP of the HTTP request is received within the predetermined time, judging whether the uri in the GET request is consistent with the uri in the abnormal src, and judging whether the uri in the GET request is unrelated to the previous-link identifier (referer);
if the uri in the GET request is consistent with the uri in the abnormal src, and the uri and referer in the GET request are unrelated, determining that the received GET request is an abnormal GET request whose source IP is the same as the source IP of the HTTP request.
Preferably, judging whether the uri and referer in the GET request are unrelated specifically comprises:
extracting the uri and referer from the GET request;
splitting the uri and the referer into multiple parts at the slashes they contain;
if every part of the uri differs from every part of the referer, determining that the uri and referer in the GET request are unrelated.
Preferably, judging whether an abnormal GET request generated from the abnormal src is received within the predetermined time specifically comprises:
recording the source IP of the HTTP request, the uniform resource identifier (uri) in the abnormal src and the current time in a danger list, the information stored in the danger list being aged out on a timer based on the recorded time;
judging, based on the information stored in the danger list, whether an abnormal GET request whose source IP is the same as the source IP of the HTTP request is received within the predetermined time;
if an abnormal GET request whose source IP is the same as the source IP of the HTTP request is received within the predetermined time, updating the time recorded in the danger list to the time at which the abnormal GET request was received.
Embodiments of the present invention also provide a cross-site request forgery (CSRF) attack detection device, comprising:
a detection module for detecting whether the source (src) in the payload of an obtained HTTP request is in an abnormal state;
a judgement module for judging, when the src is determined to be in an abnormal state, whether an abnormal GET request whose source IP is the same as the source IP of the HTTP request is received within a predetermined time;
a recognition module for confirming that a CSRF attack has been received when an abnormal GET request whose source IP is the same as the source IP of the HTTP request is received within the predetermined time.
Preferably, the detection module is specifically for:
detecting whether the length of the src in the payload of the obtained HTTP request is greater than a threshold, and detecting whether a question mark follows the uniform resource identifier (uri) in the src;
if the length of the src is greater than the threshold and a question mark follows the uri, detecting whether no fewer than two parameters with non-empty values follow the question mark;
if no fewer than two parameters with non-empty values follow the question mark, determining that the src is in an abnormal state.
Preferably, the judgement module is specifically for:
judging whether a GET request whose source IP is the same as the source IP of the HTTP request is received within the predetermined time;
if a GET request whose source IP is the same as the source IP of the HTTP request is received within the predetermined time, judging whether the uri in the GET request is consistent with the uri in the abnormal src, and judging whether the uri in the GET request is unrelated to the previous-link identifier (referer);
if the uri in the GET request is consistent with the uri in the abnormal src, and the uri and referer in the GET request are unrelated, determining that the received GET request is an abnormal GET request whose source IP is the same as the source IP of the HTTP request.
Preferably, the judgement module judging whether the uri and referer in the GET request are unrelated specifically comprises:
extracting the uri and referer from the GET request;
splitting the uri and the referer into multiple parts at the slashes they contain;
if every part of the uri differs from every part of the referer, determining that the uri and referer in the GET request are unrelated.
Preferably, the judgement module is specifically for:
recording the source IP of the HTTP request, the uniform resource identifier (uri) in the abnormal src and the current time in a danger list, the information stored in the danger list being aged out on a timer based on the recorded time;
judging, based on the information stored in the danger list, whether an abnormal GET request whose source IP is the same as the source IP of the HTTP request is received within the predetermined time;
if an abnormal GET request whose source IP is the same as the source IP of the HTTP request is received within the predetermined time, updating the time recorded in the danger list to the time at which the abnormal GET request was received.
Compared with the prior art, the embodiments of the present invention disclose that, when the src in the payload of an obtained HTTP request is detected to be in an abnormal state, whether a CSRF attack has been received is confirmed by judging whether an abnormal GET request with the same source IP as the HTTP request is received within the predetermined time. By continuously detecting abnormal srcs and abnormal GET requests, and using both together to confirm whether a CSRF attack based on a forged src has been received, recognition of CSRF attacks based on forged srcs is achieved.
Brief description of the drawings
Fig. 1 is a schematic flowchart of a CSRF attack detection method proposed by an embodiment of the present invention;
Fig. 2 is a schematic diagram of the CSRF attack principle;
Fig. 3 is a structural diagram of a CSRF attack detection device proposed by an embodiment of the present invention.
Detailed description of the embodiments
To address the above problems in the prior art, embodiments of the present invention provide a cross-site request forgery (CSRF) attack detection method which, as shown in Fig. 1, comprises the following steps:
Step 101: detect whether the src in the payload of the obtained HTTP request is in an abnormal state.
Taking the environment of Fig. 2 as an example: user C accesses the normal website A through a browser and, after authentication succeeds, website A returns cookie information to the browser. Within the validity period of the cookie, user C also visits website B, which can return content to user C over HTTP (HyperText Transfer Protocol). Step 101 of the present invention continuously inspects all obtained HTTP requests, parses the src in each HTTP request payload, and further determines whether that src is in an abnormal state.
In one example, the process of detecting whether the src is in an abnormal state is specifically:
detecting whether the length of the src in the payload of the obtained HTTP request is greater than a threshold, and detecting whether a question mark follows the uniform resource identifier (uri) in the src;
if the length of the src is greater than the threshold and a question mark follows the uri, detecting whether no fewer than two parameters with non-empty values follow the question mark;
if no fewer than two parameters with non-empty values follow the question mark, determining that the src is in an abnormal state; if fewer than two parameters with non-empty values follow the question mark, the src can be considered not to be in an abnormal state.
That is, all three of the above conditions must be satisfied before the src is determined to be in an abnormal state.
Specifically, under normal circumstances a src references a resource within the same site and can only perform some simple function, so a normal src carries no protocol name (HTTP), domain name (host) or server IP, which means a normal src is not especially long. Moreover, the resource a src refers to is usually a picture or a page, which generally takes no parameters, so there is neither a question mark nor parameters after the uri; even when parameters are occasionally carried, the number of parameters with non-empty values does not exceed two. Therefore, matching the characteristics of a normal src while keeping the judgement accurate, a src that satisfies all three conditions above can be called a src in an abnormal state.
Take a concrete src as an example: http://192.168.20.172/vlun/axous/admin/administrators_add.php?user_name=img1&new_passwd=&new_passwd1=passimg1..., whose uri is /vlun/axous/admin/administrators_add.php. To judge whether this src is abnormal, judge whether its length exceeds the threshold and whether a question mark follows the uri in the src. If the length of this src exceeds the threshold, then, since the uri in the src is /vlun/axous/admin/administrators_add.php, a question mark can be seen to follow the uri. In that case, continue to judge whether at least two parameters with non-empty values follow the question mark. The content after the question mark in this src is "user_name=img1&new_passwd=&new_passwd1=passimg1...", which contains the parameters "user_name=img1" and "new_passwd1=passimg1" with non-empty values and the parameter "new_passwd=" with an empty value; that is, no fewer than two parameters with non-empty values follow the question mark after the uri, so this src can be confirmed to be in an abnormal state.
After the src is confirmed to be in an abnormal state, step 102 is performed; if the src is confirmed not to be in an abnormal state, detection for this HTTP request ends.
Step 102: judge whether an abnormal GET request whose source IP is the same as the source IP of the HTTP request is received within a predetermined time.
The detailed judgement process can be as follows:
Judge whether a GET request whose source IP is the same as the source IP of the HTTP request is received within the predetermined time. If such a GET request is received within the predetermined time, judge whether the uri in the GET request is consistent with the uri in the abnormal src, and judge whether the uri in the GET request is unrelated to the referer (the previous-link identifier; Referer is part of the GET request header, and when a browser sends a request to a web server, the Referer tells the web server which page the GET request was linked from). If the uri in the GET request is consistent with the uri in the abnormal src, and the uri and referer in the GET request are unrelated, determine that the received GET request is an abnormal GET request produced from the abnormal src.
Specifically, the source IP of the HTTP request is the user's IP. When the user visits the malicious website, the malicious website steals the user's privileges and uses them to attack the normal website the user visited earlier; this attack has to use the user's IP. It is therefore necessary to judge whether the source IP of the GET request is the same as the source IP of the HTTP request, and if it is, to continue judging whether this GET request is an abnormal GET request.
The process of judging whether a GET request is an abnormal GET request is as follows:
Because a uri identifies a resource, detecting that the uri of the GET request is consistent with the uri of the abnormal src indicates that the IP suspected of attacking is trying to access, on the server, the page that this suspected attack needs to access. Since this can only be judged a suspected attack, in order to judge further whether the suspected attack is a real attack, the correlation between the uri in the GET request (the address of the new page) and the referer (the address of the previous page) must also be judged.
During normal browsing, a user jumps from one page of a website to another page of the same website, that is, from the previous page (referer) to the new page (uri). Because the two addresses belong to the same website they have a certain correlation: for example, when a click on the page http://rdbbs/bbs/forum.php?mod=forumdisplay&fid=58 jumps to the page http://rdbbs/bbs/forum.php?mod=viewthread&tid=129, the part "/bbs/forum.php?mod" can be seen to be identical, so the two are related. During an attack, however, the jump is not from one page of a website to another page of the same website but between pages of different websites, so the uri and referer in such a GET request are not related, that is, none of their parts are identical.
Therefore, if both of the above conditions are met at the same time, the received GET request can be determined to be an abnormal GET request, and it can be determined that an abnormal GET request whose source IP is the same as the source IP of the HTTP request has been received.
In the concrete process, as in Fig. 2 and the foregoing, user C accesses the normal website A and the cookie information produced is time-limited. A CSRF attack steals the user's privileges precisely in order to attack the normal web page, so the attack must be launched within the validity period of the cookie. It is therefore necessary to detect whether a GET request from the user's IP (the source IP in the HTTP request, for example 192.168.20.170) is received within the predetermined time (the concrete predetermined time being set according to the validity period of the cookie). If no GET request from the user's IP is received within the predetermined time, the cookie has passed its validity period, which means the user's privileges can no longer be stolen and it can be considered that no CSRF attack can be carried out. If a GET request from the user's IP is received within the predetermined time, it must further be judged whether this GET request is an abnormal GET request before it can be determined whether a CSRF attack has been received.
Concretely, whether a GET request is an abnormal GET request is determined jointly by judging whether the referer and uri in the GET request are unrelated and whether the uri of the GET request is consistent with the uri of the abnormal src. For example, the referer in the GET request is http://192.168.20.174/test/7829.htm and the uri in the GET request is /vlun/axous/admin/administrators_add.php; the two are unrelated. The uri in the abnormal src is /vlun/axous/admin/administrators_add.php, which is the same as, i.e. consistent with, the uri in the GET request. This GET request can therefore be confirmed to be an abnormal GET request.
Specifically, judging whether the uri and referer in the GET request are unrelated proceeds as follows: extract the uri and referer from the GET request; split the uri and the referer into multiple parts at the slashes they contain; if every part of the uri differs from every part of the referer, determine that the uri and referer in the GET request are unrelated.
Take a legitimate user normally performing a cross-site access through the web as an example: in the request the uri is /vlun/axous/admin_list.php and the referer is http://192.168.20.172/vlun/axous/admin/administrators_add.php. The part /vlun/axous/ is identical in both, so the uri and referer are related.
Now take a cross-site access request made in an illegal manner: in this request the referer is http://192.168.20.174/test/7829.htm and the uri is /vlun/axous/admin/administrators_add.php. The uri string is converted into an array url[] using the slash as separator, with every slash other than the first appearing in both of the two adjacent array elements. The url[] obtained from the uri is url[] = {'/vlun/', '/axous/', '/admin/', '/administrators_add.php'}. The referer is then converted in the same way into referer[] = {'/192.168.20.174/', '/test/', '/7829.htm/'}. The referer string is then searched for each element of the url array in turn: if some element of the uri array is present in the referer string, the search stops and the uri and referer are related; if none of the elements of the uri array is present in the referer string, the uri and referer are unrelated.
In addition, when the src is determined to be in an abnormal state, the source IP of the HTTP request, the uri in the abnormal src and the current time can be recorded in a danger list, and the information stored in the danger list is aged out on a timer based on the recorded time. Based on the information stored in the danger list, it is judged whether an abnormal GET request whose source IP is the same as the source IP of the HTTP request is received within the predetermined time; if such an abnormal GET request is received within the predetermined time, the time recorded in the danger list is updated to the time at which the abnormal GET request was received.
Specifically, for the source IP (192.168.20.170) and uri (/vlun/axous/admin/administrators_add.php) of the HTTP request above, the danger list can be as shown in Table 1:
Table 1
Time D1 in Table 1 is the current time (the time at which this abnormal HTTP request was received). The ageing time in Table 1 is subsequently determined from the validity period of the cookie: the danger list is created only when the src is determined to be abnormal, and received GET requests are checked against it, so the ageing time of the danger list is the predetermined time described above. When the ageing time is reached, the cookie is no longer valid and the corresponding entry can be deleted. If the ageing time has not yet been reached, that is, the cookie is still valid, the information in Table 1 is used to judge whether an abnormal GET request whose source IP is the same as the source IP of the HTTP request is received within the predetermined time; the concrete process is the same as described above and is not repeated here. When such an abnormal GET request is received within the predetermined time, at a time (say A) within the period in which the cookie is still valid, time D1 in the danger list is updated to time A. This is because the validity period of the cookie is recalculated from each login time: receiving an abnormal GET request with the same source IP as the HTTP request within the predetermined time means the normal website has been logged into again using the stolen user privileges, so the validity period of the cookie must be extended from this login time as the new starting point, for example by one hour. Judgement then continues, based on the information in the danger list with its updated time, of whether an abnormal GET request whose source IP is the same as the source IP of the HTTP request is received within the "predetermined time" (now set according to the extended validity period of the cookie).
If it is judged that an abnormal GET request whose source IP is the same as the source IP of the HTTP request is received within the predetermined time, step 103 is performed; if no such abnormal GET request is received within the predetermined time, the detection process for this HTTP request ends.
Step 103: confirm that a CSRF attack has been received.
Specifically, when it is determined that an abnormal GET request whose source IP is the same as the source IP of the HTTP request is received within the predetermined time, that is, the source IP of the received GET request is the same as the source IP of the HTTP request, the uri in the GET request is consistent with the uri in the abnormal src, and the uri and referer of the GET request are unrelated, it can be confirmed that a CSRF attack has been received.
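The three steps above, including the src checks of step 101, the uri/referer split from the previous paragraphs and the ageing danger list, as an added example that is not part of the patent. The length threshold (40) and the ageing time (3600 s, the "for example one hour" cookie lifetime) are assumed values the patent leaves open; the src, IPs and referer are those quoted in the description, and the request flow around them is constructed.

```python
"""Added example (not from the patent): src/GET correlation detector of CN104852907A."""
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

SRC_LENGTH_THRESHOLD = 40   # assumed; the patent only says "greater than a threshold"
AGE_SECONDS = 3600.0        # assumed cookie lifetime used to age the danger list

# Values quoted in the description; the request flow built around them is constructed.
ABNORMAL_SRC = ("http://192.168.20.172/vlun/axous/admin/administrators_add.php"
                "?user_name=img1&new_passwd=&new_passwd1=passimg1")
USER_IP = "192.168.20.170"
MALICIOUS_REFERER = "http://192.168.20.174/test/7829.htm"


def src_is_abnormal(src: str, threshold: int = SRC_LENGTH_THRESHOLD) -> bool:
    """Step 101: all three conditions must hold for the src to be abnormal."""
    if len(src) <= threshold:               # condition 1: suspiciously long src
        return False
    query = urlsplit(src).query
    if "?" not in src or not query:         # condition 2: '?' with parameters after the uri
        return False
    non_empty = [v for _, v in parse_qsl(query, keep_blank_values=True) if v != ""]
    return len(non_empty) >= 2              # condition 3: >= 2 parameters with non-empty values


def path_parts(path: str) -> list:
    """Split a uri at its slashes so each interior slash belongs to both neighbours,
    e.g. '/vlun/axous/admin/x.php' -> ['/vlun/', '/axous/', '/admin/', '/x.php']."""
    segs = [s for s in path.split("/") if s]
    return ["/" + s + ("/" if i < len(segs) - 1 else "") for i, s in enumerate(segs)]


def uri_related_to_referer(uri: str, referer: str) -> bool:
    """Related when any part of the uri occurs in the referer string. A missing
    Referer header is treated as unrelated (assumption; the patent does not say)."""
    if not referer:
        return False
    return any(part in referer for part in path_parts(uri))


@dataclass
class DangerEntry:          # one row of Table 1: source IP, uri, time recorded
    source_ip: str
    uri: str
    recorded_at: float


class CsrfDetector:
    """Keeps the danger list and runs steps 101-103 over HTTP and GET requests."""

    def __init__(self, age_seconds: float = AGE_SECONDS, threshold: int = SRC_LENGTH_THRESHOLD):
        self.age_seconds = age_seconds
        self.threshold = threshold
        self.danger_list: list = []

    def _age_out(self, now: float) -> None:
        """Drop rows whose recorded time is older than the ageing time (cookie expired)."""
        self.danger_list = [e for e in self.danger_list if now - e.recorded_at <= self.age_seconds]

    def on_http_request(self, source_ip: str, src: str, now: float) -> bool:
        """Step 101. Returns True when the src is abnormal and a danger-list row was recorded."""
        self._age_out(now)
        if not src_is_abnormal(src, self.threshold):
            return False
        self.danger_list.append(DangerEntry(source_ip, urlsplit(src).path, now))
        return True

    def on_get_request(self, source_ip: str, uri: str, referer: str, now: float) -> bool:
        """Steps 102-103. True (CSRF confirmed) when a GET from the same source IP arrives
        before its row ages out, its uri matches the abnormal src's uri, and the uri is
        unrelated to the referer. The row's time is then refreshed (re-login restarts it)."""
        self._age_out(now)
        for entry in self.danger_list:
            if entry.source_ip != source_ip or entry.uri != uri:
                continue
            if uri_related_to_referer(uri, referer):
                continue
            entry.recorded_at = now
            return True
        return False


def run_scenario() -> list:
    """Constructed request flow: abnormal src from the user's IP, then the forged GET."""
    det = CsrfDetector()
    target = "/vlun/axous/admin/administrators_add.php"
    return [
        det.on_http_request(USER_IP, ABNORMAL_SRC, now=1000.0),                     # src recorded
        det.on_get_request(USER_IP, target, MALICIOUS_REFERER, now=1500.0),          # CSRF confirmed
        det.on_get_request("192.168.20.171", target, MALICIOUS_REFERER, now=1500.0), # other source IP
        det.on_get_request(USER_IP, target, MALICIOUS_REFERER, now=1500.0 + 3601.0), # row aged out
    ]


if __name__ == "__main__":
    print(run_scenario())
```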
An embodiment of the present invention also proposes a cross-site request forgery (CSRF) attack detection device which, as shown in Fig. 3, comprises:
a detection module 301 for detecting whether the src in the payload of an obtained HTTP request is in an abnormal state;
a judgement module 302 for judging, when the src is determined to be in an abnormal state, whether an abnormal GET request whose source IP is the same as the source IP of the HTTP request is received within a predetermined time;
a recognition module 303 for confirming that a CSRF attack has been received when an abnormal GET request whose source IP is the same as the source IP of the HTTP request is received within the predetermined time.
Specifically, the detection module 301 is for:
detecting whether the length of the src in the payload of the obtained HTTP request is greater than a threshold, and detecting whether a question mark follows the uniform resource identifier (uri) in the src;
if the length of the src is greater than the threshold and a question mark follows the uri, detecting whether no fewer than two parameters with non-empty values follow the question mark;
if no fewer than two parameters with non-empty values follow the question mark, determining that the src is in an abnormal state.
Specifically, the judgement module 302 is for:
judging whether a GET request whose source IP is the same as the source IP of the HTTP request is received within the predetermined time;
if a GET request whose source IP is the same as the source IP of the HTTP request is received within the predetermined time, judging whether the uri in the GET request is consistent with the uri in the abnormal src, and judging whether the uri in the GET request is unrelated to the previous-link identifier (referer);
if the uri in the GET request is consistent with the uri in the abnormal src, and the uri and referer in the GET request are unrelated, determining that the received GET request is an abnormal GET request whose source IP is the same as the source IP of the HTTP request.
The judgement module 302 judging whether the uri and referer in the GET request are unrelated specifically comprises:
extracting the uri and referer from the GET request;
splitting the uri and the referer into multiple parts at the slashes they contain;
if every part of the uri differs from every part of the referer, determining that the uri and referer in the GET request are unrelated.
The judgement module 302 is further for:
recording the source IP of the HTTP request, the uniform resource identifier (uri) in the abnormal src and the current time in a danger list, the information stored in the danger list being aged out on a timer based on the recorded time;
judging, based on the information stored in the danger list, whether an abnormal GET request whose source IP is the same as the source IP of the HTTP request is received within the predetermined time;
if an abnormal GET request whose source IP is the same as the source IP of the HTTP request is received within the predetermined time, updating the time recorded in the danger list to the time at which the abnormal GET request was received.
Compared with the prior art, the cross-site request forgery (CSRF) attack detection method and device disclosed by the embodiments of the present invention confirm, when the src in the payload of an obtained HTTP request is detected to be in an abnormal state, whether a CSRF attack has been received by judging whether an abnormal GET request with the same source IP as the HTTP request is received within the predetermined time. By continuously detecting abnormal srcs and abnormal GET requests, and using both together to confirm whether a CSRF attack based on a forged src has been received, recognition of CSRF attacks based on forged srcs is achieved.
From the above description of the embodiments, those skilled in the art will clearly understand that the present invention can be implemented in hardware, or in software together with the necessary general-purpose hardware platform. On this understanding, the technical solution of the present invention can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (which may be a CD-ROM, USB flash drive, portable hard disk, etc.) and comprises instructions that cause a computing device (which may be a personal computer, a server, a network device, etc.) to perform the method described in each implementation scenario of the present invention.
Those skilled in the art will appreciate that the drawings are merely schematic diagrams of preferred implementation scenarios, and that the modules or flows in the drawings are not necessarily required to implement the present invention.
Those skilled in the art will appreciate that the modules of the device in an implementation scenario may be distributed among the devices of that scenario as described, or may be changed accordingly and located in one or more devices different from those of that scenario. The modules of the above implementation scenarios may be merged into one module or further split into multiple sub-modules.
The sequence numbers used in the present invention are for description only and do not represent the merit of the implementation scenarios.
The above are only a few concrete implementation scenarios of the present invention, but the present invention is not limited to them; any variation that a person skilled in the art can conceive of shall fall within the protection scope of the present invention.

Claims (10)

1. A cross-site request forgery (CSRF) attack detection method, characterized in that it comprises:
detecting whether an information source (src) in the load of an obtained HTTP request is in an abnormal state;
if the src is in the abnormal state, judging whether an abnormal GET request whose source IP is identical to the source IP of the HTTP request is received within a given time;
if an abnormal GET request whose source IP is identical to the source IP of the HTTP request is received within the given time, confirming that a CSRF attack is received.
2. The method of claim 1, characterized in that detecting whether the src in the load of the obtained HTTP request is in an abnormal state specifically comprises:
detecting whether the length of the src in the load of the obtained HTTP request is greater than a threshold, and detecting whether a question mark follows the uniform resource identifier (uri) in the src;
if the length of the src is greater than the threshold and a question mark follows the uri, detecting whether no fewer than two parameters with non-null values follow the question mark;
if no fewer than two parameters with non-null values follow the question mark, determining that the src is in the abnormal state.
3. The method of claim 1, characterized in that judging whether an abnormal GET request whose source IP is identical to the source IP of the HTTP request is received within the given time specifically comprises:
judging whether a GET request whose source IP is identical to the source IP of the HTTP request is received within the given time;
if a GET request whose source IP is identical to the source IP of the HTTP request is received within the given time, judging whether the uri in the GET request is consistent with the uri in the src that is in the abnormal state, and judging whether the uri in the GET request is unrelated to the previous-link identifier (referer);
if the uri in the GET request is consistent with the uri in the src that is in the abnormal state, and the uri in the GET request is unrelated to the referer, determining that the received GET request is the abnormal GET request whose source IP is identical to the source IP of the HTTP request.
4. The method of claim 3, characterized in that judging whether the uri in the GET request is unrelated to the referer specifically comprises:
extracting the uri and the referer from the GET request;
dividing the uri and the referer into multiple parts based on the slashes in the uri and the referer;
if every part of the uri differs from every part of the referer, determining that the uri in the GET request is unrelated to the referer.
5. The method of claim 1, characterized in that judging whether an abnormal GET request whose source IP is identical to the source IP of the HTTP request is received within the given time specifically comprises:
recording the source IP of the HTTP request, the uniform resource identifier (uri) in the src that is in the abnormal state, and the current time in a danger list, where the information stored in the danger list is aged out according to the recorded time;
judging, based on the information stored in the danger list, whether an abnormal GET request whose source IP is identical to the source IP of the HTTP request is received within the given time;
if an abnormal GET request whose source IP is identical to the source IP of the HTTP request is received within the given time, updating the time recorded in the danger list to the time at which the abnormal GET request is received.
6. A cross-site request forgery (CSRF) attack detection device, characterized in that it comprises:
a detection module, for detecting whether an information source (src) in the load of an obtained HTTP request is in an abnormal state;
a judgement module, for judging, when the src is determined to be in the abnormal state, whether an abnormal GET request whose source IP is identical to the source IP of the HTTP request is received within a given time;
an identification module, for confirming that a CSRF attack is received when an abnormal GET request whose source IP is identical to the source IP of the HTTP request is received within the given time.
7. The device of claim 6, characterized in that the detection module is specifically for:
detecting whether the length of the src in the load of the obtained HTTP request is greater than a threshold, and detecting whether a question mark follows the uniform resource identifier (uri) in the src;
if the length of the src is greater than the threshold and a question mark follows the uri, detecting whether no fewer than two parameters with non-null values follow the question mark;
if no fewer than two parameters with non-null values follow the question mark, determining that the src is in the abnormal state.
8. The device of claim 6, characterized in that the judgement module is specifically for:
judging whether a GET request whose source IP is identical to the source IP of the HTTP request is received within the given time;
if a GET request whose source IP is identical to the source IP of the HTTP request is received within the given time, judging whether the uri in the GET request is consistent with the uri in the src that is in the abnormal state, and judging whether the uri in the GET request is unrelated to the previous-link identifier (referer);
if the uri in the GET request is consistent with the uri in the src that is in the abnormal state, and the uri in the GET request is unrelated to the referer, determining that the received GET request is the abnormal GET request whose source IP is identical to the source IP of the HTTP request.
9. The device of claim 8, characterized in that the judgement module judging whether the uri in the GET request is unrelated to the referer specifically comprises:
extracting the uri and the referer from the GET request;
dividing the uri and the referer into multiple parts based on the slashes in the uri and the referer;
if every part of the uri differs from every part of the referer, determining that the uri in the GET request is unrelated to the referer.
10. The device of claim 6, characterized in that the judgement module is specifically for:
recording the source IP of the HTTP request, the uniform resource identifier (uri) in the src that is in the abnormal state, and the current time in a danger list, where the information stored in the danger list is aged out according to the recorded time;
judging, based on the information stored in the danger list, whether an abnormal GET request whose source IP is identical to the source IP of the HTTP request is received within the given time;
if an abnormal GET request whose source IP is identical to the source IP of the HTTP request is received within the given time, updating the time recorded in the danger list to the time at which the abnormal GET request is received.
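The following Python sketch is an added example, not code from the patent or from any H3C product. It implements the detection pipeline summarised above and laid out in claims 1 to 5 (the modules of claims 6 to 10 are the same logic) as a defender-side monitor fed with constructed request records: an abnormal src found in a request load is recorded in a danger list keyed by source IP and uri, and a later GET from the same source IP for that uri, within the time window and with a referer sharing no '/'-separated part with the uri, confirms the attack. The length threshold (32), the time window (30 s), the regular expression used to pull src values from the load, comparing uris by path component, dropping empty '/'-separated segments and treating a missing Referer as unrelated are all assumptions that the claims do not fix.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed values: the claims leave the threshold and the time window unspecified.
SRC_LENGTH_THRESHOLD = 32
WINDOW_SECONDS = 30.0

# Assumed extraction rule: src attribute values in an HTML-like request load (body).
_SRC_RE = re.compile(r'src\s*=\s*["\']([^"\']*)["\']', re.IGNORECASE)


def extract_srcs(load):
    """Return every src attribute value found in the request load."""
    return _SRC_RE.findall(load)


def src_is_abnormal(src, threshold=SRC_LENGTH_THRESHOLD):
    """Claims 2/7: length over the threshold, a '?' after the uri, and at least
    two parameters with non-empty values after the '?'."""
    if len(src) <= threshold:
        return False
    _uri, sep, query = src.partition("?")
    if sep != "?":
        return False
    non_empty = [v for _k, v in parse_qsl(query, keep_blank_values=True) if v != ""]
    return len(non_empty) >= 2


def uri_path(uri):
    """Path component used for the uri consistency test (assumption: an absolute
    src URL and a relative GET request-target are compared by path)."""
    return urlsplit(uri).path or "/"


def _segments(s):
    # Split on '/' as in claims 4/9; dropping empty segments is an assumed refinement,
    # otherwise a leading '/' would make every uri "related" to every referer.
    return {part for part in s.split("/") if part}


def uri_unrelated_to_referer(uri, referer):
    """Claims 4/9: unrelated when no '/'-separated part of the uri appears in the referer."""
    if not referer:
        return True  # assumption: a missing Referer counts as unrelated
    return not (_segments(uri) & _segments(referer))


class CsrfDetector:
    """Danger list mapping (source IP, uri path) -> last recorded time; entries
    older than the window are aged out (claims 5/10)."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.danger = {}

    def _age_out(self, now):
        expired = [k for k, ts in self.danger.items() if now - ts > self.window]
        for k in expired:
            del self.danger[k]

    def observe(self, method, src_ip, target, referer, load, now):
        """Feed one request; return True when this request confirms a CSRF attack (claim 1)."""
        self._age_out(now)
        # Step 1: an abnormal src in the load puts (source IP, uri, time) on the danger list.
        for src in extract_srcs(load):
            if src_is_abnormal(src):
                self.danger[(src_ip, uri_path(src))] = now
        # Step 2: a GET from the same source IP, within the window, for the recorded uri,
        # with a uri unrelated to its Referer, is the abnormal GET that confirms the attack.
        if method.upper() != "GET":
            return False
        path = uri_path(target)
        key = (src_ip, path)
        if key not in self.danger:
            return False
        if not uri_unrelated_to_referer(path, referer):
            return False
        self.danger[key] = now  # refresh the recorded time (claims 5/10)
        return True


def demo():
    """Constructed traffic: one request planting a forged src, then several GETs."""
    det = CsrfDetector()
    planted = '<img src="http://bank.example/transfer?to=mallory&amount=1000">'
    return [
        # the request carrying the abnormal src is recorded but is not itself the attack
        det.observe("POST", "10.0.0.5", "/forum/post", "http://forum.example/new", planted, 100.0),
        # same IP, recorded uri, Referer shares no path segment: confirmed
        det.observe("GET", "10.0.0.5", "/transfer?to=mallory&amount=1000", "http://forum.example/posts/1", "", 105.0),
        # Referer shares the 'transfer' segment: related, not confirmed
        det.observe("GET", "10.0.0.5", "/transfer?to=mallory&amount=1000", "http://bank.example/transfer/confirm", "", 106.0),
        # different source IP: no danger-list entry
        det.observe("GET", "10.0.0.9", "/transfer?to=mallory&amount=1000", "http://forum.example/posts/1", "", 107.0),
        # the entry has aged out of the window
        det.observe("GET", "10.0.0.5", "/transfer?to=mallory&amount=1000", "http://forum.example/posts/1", "", 140.0),
    ]
```

`demo()` returns `[False, True, False, False, False]`: only the second request, the GET that matches a fresh danger-list entry and whose Referer shares no segment with the uri, is reported. Note that the scheme keys on source IP, so a deployment that sees traffic behind NAT or a proxy will group unrelated clients under one entry, and the segment-overlap rule treats any shared path word as "related", so both the threshold and the window deserve tuning against real traffic before relying on the verdict.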
CN201510185810.3A 2015-04-17 2015-04-17 A kind of cross-site forged request CSRF attack recognition method and apparatus Active CN104852907B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510185810.3A CN104852907B (en) 2015-04-17 2015-04-17 A kind of cross-site forged request CSRF attack recognition method and apparatus

Publications (2)

Publication Number Publication Date
CN104852907A true CN104852907A (en) 2015-08-19
CN104852907B CN104852907B (en) 2018-08-24

Family

ID=53852263

Country Status (1)

Country Link
CN (1) CN104852907B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106776975A (en) * 2016-12-06 2017-05-31 成都知道创宇信息技术有限公司 A kind of method of CSRF token elements in identification webpage
CN107306259A (en) * 2016-04-22 2017-10-31 腾讯科技(深圳)有限公司 Attack detection method and device in Webpage access

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103944900A (en) * 2014-04-18 2014-07-23 中国科学院计算技术研究所 Cross-station request attack defense method and device based on encryption
US8893270B1 (en) * 2008-01-29 2014-11-18 Trend Micro Incorporated Detection of cross-site request forgery attacks

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Alexei Czeskis et al.: "Lightweight Server Support for Browser-Based CSRF Protection", ACM *
郑新新; 马兆丰; 黄勤龙: "Research on Analysis and Detection Techniques for Cross-Site Request Forgery (CSRF)", Proceedings of the 10th Annual Academic Conference of the China Institute of Communications *

Also Published As

Publication number Publication date
CN104852907B (en) 2018-08-24

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: No. 466, Changhe Road, Binjiang District, Zhejiang, China, 310052

Applicant after: New H3C Technologies Co., Ltd.

Address before: No. 466, Changhe Road, Binjiang District, Zhejiang, China, 310052

Applicant before: Hangzhou H3C Technologies Co., Ltd.

CB02 Change of applicant information
GR01 Patent grant
GR01 Patent grant