CN107612926B - One-sentence speech WebShell interception method based on client recognition - Google Patents


Info

Publication number
CN107612926B
Authority
CN
China
Prior art keywords
value
server
request
client
cookie
Prior art date
2017-10-12
Legal status
Active
Application number
CN201710948543.XA
Other languages
Chinese (zh)
Other versions
CN107612926A (en
Inventor
仲俊霖
Current Assignee
Chengdu Knownsec Information Technology Co ltd
Original Assignee
Chengdu Knownsec Information Technology Co ltd
Priority date
2017-10-12
Filing date
2017-10-12
Publication date
2020-09-29

Landscapes

  • Computer And Data Communications (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses a one-sentence WebShell interception method based on client recognition, comprising the following steps. Step 1: after receiving the HTTP request, the server checks whether the Cookie carries an Access token value; if not, it goes to step 2; if so, it checks whether the value is consistent with the Access token value in the Session, releasing the request if it is and ignoring the request if it is not. Step 2: the server checks whether the client transmits the specified Cookie; if not, the server runs the verification process for the specified Cookie; if so, it checks whether the Cookie value is legal, ignoring the request if it is not legal and proceeding to step 3 if it is. Step 3: the Referer value in the HTTP request is compared with the URL currently being accessed; if they are not equal the request is ignored, and if they are equal the method proceeds to step 4. Step 4: the server generates a random character string as the Access token, stores it in the Session and sets it as a website Cookie, and the access succeeds. The invention has high matching precision, does not affect the use of normal users, and can greatly reduce both the missed-report rate and the false-report rate.

Description

One-sentence WebShell interception method based on client recognition
Technical Field
The invention relates to a WebShell interception method, in particular to a one-sentence WebShell interception method based on client recognition.
Background
During website penetration an attacker usually leaves a website backdoor behind for later use; one kind of backdoor, the one-sentence WebShell, is favoured because it is short and powerful. The function of such a backdoor is usually to execute malicious code supplied by its user, so the code of the backdoor itself is very short, and it is colloquially called a one-sentence Trojan. Because the backdoor can only carry out an attack once its user sends it attack code, dedicated one-sentence WebShell clients exist: these clients usually carry the attack code, and the user only needs to fill in the backdoor address and password to operate it. Such clients, however, are typically standalone software and do not have the capability to execute JavaScript code. Existing WebShell access interception basically works by collecting WebShell signatures published on the network and matching against them, or by detecting certain sensitive functions. Signature matching easily produces a large number of false alarms, and because WebShell features change all the time, a signature library can never cover all of them, so misses easily occur.
Disclosure of Invention
The invention provides a one-sentence WebShell interception method based on client recognition, which has high matching accuracy, does not influence normal user use, and can greatly reduce the rate of missing report and the rate of false report.
The technical scheme adopted by the invention is as follows: a one-sentence WebShell interception method based on client recognition comprises the following steps:
step 1: after receiving the HTTP request, the server checks whether the Cookie carries an Access token value; if not, it goes to step 2; if so, it checks whether the value is consistent with the Access token value in the Session, releasing the request if it is and ignoring the request if it is not;
step 2: the server checks whether the client transmits the specified Cookie; if not, the server runs the verification process for the specified Cookie; if so, it checks whether the Cookie value is consistent with the encrypted value stored in the Session on the server, ignoring the request if it is not and proceeding to step 3 if it is;
step 3: the Referer value in the HTTP request is compared with the URL currently being accessed; if they are not equal the request is ignored, and if they are equal the method proceeds to step 4;
step 4: the server generates a random character string as the Access token, stores it in the Session and sets it as a website Cookie, and the access succeeds.
Further, the verification process in step 2 is as follows:
S1: fingerprint information of the user's browser is acquired in an HTML page and then transmitted to the server;
S2: the server receives the browser fingerprint information transmitted by the client, takes the IP address from the HTTP request and the Key preset in the server, encrypts them together, stores the resulting value in the Session and returns it to the client page;
S3: after receiving the value returned by the server, the client page sets the value as the website Cookie and accesses the current URL again.
Further, in step S2 the encryption is MD5, and the encryption formula is MD5(Client_ID + IP + Key), where Client_ID is the browser fingerprint information and IP is the IP address in the HTTP request.
Further, the browser fingerprint information obtained in step S1 is obtained through a Canvas tag.
Further, in step S1 the browser fingerprint information is transferred to the server asynchronously by JavaScript code.
The invention has the beneficial effects that:
(1) by detecting whether the client is a normal browser, the method intercepts access requests from one-sentence WebShell clients with high matching precision;
(2) the invention does not affect the use of normal users, and can greatly reduce both the missed-report rate and the false-report rate.
Drawings
FIG. 1 is a schematic flow chart of the present invention.
FIG. 2 is a schematic diagram of the verification process of the present invention.
Detailed Description
The invention is further described with reference to the following figures and specific embodiments.
As shown in FIG. 1, the one-sentence WebShell interception method based on client recognition comprises the following steps:
step 1: after receiving the HTTP request, the server checks whether the Cookie carries an Access token value; if not, it goes to step 2; if so, it checks whether the value is consistent with the Access token value in the Session, releasing the request if it is and ignoring the request if it is not;
step 2: the server checks whether the client transmits the specified Cookie; if the specified Cookie is not transmitted, the server returns the verification page described below for verification; if it is transmitted, the server checks whether the Cookie value is consistent with the encrypted value stored in the Session on the server, ignoring the request if it is not and proceeding to step 3 if it is;
step 3: the Referer value in the HTTP request is compared with the URL currently being accessed; if they are not equal the request is ignored, and if they are equal the method proceeds to step 4;
step 4: the server generates a random character string as the Access token, stores it in the Session and sets it as a website Cookie, and the access succeeds; from then on the client can access the website only by carrying the Access token on every access.
Further, the verification process in step 2 is as follows:
S1: the user's browser fingerprint information (Client_ID) is acquired in an HTML page and then transmitted asynchronously to the server by JavaScript code;
S2: after receiving the browser fingerprint information (Client_ID) transmitted by the client, the server takes the IP address from the HTTP request and the Key preset in the server and computes an MD5 hash over them, stores the resulting MD5 value in the Session and returns it to the client page; the encryption formula is MD5(Client_ID + IP + Key); the value is kept in the Session on the server, and a copy is transmitted to the client to be set as a website Cookie;
S3: after receiving the MD5 value returned by the server, the client page sets the value as the website Cookie and accesses the current URL again (the Cookie name can be set arbitrarily; it is referred to here as the "specified Cookie").
The method relies on the fact that a WebShell client does not have the capability to execute JavaScript code, and combines this with checks of the website's Cookie and HTTP Referer to identify abnormal access requests. When a user accesses the website, the client the user is using is detected by technical means: if the user is using a browser the access is considered normal, and if not, the access was initiated by some other program and therefore differs from that of a normal user. By detecting whether the client is a normal browser, the method intercepts access requests from one-sentence WebShell clients, has high matching precision, does not affect the use of normal users, and can greatly reduce both the missed-report rate and the false-report rate.
In this context: one-sentence WebShell refers to a number of very short website backdoor programs that must be connected to with a specific client; Cookie refers to data stored on the user's local terminal to identify the user and track the Session; JavaScript refers to a scripting language that is mostly used in website front-end pages and executed by browsers; the Referer is a part of the HTTP header: when a browser sends a request to a web server it generally carries the Referer to tell the server which page it was linked from, and the server can use it to obtain some information for processing; Canvas is an HTML5 tag through which browser fingerprint information can be obtained; Access token is a concept from Windows operating system security: an access token contains security information for a login session, the system creates one when a user logs in, and every process running under that user's identity then holds a copy of the token; Session refers to what is called "session control" in computing, especially in network applications; HTTP refers to Hypertext Transfer Protocol; URL refers to Uniform Resource Locator; HTML refers to Hypertext Markup Language.
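As an added illustration (not code from the patent or its assignee), the following Python models the server side of steps 1 to 4 together with the S2 verification step, and walks a browser-like client that performs S1 to S3 and a client that cannot run JavaScript through the flow. The cookie names, the Session being attached to the request object, and the sample key, URL, IP address and fingerprint are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ACCESS_COOKIE = "access_token"   # assumed name for the Access token cookie (step 4)
VERIFY_COOKIE = "client_check"   # assumed name for the "specified Cookie" (step 2)


@dataclass
class Request:
    url: str
    ip: str
    cookies: Dict[str, str] = field(default_factory=dict)
    referer: Optional[str] = None
    session: Dict[str, str] = field(default_factory=dict)  # server-side Session of this client


class WebShellGate:
    """Server side of the patent's flow: steps 1-4 plus the S2 verification step."""

    def __init__(self, key: str) -> None:
        self.key = key  # Key preset in the server (S2)

    def fingerprint_hash(self, client_id: str, ip: str) -> str:
        # Patent formula: MD5(Client_ID + IP + Key); Client_ID is the Canvas fingerprint
        return hashlib.md5((client_id + ip + self.key).encode()).hexdigest()

    def verify(self, req: Request, client_id: str) -> str:
        # S2: hash the posted fingerprint with the request IP and the Key, keep it in the
        # Session and hand a copy back so the page can set it as the specified Cookie (S3)
        value = self.fingerprint_hash(client_id, req.ip)
        req.session["verify_value"] = value
        return value

    def handle(self, req: Request) -> str:
        """Return 'ALLOW', 'IGNORE' or 'VERIFY' (serve the verification page)."""
        token = req.cookies.get(ACCESS_COOKIE)
        if token is not None:  # step 1: token present -> must match the Session copy
            expected = req.session.get("access_token", "")
            return "ALLOW" if secrets.compare_digest(token.encode(), expected.encode()) else "IGNORE"
        check = req.cookies.get(VERIFY_COOKIE)
        if check is None:  # step 2: no specified Cookie -> run the S1-S3 verification
            return "VERIFY"
        expected = req.session.get("verify_value", "")
        if not secrets.compare_digest(check.encode(), expected.encode()):
            return "IGNORE"
        if req.referer != req.url:  # step 3: the page re-requested itself, so Referer == URL
            return "IGNORE"
        token = secrets.token_urlsafe(32)  # step 4: random Access token into Session + Cookie
        req.session["access_token"] = token
        req.cookies[ACCESS_COOKIE] = token
        return "ALLOW"


def simulate(client_runs_js: bool) -> List[str]:
    """Walk one client through the flow; only a browser can perform S1-S3."""
    gate = WebShellGate(key="constructed-server-key")  # constructed sample key
    req = Request(url="https://example.test/upload.php", ip="203.0.113.7")  # constructed
    outcomes = [gate.handle(req)]  # first visit: no cookies -> VERIFY
    if client_runs_js:
        # S1-S3 as the page's JavaScript would do them: post fingerprint, set cookie, reload
        req.cookies[VERIFY_COOKIE] = gate.verify(req, client_id="canvas-fp-constructed")
        req.referer = req.url
        outcomes.append(gate.handle(req))  # -> ALLOW and an Access token is issued
    outcomes.append(gate.handle(req))  # next request: browser ALLOW via token, WebShell VERIFY
    return outcomes
```

A client that never executes the page script is sent the verification page on every request and never obtains an Access token, while a forged or stale token cookie is ignored because it does not match the Session copy.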

Claims (5)

1. A one-sentence WebShell interception method based on client recognition, characterized by comprising the following steps:
step 1: after receiving the HTTP request, the server checks whether the Cookie carries an Access token value; if not, it goes to step 2; if so, it checks whether the value is consistent with the Access token value in the Session, releasing the request if it is and ignoring the request if it is not;
step 2: the server checks whether the client transmits the specified Cookie; if not, the server runs the verification process for the specified Cookie; if so, it checks whether the Cookie value is consistent with the encrypted value stored in the Session on the server, ignoring the request if it is not and proceeding to step 3 if it is;
step 3: the Referer value in the HTTP request is compared with the URL currently being accessed; if they are not equal the request is ignored, and if they are equal the method proceeds to step 4;
step 4: the server generates a random character string as the Access token, stores it in the Session and sets it as a website Cookie, and the access succeeds.
2. The WebShell interception method based on client recognition as claimed in claim 1, wherein the verification process in step 2 is as follows:
S1: fingerprint information of the user's browser is acquired in an HTML page and then transmitted to the server;
S2: the server receives the browser fingerprint information transmitted by the client, takes the IP address from the HTTP request and the Key preset in the server, encrypts them together, stores the resulting value in the Session and returns it to the client page;
S3: after receiving the value returned by the server, the client page sets the value as the website Cookie and accesses the current URL again.
3. The WebShell interception method of claim 2, wherein in step S2 the encryption is MD5 according to the formula MD5(Client_ID + IP + Key), where Client_ID is the browser fingerprint information and IP is the IP address in the HTTP request.
4. The WebShell interception method based on client recognition as claimed in claim 2, wherein the browser fingerprint information obtained in step S1 is obtained through a Canvas tag.
5. The WebShell interception method based on client recognition as claimed in claim 2, wherein in step S1 the browser fingerprint information is transferred to the server asynchronously through JavaScript code.
CN201710948543.XA 2017-10-12 2017-10-12 One-sentence speech WebShell interception method based on client recognition Active CN107612926B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710948543.XA CN107612926B (en) 2017-10-12 2017-10-12 One-sentence speech WebShell interception method based on client recognition

Publications (2)

Publication Number Publication Date
CN107612926A CN107612926A (en) 2018-01-19
CN107612926B true CN107612926B (en) 2020-09-29

Family

ID=61068537

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710948543.XA Active CN107612926B (en) 2017-10-12 2017-10-12 One-sentence speech WebShell interception method based on client recognition

Country Status (1)

Country Link
CN (1) CN107612926B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108259619B (en) * 2018-01-30 2021-08-24 成都东软学院 Network request protection method and network communication system
CN109194671B (en) * 2018-09-19 2021-07-13 网宿科技股份有限公司 Abnormal access behavior identification method and server
EP4040719A1 (en) * 2019-08-05 2022-08-10 Mastercard International Incorporated Secure server client interaction
CN113746784B (en) * 2020-05-29 2023-04-07 深信服科技股份有限公司 Data detection method, system and related equipment
CN112668005A (en) * 2020-12-30 2021-04-16 北京天融信网络安全技术有限公司 Webshell file detection method and device
CN112800427B (en) * 2021-04-08 2021-09-28 北京邮电大学 Webshell detection method and device, electronic equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103888490A (en) * 2012-12-20 2014-06-25 上海天泰网络技术有限公司 Automatic WEB client man-machine identification method
CN103944900A (en) * 2014-04-18 2014-07-23 中国科学院计算技术研究所 Cross-station request attack defense method and device based on encryption
CN105471833A (en) * 2015-05-14 2016-04-06 瑞数信息技术(上海)有限公司 Safe communication method and device
CN106650437A (en) * 2016-12-29 2017-05-10 广州华多网络科技有限公司 Webshell detection method and device

Also Published As

Publication number Publication date
CN107612926A (en) 2018-01-19

Similar Documents

Publication Publication Date Title
CN107612926B (en) One-sentence speech WebShell interception method based on client recognition
US10673896B2 (en) Devices, systems and computer-implemented methods for preventing password leakage in phishing attacks
JP6624771B2 (en) Client-based local malware detection method
CN107209830B (en) Method for identifying and resisting network attack
EP2447878B1 (en) Web based remote malware detection
US9083733B2 (en) Anti-phishing domain advisor and method thereof
US9817969B2 (en) Device for detecting cyber attack based on event analysis and method thereof
US11451583B2 (en) System and method to detect and block bot traffic
CN101895516B (en) Method and device for positioning cross-site scripting attack source
US20130055403A1 (en) System for detecting vulnerabilities in web applications using client-side application interfaces
CN107046544B (en) Method and device for identifying illegal access request to website
WO2016186736A1 (en) Security systems for mitigating attacks from a headless browser executing on a client computer
US20070124806A1 (en) Techniques for tracking actual users in web application security systems
CN103929440A (en) Web page tamper prevention device based on web server cache matching and method thereof
CN105635064B (en) CSRF attack detection method and device
US20190268373A1 (en) System, method, apparatus, and computer program product to detect page impersonation in phishing attacks
US11810014B2 (en) Systems, methods and apparatus for evaluating status of computing device user
WO2014153959A1 (en) Method, related apparatus and system for preventing cross-site request forgery
CN112118238B (en) Method, device, system, equipment and storage medium for authenticating login
CN108322420B (en) Method and device for detecting backdoor file
US8381269B2 (en) System architecture and method for secure web browsing using public computers
CN111193708A (en) Code scanning login method and device based on enterprise browser
CN107294994B (en) CSRF protection method and system based on cloud platform
JP5743822B2 (en) Information leakage prevention device and restriction information generation device
US20210176275A1 (en) System and method for page impersonation detection in phishing attacks

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP02 Change in the address of a patent holder

Address after: 9/F, Block C, No. 28 Tianfu Avenue North Section, Chengdu High tech Zone, China (Sichuan) Pilot Free Trade Zone, Chengdu City, Sichuan Province, 610000

Patentee after: CHENGDU KNOWNSEC INFORMATION TECHNOLOGY Co.,Ltd.

Address before: 610000, 11th floor, building 2, No. 219, Tianfu Third Street, hi tech Zone, Chengdu, Sichuan Province

Patentee before: CHENGDU KNOWNSEC INFORMATION TECHNOLOGY Co.,Ltd.