
A web interface design method for preventing request messages from being tampered with and replaying attacks

A technique for request-message and interface design, applied in digital transmission systems, user identity/authority verification and secure communication devices. It addresses the problem that a browser front end holds no secret and is therefore exposed, and achieves CSRF protection while preventing request parameters from being tampered with.

Active Publication Date: 2022-04-12
HANGZHOU QUWEI SCI & TECH

AI Technical Summary

Problems solved by technology

In the prior art, if the calling client is a browser there are anonymous API access scenarios, and an anonymous API also needs protection against request-message tampering.
If the AppKey and the signature algorithm are leaked, any user can construct a valid signature string. In the scenario where the requester is a browser, the front end holds no secret at all, so any key placed there is exposed.


Embodiment Construction

[0043] The present invention will be further described below in conjunction with the accompanying drawings and specific embodiments.

[0044] As shown in figure 1, in the described embodiment a web interface design method for preventing request messages from being tampered with and replayed comprises the following steps:

[0045] (1) The server combines specific information to construct a Token. If the caller is itself a server, the Token is issued in advance; if the caller is a browser client, a csrfToken is returned.

[0046] If the caller is itself a server, the Token is issued in advance as Token=uuidNamespace(AppID). The Token is time-limited and bound to the caller's AppID; the caller applies for it from the receiving server in advance and must apply again once it expires.

[0047] If the caller is a browser client, a csrfToken is returned, and the relevant parameters are agreed first:

[0048] requestInfo=remoteIP+URLpath+UserAgent

[0049] ...


Abstract

The invention discloses a web interface design method for preventing request messages from being tampered with and replayed. It comprises the following steps: the server combines specific information to construct a Token; if the caller is itself a server the Token is issued in advance, and if the caller is a browser client a csrfToken is returned. The parties agree on the public-parameter signature algorithm and on its public parameters: nonceStr, openid, timestamp and token. They then agree on an abstract business parameter, payload, which denotes the collection of all business parameters, and the caller initiates the API request. The receiver verifies the legitimacy of the request from the public parameters and the payload it carries, with the verification steps ordered so that parameter validation comes first, simple or complex operations follow, and cache queries are deferred to the end. The beneficial effects of the invention are: the message content is not leaked even if the request is captured, CSRF between browser and server is prevented, parameters cannot be tampered with, and requests cannot be replayed.
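The full procedure above (token issuance in step (1), the agreed public parameters nonceStr, openid, timestamp and token, the payload, one signature over both, and the cheap-first verification order) worked through as an added Python example. This is illustrative code written for this page, not the patent's implementation or any code of Hangzhou Quwei. Reading uuidNamespace(AppID) as a UUID v5 derivation, the csrfToken as an HMAC over requestInfo, HMAC-SHA256 with a per-AppID shared secret as the public-parameter signature algorithm, the sorted-key JSON canonical form, the 300-second timestamp window, the one-hour token lifetime and the in-memory token and nonce tables are all assumptions; the AppID, secrets and request values are constructed.

```python
import hashlib
import hmac
import json
import secrets
import time
import uuid

# Assumed server-side state, constructed for this example.
SERVER_NAMESPACE = uuid.UUID("0f3e5c9a-7b21-4d6e-9a10-2c4b8e6d1f00")  # private namespace
CSRF_KEY = b"constructed-server-only-csrf-key"
APP_SECRETS = {"app-1001": b"constructed-shared-secret-for-app-1001"}  # AppID -> secret
TOKEN_TTL = 3600          # lifetime of a server Token in seconds (assumption)
TIMESTAMP_WINDOW = 300    # accepted distance between `timestamp` and the server clock
PUBLIC_PARAMS = ("nonceStr", "openid", "timestamp", "token")
ISSUED_TOKENS = {}        # token -> (AppID, expiry), filled when a token is issued
SEEN_NONCES = {}          # nonceStr -> expiry; the replay cache, queried last


def issue_server_token(app_id, now):
    """Step (1), server caller: Token = uuidNamespace(AppID), read here as uuid5 over
    the AppID plus issue time, so a renewed token differs from the expired one.
    The token is time-limited and bound to the AppID that applied for it."""
    if app_id not in APP_SECRETS:
        raise KeyError("unknown AppID")
    token = str(uuid.uuid5(SERVER_NAMESPACE, f"{app_id}:{int(now)}"))
    ISSUED_TOKENS[token] = (app_id, now + TOKEN_TTL)
    return token


def issue_csrf_token(remote_ip, url_path, user_agent):
    """Step (1), browser caller: csrfToken bound to requestInfo = remoteIP+URLpath+UserAgent.
    The front end keeps no secret; only the server can compute this HMAC."""
    request_info = remote_ip + url_path + user_agent
    return hmac.new(CSRF_KEY, request_info.encode(), hashlib.sha256).hexdigest()


def check_csrf_token(token, remote_ip, url_path, user_agent):
    """A csrfToken presented from a different IP, path or User-Agent does not match."""
    return hmac.compare_digest(token, issue_csrf_token(remote_ip, url_path, user_agent))


def canonical(public, payload):
    """Agreed signing input: the public params plus the whole payload, serialised with
    sorted keys so caller and receiver hash identical bytes (assumed canonical form)."""
    return json.dumps({"public": public, "payload": payload},
                      sort_keys=True, separators=(",", ":")).encode()


def sign(secret, public, payload):
    return hmac.new(secret, canonical(public, payload), hashlib.sha256).hexdigest()


def build_request(app_id, token, openid, payload, now=None):
    """Caller side: public params (nonceStr, openid, timestamp, token), the payload,
    and one signature covering both, so no field can change without detection."""
    public = {"nonceStr": secrets.token_hex(16), "openid": openid,
              "timestamp": int(time.time() if now is None else now), "token": token}
    return {"public": public, "payload": payload,
            "sign": sign(APP_SECRETS[app_id], public, payload)}


def verify_request(req, now):
    """Receiver side, in the order the abstract prescribes: parameter validation first,
    then the HMAC computation, and the nonce-cache query only for requests that have
    passed everything else. Returns (ok, AppID or rejection reason)."""
    public, payload = req.get("public") or {}, req.get("payload")
    # 1. parameter validation: presence, types and the timestamp window
    if any(k not in public for k in PUBLIC_PARAMS) or not isinstance(payload, dict):
        return False, "missing parameter"
    ts = public["timestamp"]
    if not isinstance(ts, int) or abs(now - ts) > TIMESTAMP_WINDOW:
        return False, "timestamp outside window"
    # 2. operations: token lookup/expiry and the signature over public params + payload
    entry = ISSUED_TOKENS.get(public["token"])
    if entry is None or entry[1] < now:
        return False, "token unknown or expired"
    expected = sign(APP_SECRETS[entry[0]], public, payload)
    if not hmac.compare_digest(expected, str(req.get("sign", ""))):
        return False, "bad signature"
    # 3. cache query last: a nonce already seen inside the window is a replay
    nonce = public["nonceStr"]
    if SEEN_NONCES.get(nonce, 0) > now:
        return False, "replayed nonce"
    SEEN_NONCES[nonce] = now + TIMESTAMP_WINDOW
    return True, entry[0]


if __name__ == "__main__":
    now = 1_700_000_000.0
    tok = issue_server_token("app-1001", now)
    req = build_request("app-1001", tok, "user-42", {"orderId": "A1", "amount": 10}, now)
    print(verify_request(req, now + 1))   # (True, 'app-1001')
    print(verify_request(req, now + 2))   # (False, 'replayed nonce')
```

The ordering in verify_request is the point of the abstract's last step: a malformed or stale request is rejected before any HMAC is computed, a forged or tampered request is rejected before the nonce store is touched, so the replay cache (the only shared, stateful lookup) sees just the traffic that already proved its origin. Tampering with the payload fails the signature because the signature covers public parameters and payload together, and a captured request re-sent inside the window fails on the nonce.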

Description

Technical field
[0001] The invention relates to the technical field of request messages, in particular to a web interface design method for preventing request messages from being tampered with and replayed.
Background technique
[0002] The prior art is as follows: (1) A method, system and device for defending against cross-site request forgery (CSRF) attacks. The method typically sends the logged-in user a cookie containing a token, then parses the token out of the cookie value in each request and compares it. This technique requires the cookie holding the token to be set HttpOnly, otherwise front-end JavaScript can steal it. Secondly, the token value must be produced by an encryption algorithm whose input includes a timestamp so that the token changes over time; otherwise it can be recorded by hand and stored. This technique does not address how to prevent the cookie itself from being tampered with. ...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): H04L9/40, H04L9/32
CPC: H04L63/0807, H04L63/0421, H04L63/145, H04L9/3247
Inventor: 高海顾湘余陈峰
Owner: HANGZHOU QUWEI SCI & TECH