|
Hello everyone, I am Piaomiao. For the Internet, as long as your system interface is exposed to the Internet, interface security issues are inevitable. If your interface is exposed on the Internet, it can be called as long as the address and parameters of the interface are known, which is simply a disaster. For example: when users register on your website, they need to fill in their mobile phone number and send a verification code. If the interface for sending the verification code has not undergone special security processing, then this SMS interface would have been stolen and used by others, wasting a lot of money. So how do we ensure interface security? Generally speaking, API interfaces exposed to the external network need to be tamper-proof and replay-proof to be called secure interfaces. Tamper-proof We know that http is a stateless protocol. The server does not know whether the request sent by the client is legal or not, nor does it know whether the parameters in the request are correct. For example, there is now a recharge interface, which can increase the corresponding balance of the user after calling it. http : // localhost / api / user / recharge?user_id = 1001 & amount = 10 If an illegal user obtains the interface parameters by capturing packets, he can modify the value of user_id or amount to add a balance to any account. How to solve it The https protocol can encrypt the transmitted plain text, but hackers can still intercept the transmitted data packets and further forge requests for replay attacks. If hackers use special means to make the requesting device use a forged certificate for communication, the https-encrypted content will also be decrypted. There are two general approaches: - The data of the interface is encrypted and transmitted using https. Even if it is cracked by hackers, it will take a lot of time and effort for the hackers to crack it.
- The interface backend verifies the interface request parameters to prevent tampering by hackers;
- Step 1: The client encrypts the transmitted parameters using the agreed key, obtains the signature value sign1, and puts the signature value into the request parameters, and sends the request to the server.
- Step 2: The server receives the request from the client, and then uses the agreed secret key to sign the requested parameters again to obtain the signature value sign2.
- Step 3: The server compares the values of sign1 and sign2. If they are inconsistent, it is considered to be tampered with and an illegal request.
Anti-replay Anti-replay is also called anti-reuse. In simple terms, after I get the request information, I don't change anything, and directly use the interface parameters to repeatedly request the recharge interface. At this time, my request is legal because all the parameters are exactly the same as the legal request. Replay attacks will cause two consequences: - Regarding the database insertion interface: replay attack, a large amount of duplicate data will appear, and even junk data will explode the database.
- Targeting query interfaces: Hackers usually focus on attacking slow query interfaces. For example, if a slow query interface takes 1s, as long as the hacker launches a replay attack, the system will inevitably be dragged down and the database query will be blocked.
There are generally two ways to deal with replay attacks: Timestamp-based solution Each HTTP request needs to add a timestamp parameter, and then the timestamp and other parameters are digitally signed. Because a normal HTTP request usually takes less than 60 seconds from the time it is sent to the server, after receiving the HTTP request, the server first determines whether the timestamp parameter is more than 60 seconds compared with the current time. If so, it is considered an illegal request. Generally, it takes hackers much longer than 60 seconds to replay the request from packet capture, so the timestamp parameter in the request is invalid. If hackers modify the timestamp parameter to the current timestamp, the digital signature corresponding to the sign1 parameter will be invalid, because hackers do not know the signature key and have no way to generate a new digital signature. However, the loopholes of this method are also obvious. If a replay attack is carried out within 60 seconds, there is no way to deal with it. Therefore, this method cannot guarantee that the request is valid only once. Veterans usually adopt the following solution, which can solve both the interface replay problem and the problem of one-time interface request being valid. Nonce + timestamp based solution Nonce means a random string that is valid only once and must be different for each request. In practice, user information + timestamp + random number are used to make a hash and then used as the nonce parameter. At this time, the processing flow of the server is as follows: - Go to redis to find out if there is a string with key nonce:{nonce}
- If not, create this key and make the expiration time of this key consistent with the expiration time of the verification timestamp, for example, 60s.
- If yes, it means that the key has been used within 60 seconds, and the request can be judged as a replay request.
In this scheme, both nonce and timestamp parameters are transmitted to the backend as part of the signature. The timestamp-based scheme allows hackers to perform replay attacks only within 60 seconds. Adding the nonce random number ensures that the interface can only be called once, which can effectively solve the replay attack problem. Code Implementation Next, let's take a look at how to implement anti-tampering and anti-replay of the interface through actual code. 1. Build a request header object @Data
@Builder
public class RequestHeader {
private String sign ;
private Long timestamp ;
private String nonce ;
} 2. The tool class obtains request parameters from HttpServletRequest @Slf4j
@UtilityClass
public class HttpDataUtil {
/**
* Post request processing: Get Body parameters and convert them into SortedMap
*
* @param request
*/
public SortedMap < String , String > getBodyParams ( final HttpServletRequest request ) throws IOException {
byte [ ] requestBody = StreamUtils .copyToByteArray ( request .getInputStream ( ) ) ;
String body = new String ( requestBody ) ;
return JsonUtil .json2Object ( body , SortedMap .class ) ;
}
/**
* Get request processing: convert URL request parameters into SortedMap
*/
public static SortedMap < String , String > getUrlParams ( HttpServletRequest request ) {
String param = "" ;
SortedMap < String , String > result = new TreeMap <> ( ) ;
if ( StringUtils .isEmpty ( request .getQueryString ( ) ) ) {
return result ;
}
try {
param = URLDecoder .decode ( request .getQueryString ( ) , "utf-8" ) ;
} catch ( UnsupportedEncodingException e ) {
e .printStackTrace ( ) ;
}
String [ ] params = param .split ( "&" ) ;
for ( String s : params ) {
String [ ] array = s .split ( "=" ) ;
result .put ( array [ 0 ] , array [ 1 ] ) ;
}
return result ;
}
} The parameters here are put into SortedMap and sorted in lexicographic order. The parameters also need to be sorted in lexicographic order when the front end builds the signature. 3. Signature verification tools @Slf4j
@UtilityClass
public class SignUtil {
/**
* Verify signature
* Verification algorithm: combine timestamp + JsonUtil.object2Json(SortedMap) into a string, then MD5
*/
@SneakyThrows
public boolean verifySign ( SortedMap < String , String > map , RequestHeader requestHeader ) {
String params = requestHeader .getNonce ( ) + requestHeader .getTimestamp ( ) + JsonUtil .object2Json ( map ) ;
return verifySign ( params , requestHeader ) ;
}
/**
* Verify signature
*/
public boolean verifySign ( String params , RequestHeader requestHeader ) {
log .debug ( "Client signature: {}" , requestHeader .getSign ( ) ) ;
if ( StringUtils .isEmpty ( params ) ) {
return false ;
}
log.info ( "Content uploaded by the client: {}" , params ) ;
String paramsSign = DigestUtils .md5DigestAsHex ( params .getBytes ( ) ) .toUpperCase ( ) ;
log.info ( "Signature result of encrypted content uploaded by the client: {}" , paramsSign ) ;
return requestHeader .getSign ( ) .equals ( paramsSign ) ;
}
} 4. HttpServletRequest wrapper class public class SignRequestWrapper extends HttpServletRequestWrapper {
// Used to save the stream
private byte [ ] requestBody = null ;
public SignRequestWrapper ( HttpServletRequest request ) throws IOException {
super ( request ) ;
requestBody = StreamUtils .copyToByteArray ( request .getInputStream ( ) ) ;
}
@Override
public ServletInputStream getInputStream ( ) throws IOException {
final ByteArrayInputStream bais = new ByteArrayInputStream ( requestBody ) ;
return new ServletInputStream ( ) {
@Override
public boolean isFinished ( ) {
return false ;
}
@Override
public boolean isReady ( ) {
return false ;
}
@Override
public void setReadListener ( ReadListener readListener ) {
}
@Override
public int read ( ) throws IOException {
return bais .read ( ) ;
}
} ;
}
@Override
public BufferedReader getReader ( ) throws IOException {
return new BufferedReader ( new InputStreamReader ( getInputStream ( ) ) ) ;
}
} We will implement anti-tampering and anti-replay through SpringBoot Filter, and the filter we write needs to read the request data stream, but the request data stream can only be read once, so we need to implement HttpServletRequestWrapper to wrap the data stream in order to save the request stream. 5. Create filters to implement security verification @Configuration
public class SignFilterConfiguration {
@Value ( "${sign.maxTime}" )
private String signMaxTime ;
// Initialization parameters in filter
private Map < String , String > initParametersMap = new HashMap <> ( ) ;
@Bean
public FilterRegistrationBean contextFilterRegistrationBean ( ) {
initParametersMap .put ( "signMaxTime" , signMaxTime ) ;
FilterRegistrationBean registration = new FilterRegistrationBean ( ) ;
registration .setFilter ( signFilter ( ) ) ;
registration .setInitParameters ( initParametersMap ) ;
registration .addUrlPatterns ( "/sign/*" ) ;
registration .setName ( "SignFilter" ) ;
// Set the order in which filters are called
registration .setOrder ( 1 ) ;
return registration ;
}
@Bean
public Filter signFilter ( ) {
return new SignFilter ( ) ;
}
} @Slf4j
public class SignFilter implements Filter {
@Resource
private RedisUtil redisUtil ;
// Get the sign expiration time from the fitler configuration
private Long signMaxTime ;
private static final String NONCE_KEY = "x-nonce-" ;
@Override
public void doFilter ( ServletRequest servletRequest , ServletResponse servletResponse , FilterChain filterChain ) throws IOException , ServletException {
HttpServletRequest httpRequest = ( HttpServletRequest ) servletRequest ;
HttpServletResponse httpResponse = ( HttpServletResponse ) servletResponse ;
log .info ( "Filter URL:{}" , httpRequest .getRequestURI ( ) ) ;
HttpServletRequestWrapper requestWrapper = new SignRequestWrapper ( httpRequest ) ;
// Build the request header
RequestHeader requestHeader = RequestHeader .builder ( )
.nonce ( httpRequest .getHeader ( "x-Nonce" ) )
.timestamp ( Long .parseLong ( httpRequest .getHeader ( "X-Time" ) ) )
.sign ( httpRequest .getHeader ( "X-Sign" ) )
.build ( ) ;
// Verify that the request header exists
if ( StringUtils .isEmpty ( requestHeader .getSign ( ) ) || ObjectUtils .isEmpty ( requestHeader .getTimestamp ( ) ) || StringUtils .isEmpty ( requestHeader .getNonce ( ) ) ) {
responseFail ( httpResponse , ReturnCode .ILLEGAL_HEADER ) ;
return ;
}
/*
* 1. Replay verification
* Determine whether the timestamp and the current time are more than 60 seconds apart (the expiration time is set according to the business situation). If so, it will prompt that the signature is expired.
*/
long now = System .currentTimeMillis ( ) / 1000 ;
if ( now - requestHeader .getTimestamp ( ) > signMaxTime ) {
responseFail ( httpResponse , ReturnCode .REPLAY_ERROR ) ;
return ;
}
// 2. Determine nonce
boolean nonceExists = redisUtil .hasKey ( NONCE_KEY + requestHeader .getNonce ( ) ) ;
if ( nonceExists ) {
// Request repeat
responseFail ( httpResponse , ReturnCode .REPLAY_ERROR ) ;
return ;
} else {
redisUtil .set ( NONCE_KEY + requestHeader .getNonce ( ) , requestHeader .getNonce ( ) , signMaxTime ) ;
}
boolean accept ;
SortedMap < String , String > paramMap ;
switch ( httpRequest .getMethod ( ) ) {
case "GET" :
paramMap = HttpDataUtil .getUrlParams ( requestWrapper ) ;
accept = SignUtil .verifySign ( paramMap , requestHeader ) ;
break ;
case "POST" :
paramMap = HttpDataUtil .getBodyParams ( requestWrapper ) ;
accept = SignUtil .verifySign ( paramMap , requestHeader ) ;
break ;
default :
accept = true ;
break ;
}
if ( accept ) {
filterChain .doFilter ( requestWrapper , servletResponse ) ;
} else {
responseFail ( httpResponse , ReturnCode .ARGUMENT_ERROR ) ;
return ;
}
}
private void responseFail ( HttpServletResponse httpResponse , ReturnCode returnCode ) {
ResultData < Object > resultData = ResultData .fail ( returnCode .getCode ( ) , returnCode .getMessage ( ) ) ;
WebUtils .writeJson ( httpResponse , resultData ) ;
}
@Override
public void init ( FilterConfig filterConfig ) throws ServletException {
String signTime = filterConfig .getInitParameter ( "signMaxTime" ) ;
signMaxTime = Long .parseLong ( signTime ) ;
}
} 6. Redis Tools @Component
public class RedisUtil {
@Resource
private RedisTemplate < String , Object > redisTemplate ;
/**
* Check if the key exists
* @param key key
* @return true if exists, false if not exists
*/
public boolean hasKey ( String key ) {
try {
return Boolean .TRUE .equals ( redisTemplate .hasKey ( key ) ) ;
} catch ( Exception e ) {
e .printStackTrace ( ) ;
return false ;
}
}
/**
* Put in normal cache and set time
* @param key key
* @param value value
* @param time time (seconds) time must be greater than 0. If time is less than or equal to 0, it will be set to indefinite
* @return true if successful, false if failed
*/
public boolean set ( String key , Object value , long time ) {
try {
if ( time > 0 ) {
redisTemplate .opsForValue ( ) .set ( key , value , time , TimeUnit .SECONDS ) ;
} else {
set ( key , value ) ;
}
return true ;
} catch ( Exception e ) {
e .printStackTrace ( ) ;
return false ;
}
}
/**
* Normal cache is put
* @param key key
* @param value value
* @return true success false failure
*/
public boolean set ( String key , Object value ) {
try {
redisTemplate .opsForValue ( ) .set ( key , value ) ;
return true ;
} catch ( Exception e ) {
e .printStackTrace ( ) ;
return false ;
}
}
}
|
