CN108809957A - Method for preventing access request of wechat enterprise number from being forged - Google Patents

Info

Publication number: CN108809957A
Authority: CN (China)
Prior art keywords: enterprise number; temporary authorization; information; user; authorization instruction
Legal status: Pending
Application number: CN201810500409.8A
Other languages: Chinese (zh)
Inventors: 杨高岭, 侯永松, 陈倩, 林汉升
Current assignee: Guangdong Weixiao Information Technology Co ltd
Original assignee: Guangdong Weixiao Information Technology Co ltd
Priority date: 2018-05-23
Filing date: 2018-05-23
Publication date: 2018-11-13

Classifications

    • H04L 63/0815: Network architectures or network communication protocols for network security, for authentication of entities, providing single-sign-on or federations (H: Electricity > H04: Electric communication technique > H04L: Transmission of digital information, e.g. telegraphic communication > H04L 63/00 > H04L 63/08)
    • H04L 51/52: User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail, for supporting social networking services (H: Electricity > H04: Electric communication technique > H04L: Transmission of digital information, e.g. telegraphic communication > H04L 51/00)
    • H04L 63/0876: Network architectures or network communication protocols for network security, for authentication of entities, based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint (H: Electricity > H04: Electric communication technique > H04L: Transmission of digital information, e.g. telegraphic communication > H04L 63/00 > H04L 63/08)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a method for preventing forged WeChat enterprise account access requests, comprising a first process chain and a second process chain. The first process chain comprises the following steps: the front end logs in to the server through the enterprise account and obtains the enterprise account's user ID information via OAuth single sign-on; a temporary authorization instruction is generated from the user ID information; and the temporary authorization instruction is stored in the front end's local cookies. The second process chain comprises the following steps: the front end, through the enterprise account, sends the server a request for a data interface; the server determines whether the cookies contain a temporary authorization instruction corresponding to the requested operation; if not, the front end has no permission for the operation, and if so, the corresponding data interface returns the business data to the front end's enterprise account. The design is equivalent to encrypting the user's ID information: an attacker cannot obtain the user ID, so forged WeChat enterprise account access requests are prevented, and intrusiveness to the original business interfaces is low.

Description

A method for preventing forged WeChat enterprise account (企业号) access requests

Technical field

The invention relates to the field of network communication technology, and in particular to a method for preventing forged WeChat enterprise account access requests.

Background

The enterprise account is the mobile application entry point that WeChat provides to enterprise customers. Through the OAuth redirect (OAuth single sign-on), user information such as the user's ID can be obtained from messages pushed by the enterprise account or from menus under an enterprise account application. The OAuth mechanism does ensure the reliability of the user information during the jump from the enterprise account to the business product's H5 page, but once on the H5 page, the further navigation within it and the associated interface requests make it hard to guarantee that the client-side user is genuine. Two countermeasures are common in the market. First, disabling the H5 page's share operation does hide the page's information, but disabling sharing is a native operation of the WeChat client and takes effect with some delay, so a user who acts quickly enough may still copy the link. Second, obfuscating the H5 front-end code reduces its readability to some extent and increases the effort an attacker must spend analysing the front-end code and data flow, but with data simulation or packet-capture tools an attacker can often still replicate the user information and carry out the attack.

Summary of the invention

To solve the above technical problem, the object of the present invention is to provide a method for preventing forged WeChat enterprise account access requests.

The technical solution adopted by the present invention is as follows:

A method for preventing forged WeChat enterprise account access requests comprises a first process chain and a second process chain.

The first process chain comprises the following steps:

the front end logs in to the server through the enterprise account and obtains the enterprise account's user ID information via OAuth single sign-on;

a temporary authorization instruction is generated from the user ID information;

the temporary authorization instruction is stored in the front end's local cookies.

The second process chain comprises the following steps:

the front end, through the enterprise account, sends the server a request for a data interface;

the server determines whether the cookies contain a temporary authorization instruction corresponding to the requested operation;

if not, the front end has no permission for the operation;

if so, the corresponding data interface returns the business data to the front end's enterprise account.

In the first process chain, the validity period of the temporary authorization instruction is set at the same time as the instruction is generated from the user ID information.

In the second process chain, if the cookies contain a temporary authorization instruction corresponding to the requested operation, it is further checked against its validity period whether the instruction has expired:

if not, the corresponding data interface returns the business data to the front end's enterprise account;

if so, the flow returns to the first process chain, and the enterprise account must log in to the server again so that a new temporary authorization instruction is generated.

In the second process chain, the front end is redirected into an H5 page after logging in through the enterprise account, and the H5 page requests the data interface from the server.

Beneficial effects of the invention:

In the access-request method of the invention, in the first process chain, when the user logs in to the server through the enterprise account, the enterprise account's user ID information is obtained via OAuth single sign-on and a temporary authorization instruction is generated from it. Later access requests form the second process chain: after the redirect to the H5 page, the front end sends the server a data-interface request through the enterprise account, the temporary authorization instruction in the cookies is checked, and only when an instruction corresponding to the requested operation exists does the corresponding data interface return business data to the front end's enterprise account. This is equivalent to encrypting the user's ID information: an attacker cannot obtain the user ID, so forged WeChat enterprise account access requests are prevented, with low intrusiveness to the original business interfaces.

Description of the drawings

The specific embodiments of the invention are further described below with reference to the accompanying drawings.

Fig. 1 is a schematic flowchart of the access-request method of the invention.

Detailed description

As shown in Fig. 1, the invention comprises a first process chain and a second process chain.

The first process chain comprises the following steps:

the front end logs in to the server through the enterprise account and obtains the enterprise account's user ID information via OAuth single sign-on;

a temporary authorization instruction is generated from the user ID information;

the temporary authorization instruction is stored in the front end's local cookies.

The second process chain comprises the following steps:

the front end, through the enterprise account, sends the server a request for a data interface;

the server determines whether the cookies contain a temporary authorization instruction corresponding to the requested operation;

if not, the front end has no permission for the operation, and the server accordingly returns error code 202 to the front end, marking that it is not permitted to call the interface;

if so, the corresponding data interface returns the business data to the front end's enterprise account.

OAuth single sign-on provides a secure, open and simple standard for authorizing access to user resources. Any third party can use an OAuth authentication service and any service provider can implement its own, so OAuth is open. The industry provides many OAuth implementations, including development kits for PHP, JavaScript, Java, Ruby and other languages, which saves programmers a great deal of time, so OAuth is simple. Many Internet services such as open APIs, and many large companies such as Google, Yahoo and Microsoft, provide OAuth authentication services. Here, under the official account provided by WeChat, the user can enter an account name and password to perform OAuth-based single sign-on; WeChat obtains the user ID information internally and returns a temporary authorization instruction to the server, so the server does not obtain the user ID information directly.

In the second process chain, the front end is redirected into the H5 page after logging in through the enterprise account, and the H5 page requests the data interface from the server. Here the check is attached to every interface method by an AOP (Spring aspect) annotation; the benefit of using an AOP annotation is that the original interfaces are not intruded upon.

Further, in the first process chain, the validity period of the temporary authorization instruction is set at the same time as the instruction is generated from the user ID information; the validity period can be chosen by the developer.

In the second process chain, if the cookies contain a temporary authorization instruction corresponding to the requested operation, it is further checked against its validity period whether the instruction has expired:

if not, the corresponding data interface returns the business data to the front end's enterprise account;

if so, the flow returns to the first process chain, the enterprise account must log in to the server again to regenerate the temporary authorization instruction, and error code 203 is returned.
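A server-side model of the two process chains described above, added here as an example; it is not code from the patent or its assignee. Everything not fixed by the page is an assumption: the temporary authorization instruction is modelled as an opaque random handle whose user ID, validity period and permitted interfaces are kept only in a server-side table (so the cookie never carries the user ID), the cookie is named `temp_auth`, and a Python decorator `requires_temp_auth` stands in for the Spring AOP annotation the page mentions. The error codes 202 (no instruction) and 203 (expired) are the page's own.

```python
"""Temporary authorization instruction: first chain (mint) and second chain (check).

Added example, not the patent's code. Hypothetical design choices: opaque
random handle + server-side table, cookie name `temp_auth`, decorator in the
role of the AOP annotation.
"""
import secrets
import time
from functools import wraps

ERR_NO_AUTH = 202   # page's code: no instruction for this request -> no permission
ERR_EXPIRED = 203   # page's code: instruction expired -> rerun the first process chain

COOKIE_NAME = "temp_auth"   # assumed cookie name
_instructions = {}          # handle -> {"user_id", "exp", "ops"}; lives only on the server


def generate_temp_auth(user_id, ops, ttl_seconds, now=None):
    """First process chain: after OAuth SSO has yielded user_id, mint an instruction
    valid for ttl_seconds and scoped to the interfaces in `ops`.
    Only the random handle goes to the browser; the user ID stays server-side."""
    now = time.time() if now is None else now
    handle = secrets.token_urlsafe(32)
    _instructions[handle] = {
        "user_id": user_id,
        "exp": now + ttl_seconds,
        "ops": frozenset(ops),
    }
    # Cookie attributes are an assumption on top of the page, which only says
    # "local cookies": HttpOnly keeps page scripts from reading the handle,
    # Secure keeps it off plaintext HTTP, Max-Age mirrors the validity period.
    set_cookie = (f"{COOKIE_NAME}={handle}; HttpOnly; Secure; SameSite=Lax; "
                  f"Max-Age={ttl_seconds}")
    return handle, set_cookie


def check_temp_auth(cookies, op, now=None):
    """Second process chain. Returns (user_id, None) on success or (None, error_code)."""
    now = time.time() if now is None else now
    handle = cookies.get(COOKIE_NAME, "")
    rec = _instructions.get(handle)
    # No instruction at all, or one that does not correspond to this operation -> 202
    if rec is None or op not in rec["ops"]:
        return None, ERR_NO_AUTH
    # Instruction exists but its validity period has passed -> 203, and the stale
    # handle is dropped so it cannot be presented again
    if now >= rec["exp"]:
        _instructions.pop(handle, None)
        return None, ERR_EXPIRED
    return rec["user_id"], None


def requires_temp_auth(op):
    """Decorator applied to each data interface, the role the page gives to the AOP
    annotation: the interface body is untouched and only ever sees a verified user_id."""
    def deco(fn):
        @wraps(fn)
        def wrapper(request, *args, **kwargs):
            user_id, err = check_temp_auth(request["cookies"], op, request.get("now"))
            if err is not None:
                return {"code": err, "data": None}
            return {"code": 200, "data": fn(user_id, *args, **kwargs)}
        return wrapper
    return deco


@requires_temp_auth("order/list")
def list_orders(user_id):
    """Stand-in business interface; knows nothing about cookies or expiry."""
    return [f"order-for-{user_id}"]


def demo():
    """Constructed walk-through with a fixed clock so expiry is deterministic.
    Returns the three result codes: valid request, request with a guessed
    cookie value, and request after the validity period."""
    t0 = 1_700_000_000.0
    handle, _ = generate_temp_auth("u-123", ["order/list"], ttl_seconds=600, now=t0)
    ok = list_orders({"cookies": {COOKIE_NAME: handle}, "now": t0 + 1})
    guessed = list_orders({"cookies": {COOKIE_NAME: "not-a-real-handle"}, "now": t0 + 1})
    expired = list_orders({"cookies": {COOKIE_NAME: handle}, "now": t0 + 601})
    return ok["code"], guessed["code"], expired["code"]


if __name__ == "__main__":
    print(demo())   # (200, 202, 203)
```

Because only the random handle ever leaves the server, nothing recoverable from the cookie identifies the user, which is the property the page describes as "equivalent to encrypting" the user ID; scoping each instruction to a set of interfaces is how the "instruction corresponding to the requested operation" check is modelled here. The H5 page itself never needs to read the cookie, which is why the example can mark it HttpOnly.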

The above describes only preferred embodiments of the invention; the invention is not limited to these embodiments, and any technical solution that achieves the purpose of the invention by substantially the same means falls within its scope of protection.

Claims (3)

1. A method for preventing forged WeChat enterprise account access requests, characterized in that it comprises a first process chain and a second process chain;
the first process chain comprises the following steps:
the front end logs in to the server through the enterprise account and obtains the enterprise account's user ID information via OAuth single sign-on;
a temporary authorization instruction is generated from the user ID information;
the temporary authorization instruction is stored in the front end's local cookies;
the second process chain comprises the following steps:
the front end, through the enterprise account, sends the server a request for a data interface;
it is determined whether the cookies contain a temporary authorization instruction corresponding to the requested operation;
if not, the front end has no permission for the operation;
if so, the corresponding data interface returns the business data to the front end's enterprise account.
2. The method for preventing forged WeChat enterprise account access requests according to claim 1, characterized in that: in the first process chain, the validity period of the temporary authorization instruction is set at the same time as the instruction is generated from the user ID information;
in the second process chain, if the cookies contain a temporary authorization instruction corresponding to the requested operation, it is further determined from the validity period whether the instruction has expired;
if not, the corresponding data interface returns the business data to the front end's enterprise account;
if so, the flow returns to the first process chain, and the enterprise account must log in to the server again to regenerate the temporary authorization instruction.
3. The method for preventing forged WeChat enterprise account access requests according to claim 1, characterized in that: in the second process chain, the front end is redirected into the H5 page after logging in through the enterprise account, and the H5 page requests the data interface from the server.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810500409.8A CN108809957A (en) 2018-05-23 2018-05-23 Method for preventing access request of wechat enterprise number from being forged

Publications (1)

Publication Number Publication Date
CN108809957A true CN108809957A (en) 2018-11-13

Family

ID=64092723

Country Status (1)

Country Link
CN (1) CN108809957A (en)

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1812403A (en) * 2005-01-28 2006-08-02 广东省电信有限公司科学技术研究院 Single-point logging method for realizing identification across management field
CN103179134A (en) * 2013-04-19 2013-06-26 中国建设银行股份有限公司 Single sign on method and system based on Cookie and application server thereof
US20160277390A1 (en) * 2013-12-27 2016-09-22 Sap Se Multi-domain applications with authorization and authentication in cloud environment
CN105072108A (en) * 2015-08-04 2015-11-18 小米科技有限责任公司 User information transmission method, device and system
US20170093989A1 (en) * 2015-09-25 2017-03-30 International Business Machines Corporation Data sharing
CN105812350A (en) * 2016-02-03 2016-07-27 北京中搜云商网络技术有限公司 Cross-platform single-point registration system
CN107819570A (en) * 2016-09-10 2018-03-20 长沙有干货网络技术有限公司 A kind of cross-domain single login method based on variable C ookie
CN106713271A (en) * 2016-11-25 2017-05-24 国云科技股份有限公司 A Web System Login Constraint Method Based on Single Sign-On
CN107483489A (en) * 2017-09-18 2017-12-15 上海上实龙创智慧能源科技股份有限公司 A kind of wisdom office system authentication method based on wechat enterprise number

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
LEAPMIE: "企业微信号开发(二)" (Enterprise WeChat account development, part 2), 《HTTPS://WWW.CNBLOGS.COM/LEAP/P/5913027.HTML》 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20181113