
Method and apparatus for detecting loophole of WebSocket cross-site request forgery

A cross-site request forgery vulnerability detection technique, applied in the field of communication, addressing problems such as the bandwidth consumed by long HTTP request header fields in polling and the lack of verification of WebSocket handshake requests.

Inactive Publication Date: 2017-01-04
CHINA UNIONPAY

AI Technical Summary

Problems solved by technology

This traditional HTTP request mode has an obvious disadvantage: the browser must keep sending requests to the server under test, but the header fields of each HTTP request are long while the useful data carried by the request may be only a small value, so a large amount of bandwidth is consumed.
[0004] Specifically, the browser and the server under test first establish a connection using the HTTP protocol. After that HTTP connection has succeeded, the browser sends a WebSocket handshake request to the server under test. How does the server under test authenticate the user during this handshake phase? In the prior art it does not: the WebSocket handshake request is not verified. An attacker can therefore forge a WebSocket handshake request and establish a WebSocket connection with the server under test.
[0005] Cross-site request forgery (CSRF) is a network attack in which a forged request is sent to the targeted server in the name of the victim. It can cause the victim's personal information to leak, and thereby compromises the security of the server under test.



Embodiment Construction

[0079] In order to make the object, technical solution and beneficial effects of the present invention more clear, the present invention will be further described in detail below in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are only used to explain the present invention, not to limit the present invention.

[0080] It should be understood that the technical solutions of the embodiments of the present invention can be applied to various communication systems, for example: the Global System for Mobile Communications (GSM), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), General Packet Radio Service (GPRS), Long Term Evolution (LTE), LTE Frequency Division Duplex (FDD), LTE Time Division Duplex (TDD) and Universal Mobile Telecommuni...


Abstract

The embodiments of the invention relate to the field of telecommunication, and in particular to a method and apparatus for detecting a WebSocket cross-site request forgery vulnerability, aiming to detect whether a server under test has such a vulnerability. According to the embodiments, the method comprises the following steps: when a handshake connection request is determined to be based on the WebSocket protocol, generating from it at least one forged request based on the WebSocket protocol; transmitting the forged request(s) to the server under test; and determining whether the server under test can be deceived by a forged WebSocket request, so as to verify whether the server under test has the WebSocket cross-site request forgery vulnerability and what the risk level of that vulnerability is.
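The three steps of the abstract (recognise the WebSocket handshake, derive forged handshakes from it, see whether the server under test is deceived), worked through as an added example. This is not code from the patent or from China UnionPay. It assumes that the server's only defence is a check of the Origin header (the page does not say which check the server performs), that the attacker's page cannot set Origin but the victim's browser still attaches the session cookie, and it replaces the network round trip with three toy server policies. The sample handshake, the host names, the policies and the risk grading are all constructed for illustration.

```python
"""WebSocket CSRF (cross-site WebSocket hijacking) probe, modelled on the
method in the abstract. Added example, not the patent's code; the sample
handshake, server policies and risk grading are constructed assumptions."""
import base64
import hashlib
import os

# Constructed sample: a legitimate handshake as the browser under test sends it.
OBSERVED_HANDSHAKE = (
    "GET /chat HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Sec-WebSocket-Version: 13\r\n"
    "Origin: https://app.example.test\r\n"
    "Cookie: session=victim-session-token\r\n\r\n"
)
EXPECTED_ORIGIN = "https://app.example.test"
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed by RFC 6455

# Assumed grading: how easily an attacker page can make the victim's browser
# send each variant (the browser attaches the victim's cookies either way).
SEVERITY = {"foreign-origin": "high",      # any cross-site page
            "lookalike-origin": "medium",  # needs an attacker host name containing the target
            "null-origin": "medium",       # e.g. a sandboxed iframe sends Origin: null
            "missing-origin": "low"}       # browsers always send Origin; only other clients omit it
RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}
FORGED_ORIGINS = (("foreign-origin", "https://attacker.example"),
                  ("lookalike-origin", "https://app.example.test.attacker.example"),
                  ("null-origin", "null"), ("missing-origin", None))


def parse_handshake(raw):
    """Split a raw HTTP/1.1 request into method, target and lower-cased headers."""
    lines = raw.partition("\r\n\r\n")[0].split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def is_websocket_handshake(req):
    """Step 1: decide whether the observed request is a WebSocket handshake."""
    h = req["headers"]
    return (req["method"] == "GET" and h.get("upgrade", "").lower() == "websocket"
            and "upgrade" in h.get("connection", "").lower()
            and "sec-websocket-key" in h and h.get("sec-websocket-version") == "13")


def forge_requests(req):
    """Step 2: derive forged handshakes. Cookies are kept because the victim's
    browser attaches them; only Origin varies, the one header a page cannot set."""
    variants = {}
    for label, origin in FORGED_ORIGINS:
        forged = {"method": req["method"], "target": req["target"], "headers": dict(req["headers"])}
        forged["headers"]["sec-websocket-key"] = base64.b64encode(os.urandom(16)).decode("ascii")
        if origin is None:
            forged["headers"].pop("origin", None)
        else:
            forged["headers"]["origin"] = origin
        variants[label] = forged
    return variants


def accept_key(client_key):
    """Sec-WebSocket-Accept per RFC 6455: base64(sha1(key + GUID))."""
    return base64.b64encode(hashlib.sha1((client_key + WS_GUID).encode()).digest()).decode()


# Toy origin policies standing in for the server under test (no network round trip).
def no_origin_check(headers):
    return True

def substring_origin_check(headers):  # common mistake: substring instead of exact match
    return "app.example.test" in headers.get("origin", "")

def strict_origin_check(headers):
    return headers.get("origin") == EXPECTED_ORIGIN


def server_under_test(origin_policy):
    """Answer a parsed handshake the way a server with the given origin policy would."""
    def respond(req):
        if not origin_policy(req["headers"]):
            return "HTTP/1.1 403 Forbidden", None
        return "HTTP/1.1 101 Switching Protocols", accept_key(req["headers"]["sec-websocket-key"])
    return respond


def assess(respond, observed_raw):
    """Step 3: send every forgery; a 101 with a correct Sec-WebSocket-Accept means deceived."""
    req = parse_handshake(observed_raw)
    if not is_websocket_handshake(req):
        return {"vulnerable": False, "risk": "none", "accepted": []}
    accepted = []
    for label, forged in forge_requests(req).items():
        status, key = respond(forged)
        if status.startswith("HTTP/1.1 101") and key == accept_key(forged["headers"]["sec-websocket-key"]):
            accepted.append(label)
    risk = max((SEVERITY[label] for label in accepted), key=RANK.get, default="none")
    return {"vulnerable": bool(accepted), "risk": risk, "accepted": accepted}


if __name__ == "__main__":
    for policy in (no_origin_check, substring_origin_check, strict_origin_check):
        print(policy.__name__, assess(server_under_test(policy), OBSERVED_HANDSHAKE))
```

In a real probe the forged handshake would be rendered back to request bytes and sent to the server under test over TCP or TLS, with the same acceptance test applied to the bytes that come back. The server that does no Origin check accepts every variant and grades high; the substring allow-list rejects the obvious foreign origin but still accepts the lookalike, which is why the grading distinguishes the variants; an exact-match check accepts none. Binding a per-session token into the handshake URL in addition to the exact Origin check is the usual hardening.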

Description

Technical field
[0001] The embodiments of the present invention relate to the communication field, and in particular to a method and device for detecting WebSocket cross-site request forgery vulnerabilities.

Background
[0002] In order to realize instant messaging, many websites use polling. Polling means that the browser sends an HTTP request to the server under test at a fixed interval (for example every 1 second), and the server under test then returns the latest data to the browser. This traditional HTTP request mode has an obvious disadvantage: the browser must keep sending requests to the server under test, but the header fields of each HTTP request are long while the useful data carried by the request may be only a small value, so a large amount of bandwidth is consumed.
[0003] Based on the above, a new web socket protocol (called WebSocket protoc...


Application Information

Patent Timeline
Patent Type & Authority: Applications (China)
IPC (8): H04L29/06, H04L29/08
CPC: H04L63/1433, H04L63/168, H04L67/02, H04L69/162
Inventors: 王旸, 陈舟, 杨阳, 胡景秀, 尹亚伟
Owner: CHINA UNIONPAY