Attack defense method, attack defense device, processor, and attack defense system
By generating dynamic syntax parsing rules and custom query scripts between the web server and the target database, the problem of defending against XSS attacks in existing technologies is solved, and the query statements are encrypted to ensure the security and accuracy of the query data.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- WEICHAI POWER CO LTD
- Filing Date
- 2022-10-08
- Publication Date
- 2026-07-10
Smart Images

Figure CN115544506B_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of computer security technology, and more specifically, to an attack defense method, an attack defense device, a computer-readable storage medium, a processor, and an attack defense system. Background Technology
[0002] Currently, internet applications based on the web environment are becoming increasingly widespread. In the process of enterprise informatization, various services are hosted on the web platform. However, the rapid development of web service programs has also attracted the attention of hackers. For example, hackers exploit vulnerabilities in website operating systems to inject SQL injection code and / or XSS attack code into web service programs to gain control of the web service and steal important internal data.
[0003] To address the aforementioned problems, existing technologies typically offer two solutions: one is to perform input verification, input encoding, and output encoding during the application development phase; the other is to use a WAF (Web Application Firewall) defense system. For example, invention patent CN106355094A defends against attacks by replacing keywords in the web server and SQL file parser. Invention patent CN106503557A transforms and maps the database field names to be queried in SQL, making it impossible for attackers to guess the field names and thus preventing them from obtaining critical database information. However, neither of these inventions solves the problem of XSS injection attacks.
[0004] Therefore, there is an urgent need for a method to defend against XSS attacks. Summary of the Invention
[0005] The main objective of this application is to provide an attack defense method, attack defense device, computer-readable storage medium, processor, and attack defense system to solve the problem that it is difficult to defend against XSS attacks in the prior art.
[0006] According to one aspect of the present invention, an attack defense method is provided, comprising: receiving a syntax parsing rule sent by a web server, wherein the syntax parsing rule is a dynamic syntax parsing rule generated by the web server based on a randomly generated digital certificate of the client browser upon receiving a query request sent by a client browser; generating a custom query script based at least on the syntax parsing rule and a query statement corresponding to the query request; and sending the custom query script to a target database at least once, such that the target database performs a query based on the custom query script to obtain target query data.
[0007] Optionally, at least based on the syntax parsing rules and the query statement corresponding to the query request, a custom query script is generated, including: controlling a dynamic query syntax interpreter to compile the query statement into the custom query script according to the syntax parsing rules, wherein the dynamic query syntax interpreter is a plugin that compiles the query statement into the custom query script based on the syntax parsing rules.
[0008] Optionally, at least the custom query script is sent to the target database, causing the target database to perform a query based on the custom query script to obtain the target query data. This includes: controlling a custom query script interpreter to compile the custom query script into standard SQL query language, wherein the custom query script interpreter is a plugin that compiles the custom query script into the standard SQL query language; and sending the standard SQL query language to the target database, causing the target database to perform a query based on the standard SQL query language to obtain the target query data.
[0009] Optionally, after obtaining the target query data, the attack defense method further includes: receiving a custom front-end script sent by the web server, and compiling the custom front-end script into a dynamic syntax front-end script based at least on the digital certificate, wherein the custom front-end script is compiled by the web server based on the target query data sent by the target database; compiling the dynamic syntax front-end script into a front-end display page based at least on the digital certificate, and displaying the front-end display page on the client browser.
[0010] Optionally, at least based on the digital certificate, compiling the custom front-end script into a dynamic syntax front-end script includes: controlling a custom front-end script interpreter to compile the custom front-end script into the dynamic syntax front-end script according to the digital certificate, wherein the custom front-end script interpreter is a plugin that compiles the custom front-end script into the dynamic syntax front-end script based on the digital certificate.
[0011] Optionally, compiling the dynamic syntax front-end script into a front-end display page, at least based on the digital certificate, includes: controlling a dynamic front-end syntax interpreter to generate dynamic front-end parsing rules, at least based on the digital certificate; and controlling the dynamic front-end syntax interpreter to compile the dynamic syntax front-end script into the front-end display page according to the dynamic front-end parsing rules, wherein the dynamic front-end syntax interpreter is a plugin that compiles the dynamic syntax front-end script into the front-end display page based on the dynamic front-end parsing rules.
[0012] According to another aspect of the present invention, an attack defense device is also provided, comprising: a receiving unit, configured to receive syntax parsing rules sent by a web server, wherein the syntax parsing rules are dynamic syntax parsing rules generated by the web server based on a randomly generated digital certificate of the client browser when receiving a query request sent by a client browser; a generating unit, configured to generate a custom query script at least according to the syntax parsing rules and the query statement corresponding to the query request; and a querying unit, configured to send the custom query script at least to a target database, such that the target database performs a query based on the custom query script to obtain target query data.
[0013] According to another aspect of the present invention, a computer-readable storage medium is also provided, the computer-readable storage medium including a stored program, wherein the program executes any of the attack defense methods described above.
[0014] According to another aspect of the present invention, a processor is also provided, the processor being configured to run a program, wherein the program, when running, executes any of the aforementioned attack defense methods.
[0015] According to one aspect of the present invention, an attack defense system is also provided, comprising: an attack defense device for executing any of the attack defense methods described above; a web server communicating with the attack defense device; and a target database communicating with the web server.
[0016] In this embodiment of the invention, the attack defense method first receives syntax parsing rules generated by a web server based on a randomly generated digital certificate of the client browser; then, based on the syntax parsing rules and the query statement corresponding to the query request, the query statement is compiled (or interpreted) to obtain a custom query script; finally, the custom query script is sent to the target database at least once, so that the target database, upon receiving the custom query script, will at least perform a query based on the custom query script to obtain the target query data. In this attack defense method, the query statement is compiled according to the syntax parsing rules sent by the web server to obtain a custom query script, thus encrypting the query statement through syntax parsing rules to obtain a dynamic custom query script, ensuring high security of the obtained custom query script. Because the custom query script is obtained by compiling the corresponding query statement based on syntax parsing rules, XSS attack code injected from the front-end page cannot be executed, thereby preventing XSS injection attacks and solving the problem of difficulty in defending against XSS attacks in the prior art. Attached Figure Description
[0017] The accompanying drawings, which form part of this application, are used to provide a further understanding of this application. The illustrative embodiments and descriptions of this application are used to explain this application and do not constitute an undue limitation of this application. In the drawings:
[0018] Figure 1 A flowchart illustrating an embodiment of the attack defense method of this application is shown;
[0019] Figure 2 A schematic diagram of the query data flow according to one embodiment of this application is shown;
[0020] Figure 3 A flowchart illustrating another embodiment of the attack defense method of this application is shown;
[0021] Figure 4 A schematic diagram of the return data stream according to one embodiment of this application is shown;
[0022] Figure 5 A schematic diagram of the attack defense device according to an embodiment of this application is shown;
[0023] Figure 6 A flowchart illustrating an attack defense method according to a specific embodiment of this application is shown.
[0024] The above figures include the following reference numerals:
[0025] 10. Receiving unit; 20. Generating unit; 30. Querying unit; 100. Web server; 200. Dynamic query syntax interpreter; 300. Custom query script interpreter; 400. Target database; 500. Client browser; 600. Custom front-end script interpreter; 700. Dynamic front-end syntax interpreter; 800. Dynamic syntax library; 900. Dynamic front-end syntax library; 101. CA server. Detailed Implementation
[0026] It should be noted that, unless otherwise specified, the embodiments and features described in this application can be combined with each other. This application will now be described in detail with reference to the accompanying drawings and embodiments.
[0027] To enable those skilled in the art to better understand the present application, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present application, and not all embodiments. Based on the embodiments in the present application, all other embodiments obtained by those of ordinary skill in the art without creative effort should fall within the scope of protection of the present application.
[0028] It should be noted that the terms "first," "second," etc., in the specification, claims, and accompanying drawings of this application are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that such data can be interchanged where appropriate for the embodiments of this application described herein. Furthermore, the terms "comprising" and "having," and any variations thereof, are intended to cover non-exclusive inclusion; for example, a process, method, system, product, or apparatus that comprises a series of steps or units is not necessarily limited to those steps or units explicitly listed, but may include other steps or units not explicitly listed or inherent to such processes, methods, products, or apparatus.
[0029] For ease of description, the following explains some of the nouns or terms used in the embodiments of this application:
[0030] WAF: A defense system that provides protection specifically for web service programs by enforcing a series of security policies for HTTP / HTTPS;
[0031] SQL injection attack: By submitting a piece of database query code to query the database, and then obtaining some data based on the results returned by the program;
[0032] Cross-Site Scripting (XSS) attacks: These attacks embed malicious script code within a webpage that a user visits. When the user accesses the page, the embedded malicious script code is executed, thus achieving the purpose of the attack.
[0033] As mentioned in the background section, it is difficult to defend against XSS attacks in the prior art. In order to solve the above problems, in a typical embodiment of this application, an attack defense method, an attack defense device, a computer-readable storage medium, a processor, and an attack defense system are provided.
[0034] According to an embodiment of this application, an attack defense method is provided.
[0035] Figure 1 This is a flowchart of an attack defense method according to an embodiment of this application. For example... Figure 1 As shown, this attack defense method includes the following steps:
[0036] Step S101: Receive the syntax parsing rules sent by the Web server. The syntax parsing rules are dynamic syntax parsing rules generated by the Web server based on the randomly generated digital certificate of the client browser when it receives a query request sent by the client browser.
[0037] Step S102: Generate a custom query script based at least on the above syntax parsing rules and the query statement corresponding to the above query request;
[0038] Step S103: Send the above-mentioned custom query script to the target database at least once, so that the target database performs a query based on the above-mentioned custom query script and obtains the target query data.
[0039] In the aforementioned attack defense method, firstly, a syntax parsing rule generated by a web server based on a randomly generated digital certificate of the client browser is received; then, based on the syntax parsing rule and the query statement corresponding to the query request, the query statement is compiled (or interpreted) to obtain a custom query script; finally, the custom query script is sent to the target database at least once, so that the target database, upon receiving the custom query script, will at least perform a query based on the custom query script to obtain the target query data. In the attack defense method of this application, the query statement is compiled according to the syntax parsing rule sent by the web server to obtain a custom query script, thus achieving encryption of the query statement through syntax parsing rules to obtain a dynamic custom query script, thereby ensuring a high level of security for the obtained custom query script. Because the custom query script is obtained by compiling the corresponding query statement based on syntax parsing rules, XSS attack code injected from the front-end page cannot be executed, thereby avoiding XSS injection attacks and solving the problem of difficulty in defending against XSS attacks in existing technologies.
[0040] In one specific embodiment of this application, the digital certificate may be generated by a CA (Certification Authority) server. The aforementioned custom query script is a custom query script that the target database can recognize.
[0041] In practical applications, the aforementioned web server and the target database can be isolated from each other. In another specific embodiment of this application, the target database can be a MySQL database, SQL Server database, Oracle database, etc. Of course, in practical applications, the target database is not limited to MySQL, SQL Server, or Oracle databases; it can be any feasible database in the prior art. This application does not limit the type of the target database.
[0042] In one specific embodiment of this application, syntax parsing rules can also be generated based on the client browser's digital certificate and dynamic syntax library, which simplifies the process of obtaining syntax parsing rules. The aforementioned dynamic syntax library can be a rule base that is constantly updated and can provide several syntax rules.
[0043] Specifically, the aforementioned target database can be used to store various types of business data, and this application does not limit the data stored in the target database. In one specific embodiment of this application, the target database can be used to store relevant business data throughout the entire lifecycle of the engine. For example, business data from multiple stages of engine production, assembly, use, and maintenance.
[0044] It should be noted that the steps shown in the flowchart in the accompanying drawings can be executed in a computer system such as a set of computer-executable instructions, and although a logical order is shown in the flowchart, in some cases the steps shown or described may be executed in a different order than that shown here.
[0045] To simplify the process of compiling a query statement into a custom query script based on syntax parsing rules, in one embodiment of this application, a custom query script is generated based at least on the aforementioned syntax parsing rules and the query statement corresponding to the query request. This includes controlling a dynamic query syntax interpreter to compile the query statement into the custom query script based on the syntax parsing rules. The dynamic query syntax interpreter is a plugin that compiles the query statement into the custom query script based on the syntax parsing rules.
[0046] In practical applications, the aforementioned dynamic query syntax interpreter can compile the query statement into a custom query script based on the syntax parsing rules corresponding to the query statement. This achieves dynamic encryption of the query statement, preventing the execution of XSS attack code injected from the front end. Since the custom query script is dynamically obtained through syntax parsing rules, it dynamically transforms and maps the target database field names, making it impossible for attackers to accurately know the field names, thus resisting SQL injection attacks. Furthermore, the attack defense method of this application, by simply compiling the query statement into a custom query script through syntax parsing rules, does not increase the query difficulty of the target database. This ensures that the target database can easily obtain the target query data based on the custom query script, guaranteeing fast query speed and improving the user experience.
[0047] In another embodiment of this application, at least the custom query script is sent to the target database, causing the target database to perform a query based on the custom query script to obtain target query data. This includes: controlling a custom query script interpreter to compile the custom query script into standard SQL query language, wherein the custom query script interpreter is a plugin for compiling the custom query script into standard SQL query language; and sending the standard SQL query language to the target database, causing the target database to perform a query based on the standard SQL query language to obtain the target query data. In this embodiment, by using a custom query script interpreter to compile the custom query script into standard SQL query language, the standard SQL query language can be obtained relatively easily. Simultaneously, the target data is queried using standard SQL query syntax, which reduces the complexity of the target database query and ensures that the obtained target query data is relatively accurate.
[0048] In one specific embodiment of this application, the custom query script interpreter described above can be referred to as a database shell. This custom query script interpreter can convert custom query scripts into standard SQL query language.
[0049] In one specific embodiment of this application, such as Figure 2 As shown, the attack defense method of this application sets up a dynamic query syntax interpreter 200 and a custom query script interpreter 300 between the web server 100 and the target database 400, respectively. The dynamic query syntax interpreter 200 can compile the query statement corresponding to the query request into a custom query script based on syntax parsing rules. The custom query script interpreter 300 can compile the custom query script into standard SQL query language. Compared with the prior art, where the target database 400 directly queries through the query statement sent by the web server 100, this solution dynamically encrypts the query statement based on syntax parsing rules, improving security during the query process and thus resisting XSS injection attacks and SQL injection attacks.
[0050] In another embodiment of this application, such as Figure 3As shown, after obtaining the target query data, the attack defense method further includes: receiving a custom front-end script sent by the web server, and compiling the custom front-end script into a dynamic syntax front-end script based at least on the digital certificate, wherein the custom front-end script is compiled by the web server based on the target query data sent by the target database; compiling the dynamic syntax front-end script into a front-end display page based at least on the digital certificate, and displaying the front-end display page on the client browser. In this embodiment, when the web server receives the target query data from the target database, it compiles the target query data into a custom front-end script, and then compiles the custom front-end script into a front-end display page based on the digital certificate. This achieves dynamic encryption of the front-end display page, which can further resist XSS injection attacks and SQL injection attacks.
[0051] In order to obtain a dynamic syntax front-end script more easily, in another embodiment of this application, the custom front-end script is compiled into a dynamic syntax front-end script based at least on the digital certificate, including: controlling a custom front-end script interpreter to compile the custom front-end script into the dynamic syntax front-end script based on the digital certificate, wherein the custom front-end script interpreter is a plugin that compiles the custom front-end script into the dynamic syntax front-end script based on the digital certificate.
[0052] Specifically, in the above embodiments, the custom front-end script interpreter compiles the target query data into a dynamic custom front-end script based on a digital certificate.
[0053] In one embodiment of this application, compiling the dynamic syntax front-end script into a front-end display page, based at least on the aforementioned digital certificate, includes: controlling a dynamic front-end syntax interpreter to generate dynamic front-end parsing rules, based at least on the aforementioned digital certificate; and controlling the dynamic front-end syntax interpreter to compile the dynamic syntax front-end script into the front-end display page according to the aforementioned dynamic front-end parsing rules. The dynamic front-end syntax interpreter is a plugin that compiles the dynamic syntax front-end script into the front-end display page based on the aforementioned dynamic front-end parsing rules. In this embodiment, the dynamic front-end syntax interpreter compiles the dynamic syntax front-end script into a front-end display page, i.e., standard HTML and JavaScript scripts, according to the dynamic front-end parsing rules. This not only achieves encryption processing of the target query statement but also achieves relatively accurate display of the front-end display page on the client browser.
[0054] In one specific embodiment of this application, dynamic front-end parsing rules can be generated based on a digital certificate and a dynamic front-end syntax library. The aforementioned dynamic front-end syntax library is a rule base that can be updated at any time and provides several front-end syntax rules.
[0055] In one specific embodiment of this application, such as Figure 4 As shown, a custom front-end script interpreter 600 and a dynamic front-end syntax interpreter 700 are respectively set between the web server 100 and the client browser 500. The custom front-end script interpreter 600, based on the aforementioned digital certificate, recompiles the custom front-end script compiled by the web server 100 into a dynamic syntax front-end script. The dynamic front-end syntax interpreter 700, based on the digital certificate, generates dynamic front-end parsing rules and, based on these rules, compiles the dynamic syntax front-end script into a front-end display page. This achieves dynamic encryption of the target query data, further protecting against XSS and SQL injection attacks.
[0056] In practical applications, to further improve system security, the aforementioned dynamic query syntax interpreter, custom query script interpreter, custom front-end script interpreter, and dynamic front-end syntax interpreter can all be collectively referred to as browser plugins, which can be directly distributed as customized browsers to specific client users.
[0057] Specifically, in existing technologies, the web server directly sends SQL query statements to the target database; the client browser's front-end script also directly uses JavaScript scripts obtained from the web server. This structural pattern is the root cause of SQL injection and XSS attacks. Therefore, this application sets up a dynamic query syntax interpreter and a custom query script interpreter between the web server and the target database, respectively, thereby compiling the query statement into a dynamic SQL query statement. A custom front-end script interpreter and a dynamic front-end syntax interpreter are also set up between the web server and the client browser, thereby compiling the target query statement into a dynamic front-end script. The attack defense method of this application performs dynamic syntax processing on the query statements and front-end page scripts at the application layer, and performs asymmetric obfuscation, encryption, and salting, etc., so that all query requests and front-end page scripts of the current client browser are customized as dynamic scripts, avoiding the possibility of attackers using existing general-purpose scripts, thus solving the problem of difficulty in defending against XSS attacks in existing technologies.
[0058] This application also provides an attack defense device. It should be noted that the attack defense device of this application can be used to execute the attack defense method provided in this application. The attack defense device provided in this application is described below.
[0059] Figure 5This is a schematic diagram of the attack defense device according to an embodiment of this application. Figure 5 As shown, the attack defense device includes:
[0060] The receiving unit 10 is used to receive the syntax parsing rules sent by the Web server. The syntax parsing rules are dynamic syntax parsing rules generated by the Web server based on the randomly generated digital certificate of the client browser when it receives a query request sent by the client browser.
[0061] The generation unit 20 is used to generate a custom query script based at least on the above syntax parsing rules and the query statement corresponding to the above query request;
[0062] The query unit 30 is used to send the aforementioned custom query script to the target database, so that the target database performs a query based on the aforementioned custom query script and obtains the target query data.
[0063] In the aforementioned attack defense device, the receiving unit receives syntax parsing rules generated by a web server based on a randomly generated digital certificate of the client browser; the generating unit compiles (or interprets) the query statement corresponding to the syntax parsing rules and the query request to obtain a custom query script; the query unit sends the custom query script to the target database at least once, so that the target database, upon receiving the custom query script, performs a query based on the custom query script to obtain the target query data. In the attack defense method of this application, the query statement is compiled according to the syntax parsing rules sent by the web server to obtain a custom query script. This achieves encryption of the query statement through syntax parsing rules, resulting in a dynamic custom query script, thus ensuring high security of the obtained custom query script. Because the custom query script is obtained by compiling the corresponding query statement based on syntax parsing rules, XSS attack code injected from the front-end page cannot be executed, thereby preventing XSS injection attacks and solving the problem of difficulty in defending against XSS attacks in existing technologies.
[0064] In one specific embodiment of this application, the digital certificate may be generated by a CA (Certification Authority) server. The aforementioned custom query script is a custom query script that the target database can recognize.
[0065] In practical applications, the aforementioned web server and the target database can be isolated from each other. In another specific embodiment of this application, the target database can be a MySQL database, SQL Server database, Oracle database, etc. Of course, in practical applications, the target database is not limited to MySQL, SQL Server, or Oracle databases; it can be any feasible database in the prior art. This application does not limit the type of the target database.
[0066] In one specific embodiment of this application, syntax parsing rules can also be generated based on the client browser's digital certificate and dynamic syntax library, which simplifies the process of obtaining syntax parsing rules. The aforementioned dynamic syntax library can be a rule base that is constantly updated and can provide several syntax rules.
[0067] Specifically, the aforementioned target database can be used to store various types of business data, and this application does not limit the data stored in the target database. In one specific embodiment of this application, the target database can be used to store relevant business data throughout the entire lifecycle of the engine. For example, business data from multiple stages of engine production, assembly, use, and maintenance.
[0068] To simplify the process of compiling a query statement into a custom query script based on syntax parsing rules, in one embodiment of this application, the generation unit includes a compilation module for controlling a dynamic query syntax interpreter to compile the query statement into the custom query script based on syntax parsing rules. The dynamic query syntax interpreter is a plugin that compiles the query statement into the custom query script based on syntax parsing rules.
[0069] In practical applications, the aforementioned dynamic query syntax interpreter can compile the query statement into a custom query script based on the syntax parsing rules corresponding to the query statement. This achieves dynamic encryption of the query statement, preventing the execution of XSS attack code injected from the front end. Since the custom query script is dynamically obtained through syntax parsing rules, it dynamically transforms and maps the target database field names, making it impossible for attackers to accurately know the field names, thus resisting SQL injection attacks. Furthermore, the attack defense method of this application, by simply compiling the query statement into a custom query script through syntax parsing rules, does not increase the query difficulty of the target database. This ensures that the target database can easily obtain the target query data based on the custom query script, guaranteeing fast query speed and improving the user experience.
[0070] In another embodiment of this application, the query unit includes a first control module and a sending module. The first control module controls a custom query script interpreter to compile the custom query script into standard SQL query language. The custom query script interpreter is a plugin that compiles the custom query script into standard SQL query language. The sending module sends the standard SQL query language to the target database, causing the target database to perform a query based on the standard SQL query language to obtain the target query data. In this embodiment, by using a custom query script interpreter to compile the custom query script into standard SQL query language, the standard SQL query language can be obtained relatively easily. Simultaneously, the target data is queried using standard SQL query syntax, which reduces the complexity of the target database query and ensures that the obtained target query data is relatively accurate.
[0071] In one specific embodiment of this application, the custom query script interpreter described above can be referred to as a database shell. This custom query script interpreter can convert custom query scripts into standard SQL query language.
[0072] In one specific embodiment of this application, such as Figure 2 As shown, the attack defense method of this application sets up a dynamic query syntax interpreter 200 and a custom query script interpreter 300 between the web server 100 and the target database 400, respectively. The dynamic query syntax interpreter 200 can compile the query statement corresponding to the query request into a custom query script based on syntax parsing rules. The custom query script interpreter 300 can compile the custom query script into standard SQL query language. Compared with the prior art, where the target database 400 directly queries through the query statement sent by the web server 100, this solution dynamically encrypts the query statement based on syntax parsing rules, improving security during the query process and thus resisting XSS injection attacks and SQL injection attacks.
[0073] In another embodiment of this application, the attack defense device further includes a receiving unit and a display unit. The receiving unit, after obtaining the target query data, receives a custom front-end script sent by the web server and, based at least on the digital certificate, compiles the custom front-end script into a dynamic syntax front-end script. The custom front-end script is compiled by the web server based on the target query data sent by the target database. The display unit, based at least on the digital certificate, compiles the dynamic syntax front-end script into a front-end display page and displays the front-end display page on the client browser. In this embodiment, upon receiving the target query data from the target database, the web server compiles the target query data into a custom front-end script and then, based on the digital certificate, compiles the custom front-end script into a front-end display page. This achieves dynamic encryption of the front-end display page, further resisting XSS injection attacks and SQL injection attacks.
[0074] In order to obtain the dynamic syntax front-end script more easily, in another embodiment of this application, the receiving unit includes a second control module, which is used to control a custom front-end script interpreter to compile the custom front-end script into the dynamic syntax front-end script based on the digital certificate. The custom front-end script interpreter is a plugin that compiles the custom front-end script into the dynamic syntax front-end script based on the digital certificate.
[0075] Specifically, in the above embodiments, the custom front-end script interpreter compiles the target query data into a dynamic custom front-end script based on a digital certificate.
[0076] In one embodiment of this application, the display unit includes a third control module and a fourth control module. The third control module controls a dynamic front-end syntax interpreter to generate dynamic front-end parsing rules based at least on the digital certificate. The fourth control module controls the dynamic front-end syntax interpreter to compile the dynamic front-end script into a front-end display page according to the dynamic front-end parsing rules. The dynamic front-end syntax interpreter is a plugin that compiles the dynamic front-end script into a front-end display page based on the dynamic front-end parsing rules. In this embodiment, the dynamic front-end syntax interpreter compiles the dynamic front-end script into a front-end display page, i.e., standard HTML and JavaScript scripts, according to the dynamic front-end parsing rules. This not only achieves encryption processing of the target query statement but also achieves relatively accurate display of the front-end display page on the client browser.
[0077] In one specific embodiment of this application, dynamic front-end parsing rules can be generated based on a digital certificate and a dynamic front-end syntax library. The aforementioned dynamic front-end syntax library is a rule base that can be updated at any time and provides several front-end syntax rules.
[0078] In one specific embodiment of this application, such as Figure 4 As shown, a custom front-end script interpreter 600 and a dynamic front-end syntax interpreter 700 are respectively set between the web server 100 and the client browser 500. The custom front-end script interpreter 600, based on the aforementioned digital certificate, recompiles the custom front-end script compiled by the web server 100 into a dynamic syntax front-end script. The dynamic front-end syntax interpreter 700, based on the digital certificate, generates dynamic front-end parsing rules and, based on these rules, compiles the dynamic syntax front-end script into a front-end display page. This achieves dynamic encryption of the target query data, further protecting against XSS and SQL injection attacks.
[0079] In practical applications, to further improve system security, the aforementioned dynamic query syntax interpreter, custom query script interpreter, custom front-end script interpreter, and dynamic front-end syntax interpreter can all be collectively referred to as browser plugins, which can be directly distributed as customized browsers to specific client users.
[0080] Specifically, in existing technologies, the web server directly sends SQL query statements to the target database; the client browser's front-end script also directly uses JavaScript scripts obtained from the web server. This structural pattern is the root cause of SQL injection and XSS attacks. Therefore, this application sets up a dynamic query syntax interpreter and a custom query script interpreter between the web server and the target database, respectively, thereby compiling the query statement into a dynamic SQL query statement. A custom front-end script interpreter and a dynamic front-end syntax interpreter are also set up between the web server and the client browser, thereby compiling the target query statement into a dynamic front-end script. The attack defense method of this application performs dynamic syntax processing on the query statements and front-end page scripts at the application layer, and performs asymmetric obfuscation, encryption, and salting, etc., so that all query requests and front-end page scripts of the current client browser are customized as dynamic scripts, avoiding the possibility of attackers using existing general-purpose scripts, thus solving the problem of difficulty in defending against XSS attacks in existing technologies.
[0081] The aforementioned attack defense device includes a processor and a memory. The receiving unit, generating unit, and querying unit are all stored as program units in the memory, and the processor executes the aforementioned program units stored in the memory to achieve the corresponding functions.
[0082] The processor contains a kernel, which retrieves the corresponding program units from memory. One or more kernels can be configured, and adjusting kernel parameters can address the challenges of defending against XSS attacks in existing technologies.
[0083] The memory may include non-permanent memory in computer-readable media, such as random access memory (RAM) and / or non-volatile memory, such as read-only memory (ROM) or flash RAM, and the memory includes at least one memory chip.
[0084] This invention provides a computer-readable storage medium storing a program that, when executed by a processor, implements the aforementioned attack defense method.
[0085] This invention provides a processor for running a program, wherein the program executes the attack defense method described above.
[0086] In a typical embodiment of this application, an attack defense system is also provided, comprising an attack defense device, a web server, and a target database. The attack defense device is used to execute any of the attack defense methods described above; the web server communicates with the attack defense device; and the target database communicates with the web server.
[0087] The aforementioned attack defense system includes an attack defense device, which is used to execute any of the aforementioned attack defense methods. In the aforementioned attack defense method, firstly, a syntax parsing rule generated based on a randomly generated digital certificate of the client browser is received from a web server; then, based on the syntax parsing rule and the query statement corresponding to the query request, the query statement is compiled (or interpreted) to obtain a custom query script; finally, the custom query script is sent to the target database at least once, so that the target database, upon receiving the custom query script, performs a query based on the custom query script to obtain the target query data. In the attack defense method of this application, the query statement is compiled according to the syntax parsing rule sent by the web server to obtain a custom query script, thus achieving encryption of the query statement through syntax parsing rules to obtain a dynamic custom query script, thereby ensuring a high level of security for the obtained custom query script. Because the custom query script is obtained by compiling the corresponding query statement based on syntax parsing rules, XSS attack code injected from the front-end page cannot be executed, thereby avoiding XSS injection attacks and solving the problem of difficulty in defending against XSS attacks in the prior art.
[0088] This invention provides a device including a processor, a memory, and a program stored in the memory and executable on the processor. When the processor executes the program, it performs at least the following steps:
[0089] Step S101: Receive the syntax parsing rules sent by the Web server. The syntax parsing rules are dynamic syntax parsing rules generated by the Web server based on the randomly generated digital certificate of the client browser when it receives a query request sent by the client browser.
[0090] Step S102: Generate a custom query script based at least on the above syntax parsing rules and the query statement corresponding to the above query request;
[0091] Step S103: Send the above-mentioned custom query script to the target database at least once, so that the target database performs a query based on the above-mentioned custom query script and obtains the target query data.
[0092] The devices mentioned in this article can be servers, PCs, tablets, mobile phones, etc.
[0093] This application also provides a computer program product, which, when executed on a data processing device, is suitable for executing an initialization program having at least the following method steps:
[0094] Step S101: Receive the syntax parsing rules sent by the Web server. The syntax parsing rules are dynamic syntax parsing rules generated by the Web server based on the randomly generated digital certificate of the client browser when it receives a query request sent by the client browser.
[0095] Step S102: Generate a custom query script based at least on the above syntax parsing rules and the query statement corresponding to the above query request;
[0096] Step S103: Send the above-mentioned custom query script to the target database at least once, so that the target database performs a query based on the above-mentioned custom query script and obtains the target query data.
[0097] To enable those skilled in the art to better understand the technical solution of this application, the technical solution and technical effects of this application will be described below in conjunction with specific embodiments.
[0098] Example
[0099] like Figure 6 As shown, this relates to an attack defense method. Specifically, the client browser 500 sends a query request to the web server 100. Upon receiving the query request, the web server 100 generates syntax parsing rules based on the digital certificate sent by the CA server 101 and the dynamic query syntax library 800. The dynamic query syntax interpreter 200 compiles the query statement into a custom query script according to the syntax parsing rules. The custom query script interpreter 300 compiles the custom query script into standard SQL query language and sends the standard SQL query language to the target database 400, causing the target database 400 to perform a query based on the custom query script and obtain the target query data. The web server 100 compiles the target query data received from the target database 400 into a custom front-end script. The custom front-end script interpreter 600 compiles the custom front-end script into a dynamic syntax front-end script based on the digital certificate. The dynamic front-end syntax interpreter 700 generates dynamic front-end parsing rules based on the digital certificate sent by the CA server 101 and the dynamic front-end syntax library 900. According to the dynamic front-end parsing rules, the dynamic syntax front-end script is compiled into the front-end display page, so as to display the front-end display page on the client browser 500.
[0100] In the above embodiments of the present invention, the descriptions of each embodiment have different focuses. For parts not described in detail in a certain embodiment, please refer to the relevant descriptions of other embodiments.
[0101] In the several embodiments provided in this application, it should be understood that the disclosed technical content can be implemented in other ways. The device embodiments described above are merely illustrative; for example, the division of units described above can be a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the coupling or direct coupling or communication connection shown or discussed may be through some interfaces; the indirect coupling or communication connection between units or modules may be electrical or other forms.
[0102] The units described above as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple units. Some or all of the units can be selected to achieve the purpose of this embodiment according to actual needs.
[0103] Furthermore, the functional units in the various embodiments of the present invention can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit. The integrated unit can be implemented in hardware or as a software functional unit.
[0104] If the aforementioned integrated units are implemented as software functional units and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, read-only memory (ROM), random access memory (RAM), portable hard drives, magnetic disks, or optical disks.
[0105] As can be seen from the above description, the embodiments of this application achieve the following technical effects:
[0106] 1) In the attack defense method of this application, firstly, a syntax parsing rule generated based on a randomly generated digital certificate of the client browser is received from a web server; then, based on the syntax parsing rule and the query statement corresponding to the query request, the query statement is compiled (or interpreted) to obtain a custom query script; finally, the custom query script is sent to the target database at least once, so that the target database, upon receiving the custom query script, will at least perform a query based on the custom query script to obtain the target query data. In the attack defense method of this application, the query statement is compiled according to the syntax parsing rule sent by the web server to obtain a custom query script, which realizes the encryption of the query statement through the syntax parsing rule to obtain a dynamic custom query script, thus ensuring a high level of security for the obtained custom query script. Since the custom query script is obtained by compiling the corresponding query statement based on the syntax parsing rule, XSS attack code injected from the front-end page cannot be executed, thereby avoiding XSS injection attacks and solving the problem of difficulty in defending against XSS attacks in the prior art.
[0107] 2) In the attack defense device of this application, the receiving unit is used to receive the syntax parsing rules generated by the web server based on the digital certificate of the randomly generated client browser; the generating unit is used to compile (or interpret) the query statement based on the syntax parsing rules and the query statement corresponding to the query request to obtain a custom query script; the query unit is used to send the custom query script to the target database at least once, so that the target database, upon receiving the custom query script, will at least perform a query based on the custom query script to obtain the target query data. In the attack defense method of this application, the query statement is compiled according to the syntax parsing rules sent by the web server to obtain a custom query script, which realizes the encryption of the query statement through the syntax parsing rules to obtain a dynamic custom query script, thus ensuring that the obtained custom query script has high security. Since the custom query script is obtained by compiling the corresponding query statement based on the syntax parsing rules, the XSS attack code injected from the front-end page cannot be executed, thereby avoiding XSS injection attacks and solving the problem of difficulty in defending against XSS attacks in the prior art.
[0108] 3) The attack defense system of this application includes an attack defense device, which is used to execute any of the above-described attack defense methods. In the above-described attack defense method, firstly, a syntax parsing rule generated based on a randomly generated digital certificate of the client browser is received from a web server; then, based on the syntax parsing rule and the query statement corresponding to the query request, the query statement is compiled (or interpreted) to obtain a custom query script; finally, the custom query script is sent to the target database at least once, so that the target database, upon receiving the custom query script, performs a query based on the custom query script to obtain the target query data. In the attack defense method of this application, the query statement is compiled according to the syntax parsing rule sent by the web server to obtain a custom query script, thus achieving encryption of the query statement through the syntax parsing rule to obtain a dynamic custom query script, thereby ensuring a high level of security for the obtained custom query script. Because the custom query script is obtained by compiling the corresponding query statement based on the syntax parsing rule, XSS attack code injected from the front-end page cannot be executed, thereby avoiding XSS injection attacks and solving the problem of difficulty in defending against XSS attacks in the prior art.
[0109] The above description is merely a preferred embodiment of this application and is not intended to limit this application. Various modifications and variations can be made to this application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this application should be included within the protection scope of this application.
Claims
1. An attack defense method, characterized in that, include: The system receives syntax parsing rules sent by a web server. These syntax parsing rules are dynamic rules generated by the web server based on the randomly generated digital certificate of the client browser when it receives a query request from the client browser. At least based on the syntax parsing rules and the query statement corresponding to the query request, a custom query script is generated; At least the custom query script is sent to the target database, so that the target database performs a query based on the custom query script to obtain the target query data; At least based on the syntax parsing rules and the query statement corresponding to the query request, a custom query script is generated, including: controlling a dynamic query syntax interpreter to compile the query statement into the custom query script according to the syntax parsing rules, wherein the dynamic query syntax interpreter is a plugin that compiles the query statement into the custom query script based on the syntax parsing rules; After obtaining the target query data, the attack defense method further includes: receiving a custom front-end script sent by the web server, and compiling the custom front-end script into a dynamic syntax front-end script based at least on the digital certificate, wherein the custom front-end script is compiled by the web server based on the target query data sent by the target database; compiling the dynamic syntax front-end script into a front-end display page based at least on the digital certificate, and displaying the front-end display page on the client browser.
2. The attack defense method according to claim 1, characterized in that, At least the custom query script is sent to the target database, so that the target database performs a query based on the custom query script to obtain the target query data, including: Control a custom query script interpreter to compile the custom query script into standard SQL query language; the custom query script interpreter is a plugin that compiles the custom query script into the standard SQL query language. The standard SQL query language is sent to the target database, so that the target database performs a query based on the standard SQL query language to obtain the target query data.
3. The attack defense method according to claim 1, characterized in that, At least based on the digital certificate, the custom front-end script is compiled into a dynamic syntax front-end script, including: The custom front-end script interpreter is controlled to compile the custom front-end script into the dynamic syntax front-end script based on the digital certificate. The custom front-end script interpreter is a plugin that compiles the custom front-end script into the dynamic syntax front-end script based on the digital certificate.
4. The attack defense method according to claim 1, characterized in that, At least based on the digital certificate, the dynamic syntax front-end script is compiled into a front-end display page, including: The dynamic front-end syntax interpreter is controlled to generate dynamic front-end parsing rules based at least on the digital certificate; The dynamic front-end syntax interpreter is controlled to compile the dynamic front-end script into the front-end display page according to the dynamic front-end parsing rules. The dynamic front-end syntax interpreter is a plugin that compiles the dynamic front-end script into the front-end display page based on the dynamic front-end parsing rules.
5. An attack defense device, characterized in that, include: The receiving unit is used to receive syntax parsing rules sent by the Web server. The syntax parsing rules are dynamic syntax parsing rules generated by the Web server based on the randomly generated digital certificate of the client browser when it receives a query request sent by the client browser. The generation unit is used to generate a custom query script based at least on the syntax parsing rules and the query statement corresponding to the query request; A query unit is configured to send the custom query script to the target database at least once, so that the target database performs a query based on the custom query script to obtain the target query data; The generation unit includes a compilation module, which controls a dynamic query syntax interpreter to compile the query statement into the custom query script according to syntax parsing rules. The dynamic query syntax interpreter is a plugin that compiles the query statement into the custom query script based on syntax parsing rules. The attack defense device further includes a receiving unit and a display unit. The receiving unit is used to receive a custom front-end script sent by the web server after obtaining the target query data, and compile the custom front-end script into a dynamic syntax front-end script based at least on the digital certificate. The custom front-end script is compiled by the web server based on the target query data sent by the target database. The display unit is used to compile the dynamic syntax front-end script into a front-end display page based at least on the digital certificate, and display the front-end display page on the client browser.
6. A computer-readable storage medium, characterized in that, The computer-readable storage medium includes a stored program, wherein the program executes the attack defense method according to any one of claims 1 to 4.
7. A processor, characterized in that, The processor is used to run a program, wherein the program executes the attack defense method according to any one of claims 1 to 4 when it runs.
8. An attack defense system, characterized in that, include: An attack defense device, said attack defense device being used to perform the attack defense method according to any one of claims 1 to 4; A web server, which communicates with the attack defense device; The target database communicates with the web server.