Looking for breakthrough ideas for innovation challenges? Try Patsnap Eureka!

Cross site request forgery vulnerability detection method and device

A technology for forging requests and vulnerability detection, applied in electrical components, transmission systems, etc., can solve problems such as false positives, false negatives, and token validity verification.

Active Publication Date: 2015-05-27
SHENZHEN TENCENT COMP SYST CO LTD
View PDF4 Cites 9 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

[0007] Even if the url address contains keywords similar to the token parameter, since the current target website does not verify the legitimacy of the token, for example, the token parameter pre-negotiated between the browser and the target website is "token=123456", and the attacker added in the url The token parameter is "token=111111", and the detection device detects that "token" is included in the url, and it is determined that there is no CSRF vulnerability, which leads to false negatives, and some cases of CSRF vulnerabilities are missed
[0008] In summary, the existing CSRF vulnerability detection scheme has a large number of false positives and missed negatives, resulting in high false positive rate and low accuracy rate

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • Cross site request forgery vulnerability detection method and device
  • Cross site request forgery vulnerability detection method and device
  • Cross site request forgery vulnerability detection method and device

Examples

Experimental program
Comparison scheme
Effect test

example

[0050] Pass below figure 2 with Figure 5 The process of the present invention will illustrate the method of CSRF vulnerability detection. See figure 2 , Is an example of a flowchart for feature setting of the present invention, which includes the following steps:

[0051] Step 201: Obtain a webpage entry to be detected.

[0052] Step 202: It is judged whether the webpage entry to be detected meets the entry detection condition, if yes, then step 203 is executed; otherwise, the process ends.

[0053] Step 203: Send a webpage entry access request with login status to the target website, and receive the webpage entry content returned by the target website, denoted as content A.

[0054] That is, the user first logs in and stores the login authentication information in the browser cookie; then, with the login authentication information, sends an access request about a certain webpage entry to the target website; the target website will process the access request and return the abou...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

PUM

No PUM Login to View More

Abstract

The invention discloses a cross site request forgery vulnerability detection method and device. The method comprises the following steps: acquiring a webpage entrance to be detected, and generating a unique feature corresponding to the webpage entrance, wherein the feature comprises webpage entrance description information; taking the generated feature as the parameter content of the webpage entrance to be detected, including the generated feature in a webpage request, and submitting the webpage request to a target website; and crawling a webpage of the target website, looking up whether or not the feature is included on the webpage or not, and if so, determining a webpage entrance on which cross site request forgery vulnerability exists according to the webpage entrance description information included in the feature. Through adoption of the scheme of the invention, the accuracy of cross site request forgery vulnerability detection can be increased.

Description

Technical field [0001] The present invention relates to webpage safety detection technology, in particular to a method and device for detecting cross-site forged request vulnerabilities. Background technique [0002] Cross-site request forgery (CSRF, Cross Site Request Forgery) attack, mainly refers to the attacker can implant malicious code or link in the webpage, when the victim's browser visits the malicious code or clicks on the malicious link, the attacker uses the victim The legal identity verification carried by the browser (usually stored in the browser cookie) initiates a malicious operation request to the target site. When the web page of the target site does not verify the validity of the request source, the malicious operation request will be successfully executed. It is believed that the webpage of the target site has a CSRF vulnerability. [0003] A typical example of a CSRF attack is when a user logs on to a webpage of a bank website, and the legal identity verific...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

Application Information

Patent Timeline
no application Login to View More
Patent Type & Authority Applications(China)
IPC IPC(8): H04L29/06
CPCH04L63/1433
Inventor 翁家才
Owner SHENZHEN TENCENT COMP SYST CO LTD
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Patsnap Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Patsnap Eureka Blog
Learn More
PatSnap group products

Browse by: Latest US Patents, China's latest patents, Technical Efficacy Thesaurus, Application Domain, Technology Topic, Popular Technical Reports.

© 2024 PatSnap. All rights reserved.Legal|Privacy policy|Modern Slavery Act Transparency Statement|Sitemap|About US| Contact US: help@patsnap.com