CN114884730B - Request detection method, device, equipment and readable storage medium - Google Patents


Info

Publication number
CN114884730B
Authority
CN
China
Prior art keywords
request
detection
target
field
terminal
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210492914.9A
Other languages
Chinese (zh)
Other versions
CN114884730A (en)
Inventor
伍光兴
张志良
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Classifications

    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • G06F16/9566 URL specific, e.g. using aliases, detecting broken or misspelled links
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/101 Access control lists [ACL]
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L69/22 Parsing or analysis of headers

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Databases & Information Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a request detection method, apparatus, device and readable storage medium. After the security detection device acquires a target request with which an intranet terminal accesses a target end, it sends the intranet terminal a response message for that target request. The intranet terminal executes the detection script contained in the response message to obtain a target field that represents browser information and is encapsulated in the request header, and sends a detection request to the security detection device with the target field as a URL parameter. The security detection device parses the detection request to obtain the target field and the header field of the detection request, and compares the target field with the header field to determine whether to allow the access request of the intranet terminal. The scheme applies security detection to the various access requests sent by intranet terminals in a unified way, which strengthens the security protection of the intranet and improves intranet security. The request detection apparatus, device and readable storage medium have the same technical effects.

Description

Request detection method, device, equipment and readable storage medium
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a method, an apparatus, a device, and a readable storage medium for detecting a request.
Background
Currently, security gateways can be used to secure an intranet. In practice, a request sent by an intranet terminal may be tampered with. Because intranet terminals access many different destination ends, and each destination end detects requests in its own way, it is difficult for a security gateway to integrate the request detection methods of all destination ends. The requests sent by intranet terminals are therefore hard to detect, which reduces intranet security.
Therefore, how to strengthen the security protection of the intranet is a problem that those skilled in the art need to solve.
Disclosure of Invention
In view of the foregoing, an object of the present application is to provide a request detection method, apparatus, device and readable storage medium that strengthen the security protection of an intranet. The specific scheme is as follows:
In a first aspect, the present application provides a request detection method, applied to a security detection device, including:
acquiring a target request with which an intranet terminal accesses a target end;
sending a response message for the target request to the intranet terminal, the response message containing a detection script, so that the intranet terminal executes the detection script to obtain a target field that represents browser information and is encapsulated in a request header, and sends a detection request to the security detection device with the target field as a URL parameter;
parsing the URL of the detection request to obtain the target field, and parsing the detection request to obtain the header field contained in the detection request;
and comparing the target field with the header field to obtain a comparison result, and determining according to the comparison result whether to allow the access request of the intranet terminal.
Optionally, the method further comprises:
if the target request meets a preset detection condition, executing the step of sending a response message for the target request to the intranet terminal;
wherein the preset detection condition is a condition that ensures that the intranet terminal can respond to the response message.
Optionally, the preset detection condition includes: the resource requested by the target request is a script resource, and/or the User-Agent field in the target request is known, and/or the target request carries a Referer field, and/or the target end is a Web master station.
Optionally, the intranet terminal encrypts the target field and uses the ciphertext of the target field as the URL parameter;
correspondingly, parsing the URL of the detection request to obtain the target field includes:
parsing the URL of the detection request to obtain the ciphertext of the target field, and decrypting the ciphertext to obtain the target field.
Optionally, the detection script is further configured to, when executed, cause the intranet terminal to obtain the original target request and, after sending the detection request, send the original target request again;
correspondingly, comparing the target field with the header field to obtain a comparison result, and determining according to the comparison result whether to allow the access request of the intranet terminal, includes:
comparing the target field with the header field to obtain a comparison result, and determining according to the comparison result whether to release the target request that is received afterwards.
Optionally, comparing the target field with the header field to obtain a comparison result, and determining according to the comparison result whether to allow the access request of the intranet terminal, includes:
if the target field is consistent with the header field, allowing the access request of the intranet terminal;
and if the target field is inconsistent with the header field, not allowing the access request of the intranet terminal.
Optionally, after allowing the access request of the intranet terminal, the method further includes:
adding the IP address of the intranet terminal to a trusted list;
correspondingly, after not allowing the access request of the intranet terminal, the method further comprises:
blocking the IP address of the intranet terminal.
In another aspect, the present application provides a request detection apparatus, applied to a security detection device, including:
an acquisition module, used for acquiring a target request with which an intranet terminal accesses a target end;
a sending module, used for sending a response message for the target request to the intranet terminal, the response message containing a detection script, so that the intranet terminal executes the detection script to obtain a target field that represents browser information and is encapsulated in a request header, and sends a detection request to the security detection device with the target field as a URL parameter;
a parsing module, used for parsing the URL of the detection request to obtain the target field and parsing the detection request to obtain the header field contained in the detection request;
and a detection module, used for comparing the target field with the header field to obtain a comparison result, and determining according to the comparison result whether to allow the access request of the intranet terminal.
In yet another aspect, the present application provides an electronic device, including:
a memory for storing a computer program;
and a processor for executing the computer program to implement the request detection method disclosed above.
In yet another aspect, the present application provides a readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the previously disclosed request detection method.
According to the above scheme, the application provides a request detection method, applied to a security detection device, comprising the following steps: acquiring a target request with which an intranet terminal accesses a target end; sending a response message for the target request to the intranet terminal, the response message containing a detection script, so that the intranet terminal executes the detection script to obtain a target field that represents browser information and is encapsulated in a request header, and sends a detection request to the security detection device with the target field as a URL parameter; parsing the URL of the detection request to obtain the target field, and parsing the detection request to obtain the header field contained in the detection request; and comparing the target field with the header field to obtain a comparison result, and determining according to the comparison result whether to allow the access request of the intranet terminal.
The security detection device can thus detect the target request with which the intranet terminal accesses the target end. Specifically, when the security detection device acquires such a target request, it sends the intranet terminal a response message for the target request. Because the response message contains the detection script, the intranet terminal can execute the detection script to obtain the target field that represents browser information and is encapsulated in the request header, and then sends a detection request to the security detection device with the target field as a URL parameter. The security detection device can then parse the URL of the detection request to obtain the target field, parse the detection request to obtain the header field it contains, compare the two, and determine from the comparison result whether to allow the access request of the intranet terminal. In this way the security detection device performs security detection on the target request. The scheme does not need to integrate the request detection methods of the individual destination ends; it applies security detection to the various access requests sent by intranet terminals in a unified way, which strengthens the security protection of the intranet and improves intranet security.
Accordingly, the request detection apparatus, device and readable storage medium provided by the application have the same technical effects.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present application, and that other drawings may be obtained according to the provided drawings without inventive effort to a person skilled in the art.
FIG. 1 is a flow chart of a request detection method disclosed in the present application;
FIG. 2 is a flow chart of another request detection method disclosed herein;
FIG. 3 is a schematic diagram of a request detection scheme disclosed herein;
FIG. 4 is a flow chart of a request detection system disclosed herein;
FIG. 5 is a schematic diagram of an IP management page disclosed herein;
FIG. 6 is a schematic diagram of a request detection device disclosed in the present application;
FIG. 7 is a schematic diagram of an electronic device disclosed herein;
FIG. 8 is a schematic diagram of another electronic device disclosed herein.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
At present, a request sent by an intranet terminal may be tampered with. Because intranet terminals access many different destination ends, and each destination end detects requests in its own way, it is difficult for a security gateway to integrate the request detection methods of all destination ends, so the requests sent by intranet terminals are hard to detect and intranet security is reduced. The request detection scheme of the present application can detect the various access requests sent by intranet terminals and thereby strengthens the security protection of the intranet.
Referring to fig. 1, an embodiment of the present application discloses a request detection method, which is applied to a security detection device, and includes:
S101, acquiring a target request with which the intranet terminal accesses the target end.
In this embodiment, the security detection device may be a gateway device or another device that provides security protection for an intranet. The target request may be an HTTP (Hypertext Transfer Protocol) request.
S102, sending a response message for the target request to the intranet terminal; the response message contains a detection script, so that the intranet terminal executes the detection script to obtain a target field that represents browser information and is encapsulated in the request header, and sends a detection request to the security detection device with the target field as a URL parameter.
The target field obtained when the intranet terminal executes the detection script must satisfy two conditions: (1) it can represent the browser information used by the terminal to send the target request; (2) it can be encapsulated in the header of the target request. When both conditions hold, the header field of any request that the intranet terminal sends through the corresponding browser contains the target field. When the intranet terminal then uses the target field as a URL parameter, the detection request sent to the security detection device carries the target field twice: in its header field and in the URL parameter that it carries as payload. Because the target field used as the URL parameter is a local browser parameter obtained by the intranet terminal executing the detection script, if the target field in the header field of the detection request is consistent with the target field in the URL parameter, the detection request was not tampered with in transit from the intranet terminal to the security detection device; otherwise, it was tampered with in transit. Consistency also shows that HTTP requests issued by the corresponding browser in the terminal reach the security detection device directly, without interception or tampering.
In one implementation, the detection script in the response message is data that this embodiment sets up to impersonate the response to the target request. The detection script therefore has to match the resource requested by the target request, so that the intranet terminal can respond to the response message and the terminal side can execute the detection script. The preset detection condition can determine whether the resource requested by the target request matches the detection script. If the resource does not match the detection script, the terminal side cannot execute the detection script, so the request is released directly and the subsequent detection steps are skipped. If the target request meets the preset detection condition, the step of sending a response message for the target request to the intranet terminal is executed, and the subsequent steps follow. The preset detection condition is a condition that ensures that the intranet terminal can respond to the response message, for example: whether the resource requested by the target request matches the detection script.
In one embodiment, if the resource requested by the target request is a script resource, the resource is considered to match the detection script. Thus, in one embodiment, matching the resource requested by the target request against the detection script includes: if the resource requested by the target request is a script resource, the resource matches the detection script; the script resources include at least one or a combination of the following: js resources and html resources.
Since this embodiment detects HTTP requests, the preset detection condition also has to check whether the User-Agent field in the target request is known, whether the target request carries the Referer field, and whether the target end is the Web master station. The detection condition is considered satisfied as long as at least one of these 3 checks is answered yes.
It follows that the target request satisfies the preset detection condition when "the resource requested by the target request matches the detection script" and "the User-Agent field in the target request is known and/or the target request carries the Referer field and/or the target end is the Web master station". Accordingly, the target request does not satisfy the preset detection condition when "the resource requested by the target request does not match the detection script" or "the User-Agent field in the target request is unknown and/or the target request does not carry the Referer field and/or the target end is not the Web master station". In one specific embodiment, the method further comprises: if the target request does not meet the preset detection condition, releasing the target request.
S103, parsing the URL of the detection request to obtain the target field, and parsing the detection request to obtain the header field contained in the detection request.
It should be noted that the function of the detection script is to acquire information about the browser that the intranet terminal uses to send the HTTP request. If the HTTP request sent by the intranet terminal is tampered with on its way to the security detection device, then when the request arrives at the security detection device its header information may differ from the browser information local to the terminal. If the original request sent by the intranet terminal is not tampered with on its way to the security detection device, the target request acquired by the security detection device is the original request sent by the intranet terminal.
To detect whether the target request acquired by the security detection device is the original request sent by the intranet terminal, the intranet terminal executes the detection script and thereby obtains the browser information local to the intranet terminal. Since tampering with the request changes the browser information in its header field, whether the request has been tampered with can be detected by checking whether the terminal's local browser information is present in the header field of the request.
For this purpose, after the intranet terminal executes the detection script and obtains the target field that represents the browser information and can be encapsulated in the request header, the detection script causes the intranet terminal to send a detection request (still an HTTP request) that carries the target field. If the header field of the detection request is consistent with the target field carried as payload in that same request, the detection request was not tampered with on the transmission path from the intranet terminal to the security detection device.
The header field of an HTTP request includes the User-Agent field, the Referer field, the identification information of the target end, and so on, so the "target field that represents browser information and can be encapsulated in the request header" can be selected from the header field of the HTTP request for the subsequent comparison. The target field is used as a URL parameter in the detection request, and the URL may be the same as the URL in the target request or may be specified at random. The User-Agent field contains a characteristic string that lets the peer of the network protocol identify the application type, operating system, software developer and version number of the user agent software that initiated the request; these items are browser information.
The header field of an HTTP request may indicate the identity information (e.g., version) of the browser and the address, port, etc. of the web server. The header field can thus be used to identify the browser and the web server being accessed. For example, the User-Agent field is used to judge which features the client's browser supports, in order to improve the user experience. Counting the number of User-Agent types seen under a given IP address shows whether the User-Agent type under that IP address has changed, from which it can be inferred whether unsafe network sharing behavior exists.
S104, comparing the target field with the header field to obtain a comparison result, and determining according to the comparison result whether to allow the access request of the intranet terminal.
In a specific embodiment, the intranet terminal encrypts the target field and uses the ciphertext of the target field as the URL parameter; accordingly, parsing the URL of the detection request to obtain the target field includes: parsing the URL of the detection request to obtain the ciphertext of the target field, and decrypting the ciphertext to obtain the target field. The URL parameter (i.e., the target field) in the detection request thus exists in ciphertext form, which ensures that the URL parameter is not tampered with. Comparing the target field with the header field to obtain a comparison result, and determining according to the comparison result whether to allow the access request of the intranet terminal, includes: if the target field is consistent with the header field, allowing the access request of the intranet terminal; if the target field is inconsistent with the header field, not allowing the access request of the intranet terminal.
In a specific embodiment, after the access request of the intranet terminal is allowed, the method further includes: adding the IP address of the intranet terminal to a trusted list; correspondingly, after the access request of the intranet terminal is not allowed, the method further comprises: blocking the IP address of the intranet terminal.
The security detection device may lose the target request acquired in step S101 during the detection process. If that happens, the intranet terminal can send the request for accessing the target end once more, so that the security detection device can decide according to the comparison result whether to release or intercept the most recently received request. If the security detection device has not lost the target request acquired in step S101, it can decide directly according to the comparison result whether to release or intercept that request. Thus, in one embodiment, the detection script is further configured to perform the following when executed: the intranet terminal obtains the original target request and, after sending the detection request, sends the original target request again; correspondingly, comparing the target field with the header field to obtain a comparison result, and determining according to the comparison result whether to allow the access request of the intranet terminal, includes: comparing the target field with the header field to obtain a comparison result, and determining according to the comparison result whether to release the subsequently received target request.
In this embodiment, therefore, the security detection device can detect the target request with which the intranet terminal accesses the target end. Specifically, when the security detection device acquires such a target request, it sends the intranet terminal a response message for the target request. Because the response message contains the detection script, the intranet terminal can execute the detection script to obtain the target field that represents browser information and is encapsulated in the request header, and then sends a detection request to the security detection device with the target field as a URL parameter. The security detection device can then parse the URL of the detection request to obtain the target field, parse the detection request to obtain the header field it contains, compare the two, and determine from the comparison result whether to allow the access request of the intranet terminal. In this way the security detection device performs security detection on the target request. The scheme does not need to integrate the request detection methods of the individual destination ends; it applies security detection to the various access requests sent by intranet terminals in a unified way, which strengthens the security protection of the intranet and improves intranet security.
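The gateway-side flow of S101 to S104, sketched as an added Python example that is not taken from the patent or from any product of the assignee. It covers the plain-parameter variant only (the optional ciphertext step is omitted); the probe path, parameter name, the use of `navigator.userAgent` in the script, the "known User-Agent" markers, and the rule that trusted IPs skip the challenge are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs, quote, urlsplit

# Every name and value below is an assumption made for this example.
PROBE_PATH = "/__request_check"      # hypothetical URL used for the detection request
PROBE_PARAM = "ua"                   # hypothetical URL parameter carrying the target field
SCRIPT_SUFFIXES = (".js", ".html")   # "script resources" named in the description
KNOWN_UA_MARKERS = ("Chrome/", "Firefox/", "Safari/")  # stand-in for a "known" User-Agent

# Script returned in place of the requested resource: it reads the browser's
# own User-Agent, sends it back as a URL parameter, then re-requests the page.
DETECTION_SCRIPT = (
    "(function(){"
    "var f=encodeURIComponent(navigator.userAgent);"
    "new Image().src='%s?%s='+f;"
    "setTimeout(function(){location.reload();},1000);"
    "})();" % (PROBE_PATH, PROBE_PARAM)
)


@dataclass
class Request:
    src_ip: str
    url: str
    headers: dict

    def header(self, name):
        # HTTP header names are case-insensitive.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


@dataclass
class Gateway:
    master_hosts: set = field(default_factory=set)  # hosts treated as the Web master station
    trusted: set = field(default_factory=set)
    blocked: set = field(default_factory=set)

    def meets_detection_condition(self, req):
        # Script resource AND (known User-Agent OR Referer present OR master station).
        parts = urlsplit(req.url)
        is_script = parts.path.lower().endswith(SCRIPT_SUFFIXES)
        ua = req.header("User-Agent") or ""
        ua_known = any(marker in ua for marker in KNOWN_UA_MARKERS)
        has_referer = req.header("Referer") is not None
        is_master = parts.hostname in self.master_hosts
        return is_script and (ua_known or has_referer or is_master)

    def handle_target_request(self, req):
        # S101/S102: returns (decision, response body for the terminal or None).
        if req.src_ip in self.blocked:
            return "blocked", None
        # Assumption: an IP already on the trusted list is not challenged again.
        if req.src_ip in self.trusted or not self.meets_detection_condition(req):
            return "pass", None
        return "challenge", DETECTION_SCRIPT

    def handle_detection_request(self, req):
        # S103: target field from the URL, header field from the same request.
        values = parse_qs(urlsplit(req.url).query).get(PROBE_PARAM, [])
        header_ua = req.header("User-Agent")
        # S104: a missing or repeated parameter counts as inconsistent.
        if len(values) == 1 and header_ua is not None and values[0] == header_ua:
            self.trusted.add(req.src_ip)
            return "allow"
        self.blocked.add(req.src_ip)
        return "block"


def build_detection_request(src_ip, host, browser_ua, wire_ua):
    # Models the terminal: browser_ua is what the script reads locally,
    # wire_ua is the User-Agent header as it arrives at the gateway.
    url = "http://%s%s?%s=%s" % (host, PROBE_PATH, PROBE_PARAM, quote(browser_ua, safe=""))
    return Request(src_ip, url, {"Host": host, "User-Agent": wire_ua})


if __name__ == "__main__":
    # Constructed sample values.
    ua = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
    gw = Gateway()
    page = Request("10.0.0.5", "http://portal.example/static/app.js", {"User-Agent": ua})
    print(gw.handle_target_request(page)[0])
    print(gw.handle_detection_request(build_detection_request("10.0.0.5", "portal.example", ua, ua)))
    print(gw.handle_detection_request(
        build_detection_request("10.0.0.6", "portal.example", ua, "RewritingProxy/1.0")))
```
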
Referring to fig. 2, an embodiment of the present application discloses another request detection method, which is applied to an intranet terminal, and includes:
s201, sending a target request for accessing a target end to the security detection equipment so that the security detection equipment sends a response message aiming at the target request to the intranet terminal; the response message contains a detection script.
S202, executing the detection script obtains a target field which is used for representing browser information and is packaged in a request header.
In one embodiment, executing the detection script results in a target field representing browser information and encapsulated in a request header, comprising: the detection script is executed to obtain the target field by the environment variable location.
S203, using the target field as a URL parameter, sending a detection request to the security detection equipment, so that the security detection equipment analyzes the URL of the detection request to obtain the target field, and analyzing the detection request to obtain a header field contained in the detection request; and comparing the target field with the head field to obtain a comparison result, and determining whether to allow the access request of the intranet terminal according to the comparison result.
In this embodiment, the detection request is an HTTP detection packet that the detection script directs the intranet terminal to construct, and it is used to detect whether the HTTP request has been tampered with. The detection request is therefore also an HTTP request. To prevent the target field in the detection request from being tampered with in transit, the ciphertext of the target field is filled into the URL of the detection request as a parameter. In one embodiment, before the detection request is sent to the security detection device, the method includes: encrypting the target field to obtain a ciphertext, and filling the ciphertext as a parameter into the URL used for detection to obtain the detection request. In one embodiment, the URL used for detection is either the URL extracted from a request sent by the intranet terminal or a randomly specified URL.
In a specific embodiment, when the intranet terminal executes the detection script, it starts a timer; when the timer expires, the target request is sent to the security detection device again, so that the security detection device releases or intercepts the most recently received target request according to the comparison result. The timer duration should be no less than the total time the intranet terminal needs to execute the detection script, construct the detection request and transmit the detection request. Alternatively, instead of using a timer, the intranet terminal may send the detection request and a target request at the same time. In this way, a target request can still be released or intercepted even if the security detection device has lost the previous target request.
Of course, if the security detection device does not lose the previous target request, whether to release the target request or intercept the target request can be directly determined according to the comparison result, without waiting for a new target request. If the security detection device has not lost the previous target request and received a new target request, the security detection device may randomly select one of the target requests to pass or intercept.
Therefore, the method and the device can detect the target request of the intranet terminal for accessing the target end by using the security detection equipment, do not need to integrate the request detection mode of each target end, and perform security detection on various access requests sent by the intranet terminal in a unified mode, so that the security protection of the intranet is enhanced, and the security of the intranet is improved.
Referring to Fig. 3, an embodiment of the present application discloses a request detection scheme that comprises 5 flows; the working mechanism of each flow is described below.
Flow 1: an Internet-access terminal on the intranet sends an original request to the security gateway.
Flow 2: after receiving the request packet, the security gateway determines whether the packet can be detected using js code (i.e., a detection script). Because the js code has to be executed on the terminal side, if the request is for a .gif image the terminal will not execute the js code the security gateway replies with, so the js code does not match a .gif image. If the request is for an html resource or a js resource, the terminal executes the js code replied by the security gateway and considers that the request it sent has been answered. The js code therefore matches html resources and js resources, and the purpose of detection is achieved.
If the js code can be used for detection, the security gateway may further check other conditions, such as whether the User-Agent field of the received request is known, whether the request is addressed to the Web site, whether the operating system type is known, and whether the request carries a Referer field, in order to raise the probability that the client responds to the detection packet replied by the security gateway. When these conditions are met, the security gateway replies with HTTP status code 200 and sends the terminal a detection packet carrying the js code.
Flow 3: the js code is executed on the terminal to do the following: obtain information about the terminal's local browser through location.href, then construct and report a request for detection; and register a timer with the setTimeout method so that the terminal issues the original HTTP request again after a specified time.
Constructing the request for detection comprises: obtaining, through the js code, original information such as the User-Agent field of the terminal's local browser and the Referer field of the current page; encrypting the field names and field values; and splicing the encryption result as a parameter into a URL (in this embodiment, the URL of the original HTTP request sent by the terminal) to obtain the request for detection. The js code then accesses this request, which necessarily flows through the security gateway. In this embodiment, the request is identical to the original HTTP request issued by the terminal, except that it additionally carries the encrypted original information.
Flow 4: after the terminal's timer expires, the terminal revisits the original URL, i.e. it resends the original HTTP request, which also flows through the security gateway.
Flow 5: the security gateway receives the request for detection and a new original HTTP request.
The security gateway parses the header of the request for detection and the encrypted original information, decrypts the encrypted original information to obtain the plaintext, and compares the plaintext with the header of the request for detection. If they differ, the HTTP request can be considered to have been tampered with on the transmission path from the terminal to the security gateway. Otherwise, the HTTP request is considered not to have been tampered with on that path, and the newly received original HTTP request can be released to the Web site.
In this embodiment, the security gateway may reply to the HTTP request to be detected, where the HTTP status code of the reply packet is set to 200 and includes js detection code, and the terminal loads the detection code after receiving the reply packet, so as to construct a detection request for reporting. The detection request contains ciphertext of the information of the local browser of the terminal. The security gateway can compare the terminal local browser information included in the detection request with the header field of the detection request, if some fields are changed, the HTTP request received by the security gateway can be considered as being tampered by other devices in the network transmission process, otherwise, the HTTP request is not tampered from the client to the detection device.
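The exchange in flows 3 to 5 above, as an added example that is not part of the patent text: the terminal side encrypts the browser's field names and values into a URL parameter, and the gateway side decrypts it and compares each field with the header it actually received. AES-256-GCM, the shared key, the "_chk" parameter name, the treatment of an undecryptable parameter as a mismatch, and all sample requests and IP addresses are assumptions made for illustration.

```javascript
// Added example, not code from the patent. Node.js, standard library only.
const crypto = require('crypto');

// Assumptions: both sides hold KEY, and the URL parameter is named "_chk".
const KEY = crypto.createHash('sha256').update('constructed-demo-key').digest();
const PARAM = '_chk';

// Terminal side: what the detection script does with the values it read from
// the browser. Field names and values are encrypted together and the
// ciphertext is added to the original URL as a parameter.
function buildDetectionTarget(originalUrl, fields, key = KEY) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(fields), 'utf8'), cipher.final()]);
  const token = Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64url');
  const url = new URL(originalUrl);
  url.searchParams.set(PARAM, token);
  return url.pathname + url.search;
}

// Gateway side: split a raw HTTP/1.1 request into its target and a header map
// keyed by lower-cased header name.
function parseRequest(raw) {
  const lines = raw.split('\r\n\r\n')[0].split('\r\n');
  const target = lines[0].split(' ')[1];
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { target, headers };
}

// Gateway side: recover the reported fields; throws if the token was altered.
function decryptFields(token, key = KEY) {
  const buf = Buffer.from(token, 'base64url');
  if (buf.length < 28) throw new Error('token too short');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, buf.subarray(0, 12));
  decipher.setAuthTag(buf.subarray(12, 28));
  const plain = Buffer.concat([decipher.update(buf.subarray(28)), decipher.final()]);
  return JSON.parse(plain.toString('utf8'));
}

// Gateway side: compare what the browser reported with what arrived on the wire.
function checkDetectionRequest(raw, key = KEY) {
  const { target, headers } = parseRequest(raw);
  const token = new URL(target, 'http://gateway.invalid').searchParams.get(PARAM);
  if (!token) return { verdict: 'no-detection-parameter', mismatches: [] };
  let reported;
  try {
    reported = decryptFields(token, key);
  } catch {
    // Assumption: a parameter that cannot be decrypted counts as tampering.
    return { verdict: 'block', mismatches: ['(parameter failed decryption)'] };
  }
  const mismatches = Object.keys(reported).filter(
    (name) => headers[name.toLowerCase()] !== reported[name]);
  return { verdict: mismatches.length ? 'block' : 'allow', mismatches };
}

// Follow-up action from the page: trusted list on a match, block on a mismatch.
function applyVerdict(ip, result, lists) {
  if (result.verdict === 'allow') lists.trusted.add(ip);
  else if (result.verdict === 'block') lists.blocked.add(ip);
  return lists;
}

// Constructed sample traffic (not captured from a real network).
function rawRequest(target, headers) {
  const lines = [`GET ${target} HTTP/1.1`, 'Host: www.example.com'];
  for (const [name, value] of Object.entries(headers)) lines.push(`${name}: ${value}`);
  return lines.join('\r\n') + '\r\n\r\n';
}

function demo() {
  const browser = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)',
    Referer: 'http://intranet.example/portal',
  };
  const target = buildDetectionTarget('http://www.example.com/index.html', browser);
  const flipped = target.replace(/_chk=(.)/, (m, c) => `_chk=${c === 'A' ? 'B' : 'A'}`);
  const results = {
    // Headers arrive exactly as the browser sent them.
    clean: checkDetectionRequest(rawRequest(target, browser)),
    // A device on the path rewrote User-Agent before the gateway saw it.
    rewritten: checkDetectionRequest(
      rawRequest(target, { ...browser, 'User-Agent': 'Mozilla/5.0 (Linux; Android 10)' })),
    // The URL parameter itself was altered in transit.
    badParam: checkDetectionRequest(rawRequest(flipped, browser)),
    // The re-sent original request carries no detection parameter.
    original: checkDetectionRequest(rawRequest('/index.html', browser)),
  };
  const lists = { trusted: new Set(), blocked: new Set() };
  applyVerdict('10.0.0.11', results.clean, lists);
  applyVerdict('10.0.0.12', results.rewritten, lists);
  return { results, lists };
}

console.log(JSON.stringify(demo().results, null, 2));
```

Because the token is authenticated as well as encrypted, a device that rewrites headers cannot adjust the reported values to match without the key; how the key reaches the detection script is not described on the page and is left out here.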
This embodiment can check the HTTP header fields and thereby detect whether an HTTP request has been tampered with. The scheme uses JavaScript's URL jump mechanism to detect whether the terminal's HTTP data packets are tampered with. A detection device is deployed in the network for this purpose (in this embodiment the security gateway can perform the detection directly). The network connections between the detection device, the Internet-access terminals and other devices are shown in Fig. 4.
It can be seen that the security gateway in this embodiment can detect tampered HTTP requests on the intranet without affecting services, and if a tampered HTTP request is identified, the terminal IP that sent the request is considered to exhibit private device access behavior.
As shown in Fig. 5, the terminal private-access prevention detection function can be enabled on the security gateway, so that this embodiment can detect whether a privately connected tamper device exists on the intranet. An IP address with private access (for example, Internet-access terminal B in Fig. 4) can be blocked, and trusted IP addresses can be added as required. To achieve better detection, security gateways are typically deployed in series in the network, as shown in Fig. 4.
A request detection device provided in the embodiments of the present application is described below; the request detection device described below and the request detection method described above may be cross-referenced.
Referring to Fig. 6, an embodiment of the present application discloses a request detection device, which is applied to a security detection device and includes:
an acquiring module 601, configured to acquire a target request of the intranet terminal for accessing the target end;
a sending module 602, configured to send a response message for the target request to the intranet terminal; the response message contains a detection script, so that the intranet terminal executes the detection script to obtain a target field that represents browser information and is encapsulated in a request header, and sends a detection request to the security detection device with the target field as a URL parameter;
a parsing module 603, configured to parse the URL of the detection request to obtain the target field, and to parse the detection request to obtain the header field contained in it;
a detection module 604, configured to compare the target field with the header field to obtain a comparison result, and to determine according to the comparison result whether to allow the access request of the intranet terminal.
In a specific embodiment, the device further comprises:
a judging module, configured to execute the step of sending a response message for the target request to the intranet terminal if the target request meets a preset detection condition; wherein the preset detection condition is a condition that ensures that the response message can be responded to by the intranet terminal.
In one embodiment, the preset detection conditions include: the resource requested by the target request is a script resource, and/or the User-Agent field in the target request is known, and/or the target request carries a Referer field, and/or the target end is a Web master station.
In a specific embodiment, after encrypting the target field, the intranet terminal uses the ciphertext of the target field as the URL parameter; accordingly, the security detection device parses the URL of the detection request to obtain the ciphertext of the target field, and decrypts the ciphertext to obtain the target field.
In a specific embodiment, the detection script, when executed, further causes the intranet terminal to obtain the original target request and to send the original target request again after sending the detection request; correspondingly, the security detection device compares the target field with the header field to obtain a comparison result, and determines according to the comparison result whether to release the subsequently received target request.
In one embodiment, the detection module is specifically configured to: allow the access request of the intranet terminal if the target field is consistent with the header field; and not allow the access request of the intranet terminal if the target field is inconsistent with the header field.
In a specific embodiment, the device further comprises:
an adding module, configured to add the IP address of the intranet terminal to the trusted list;
correspondingly, the device further comprises:
a blocking module, configured to block the IP address of the intranet terminal.
The more specific working process of each module and unit in this embodiment may refer to the corresponding content disclosed in the foregoing embodiment, and will not be described herein.
Therefore, the present embodiment provides a request detection device, which can detect various access requests sent by an intranet terminal, and strengthen security protection on the intranet. In addition, the virtual device may be deployed in a cloud computing platform, such as a software module deployed in a hypervisor (virtual machine monitor) layer of the cloud computing platform.
The following describes an electronic device provided in an embodiment of the present application, and the electronic device described below and the method and apparatus for detecting a request described above may refer to each other.
Referring to fig. 7, an embodiment of the present application discloses an electronic device, including:
a memory 701 for storing a computer program;
a processor 702 for executing the computer program to implement the method disclosed in any of the embodiments above.
Referring to fig. 8, fig. 8 is a schematic diagram of another electronic device provided in this embodiment, where the electronic device may have a relatively large difference due to different configurations or performances, and may include one or more processors (central processing units, CPU) 322 (e.g., one or more processors) and a memory 332, and one or more storage media 330 (e.g., one or more mass storage devices) storing application programs 342 or data 344. Wherein the memory 332 and the storage medium 330 may be transitory or persistent. The program stored on the storage medium 330 may include one or more modules (not shown), each of which may include a series of instruction operations in the data processing apparatus. Still further, the central processor 322 may be configured to communicate with the storage medium 330 and execute a series of instruction operations in the storage medium 330 on the electronic device 301.
The electronic device 301 may also include one or more power supplies 326, one or more wired or wireless network interfaces 350, one or more input/output interfaces 358, and/or one or more operating systems 341, for example Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, etc.
In fig. 8, the application 342 may be a program that performs a request detection method, and the data 344 may be data required or generated to perform the request detection method.
The steps in the request detection method described above may be implemented by the structure of the electronic device.
The electronic device may be a single hardware device, or may be a hardware device in a cluster, such as a cloud computing platform. The cloud computing platform is a service form for organizing a plurality of independent server physical hardware resources into pooled resources by adopting the technologies of computing virtualization, network virtualization and storage virtualization, is a structure based on software defined resources on the development of the virtualization technology, and can provide resource capabilities in forms of virtual machines, containers and the like. The method and the system have the characteristics of flexibility, elasticity, distribution, multiple tenants, on demand and the like, and are a novel IT (information technology) and software delivery mode by eliminating the fixed relation between hardware and an operating system, relying on the communication uniform resource scheduling of a network and then providing needed virtual resources and services.
The following describes a readable storage medium provided in the embodiments of the present application, and the readable storage medium described below and a method, apparatus and device for detecting a request described above may refer to each other.
A readable storage medium storing a computer program, wherein the computer program when executed by a processor implements the request detection method disclosed in the foregoing embodiments. For specific steps of the method, reference may be made to the corresponding contents disclosed in the foregoing embodiments, and no further description is given here.
Reference to "first," "second," "third," "fourth," etc. (if present) herein is used to distinguish similar objects from each other and does not necessarily describe a particular order or sequence. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments described herein may be implemented in other sequences than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed or inherent to such process, method, or apparatus.
It should be noted that the descriptions "first," "second," etc. herein are for descriptive purposes only and are not to be construed as indicating or implying relative importance or as implicitly indicating the number of technical features referred to. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In addition, the technical solutions of the embodiments may be combined with each other, but only on the basis that the combination can be realized by those skilled in the art; when technical solutions are contradictory or cannot be realized, the combination should be regarded as not existing and as falling outside the protection scope of the present application.
In this specification, each embodiment is described in a progressive manner, and each embodiment is mainly described in a different point from other embodiments, so that the same or similar parts between the embodiments are referred to each other.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software modules may be disposed in Random Access Memory (RAM), memory, read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of readable storage medium known in the art.
The principles and embodiments of the present application are described herein with specific examples, the above examples being provided only to assist in understanding the methods of the present application and their core ideas; meanwhile, as those skilled in the art will have modifications in the specific embodiments and application scope in accordance with the ideas of the present application, the present description should not be construed as limiting the present application in view of the above.

Claims (10)

1. A request detection method, characterized in that it is applied to a security detection device located between an intranet terminal and a target end, and comprises:
acquiring a target request of an intranet terminal for accessing a target terminal;
sending a response message aiming at the target request to the intranet terminal; the response message comprises a detection script which impersonates the response of the target request, so that the intranet terminal executes the detection script to obtain a target field which is used for representing browser information and is packaged in a request header, and the target field is used as a URL parameter to send a detection request to the security detection equipment;
analyzing the URL of the detection request to obtain the target field, and analyzing the detection request to obtain a header field contained in the detection request;
and comparing the target field with the header field to obtain a comparison result, and determining whether to allow the access request of the intranet terminal according to the comparison result.
2. The request detection method according to claim 1, further comprising:
if the target request meets a preset detection condition, executing the step of sending a response message aiming at the target request to the intranet terminal;
wherein the preset detection condition is a condition that ensures that the response message can be responded to by the intranet terminal.
3. The request detection method according to claim 2, wherein the preset detection conditions include: the resource requested by the target request is a script resource, and/or the User-Agent field in the target request is known, and/or the target request carries a Referer field, and/or the target end is a Web master station.
4. The request detection method according to claim 1, wherein after encrypting the target field, the intranet terminal takes ciphertext of the target field as the URL parameter;
correspondingly, the parsing the URL of the detection request to obtain the target field includes:
analyzing the URL of the detection request to obtain the ciphertext of the target field, and decrypting the ciphertext to obtain the target field.
5. The request detection method according to claim 1, wherein the detection script is further configured to, when executed, cause the intranet terminal to obtain the original target request, and after sending the detection request, send the original target request again;
correspondingly, the comparing the target field with the header field to obtain a comparison result, and determining whether to allow the access request of the intranet terminal according to the comparison result includes:
and comparing the target field with the header field to obtain a comparison result, and determining whether to release the target request received later according to the comparison result.
6. The method for detecting a request according to any one of claims 1 to 5, wherein comparing the target field with the header field to obtain a comparison result, and determining whether to allow the access request of the intranet terminal according to the comparison result includes:
if the target field is consistent with the header field, allowing the access request of the intranet terminal;
and if the target field is inconsistent with the header field, not allowing the access request of the intranet terminal.
7. The method for detecting a request according to claim 6, further comprising, after the allowing the access request of the intranet terminal:
adding the IP address of the intranet terminal to a trusted list;
correspondingly, after the access request of the intranet terminal is not allowed, the method further comprises:
and blocking the IP address of the intranet terminal.
8. A request detection device, characterized in that it is applied to a security detection device located between an intranet terminal and a target end, and comprises:
the acquisition module is used for acquiring a target request of the intranet terminal for accessing the target terminal;
the sending module is used for sending a response message aiming at the target request to the intranet terminal; the response message comprises a detection script which impersonates the response of the target request, so that the intranet terminal executes the detection script to obtain a target field which is used for representing browser information and is packaged in a request header, and the target field is used as a URL parameter to send a detection request to the security detection equipment;
the analysis module is used for analyzing the URL of the detection request to obtain the target field and analyzing the detection request to obtain a header field contained in the detection request;
and the detection module is used for comparing the target field with the header field to obtain a comparison result, and determining whether to allow the access request of the intranet terminal according to the comparison result.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the request detection method of any one of claims 1 to 7.
10. A readable storage medium for storing a computer program, wherein the computer program when executed by a processor implements the request detection method according to any one of claims 1 to 7.
CN202210492914.9A 2022-05-07 2022-05-07 Request detection method, device, equipment and readable storage medium Active CN114884730B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210492914.9A CN114884730B (en) 2022-05-07 2022-05-07 Request detection method, device, equipment and readable storage medium

Publications (2)

Publication Number Publication Date
CN114884730A CN114884730A (en) 2022-08-09
CN114884730B true CN114884730B (en) 2023-12-29

Family

ID=82673268

Country Status (1)

Country Link
CN (1) CN114884730B (en)

CN105142130B (en) A kind of information processing method and electronic equipment
CN114745415B (en) Vehicle service communication data processing method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant