Looking for breakthrough ideas for innovation challenges? Try Patsnap Eureka!

Web interface design method for preventing request message from being tampered, attacked and replayed

A technology for requesting message and interface design, applied in user identity/authority verification, digital transmission system, electrical components, etc., can solve problems such as exposure and no secrets, and achieve the effect of reducing API power

Active Publication Date: 2020-07-24
HANGZHOU QUWEI SCI & TECH
View PDF4 Cites 7 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

In this existing technology, if the calling client is a browser, then there will be anonymous API access scenarios, but anonymous API also needs to prevent request message tampering
If the Appkey and signature algorithm are leaked, any user can construct a signature string. In the scenario where the requester is a browser, the front end has no secrets at all and will be exposed

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • Web interface design method for preventing request message from being tampered, attacked and replayed

Examples

Experimental program
Comparison scheme
Effect test

Embodiment Construction

[0041] The present invention will be further described below in conjunction with the accompanying drawings and specific embodiments.

[0042] Such as figure 1 In the described embodiment, a kind of web interface design method that prevents the request message from being tampered with and attacked to replay, specifically comprises the following steps:

[0043](1) The server combines specific information to construct a Token, and if the caller is also a server, it will be issued in advance; if it is a browser client, it will return csrfToken;

[0044] If the caller is also a server, it will be issued in advance: Token=uuidNamespace(AppID). The Token is time-sensitive and associated with the AppID of the caller. The caller applies for it on the receiver server in advance, and needs to apply again after it expires.

[0045] If it is a browser client, csrfToken is returned, and relevant specific parameters are agreed first:

[0046] requestInfo=remoteIP+URLpath+UserAgentRandomSt...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

PUM

No PUM Login to View More

Abstract

The invention discloses a web interface design method for preventing a request message from being tampered, attacked and replayed. The method specifically comprises the following steps: a server constructs a Token in combination with specific information, and issues the Token in advance if a caller is also the server; if the caller is a browser client, csrfToken is returned to; a public parametersignature algorithm and public parameters including nonceStr, openid, timestamp and token of the signature algorithm are appointed; an abstract service parameter, i.e., playload, which refers to a setof all service parameters is appointed; an API request is initiated; the legality of the request is verified according to the public parameters and the program in the request, and the verification flow priority following: parameter verification is the first, simple or complex operation is the second, and query cache delay is delayed. The method has the beneficial effects of ensuring no leakage even if the request is captured, preventing CSRF security of the browser and the server, preventing parameters from being tampered, and ensuring that the request is not replayed.

Description

technical field [0001] The invention relates to the technical field related to request messages, in particular to a web interface design method for preventing request messages from being tampered with and replayed. Background technique [0002] The technical solutions of the prior art are as follows: (1) A method, system and device for defending against cross-site request forgery CSRF attacks, the method usually sends a cookie containing token to the login user, and then parses out the token according to the requested cookie value for comparison. This technology requires that the cookie storing the token must be in httponly mode, otherwise the front-end js can steal it. Secondly, the token value of this technology needs to adopt an encryption algorithm, and the encryption algorithm variable needs a time stamp, so that the token can change, otherwise it will be manually recorded and stored. This technology does not reflect how to prevent cookies from being tampered with. ...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

Application Information

Patent Timeline
no application Login to View More
Patent Type & Authority Applications(China)
IPC IPC(8): H04L29/06H04L9/32
CPCH04L63/0807H04L63/0421H04L63/145H04L9/3247
Inventor 高海顾湘余陈峰
Owner HANGZHOU QUWEI SCI & TECH
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Patsnap Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Patsnap Eureka Blog
Learn More
PatSnap group products

Browse by: Latest US Patents, China's latest patents, Technical Efficacy Thesaurus, Application Domain, Technology Topic, Popular Technical Reports.

© 2024 PatSnap. All rights reserved.Legal|Privacy policy|Modern Slavery Act Transparency Statement|Sitemap|About US| Contact US: help@patsnap.com