CN105635064B - CSRF attack detection method and device - Google Patents
CSRF attack detection method and device Download PDFInfo
- Publication number
- CN105635064B CN105635064B CN201410606807.XA CN201410606807A CN105635064B CN 105635064 B CN105635064 B CN 105635064B CN 201410606807 A CN201410606807 A CN 201410606807A CN 105635064 B CN105635064 B CN 105635064B
- Authority
- CN
- China
- Prior art keywords
- danger
- http request
- target
- http
- attack detection
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
the invention provides a CSRF attack detection method and a device, wherein the method is applied to a CSRF attack detection server and comprises the following steps: acquiring an HTTP request sent by client equipment to a server; extracting a detection field from the HTTP request; determining whether a CSRF attack is detected according to the detection field. By applying the embodiment of the invention, the CSRF vulnerability characteristics do not need to be extracted independently for each CSRF vulnerability, but the CSRF attack detection server acquires the HTTP request sent by the client equipment to the server, directly extracts the detection field from the HTTP request and determines whether the CSRF attack is detected or not according to the detection field, so that the complicated operation that a vulnerability characteristic library can be established only after the CSRF vulnerability occurs and the CSRF attack is detected is avoided, and the universality of CSRF attack detection is improved because the CSRF attack can be detected in real time.
Description
Technical Field
The invention relates to the technical field of network communication, in particular to a CSRF (Cross Site Request Forgery) attack detection method and device.
Background
CSRF, as a network attack, can send a forged access request to the attacked station on behalf of the victim, which may cause leakage of personal information of the victim or compromise the security of the attacked station. Generally, a CSRF attack is implemented by forging a form (form) in an HTTP request, and in the prior art, it is required to detect whether a CSRF vulnerability exists in the form through a preset vulnerability feature library, and when the CSRF vulnerability exists, it is determined that the CSRF attack is detected. However, in order to establish a vulnerability feature library, vulnerability features need to be extracted from a form corresponding to each known CSRF vulnerability in advance, and particularly when the number of CSRF vulnerabilities is large, the operation process of establishing the vulnerability feature library is complicated; moreover, when a newly appeared CSRF vulnerability is faced, because the vulnerability feature library does not store corresponding vulnerability features, it is difficult to detect the CSRF vulnerability in real time, resulting in poor universality of the existing CSRF attack detection mode.
Disclosure of Invention
The invention provides a CSRF attack detection method and a device, which are used for solving the problems of more complicated process and poorer universality of the existing CSRF attack detection.
according to a first aspect of the embodiments of the present invention, there is provided a CSRF attack detection method, which is applied to a CSRF attack detection server, and includes:
acquiring an HTTP request sent by client equipment to a server;
Extracting a detection field from the HTTP request;
determining whether a CSRF attack is detected according to the detection field
According to a first aspect of the embodiments of the present invention, there is provided a CSRF attack detection apparatus, which is applied to a CSRF attack detection server, and includes:
the client device comprises an acquisition unit, a processing unit and a processing unit, wherein the acquisition unit is used for acquiring an HTTP request sent to a server by the client device;
an extracting unit, configured to extract a detection field from the HTTP request;
A first detection unit configured to determine whether a CSRF attack is detected according to the detection field.
By applying the embodiment of the invention, the CSRF vulnerability characteristics do not need to be extracted independently for each CSRF vulnerability, but the CSRF attack detection server acquires the HTTP request sent by the client equipment to the server, directly extracts the detection field from the HTTP request and determines whether the CSRF attack is detected or not according to the detection field, so that the complicated operation that a vulnerability characteristic library can be established only after the CSRF vulnerability occurs and the CSRF attack is detected is avoided, and the universality of CSRF attack detection is improved because the CSRF attack can be detected in real time.
drawings
FIG. 1 is a schematic diagram of an application scenario of a CSRF attack detection embodiment of the present invention;
FIG. 2 is a flow chart of one embodiment of a CSRF attack detection method of the present invention;
FIG. 3A is a flow chart of another embodiment of the CSRF attack detection method of the present invention;
FIG. 3B is a table diagram of an HTTP request in the embodiment shown in FIG. 3A;
FIG. 4 is a flow chart of another embodiment of the CSRF attack detection method of the present invention;
FIG. 5 is a hardware structure diagram of the device where the CSRF attack detection apparatus of the present invention is located;
FIG. 6 is a block diagram of one embodiment of an attack detection apparatus of the present invention;
FIG. 7 is a block diagram of another embodiment of an attack detection apparatus of the present invention;
Fig. 8 is a block diagram of another embodiment of the attack detection apparatus of the present invention.
Detailed Description
In order to make the technical solutions in the embodiments of the present invention better understood and make the above objects, features and advantages of the embodiments of the present invention more comprehensible, the technical solutions in the embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
referring to fig. 1, a schematic diagram of an application scenario for implementing CSRF attack detection by applying an embodiment of the present invention is shown:
In fig. 1, a user may access a server a and a server B through a browser on a mobile phone, where it is assumed that the server a is a server of a trusted website on which the user has registered, and the server B is a server of a malicious website, and in addition, the client device may include a PC (Personal Computer), a tablet Computer, and other devices having a network access function, in addition to the mobile phone as an example of the client device. When a user accesses the server a through the browser, the server a allows the user to log in the server a after verifying that the user name and the password input by the user are correct, and at this time, the user can normally send an HTTP (Hypertext Transfer Protocol) request to the server a. Meanwhile, the server A sends the COOKIE information generated for the user to a browser on the mobile phone of the user, and the subsequent user can access the server A in the browser without repeated login based on the stored COOKIE information.
Assuming that a user does not log in a server A and opens a webpage access server B in the browser, the server B may return an offensive code to the browser to request the user to access the server A because the server B is a server of a malicious website, the browser carries COOKIE information stored in the browser under the condition that the user is unknown according to the request of the server B, sends an access request to the server A based on the received offensive code, and the server A executes the offensive code sent by the browser because the user passes the authentication of the server A, so that the server A is attacked by CSRF.
in the embodiment of the present invention, in order to perform CSRF attack detection, as shown in fig. 1, a CSRF attack detection server may be set in a network, and obtain HTTP traffic transmitted between a client device and a server B, and extract a detection field from the HTTP traffic, thereby implementing real-time detection of CSRF attack and improving detection universality. The following describes the implementation of the present invention in detail with reference to specific embodiments.
referring to fig. 2, a flowchart of an embodiment of the CSRF attack detection method according to the present invention is shown, where the embodiment is described from the side of a CSRF attack detection server, and shows a process of performing CSRF attack detection directly according to a detection field in an HTTP request, and the process includes the following steps:
Step 201: and acquiring an HTTP request sent by the client device to the server.
referring to fig. 1, when a client device wants to access a server, taking login as an example, a login interface is displayed on a browser of the client device, where login boxes in the login interface include a user name input box, a password input box, and the like, and the login boxes may be implemented by a form (form). Based on the forms, the client device may submit HTTP requests to the server in a standard format, where different data may be collected through different form controls when the types of data to be requested by the HTTP requests are different, thereby generating HTTP requests containing different forms.
In this embodiment, after the client device generates the HTTP request, the HTTP request is sent to the server as a request for submitting data to the server, and the HTTP request may specifically be a POST request. In this step, the CSRF server may obtain the HTTP request sent by the client device to the server, so as to detect a CSRF attack that may exist in the HTTP request.
Step 202: the detection field is extracted from the HTTP request.
as described in step 201, the HTTP request contains different forms according to the type of data requested from the server, and in this step, the detection field may be extracted from the form of the obtained HTTP request. The detection field may specifically include a URI (Uniform Resource Identifier) and a referrer (web page link information); the URI is used to locate each resource on the server, and the referrer is located at the header (header) of the HTTP request and indicates a web page link within the server.
step 203: determining whether a CSRF attack is detected according to the detection field.
after the URI and the referrer as the detection fields are extracted, whether the URI is related to the referrer or not can be judged, and normally, for a normal HTTP request, the referrer indicates a web page connection in the server, so that the URI can be completely or partially the same as the URI to be accessed by the HTTP request, namely, the URI is related to the referrer; and the HTTP request for the CSRF attack is linked to a malicious website, so that the referrer is completely different from the URI to which the HTTP request is to access, i.e. the URI is not related to the referrer, so that when the URI is not related to the referrer, it can be determined that the CSRF attack is detected.
The referrer in the embodiment of the invention mainly refers to the referrer from which the protocol and the IP part have been deleted, for example, the original referrer is "http: htm ", the protocol part" http: the referrer after// "and IP section" 192.168.20.172 "is"/test/attak. htm ". During comparison, the sequence of the character string fields forming the URI and the referrer can be respectively extracted to generate a URI array and a referrer array, then whether the character string fields corresponding to the same array number are the same or not is respectively compared according to the sequence of the array numbers from small to large, if at least one character string field is the same, the URI and the referrer can be determined to be related, and if not, the URI and the referrer can be determined to be unrelated.
In one example, assuming that the referrer is "/vlun/axaus/admin/administerrates _ add. REF 0 ═ vlun/, REF 1 ═ axaus/, REF 2 ═ admin/, REF 3 ═ administers _ add.php; assuming that the extracted URI is "/vlun/axaus/admin/administors _ add.php", the correspondingly generated URI array includes URI [0] ═ vlun/, URI [1] ═ axaus/, URI [2] ═ admin/, URI [3] ═ administors _ add.php, where the numbers in [ ] indicate the number group numbers, and it can be known through comparison that the character string fields with the same number group numbers in the refer and the URI are identical, so the refer and the URI are identical, and the URI and refer can be determined to be related according to the comparison result;
in another example, assuming that the referrer is unchanged, the extracted URI is "/vlun/axaus/admin _ list. php", and the corresponding generated URI array includes URI [0] ═/vlun/, URI [1] ═ axaus/, URI [2] ═/admin _ list. php, and as can be known by comparison, the character string fields with array numbers [0] and [1] in the referrer and the URI are the same, so that the referrer and the URI are partially the same, and the URI and the referrer can be determined to be related according to the comparison result;
in another example, assuming that the referrer is "/test/attak.htm", the corresponding generated referrer array includes REF [0] ═ test/, REF [1] ═ attak.htm; assuming that the extracted URI is "/vlun/axaus/admin/administors _ add.php", the correspondingly generated URI array includes URI [0 ]/vlun/, URI [1 ]/axaus/, URI [2 ]/admin/, URI [3 ]/administors _ add.php, since the character string fields with the same number of groups in the refer and URI are different, the refer and the URI are completely different, and the URI can be determined to be irrelevant to the refer according to the comparison result.
by applying the embodiment, the CSRF vulnerability characteristics do not need to be extracted independently for each CSRF vulnerability, but the CSRF attack detection server acquires the HTTP request sent by the client equipment to the server, directly extracts the detection field from the HTTP request and determines whether the CSRF attack is detected or not according to the detection field, so that the complex operation that the vulnerability characteristic library can be established only after the CSRF vulnerability occurs and the CSRF attack is detected is avoided, and the universality of CSRF attack detection is improved because the CSRF attack can be detected in real time.
referring to fig. 3A, a flowchart of another embodiment of the CSRF attack detection method according to the present invention is shown, where the embodiment is described from the CSRF attack detection server side, and shows a process of performing CSRF attack detection on a received HTTP request through a pre-created risk form access list, and the process includes the following steps:
Step 301: the danger form is detected from HTTP traffic transmitted between the client device and the server.
with reference to fig. 1, different client devices and servers may all implement network access by transmitting HTTP traffic. In this embodiment, before detecting the CSRF attack, the CSRF attack detection server may create a risk form access list based on detecting HTTP requests in HTTP traffic transmitted in the network, and detect the CSRF attack based on the risk form access list.
in this step, a danger form is detected from HTTP traffic, and during the detection, an HTTP request sent by a client device to a server may be acquired, and it is determined whether a form of the HTTP request includes a danger hiding feature field, and when the form includes the danger hiding feature field, it may be determined that the danger form is detected from the HTTP request. When judging whether the danger hiding characteristic field is contained, the following method can be adopted: at least one input tag with a hidden type value contained in the form of the HTTP request is obtained, and when a value contained in the obtained input tag is not empty, it may be determined that the input tag is a danger hiding feature field, that is, a danger form is detected from the corresponding HTTP request.
For example, assuming that the HTTP request obtained by the CSRF attack detection server is a POST request, if the form of the POST request contains the following contents, it may be determined that a dangerous form is detected:
<form method="POST"name="form0"action="http://ip:80/admin/
administrators_add.php">;
<input type="hidden"name="user_name"value="newadmin"/>
the content of the form contains an input tag, the type value of the input tag is "hidden", the value of the input tag is non-empty "newadmin", and therefore the form can be determined to be a dangerous form.
in this step, the risk form may be detected specifically by using an existing pcre (Perl Compatible Regular Expressions, Perl language Compatible Regular Expressions), and certainly, other methods may also be used for detecting, which is not limited to this embodiment of the present invention and is not described in detail.
Step 302: and generating danger table items for the danger table in the danger table access list.
after the danger form is detected, a danger table entry can be created for the danger form in a danger form access list, and at least one danger characteristic field extracted from the danger form is written into the danger table entry; furthermore, the current time can be written in the dangerous table entry, the aging time D is set for the dangerous table entry at the same time, and when the aging time D is up, the dangerous table entry is deleted so as to perform regular maintenance on the dangerous table entry.
wherein, at least one danger characteristic field extracted from the danger form comprises a source IP address of the HTTP request carried in the form; further, the danger characteristic field may further include at least one of the following fields:
danger characteristic field 1: a destination page contained in the action tag of the danger form, wherein the destination page is a file name part in the content of the action tag, namely contains the last "/", and the content after the last "/"; for example, if the action tag is "action" — "http:// 15.15.15/vlun/axaus/admin/administration _ add. php", the destination page is "/administration _ add. php";
danger characteristic field 2: according to the URI array generated by at least one character string field extracted from the action tag, the character string field used for generating the URI array does not comprise a protocol part and an IP address part in the action tag, and each character string is extracted by taking "/" as a separator and contains the "/"; for example, if the action tag is still "action" — "http:// 15.15.15/vlun/axaus/admin/administration _ add. php", then the URI array corresponds to: URI [0] ═ vlun/, URI [1] ═ axaus/, URI [2] ═ admin/, URI [3] -/administers _ add.php;
danger characteristic field 3: the type value is a name value and a corresponding value contained in the hidden input tag; it should be noted that, in one danger form, multiple sets of corresponding name values and value values may be included, in order to improve the detection efficiency of the danger form and save the danger entry storage resource in this embodiment, only one set of corresponding name values and value values may be stored, for example, the detected first set of corresponding name values and value values may also be detected and stored according to different requirements, and this embodiment is not limited.
Based on the above example, as shown in table 1 below, an example of a danger entry created in the danger form access list for the detected danger form:
TABLE 1
step 303: and acquiring an HTTP request sent by the client device to the server.
this step is consistent with the description of step 201, and is not described herein again.
step 304: the detection field is extracted from the HTTP request.
In this embodiment, the CSRF attack detection server may extract a detection field from a form of the HTTP request, where the detection field includes a source IP address of the HTTP request, and further may include at least one of the following detection fields:
a detection field 1 is a target page contained in an action tag in a form of the HTTP request;
detection field 2: the name value and the corresponding value in the form of the HTTP request;
Detection field 3: the URI and the referrer in the form of the HTTP request.
as shown in fig. 3B, a schematic diagram of a form of an HTTP request acquired by the CSRF attack detection server in this embodiment is shown: wherein, the source IP address is "15.15.15", the destination page is "/administers _ add. php", the first set of corresponding name and value values are "user _ name" and "newadmin", the URI is "/vlun/axus/admin/administers _ add. php", the referrer is "http: htm "// 192.168.20.172/test/attak.
step 305: and finding the target dangerous table item corresponding to the detection field in the dangerous table access list.
With the source IP address extracted in step 304 as a key, the danger table entry corresponding to the source IP address is searched from the danger table access list described in step 302 as a target danger table entry, and with reference to the example of fig. 3B, if the source IP address is 15.15.15, the target danger table entry corresponding to the searched target danger table entry may be as shown in table 1.
step 306: and judging whether the HTTP request meets a preset attack detection condition or not according to the danger characteristic field in the target danger table item.
In this embodiment, different detection fields correspond to different attack detection conditions, and when determining whether the HTTP request satisfies the attack detection conditions, if the detection efficiency is improved, only one of the following attack detection conditions may be determined, and if the detection accuracy is improved, all of the following attack detection conditions may be determined, or a combination of any of the following attack detection conditions may be determined as needed, which is not limited in the embodiment of the present invention:
first attack detection condition: when the detection field includes the source IP address, determining whether the source IP address is found in the danger list access list, and if so, determining that the attack detection condition is satisfied, that is, determining that the attack detection condition is satisfied when the target danger list item is found in step 305;
second attack detection condition: when the detection field comprises a target page, judging whether the target page is the same as the target page in the target dangerous table item, and if so, determining that the attack detection condition is met;
third attack detection condition: when the detection field comprises a name value and a corresponding value, judging whether the name value and the corresponding value are the same as the name value and the value stored in the target dangerous table item, and if so, determining that the attack detection condition is met;
fourth attack detection condition: when the detection field includes the URI and the referrer, it is determined whether the URI is related to the referrer, and if not, it is determined that the attack detection condition is satisfied, and the specific determination process may refer to the related description in step 203, which is not described herein again.
Step 307: when the attack detection condition is satisfied, it is determined that a CSRF attack is detected.
with reference to fig. 3B, assuming that, when determining whether the HTTP request satisfies the preset attack detection condition in step 306, it needs to determine all attack detection conditions listed in step 306, according to the detection result, a source IP address "15.15.15" of the HTTP request is the same as a source IP address in table 1, a destination page "/administers _ add.php" of the HTTP request is the same as a destination page in table 1, a set of corresponding name values "user _ name" and value "newadmin" included in the HTTP request are the same as the name values and value values in table 1, and URIs "/vlun/axaus/administers _ add.php" and refer "HTTP: htm ", so the CSRF attack detection server can determine that a CSRF attack was detected.
By applying the embodiment, the CSRF vulnerability characteristics do not need to be extracted independently for each CSRF vulnerability, but the CSRF attack detection server detects HTTP traffic and automatically creates the danger form access list based on the detected danger form, so that when an HTTP request sent to the server by client equipment is obtained, the detection field can be directly extracted from the HTTP request, and the danger form access list is searched according to the detection field, so that the CSRF attack can be detected in real time.
referring to fig. 4, a flowchart of another embodiment of the CSRF attack detection method according to the present invention is shown, where the embodiment is described from the side of a CSRF attack detection server, and shows a process of performing CSRF attack detection by backtracking cached HTTP traffic when receiving an HTTP request, and the process includes the following steps:
Step 401: and caching HTTP traffic transmitted between the client device and the server.
The difference from the embodiment shown in fig. 3A is that in this embodiment, the danger form access list does not need to be created in advance, but rather, HTTP traffic transmitted between the client device and the server can be obtained by the CSRF attack detection server in real time and cached in the storage space. When caching the HTTP traffic, the HTTP traffic can be conveniently searched for later backtracking according to time, and the caching time of the HTTP traffic can be recorded at the same time.
Step 402: and acquiring an HTTP request sent by the client device to the server.
this step is consistent with the description of step 201, and is not described herein again.
step 403: the detection field is extracted from the HTTP request.
this step is consistent with the description of step 304, and is not repeated herein.
step 404: and when the URI in the HTTP request is not related to the referrer, acquiring the target HTTP traffic in a preset time period from the cached HTTP traffic.
When the detection field extracted in step 403 includes the URI and the referrer in the form of the HTTP request, it may be determined whether the URI and the referrer are related, and if not, the target HTTP traffic within the preset time period is obtained from the cached HTTP traffic. The preset time period can be flexibly set as required, and when the target HTTP traffic is obtained, the HTTP traffic can be obtained according to the caching time recorded during HTTP traffic caching by taking the current time for obtaining the HTTP request as a starting point; for example, if the current time is T1 and the preset time period is T, the obtained target HTTP traffic is the HTTP traffic cached between time T-T1 and time T.
It should be noted that, in this step, it may also be possible to directly obtain the target HTTP traffic in the preset time period from the cached HTTP traffic without determining whether the URI is related to the referrer, which is not limited in this embodiment of the present invention.
step 405: and judging whether the HTTP request meets a preset attack detection condition or not according to the detection field and a target characteristic field in the target HTTP traffic.
in this step, the target feature field in the target HTTP traffic may include at least one of the following feature fields extracted from the form of the target HTTP traffic: a source IP address, a destination page, a URI, a referrer, at least one set of corresponding name and value values.
when determining whether the HTTP request meets the preset attack detection condition based on the target feature field, reference may be made to the description in step 306, which is not described herein again.
Step 406: when the attack detection condition is satisfied, it is determined that a CSRF attack is detected.
by applying the embodiment, the CSRF vulnerability characteristics do not need to be extracted independently for each CSRF vulnerability, the HTTP flow is cached by the CSRF attack detection server, when the HTTP request sent to the server by the client equipment is obtained, the detection field is directly extracted from the HTTP request, and the cached HTTP flow is traced back according to the detection field, so that the CSRF attack is detected in real time.
corresponding to the foregoing CSRF attack detection method embodiment, the present invention also provides an embodiment of a CSRF attack detection apparatus.
The embodiment of the CSRF attack detection device can be applied to a CSRF attack detection server. The embodiment of the apparatus may be implemented by software, or by hardware, or by a combination of hardware and software. The software implementation is taken as an example, and is formed by reading corresponding computer program instructions in the nonvolatile memory into the memory for operation through the processor of the device where the software implementation is located as a logical means. From a hardware level, as shown in fig. 5, a hardware structure diagram of a server where the CSRF attack detection apparatus of the present invention is located is shown, and in addition to the processor, the network interface, the memory, and the non-volatile storage shown in fig. 5, the server where the apparatus is located in the embodiment may also generally include other hardware, such as a forwarding chip responsible for processing a packet, and the like, which is not shown in detail in fig. 5.
referring to fig. 6, a block diagram of an embodiment of the CSRF attack detection apparatus according to the present invention is applied to a CSRF attack detection server, and includes: an acquisition unit 610, an extraction unit 620, and a first detection unit 630.
The acquiring unit 610 is configured to acquire an HTTP request sent by a client device to a server;
an extracting unit 620, configured to extract a detection field from the HTTP request;
a first detecting unit 630, configured to determine whether a CSRF attack is detected according to the detection field.
In an alternative implementation:
The detection field extracted from the HTTP request by the extracting unit 620 includes a URI and a referrer;
The first detection unit 630 may include (not shown in fig. 6):
a correlation detection subunit, configured to determine whether the URI is correlated with a referrer;
A third CSRF attack detection determining subunit for determining that a CSRF attack is detected when the URI is not associated with a referrer.
Referring to fig. 7, a block diagram of another embodiment of the CSRF attack detection apparatus according to the present invention, which is applied to a CSRF attack detection server, and the embodiment may further include, on the basis of the embodiment shown in fig. 6: a second detection unit 640 and a generation unit 650.
the second detecting unit 640 is configured to detect a dangerous form from HTTP traffic transmitted between the client device and the server, where the dangerous form includes a dangerous input tag;
a generating unit 650, configured to generate a danger table entry for the danger form in a danger form access list, where the danger table entry includes at least one danger feature field extracted from the danger form;
the first detection unit 630 includes (not shown in fig. 7):
A target dangerous table item searching subunit, configured to search a target dangerous table item corresponding to the detection field in the dangerous form access list;
The first attack detection condition judgment subunit is used for judging whether the HTTP request meets a preset attack detection condition according to the danger characteristic field in the target danger table item;
a first CSRF attack detection determining subunit for determining that a CSRF attack is detected when the attack detection condition is satisfied.
In an alternative implementation:
the second detection unit 640 may include (not shown in fig. 7):
an input tag obtaining subunit, configured to obtain an input tag in which at least one type value in HTTP traffic transmitted between the client device and the server is hidden;
the dangerous form detection determining subunit is configured to determine that a dangerous form is detected when the hidden input tag includes a dangerous input tag with a value that is not null;
The generating unit 650 may include (not shown in fig. 7):
a danger characteristic field extracting subunit, configured to extract at least one danger characteristic field in the danger form, where the at least one danger characteristic field includes a source IP address of the danger form;
and the danger characteristic field writing subunit is used for writing at least one danger characteristic field containing the source IP address into the danger table entry.
Wherein, the dangerous characteristic field may include at least one of the following fields in addition to the source IP address:
A destination page contained in the action tag of the dangerous form;
generating a Universal Resource Identifier (URI) array according to at least one character string field extracted from the action tag;
the at least one type value is a name value and a corresponding value contained in the hidden input tag.
In another alternative implementation:
The target dangerous table item searching subunit may be specifically configured to search, with a source IP address of the HTTP request as a detection field, a dangerous table item corresponding to the source IP address from the dangerous form access list as the target dangerous table item;
the first attack detection condition judgment subunit may be specifically configured to detect at least one of:
when the detection field comprises a target page in the HTTP request, judging whether the target page in the HTTP request is the same as the target page in the target dangerous table item, and if so, determining that a preset attack detection condition is met;
When the detection field comprises a name value and a corresponding value in the HTTP request, judging whether the name value and the corresponding value in the HTTP request are the same as the name value and the value stored in the target dangerous table entry, and if so, determining that a preset attack detection condition is met;
and when the detection field comprises the URI and the webpage link information referrer in the HTTP request, judging whether the URI is related to the referrer, and if not, determining that a preset attack detection condition is met.
Referring to fig. 8, a block diagram of another embodiment of the CSRF attack detection apparatus according to the present invention, which is applied to a CSRF attack detection server, where the embodiment may further include, on the basis of the embodiment shown in fig. 6: a buffer unit 660.
the caching unit 660 is configured to cache the HTTP traffic transmitted between the client device and the server.
the first detection unit may include (not shown in fig. 8):
The target HTTP traffic caching subunit is used for acquiring target HTTP traffic within a preset time period from the cached HTTP traffic when the URI and the referrer in the HTTP request are irrelevant;
The second attack detection condition judgment subunit is used for judging whether the HTTP request meets a preset attack detection condition according to the detection field and a target feature field in the target HTTP traffic;
A second CSRF attack detection determining subunit for determining that a CSRF attack is detected when the attack detection condition is satisfied.
in an alternative implementation:
the second CSRF attack detection determination subunit may be specifically configured to detect at least one of:
When the detection field comprises a source IP address of the HTTP request, judging whether the source IP address in the HTTP request is the same as the source IP address of the target HTTP flow, and if so, determining that a preset attack detection condition is met;
when the detection field comprises a target page in the HTTP request, judging whether the target page in the HTTP request is the same as the target page in the target HTTP flow, and if so, determining that a preset attack detection condition is met;
when the detection field comprises a name value and a corresponding value in the HTTP request and the value is not empty, judging whether the name value and the corresponding value are the same as the name value and the corresponding value in the target HTTP flow, and if so, determining that a preset attack detection condition is met.
the implementation process of the functions and actions of each unit in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the invention. One of ordinary skill in the art can understand and implement it without inventive effort.
It can be seen from the above embodiments that, instead of extracting the CSRF vulnerability characteristics individually for each CSRF vulnerability, the CSRF attack detection server obtains the HTTP request sent by the client device to the server, directly extracts the detection field from the HTTP request, and determines whether the CSRF attack is detected according to the detection field, thereby avoiding the cumbersome operation of establishing the vulnerability characteristic library and performing the CSRF detection only after the CSRF vulnerability occurs, and improving the universality of the CSRF attack detection because the CSRF attack can be detected in real time.
other embodiments of the invention will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the invention and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the invention being indicated by the following claims.
It will be understood that the invention is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the invention is limited only by the appended claims.
Claims (14)
1. a cross-site request forgery CSRF attack detection method is applied to a CSRF attack detection server, and the method comprises the following steps:
acquiring a hypertext transfer protocol (HTTP) request sent to a server by client equipment;
extracting a detection field from the HTTP request;
searching a target dangerous table item corresponding to the detection field in a dangerous table access list; the dangerous table entries in the dangerous form access list comprise: at least one danger characteristic field extracted from the danger form; the danger form is detected from HTTP traffic transmitted between the client device and the server;
Judging whether the HTTP request meets a preset attack detection condition or not according to a danger characteristic field in the target danger table item; determining that a CSRF attack is detected when the attack detection condition is satisfied.
2. The method of claim 1, wherein prior to obtaining the HTTP request sent by the client device to the server, the method further comprises:
detecting a danger form from HTTP traffic transmitted between the client device and the server, wherein the danger form comprises a danger input label;
and generating a danger table item for the danger table in a danger table access list, wherein the danger table item comprises at least one danger characteristic field extracted from the danger table.
3. the method of claim 2,
the detecting the danger form from the HTTP traffic transmitted between the client device and the server comprises:
Acquiring at least one type value in HTTP traffic transmitted between the client device and the server as a hidden input tag;
When the type value is a hidden dangerous input label with a non-empty attribute value, determining that a dangerous form is detected;
generating a danger table entry for the danger table in the danger table access list, wherein the method comprises the following steps:
extracting at least one danger characteristic field in the danger form, wherein the at least one danger characteristic field comprises a source Internet Protocol (IP) address of the danger form;
writing at least one danger characteristic field containing the source IP address into the danger entry.
4. the method of claim 3, wherein the danger signature field includes at least one of the following fields in addition to the source IP address:
a destination page contained in the action tag of the dangerous form;
Generating a Universal Resource Identifier (URI) array according to at least one character string field extracted from the action tag;
the at least one type value is a name value and a corresponding value contained in the hidden input tag.
5. The method according to any one of claims 1 to 4,
The finding of the target dangerous item corresponding to the detection field in the dangerous form access list includes:
taking a source IP address of the HTTP request as a detection field, and searching a danger table item corresponding to the source IP address from the danger table access list as a target danger table item;
the step of judging whether the HTTP request meets a preset attack detection condition according to the danger characteristic field in the target danger table entry comprises at least one of the following steps:
when the detection field comprises a target page in the HTTP request, judging whether the target page in the HTTP request is the same as the target page in the target dangerous table item, and if so, determining that a preset attack detection condition is met;
When the detection field comprises a name value and a corresponding value in the HTTP request, judging whether the name value and the corresponding value in the HTTP request are the same as the name value and the value stored in the target dangerous table entry, and if so, determining that a preset attack detection condition is met;
And when the detection field comprises the URI and the webpage link information referrer in the HTTP request, judging whether the URI is related to the referrer, and if not, determining that a preset attack detection condition is met.
6. A cross-site request forgery CSRF attack detection method is applied to a CSRF attack detection server, and the method comprises the following steps:
Acquiring a hypertext transfer protocol (HTTP) request sent to a server by client equipment;
extracting a detection field from the HTTP request;
When the URI and the referrer in the HTTP request are irrelevant, acquiring target HTTP traffic within a preset time period from cached HTTP traffic transmitted between the client equipment and the server;
Judging whether the HTTP request meets a preset attack detection condition or not according to the detection field and a target characteristic field in the target HTTP traffic;
Determining that a CSRF attack is detected when the attack detection condition is satisfied.
7. the method according to claim 6, wherein the determining whether the HTTP request meets a preset attack detection condition according to the detection field and a target feature field in the target HTTP traffic includes at least one of:
when the detection field comprises a source IP address of the HTTP request, judging whether the source IP address in the HTTP request is the same as the source IP address of the target HTTP flow, and if so, determining that a preset attack detection condition is met;
when the detection field comprises a target page in the HTTP request, judging whether the target page in the HTTP request is the same as the target page in the target HTTP flow, and if so, determining that a preset attack detection condition is met;
when the detection field comprises a name value and a corresponding value in the HTTP request and the value is not empty, judging whether the name value and the corresponding value are the same as the name value and the corresponding value in the target HTTP flow, and if so, determining that a preset attack detection condition is met.
8. a CSRF attack detection apparatus, applied to a CSRF attack detection server, the apparatus comprising:
the client device comprises an acquisition unit, a processing unit and a processing unit, wherein the acquisition unit is used for acquiring an HTTP request sent to a server by the client device;
an extracting unit, configured to extract a detection field from the HTTP request;
A first detection unit comprising:
The target dangerous table item searching subunit is used for searching a target dangerous table item corresponding to the detection field in a dangerous form access list; the dangerous table entries in the dangerous form access list comprise: at least one danger characteristic field extracted from the danger form; the danger form is detected from HTTP traffic transmitted between the client device and the server;
the first attack detection condition judgment subunit is used for judging whether the HTTP request meets a preset attack detection condition according to the danger characteristic field in the target danger table item;
a first CSRF attack detection determining subunit for determining that a CSRF attack is detected when the attack detection condition is satisfied.
9. the apparatus of claim 8, further comprising:
the second detection unit is used for detecting a danger form from HTTP (hyper text transport protocol) traffic transmitted between the client equipment and the server, wherein the danger form comprises a danger input label;
and the generating unit is used for generating a danger table entry for the danger table in a danger table access list, wherein the danger table entry comprises at least one danger characteristic field extracted from the danger table.
10. the apparatus of claim 9, wherein the second detection unit comprises:
an input tag obtaining subunit, configured to obtain an input tag in which at least one type value in HTTP traffic transmitted between the client device and the server is hidden;
the dangerous form detection determining subunit is configured to determine that a dangerous form is detected when the hidden input tag includes a dangerous input tag with a value that is not null;
The generation unit includes:
a danger characteristic field extracting subunit, configured to extract at least one danger characteristic field in the danger form, where the at least one danger characteristic field includes a source IP address of the danger form;
And the danger characteristic field writing subunit is used for writing at least one danger characteristic field containing the source IP address into the danger table entry.
11. The apparatus of claim 10, wherein the danger signature field comprises at least one of the following fields in addition to the source IP address:
A destination page contained in the action tag of the dangerous form;
generating a Universal Resource Identifier (URI) array according to at least one character string field extracted from the action tag;
The at least one type value is a name value and a corresponding value contained in the hidden input tag.
12. The apparatus according to any one of claims 8 to 11,
The target dangerous table item searching subunit is specifically configured to search a dangerous table item corresponding to the source IP address from the dangerous form access list as the target dangerous table item, with the source IP address of the HTTP request as a detection field;
The first attack detection condition judgment subunit is specifically configured to detect at least one of:
When the detection field comprises a target page in the HTTP request, judging whether the target page in the HTTP request is the same as the target page in the target dangerous table item, and if so, determining that a preset attack detection condition is met;
When the detection field comprises a name value and a corresponding value in the HTTP request, judging whether the name value and the corresponding value in the HTTP request are the same as the name value and the value stored in the target dangerous table entry, and if so, determining that a preset attack detection condition is met;
and when the detection field comprises the URI and the webpage link information referrer in the HTTP request, judging whether the URI is related to the referrer, and if not, determining that a preset attack detection condition is met.
13. A CSRF attack detection apparatus, applied to a CSRF attack detection server, the apparatus comprising:
the cache unit is used for caching HTTP traffic transmitted between the client equipment and the server;
the client device comprises an acquisition unit, a processing unit and a processing unit, wherein the acquisition unit is used for acquiring an HTTP request sent to a server by the client device;
An extracting unit, configured to extract a detection field from the HTTP request;
the first detection unit includes:
The target HTTP traffic caching subunit is used for acquiring target HTTP traffic within a preset time period from the HTTP traffic cached by the caching unit when the URI and the referrer in the HTTP request are irrelevant;
the second attack detection condition judgment subunit is used for judging whether the HTTP request meets a preset attack detection condition according to the detection field and a target feature field in the target HTTP traffic;
A second CSRF attack detection determining subunit for determining that a CSRF attack is detected when the attack detection condition is satisfied.
14. The apparatus of claim 13, wherein the second CSRF attack detection determines the subunit to be specifically configured to detect at least one of:
when the detection field comprises a source IP address of the HTTP request, judging whether the source IP address in the HTTP request is the same as the source IP address of the target HTTP flow, and if so, determining that a preset attack detection condition is met;
when the detection field comprises a target page in the HTTP request, judging whether the target page in the HTTP request is the same as the target page in the target HTTP flow, and if so, determining that a preset attack detection condition is met;
when the detection field comprises a name value and a corresponding value in the HTTP request and the value is not empty, judging whether the name value and the corresponding value are the same as the name value and the corresponding value in the target HTTP flow, and if so, determining that a preset attack detection condition is met.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410606807.XA CN105635064B (en) | 2014-10-31 | 2014-10-31 | CSRF attack detection method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410606807.XA CN105635064B (en) | 2014-10-31 | 2014-10-31 | CSRF attack detection method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105635064A CN105635064A (en) | 2016-06-01 |
CN105635064B true CN105635064B (en) | 2019-12-06 |
Family
ID=56049569
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410606807.XA Active CN105635064B (en) | 2014-10-31 | 2014-10-31 | CSRF attack detection method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105635064B (en) |
Families Citing this family (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111541672A (en) * | 2016-12-23 | 2020-08-14 | 新东网科技有限公司 | Method and system for detecting security of HTTP (hyper text transport protocol) request |
CN107294994B (en) * | 2017-07-06 | 2020-06-05 | 网宿科技股份有限公司 | CSRF protection method and system based on cloud platform |
CN107682346B (en) * | 2017-10-19 | 2021-06-25 | 南京大学 | System and method for rapidly positioning and identifying CSRF attack |
CN108055275A (en) * | 2017-12-25 | 2018-05-18 | 中山市得高行知识产权中心(有限合伙) | Safety control system of Internet application equipment |
CN108197467A (en) * | 2018-01-11 | 2018-06-22 | 郑州云海信息技术有限公司 | A kind of automated detection method and system of CSRF loopholes |
CN113711559B (en) * | 2019-04-16 | 2023-09-29 | 北京嘀嘀无限科技发展有限公司 | System and method for detecting anomalies |
CN114726564B (en) * | 2021-01-04 | 2023-05-23 | 腾讯科技(深圳)有限公司 | Security detection method, security detection device, electronic device, and medium |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101883024A (en) * | 2010-06-23 | 2010-11-10 | 南京大学 | Dynamic detection method for cross-site forged request |
CN103679018A (en) * | 2012-09-06 | 2014-03-26 | 百度在线网络技术(北京)有限公司 | Method and device for detecting CSRF loophole |
CN104038474A (en) * | 2014-05-09 | 2014-09-10 | 深信服网络科技(深圳)有限公司 | Internet access detection method and device |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080222736A1 (en) * | 2007-03-07 | 2008-09-11 | Trusteer Ltd. | Scrambling HTML to prevent CSRF attacks and transactional crimeware attacks |
US8181246B2 (en) * | 2007-06-20 | 2012-05-15 | Imperva, Inc. | System and method for preventing web frauds committed using client-scripting attacks |
US8438649B2 (en) * | 2010-04-16 | 2013-05-07 | Success Factors, Inc. | Streaming insertion of tokens into content to protect against CSRF |
-
2014
- 2014-10-31 CN CN201410606807.XA patent/CN105635064B/en active Active
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101883024A (en) * | 2010-06-23 | 2010-11-10 | 南京大学 | Dynamic detection method for cross-site forged request |
CN103679018A (en) * | 2012-09-06 | 2014-03-26 | 百度在线网络技术(北京)有限公司 | Method and device for detecting CSRF loophole |
CN104038474A (en) * | 2014-05-09 | 2014-09-10 | 深信服网络科技(深圳)有限公司 | Internet access detection method and device |
Also Published As
Publication number | Publication date |
---|---|
CN105635064A (en) | 2016-06-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN105635064B (en) | CSRF attack detection method and device | |
US9954886B2 (en) | Method and apparatus for detecting website security | |
CN104125209B (en) | Malice website prompt method and router | |
US9147067B2 (en) | Security method and apparatus | |
US20150271202A1 (en) | Method, device, and system for detecting link layer hijacking, user equipment, and analyzing server | |
US20200106790A1 (en) | Intelligent system for mitigating cybersecurity risk by analyzing domain name system traffic | |
CN110430188B (en) | Rapid URL filtering method and device | |
IL256893B (en) | Document capture using client-based delta encoding with server | |
CN107347076B (en) | SSRF vulnerability detection method and device | |
CN105760379B (en) | Method and device for detecting webshell page based on intra-domain page association relation | |
CN102571846A (en) | Method and device for forwarding hyper text transport protocol (HTTP) request | |
CN107612926B (en) | One-sentence speech WebShell interception method based on client recognition | |
CN106713318B (en) | WEB site safety protection method and system | |
CN105187430A (en) | Reverse proxy server, reverse proxy system and reverse proxy method | |
US20190268373A1 (en) | System, method, apparatus, and computer program product to detect page impersonation in phishing attacks | |
CN109660552A (en) | A kind of Web defence method combining address jump and WAF technology | |
US8910281B1 (en) | Identifying malware sources using phishing kit templates | |
US20120180125A1 (en) | Method and system for preventing domain name system cache poisoning attacks | |
CN108322420B (en) | Method and device for detecting backdoor file | |
CN107786529B (en) | Website detection method, device and system | |
CN108282443B (en) | Crawler behavior identification method and device | |
CN110602134B (en) | Method, device and system for identifying illegal terminal access based on session label | |
CN104660556A (en) | Cross site request forgery vulnerability detection method and device | |
CN109495471A (en) | A kind of pair of WEB attack result determination method, device, equipment and readable storage medium storing program for executing | |
CN106453598B (en) | A kind of scan agent method based on http protocol |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
CB02 | Change of applicant information |
Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No. Applicant after: Xinhua three Technology Co., Ltd. Address before: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No. Applicant before: Huasan Communication Technology Co., Ltd. |
|
CB02 | Change of applicant information | ||
GR01 | Patent grant | ||
GR01 | Patent grant |