CN107204982B - Interactive data system universal safety guard system - Google Patents
- Publication number
- CN107204982B (application number CN201710443668.7A)
- Authority
- CN
- China
- Prior art keywords
- module
- data
- protection module
- protection
- interactive data
- Prior art date
- Legal status: Active
Classifications
All within H (Electricity), H04 (Electric communication technique), H04L (Transmission of digital information, e.g. telegraphic communication), H04L63/00 (Network architectures or network communication protocols for network security):
- H04L63/14, H04L63/1441, H04L63/1466: detecting or protecting against malicious traffic; countermeasures against malicious traffic; active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
- H04L63/04, H04L63/0407, H04L63/0421: providing a confidential data exchange among entities communicating through data packet networks; wherein the identity of one or more communicating identities is hidden; anonymous communication, i.e. the party's identifiers are hidden from the other party or parties, e.g. using an anonymizer
- H04L63/08, H04L63/0807: authentication of entities; using tickets, e.g. Kerberos
- H04L63/08, H04L63/0876: authentication of entities; based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L63/14, H04L63/1408, H04L63/1416: detecting or protecting against malicious traffic; by monitoring network traffic; event detection, e.g. attack signature detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Power Engineering (AREA)
- Storage Device Security (AREA)
Abstract
The present invention relates to the field of interactive data visualization applications, and in particular to a universal security protection system for interactive data systems. By providing such a system, the invention allows layout personnel (the business staff who compose applications) to connect the security system interface to an interactive data system and independently arrange an interactive data WEB application with security capabilities, without knowing the specific development techniques of the security system; they need only understand the functions, interfaces and usage that the protection system provides. For the interactive data application platform of a data visualization product, the security system uses a loosely coupled design and is decomposed into multiple standalone modules; as long as the platform can extend modules, the modules can be combined organically to produce a WEB application system with security capabilities.
Description
Technical field
The present invention relates to the field of interactive data visualization applications, and in particular to a universal security protection system for interactive data systems.
Background technique
The security of application systems receives ever more attention. Intrusion and penetration through vulnerabilities in WEB application systems have become one of the main hidden dangers of internet security, and how to keep systems secure and keep key enterprise data from harm has become a focal issue for enterprise IT departments.
The information security of a software system comprises confidentiality, integrity and availability. Confidentiality means that information flows from a higher security level to a lower one only under authorization; integrity means that information is not modified without authorization and remains consistent; availability means that the normal requests of legitimate users are served or answered in time, correctly and safely. In the traditional approach to WEB application systems, IT staff decompose the system's security requirements in advance from the business requirements and develop the security function to order, so that the security modules and the rest of the system form one custom-developed whole. The problem with this is that different WEB application systems, even when facing the same or similar security requirements, each need their own custom development, which wastes development resources.
Summary of the invention
The object of the invention is to overcome the prior-art problem that every WEB system with different security requirements needs its own custom development, and that even WEB systems with similar security requirements need a complete redesign, by providing a universal security protection system for interactive data WEB systems that can protect multiple systems.
To achieve this object, the invention provides the following technical scheme:
A universal security protection system for an interactive data system, comprising in sequence:
a data input interface, connected to the human-computer interaction input of the interactive data system;
a protection module, which performs security checks on the data received from the data input interface and passes the data that has passed the checks out through the data output interface;
a data output interface, connected to the data processing module of the interactive data system.
Further, the protection module includes at least two of: an authentication resource registration module, a CSRF attack protection module, a parameter validation module, a cross-site scripting (XSS) attack protection module, a login check module, an SQL injection protection module and an XML entity injection attack protection module; the modules perform security checks on the input data one after another in a specified order.
The authentication resource registration module authenticates the menu request data of the interactive data system and the URLs of the input;
the CSRF attack protection module performs CSRF attack protection checks on the data;
the parameter validation module validates the parameters of every URL received;
the cross-site scripting attack protection module protects the received data against cross-site scripting attacks;
the login check module checks the permissions of the logged-in user;
the SQL injection protection module prevents SQL injection attacks;
the XML entity injection attack protection module prevents XML entity injection attacks.
Further, the CSRF attack protection module verifies the token value carried in the parameters of each request; the token value is a secure random number.
The token is added to a request either by reading the current CsrfToken from the `_csrf` request attribute, or by using the csrfInput tag from the Spring Security JSP tag library.
Further, the SQL injection protection module prevents SQL injection attacks by using PreparedStatement, or by executing SQL through the NamedParameterJdbcTemplate class provided by Spring.
Further, the XML entity injection attack protection module prevents XML entity injection when parsing XML-structured parameters in http/https requests, when parsing static XML configuration files, and when parsing Excel files.
Further, the protection module includes a privacy protection module which, according to the user's settings, hides a specified parameter entirely or partially when it is displayed.
Further, the protection module includes a personalized settings module with which the user sets, for parameters in the interactive data system, whether they are required and/or their type and value range.
Further, the protection module includes a running log protection module that records a log of all operations on the interactive data system, controls access to the log, and anonymizes the sensitive data in the log.
Further, the protection module includes an operation state processing module that coordinates the operation of the other functional modules in the protection module.
Compared with the prior art, the beneficial effects of the invention are as follows. By providing a universal security protection system for interactive data systems, the invention achieves:
1. For layout personnel: they need not know the specific development techniques of the security system; they need only understand the functions, interfaces and usage that the protection system provides, and can then connect the security system interface to the interactive data system and independently arrange an interactive data WEB application with security capabilities.
2. For the interactive data application platform of a data visualization product: the security system uses a loosely coupled design decomposed into multiple standalone modules; as long as the platform can extend modules, the modules can be combined organically to produce a WEB application system with security capabilities.
3. For the project team: each module of the security system is highly reusable. Once a module is developed it applies to all WEB application systems, so no manpower is spent on custom development for each interactive data application (APP), which greatly improves development efficiency, saves development resources and shortens the development cycle.
4. For upgrading interactive data applications: each module of the security system can be released and installed independently, so an interactive data application need no longer be bundled with a security release, which greatly improves the integration capability of enterprise IT.
Detailed description of the invention:
Fig. 1 is a schematic diagram of the application of the universal security protection system for interactive data systems provided by the invention.
Fig. 2 is an example of the security handling flow of the universal security protection system for interactive data systems provided by the invention.
Fig. 3 shows the dynamic analysis and check handling of personalized security requirements in the universal security protection system for interactive data systems provided by the invention.
Fig. 4 is an embodiment of the flow by which the security protection system of the invention is loaded into a concrete application.
Specific embodiment
The invention is described in further detail below with reference to the drawings and specific embodiments. This should not be taken to limit the scope of the above subject matter to the embodiments below; every technique realised on the basis of the content of the invention falls within its scope.
As shown in Fig. 1, this embodiment provides a universal security protection system for an interactive data system, comprising in sequence:
a data input interface, connected to the human-computer interaction input of the interactive data system;
a protection module, which performs security checks on the data received from the data input interface and passes the data that has passed the checks out through the data output interface;
a data output interface, connected to the data processing module of the interactive data system.
The protection module includes an authentication resource registration module, a CSRF attack protection module, a parameter validation module, a cross-site scripting attack protection module, a login check module, an SQL injection protection module and an XML entity injection attack protection module; the aggregate of all these modules is referred to as the WEB security module, and its modules perform security checks on the input data one after another in a specified order. In this embodiment the protection module further includes a privacy protection module, a personalized settings module, a running log protection module and an operation state processing module. The user may enable all or only some of the above modules according to the specific needs of their APP; this embodiment is explained with all of them enabled.
The authentication resource registration module authenticates the menu request data of the interactive data system and the URLs of the input. In principle, every menu and interface URL request of every concrete application (APP) on the data visualization platform (the interactive data system) must pass authentication through the registered resources. Specifically, the user first configures all URLs of the APP according to its security configuration template. When the APP is compiled and packaged, the URL resource information it contains is parsed, and INSTALL and UNINSTALL SQL scripts defining the URL resources are generated dynamically and placed in the corresponding directory of the APP installation package. The registered resource information includes the interface framework, the interface navigation tree and the functions, so that fine-grained access control can be realised. When the APP is installed, the SQL scripts are written into the corresponding database tables, for example one or more of a resource definition information table, a resource-role relation table and a resource definition statement table.
The CSRF attack protection module performs CSRF attack protection checks on the data: it verifies the token value carried in the parameters of each request, and the token value is a secure random number. The token is added to a request either by reading the current CsrfToken from the `_csrf` request attribute, or by using the csrfInput tag from the Spring Security JSP tag library. With JSON requests the token can be placed in a request header. A typical approach is to embed the CSRF token in a meta tag of the page source, from which it is attached to every Ajax request.
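The token issue-and-verify cycle described above, as an added example that is not the patent's own code. The session store is a plain map keyed by a constructed session id (a servlet container would keep the token in HttpSession); the hidden field and header names `_csrf` and `X-CSRF-TOKEN` are the Spring Security defaults the csrfInput tag and its Ajax guidance use.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Added example: one secure random token per session, embedded in forms as a hidden
 * _csrf field or in a meta tag for Ajax, and verified on every state-changing request.
 */
public class CsrfGuard {
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, String> tokenBySession = new ConcurrentHashMap<>();

    /** Return the session's token, creating it on first use: 32 random bytes, URL-safe base64. */
    public String tokenFor(String sessionId) {
        return tokenBySession.computeIfAbsent(sessionId, id -> {
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        });
    }

    /** Hidden form field carrying the token, equivalent to what the csrfInput JSP tag renders. */
    public String hiddenInput(String sessionId) {
        return "<input type=\"hidden\" name=\"_csrf\" value=\"" + tokenFor(sessionId) + "\"/>";
    }

    /** Meta tag in the page source, from which Ajax code copies the token into the X-CSRF-TOKEN header. */
    public String metaTag(String sessionId) {
        return "<meta name=\"_csrf\" content=\"" + tokenFor(sessionId) + "\"/>";
    }

    /**
     * Verify a request. Safe methods carry no token; otherwise the token may arrive as the
     * _csrf parameter (forms) or the X-CSRF-TOKEN header (JSON/Ajax).
     */
    public boolean verify(String sessionId, String method, String paramToken, String headerToken) {
        switch (method) {
            case "GET": case "HEAD": case "OPTIONS": case "TRACE":
                return true;
            default:
                break;
        }
        String expected = tokenBySession.get(sessionId);
        String presented = paramToken != null ? paramToken : headerToken;
        if (expected == null || presented == null) return false;
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = presented.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b); // constant-time comparison, no early exit on mismatch
    }

    public static void main(String[] args) {
        CsrfGuard guard = new CsrfGuard();
        String sid = "sess-7f3a"; // constructed session id
        String token = guard.tokenFor(sid);
        System.out.println(guard.hiddenInput(sid));
        System.out.println(guard.metaTag(sid));
        System.out.println("form post with token:     " + guard.verify(sid, "POST", token, null));
        System.out.println("ajax post with header:    " + guard.verify(sid, "POST", null, token));
        System.out.println("post without token:       " + guard.verify(sid, "POST", null, null));
        System.out.println("token from other session: " + guard.verify("sess-0000", "POST", token, null));
        System.out.println("plain GET:                " + guard.verify(sid, "GET", null, null));
    }
}
```

The token is bound to the session rather than to the page, so the same value serves every form and Ajax call in that session; a request presenting a token minted for a different session, or none at all, is rejected before the business logic runs.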
The parameter validation module validates the parameters of every URL received. When a concrete application that includes the security system is compiled and packaged into an APP, the file validate-common-config.xml is copied into the validate directory under the APP's WEB-INF (the validate directory is created if it does not exist). Parameter validation is the most important line of defence in WEB security: strict parameter validation can prevent common SQL injection, OS command injection, directory traversal, cross-site scripting and the like. Parameter validation rule files are named validate-rule_xxx.xml, that is, any xml file whose name begins with validate-rule, and are likewise placed in the validate directory under the APP's WEB-INF. The validate-rule_xxx.xml file copied at packaging time defines the fixed parameter validation rules of the APP; dynamic parameter validation is realised by another scheme described below. Note that once this configuration file is included, the parameters of all URLs received by the APP are validated.
The cross-site scripting attack protection module protects received data against cross-site scripting attacks. It encapsulates a tool component against XSS attacks that implements the common escaping methods; there are three escaping types: HTML escaping, HTML attribute escaping and JavaScript escaping.
The login check module checks the permissions of the logged-in user. After an APP is installed, the system administrator can log in to the interactive data system and, based on the URL resource definitions registered with it at installation, authorise other roles for the APP; once a role with access to the APP logs in successfully it can use the functions within its scope of permissions. Login and security control of the interactive data system are provided uniformly by its security module, whose login service implements functions such as brute-force protection for login authentication, authentication management, login password protection and session management. The platform's authorised-user interface offers two modes, single sign-on and single-system secure login. The security system also configures, per user role, the function pages of the resources that role may access; after a user at system-administrator level logs in, permissions for those functional modules can be assigned to lower-level user roles. Specifically, at login the system verifies whether the user exists in the system; a non-existent user is told that the identity is invalid and stays on the login page. For a valid user the password is verified and, if it is correct, a single-sign-on credential is generated for the user. The permission filter component determines the identity of the logged-in user and finally presents the resources that user may access. After login, the requests initiated by every operation in the system are verified, as the case requires, by the security components of the WEB security framework.
The SQL injection protection module prevents SQL injection attacks by using PreparedStatement, or by executing SQL through the NamedParameterJdbcTemplate class provided by Spring.
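The difference PreparedStatement makes, as an added example that is not the patent's module: the same lookup written once with string concatenation and once with a bound parameter, run against an in-memory H2 database. The H2 driver on the classpath and the table contents are assumptions of the example; any JDBC driver would behave the same way.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Added example: a concatenated query beside its PreparedStatement form.
 * Assumes the H2 driver (h2 jar) is on the classpath; the database lives in memory only.
 */
public class SqlInjectionDemo {

    /** Vulnerable: the value becomes part of the SQL text, so quotes in it rewrite the query. */
    static int countVulnerable(Connection c, String user) throws SQLException {
        String sql = "SELECT COUNT(*) FROM accounts WHERE name = '" + user + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    /** Hardened: the statement structure is fixed first, the value is bound afterwards as data. */
    static int countPrepared(Connection c, String user) throws SQLException {
        String sql = "SELECT COUNT(*) FROM accounts WHERE name = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, user);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = c.createStatement()) {
                // Constructed table and rows.
                st.execute("CREATE TABLE accounts(id INT PRIMARY KEY, name VARCHAR(64))");
                st.execute("INSERT INTO accounts VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");
            }
            String injected = "nobody' OR '1'='1"; // classic tautology payload typed into a name field
            System.out.println("vulnerable count for payload: " + countVulnerable(c, injected));
            System.out.println("prepared count for payload:   " + countPrepared(c, injected));
            System.out.println("prepared count for alice:     " + countPrepared(c, "alice"));
        }
    }
}
```

Run with the H2 jar on the classpath (for example `java -cp h2.jar:. SqlInjectionDemo`). The concatenated query matches all three rows because the payload turns the WHERE clause into a tautology; the prepared query matches none, since it looks for a user literally named `nobody' OR '1'='1`. NamedParameterJdbcTemplate gives the same guarantee with `:name` placeholders in place of `?`.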
The XML entity injection attack protection module prevents XML entity injection when parsing XML-structured parameters in http/https requests, when parsing static XML configuration files, and when parsing Excel files.
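One way to harden the parser the module relies on, as an added example rather than the patent's implementation: a DocumentBuilderFactory with DOCTYPE declarations refused and external entity resolution switched off, applied to a constructed request body carrying an external-entity payload and to a benign one. Only the JDK's built-in parser is used; the feature names are those the JDK's Xerces understands.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;

/**
 * Added example: a DocumentBuilderFactory configured so that external entities cannot be
 * declared or resolved, for XML carried in request parameters or read from config files.
 */
public class SafeXml {

    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Strongest setting: refuse any DOCTYPE, so no entity can be declared at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a DTD ever has to be allowed: no external entities, no DTD fetch.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parse untrusted XML; returns null when the parser rejects the document. */
    public static Document parse(String xml)
            throws ParserConfigurationException, IOException, SAXException {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        try {
            return builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        } catch (SAXParseException e) {
            System.err.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed request body carrying a classic external-entity payload.
        String attack = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE query [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>\n"
                + "<query><name>&xxe;</name></query>";
        String benign = "<query><name>alice</name></query>";
        Document a = parse(attack);
        System.out.println("attack accepted: " + (a != null));
        Document b = parse(benign);
        System.out.println("benign accepted: " + (b != null) + ", root element: " + b.getDocumentElement().getTagName());
    }
}
```

The same factory settings apply whether the source is a request parameter or a static configuration file; for Excel, the point is that whichever library unpacks the workbook's XML parts must be configured the same way rather than left at its defaults.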
The privacy protection module, according to the user's settings, hides a specified parameter entirely or partially when it is displayed. By default, when the interactive data system creates a role, the user identifier (personal data identifier) is to be masked; if the role masks user identifiers, the personal data seen by users under that role after logging in to the platform is masked (anonymized). The privacy protection module covers both privacy protection of personal data and anonymization of personal data in logs. For personal data: common parameters involving the user's private personal data must be anonymized when they are presented in the APP interface. For example, for the MSISDN (telephone number) 18912345678, if the last 4 digits are masked the interface shows 18912345**** after anonymization. Data to be anonymized must be processed by calling the platform's tool component. When the APP is laid out, the data that need anonymization are configured; when the APP runs, the anonymization configuration is parsed dynamically and the privacy protection module is called to perform the anonymization. Anonymization of personal data in the operation log differs from that in the WEB interface: the switch for anonymizing personal data in the operation log is in the configuration interface Settings -> Security management -> Personal data anonymization.
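The masking rules described above, as an added example that is not the platform's tool component: full hiding, tail hiding with the page's own 18912345678 to 18912345**** case, the role-driven choice at display time, and a scrubber for operation-log lines. The MSISDN pattern and the log line are constructed; Java 11 or later is assumed for String.repeat.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example: the two masking modes of the privacy module, the role-driven choice made
 * when a page is rendered, and a log-line scrubber for the operation log.
 */
public final class Anonymizer {
    private Anonymizer() {}

    /** Hide the whole value, keeping only its length. */
    public static String hideAll(String value) {
        return "*".repeat(value.length());
    }

    /** Keep the prefix and mask the last tailLen characters: 18912345678 with tailLen 4 becomes 18912345****. */
    public static String hideTail(String value, int tailLen) {
        int n = Math.min(Math.max(tailLen, 0), value.length());
        return value.substring(0, value.length() - n) + "*".repeat(n);
    }

    /** Display-time rule: a role flagged as masking identifiers never sees the raw value. */
    public static String display(String value, boolean roleMasksIdentifiers, int tailLen) {
        if (!roleMasksIdentifiers) return value;
        return tailLen <= 0 ? hideAll(value) : hideTail(value, tailLen);
    }

    // Constructed pattern: an 11-digit mobile number starting with 1, not embedded in a longer digit run.
    private static final Pattern MSISDN = Pattern.compile("(?<!\\d)1\\d{10}(?!\\d)");

    /** Scrub every MSISDN in a log line before it is written, masking the last four digits. */
    public static String scrubLogLine(String line) {
        Matcher m = MSISDN.matcher(line);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            m.appendReplacement(out, hideTail(m.group(), 4));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        String msisdn = "18912345678"; // the page's own example number
        System.out.println(hideTail(msisdn, 4));
        System.out.println(display(msisdn, true, 0));
        System.out.println(display(msisdn, false, 4));
        // Constructed operation-log line of the kind the running log module would write.
        String logLine = "2017-06-13 10:00:01 user=ops1 action=export msisdn=18912345678 cc=13800138000";
        System.out.println(scrubLogLine(logLine));
    }
}
```

Masking in the log path is pattern-driven because a log line is free text, whereas the display path knows which field it is rendering and can apply the rule configured for that field at layout time.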
The protection module includes a personalized settings module with which the user sets, for parameters in the interactive data system, whether they are required and/or their type and value range. Specifically, when the UI designer of the data visualization platform lays out a page, parameter validation rules can be configured according to the personalized security requirements of the APP. For example, for a control on the APP page (such as a text box) the layout personnel can select, from a list of options, common check rules such as required, valid ID card number, IP address, email, length limit or value range. Beyond the built-in options, the layout personnel can write a custom regular expression to meet business needs. A control can be given several validation rules, for instance a parameter that is both required and must lie within a specified range. The configured security rules are stored together with the page source file when the page is saved; when the APP is compiled and released, the security rule information set in the source files is separated out and serves as the basis for parameter validation at APP runtime.
The protection module includes a running log protection module that records a log of all operations on the interactive data system and controls access to the log; the specific operations are shown in Table 1.
Table 1
The protection module includes an operation state processing module that coordinates the operation of the other functional modules in the protection module.
The security system provided by the invention is integrated with a concrete APP by configuring the modules it introduces, as shown in Fig. 4. Configuration through web.xml: when the APP is compiled and packaged, this file is copied unmodified directly into the WEB-INF directory of the APP. The security-related configuration in web.xml comprises: single sign-on/sign-out, the custom log component of the data visualization platform, the secure request prefix verification component, the component handling the session correspondence between modules, the component judging whether the application's URL is registered, and the request interception component. Single sign-on/sign-out is completed by the CAS single sign-out filter; every request in the system passes through this filter, which mainly checks whether the session of the currently logged-in user is still valid and, if not, revokes the login credential and redirects to the login page. The custom log component of the data visualization platform records logs and compresses and backs up log files according to configured thresholds such as file size and generation duration. The secure request prefix verification component is a request prefix check filter: requests that call system interfaces must have the identity credential of the requesting user verified. The component handling the session correspondence between modules checks from which page a request was linked; every request in the system passes through this filter, which checks whether the request was initiated from a link on a trusted page. The component judging whether the application's URL is registered is a verification filter for URLs configured in the system; every request passes through this filter, which checks whether the requested URL is an authenticated resource in the system (the APP's URLs are registered in the system when the APP is installed): authenticated resources are let through, anything else is terminated.
Introduction of the spring-security.xml configuration file: at compile and packaging time this file is copied into the conf directory under the APP's WEB-INF. Its main configuration comprises: the security tool component; registration and configuration of the anti-CSRF component, the anti-DoS component, the parameter validation component, the Cookie filter, the request header verification component, the file upload check component, the user authentication entry point, the system access URL resource check component, the system external interface check component, the integrated SSO CAS component, and so on. These registered and configured components perform the security filtering while the APP runs. For example, when a user uploads a file, the upload check component validates it according to the personalized security configuration set at APP layout (such as the permitted file types and file size); if the check passes, the subsequent business logic continues; if it fails, the request is terminated and the user is notified.
Parameter validation component: it first checks whether the request URL is on the white list; if so, no parameter validation is done; otherwise the parameter validation configuration for the URL is looked up and each parameter is validated, and if validation fails the request is terminated. The white list and the parameter validation configuration reside in the configuration files WEB-INF/validate/validate-common-config.xml and WEB-INF/validate/validate-rule-app.xml respectively, which are loaded by the Spring framework. Parameter validation rules are configured as regular expressions; at validation time the parameter value is matched against the regular expression, and it passes only if it matches.
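The validation component's decision procedure, together with the rule kinds the personalized settings module lets layout personnel pick (required, ID card number, IP address, email, length limit, value range, custom regular expression), as one added example that is not the patent's component. Rules are held in memory here because the schema of validate-rule_xxx.xml is not given on the page; the URLs, rules and requests are constructed, and Java 11 or later is assumed for String.repeat.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/** Added example: URL-keyed parameter rules with a URL white list, failing closed on anything undeclared. */
public class ParamValidator {

    /** One rule per parameter: required flag, regular expression, length bounds and numeric range. */
    public static final class Rule {
        final boolean required;
        final Pattern regex;
        final int minLen, maxLen;
        final Long min, max;

        Rule(boolean required, String regex, int minLen, int maxLen, Long min, Long max) {
            this.required = required;
            this.regex = regex == null ? null : Pattern.compile(regex);
            this.minLen = minLen;
            this.maxLen = maxLen;
            this.min = min;
            this.max = max;
        }
        static Rule regex(boolean required, String re) { return new Rule(required, re, 0, Integer.MAX_VALUE, null, null); }
        static Rule length(boolean required, int lo, int hi) { return new Rule(required, null, lo, hi, null, null); }
        static Rule range(boolean required, long lo, long hi) { return new Rule(required, "-?\\d{1,18}", 0, 20, lo, hi); }
    }

    private final Set<String> whitelist = new HashSet<>();
    private final Map<String, Map<String, Rule>> rulesByUrl = new HashMap<>();

    public void whitelist(String url) { whitelist.add(url); }

    public void rule(String url, String param, Rule r) {
        rulesByUrl.computeIfAbsent(url, k -> new LinkedHashMap<>()).put(param, r);
    }

    /** Returns the violations found; an empty list means the request passes. */
    public List<String> validate(String url, Map<String, String> params) {
        List<String> errors = new ArrayList<>();
        if (whitelist.contains(url)) return errors;             // white-listed URL: no parameter checks
        Map<String, Rule> rules = rulesByUrl.get(url);
        if (rules == null) {                                      // unknown URL: fail closed
            errors.add("no validation rules registered for " + url);
            return errors;
        }
        for (Map.Entry<String, Rule> e : rules.entrySet()) {
            String name = e.getKey();
            Rule r = e.getValue();
            String v = params.get(name);
            if (v == null || v.isEmpty()) {
                if (r.required) errors.add(name + ": required");
                continue;
            }
            if (v.length() < r.minLen || v.length() > r.maxLen) { errors.add(name + ": length out of range"); continue; }
            if (r.regex != null && !r.regex.matcher(v).matches()) { errors.add(name + ": does not match " + r.regex.pattern()); continue; }
            if (r.min != null) {                                  // regex already guaranteed a parseable integer
                long n = Long.parseLong(v);
                if (n < r.min || n > r.max) errors.add(name + ": value " + n + " outside [" + r.min + ", " + r.max + "]");
            }
        }
        for (String p : params.keySet()) {                        // undeclared parameters are not trusted either
            if (!rules.containsKey(p)) errors.add(p + ": unexpected parameter");
        }
        return errors;
    }

    public static void main(String[] args) {
        ParamValidator pv = new ParamValidator();
        pv.whitelist("/app/static/health");                      // constructed white-listed URL
        String url = "/app/user/query";                          // constructed APP URL
        pv.rule(url, "idCard", Rule.regex(true, "\\d{17}[\\dXx]"));
        pv.rule(url, "email", Rule.regex(false, "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}"));
        pv.rule(url, "ip", Rule.regex(false, "((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.){3}(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)"));
        pv.rule(url, "page", Rule.range(true, 1, 1000));
        pv.rule(url, "name", Rule.length(false, 1, 32));

        Map<String, String> good = new HashMap<>();              // constructed well-formed request
        good.put("idCard", "11010119900307123X");
        good.put("ip", "10.1.2.3");
        good.put("page", "7");
        System.out.println("good:   " + pv.validate(url, good));

        Map<String, String> bad = new HashMap<>();               // constructed hostile request
        bad.put("email", "bob@");
        bad.put("page", "1 OR 1=1");
        bad.put("name", "<script>alert(1)</script>" + "x".repeat(20));
        bad.put("debug", "true");
        System.out.println("bad:    " + pv.validate(url, bad));
        System.out.println("health: " + pv.validate("/app/static/health", bad));
    }
}
```

Every rule is a whole-string match (`matches()`, not `find()`), so a value that merely contains a valid fragment is rejected; and a URL with no rules is refused rather than waved through, which is the behaviour the page attributes to the component once its configuration file is present.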
Anti-CSRF component: for every request in the system it first checks whether the current request URL exists in the authenticated URL resource library; if it does, the request is let through. If it does not, it checks whether the current request URL is on the system's anti-CSRF white list: white-listed requests are let through, all others are terminated.
The anti-CSRF white list is configured in the configuration file WEB-INF/conf/spring-security.xml, which is loaded by the Spring framework.
Anti-DoS component: for every request in the system it checks whether the number of requests initiated within the time period exceeds the attack count threshold; below the threshold requests continue to be let through, above it every request is terminated until the access frequency returns to normal, so as to prevent malicious attacks.
The time period and the attack count threshold are configured in the configuration file WEB-INF/conf/spring-security.xml (the file name and path are only examples; the function can be realised with any specified path and file name, so this example does not represent any restriction), which is loaded by the Spring framework.
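The counting logic behind that component, as an added example that is not the patent's implementation: a sliding-window counter per client key that terminates requests once the count inside the window passes the threshold and lets them through again once old hits age out. The window length, threshold and client addresses are constructed values standing in for what the page says is configured in spring-security.xml.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;

/** Added example: per-client sliding-window request limiter. */
public class RequestRateLimiter {
    private final long windowMillis;
    private final int maxRequests;
    private final Map<String, Deque<Long>> hitsByClient = new HashMap<>();

    public RequestRateLimiter(long windowMillis, int maxRequests) {
        this.windowMillis = windowMillis;
        this.maxRequests = maxRequests;
    }

    /**
     * Decide whether a request may proceed. The timestamp is passed in rather than read from
     * the clock so that the behaviour can be reproduced exactly.
     */
    public synchronized boolean allow(String clientKey, long nowMillis) {
        Deque<Long> hits = hitsByClient.computeIfAbsent(clientKey, k -> new ArrayDeque<>());
        // Drop hits that have fallen out of the window.
        while (!hits.isEmpty() && nowMillis - hits.peekFirst() >= windowMillis) {
            hits.pollFirst();
        }
        if (hits.size() >= maxRequests) {
            return false; // over the threshold: the request is terminated and not counted
        }
        hits.addLast(nowMillis);
        return true;
    }

    public static void main(String[] args) {
        RequestRateLimiter limiter = new RequestRateLimiter(1_000, 5); // 5 requests per second per client
        String attacker = "10.0.0.7"; // constructed client addresses
        String other = "10.0.0.8";
        for (int i = 1; i <= 7; i++) {
            System.out.println("t=0ms    request " + i + " from " + attacker + " allowed=" + limiter.allow(attacker, 0));
        }
        System.out.println("t=500ms  request from " + attacker + " allowed=" + limiter.allow(attacker, 500));
        System.out.println("t=500ms  request from " + other + " allowed=" + limiter.allow(other, 500));
        System.out.println("t=1000ms request from " + attacker + " allowed=" + limiter.allow(attacker, 1_000));
    }
}
```

Rejected requests are deliberately not counted, so a client recovers as soon as its earlier burst ages out of the window, which matches the page's "until the access frequency returns to normal"; counting rejections instead would keep a client that keeps flooding locked out for as long as it floods, a stricter choice that is equally easy to make here.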
Cookie security handling component: the system checks whether the current request is on the Cookie security white list; if so, nothing is done. Otherwise the response Cookie is set as a secure Cookie, with the secure and HttpOnly attributes set to true. With secure true the Cookie is transmitted to the server only in a secure form, that is, the browser sends it to the server for session verification only over an HTTPS connection and not over a plain HTTP connection, so the Cookie content cannot be read in transit. With HttpOnly true, programs (JS scripts, applets and the like) cannot read the cookie, so a cross-site scripting attack cannot steal the session cookie.
Permission filter component: a correspondence between all resources and permissions is established, that is, which roles may access each resource is defined. When a user logs in to the system, the roles the current user holds are determined, and whether they carry enough permission to access particular resources; finally the resources the user may access are presented. After the user enters the system, every request initiated also passes through this component, which decides whether the current user has initiated a request beyond their permissions.
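The registered-URL check and the permission filter working on the same resource table, as an added example that is not the patent's component. The registration data stands in for the INSTALL SQL script an APP package would carry and is constructed inline, as are the users and roles; Java 9 or later is assumed for List.of.

```java
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Deque;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

/** Added example: resource registry plus role check, in the order the filter chain applies them. */
public class PermissionFilter {
    public enum Decision { UNREGISTERED, FORBIDDEN, ALLOWED }

    private final Map<String, Set<String>> rolesByResource = new TreeMap<>(); // resource URL -> roles bound to it
    private final Map<String, Set<String>> rolesByUser = new HashMap<>();

    /** Install-time registration of a resource URL and the roles authorised for it. */
    public void registerResource(String url, String... roles) {
        rolesByResource.computeIfAbsent(normalise(url), k -> new HashSet<>()).addAll(List.of(roles));
    }

    public void grant(String user, String role) {
        rolesByUser.computeIfAbsent(user, k -> new HashSet<>()).add(role);
    }

    /** Strip the query string and resolve "." and ".." so a request cannot dodge its registered form. */
    static String normalise(String url) {
        String path = url;
        int q = path.indexOf('?');
        if (q >= 0) path = path.substring(0, q);
        Deque<String> parts = new ArrayDeque<>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) { parts.pollLast(); continue; }
            parts.addLast(seg);
        }
        return "/" + String.join("/", parts);
    }

    /** Registered-resource check first, then the role check. */
    public Decision check(String user, String url) {
        Set<String> allowed = rolesByResource.get(normalise(url));
        if (allowed == null) return Decision.UNREGISTERED;       // not an authenticated resource: terminate
        Set<String> held = rolesByUser.getOrDefault(user, Collections.emptySet());
        for (String role : held) {
            if (allowed.contains(role)) return Decision.ALLOWED;
        }
        return Decision.FORBIDDEN;                                // registered, but beyond this user's permissions
    }

    /** What the login step presents: only the resources the user's roles can reach. */
    public List<String> visibleResources(String user) {
        List<String> visible = new ArrayList<>();
        for (String url : rolesByResource.keySet()) {
            if (check(user, url) == Decision.ALLOWED) visible.add(url);
        }
        return visible;
    }

    public static void main(String[] args) {
        PermissionFilter pf = new PermissionFilter();
        // Constructed registration data: what the APP's INSTALL script would insert.
        pf.registerResource("/app/sales/report", "ANALYST", "ADMIN");
        pf.registerResource("/app/sales/export", "ADMIN");
        pf.registerResource("/app/admin/users", "ADMIN");
        pf.grant("alice", "ANALYST");
        pf.grant("root", "ADMIN");

        System.out.println("alice sees: " + pf.visibleResources("alice"));
        System.out.println("root sees:  " + pf.visibleResources("root"));
        System.out.println(pf.check("alice", "/app/sales/report?region=east"));
        System.out.println(pf.check("alice", "/app/admin/users"));
        System.out.println(pf.check("alice", "/app/admin/../sales/report"));
        System.out.println(pf.check("alice", "/app/debug/console"));
        System.out.println(pf.check("mallory", "/app/sales/report"));
    }
}
```

The two outcomes are kept distinct on purpose: an unregistered URL is terminated before any user context is consulted, as the web.xml filter does, while a registered URL the user's roles do not cover is a permission failure the filter reports against the user. Percent-encoded path segments should be decoded before normalisation if the container does not already do so.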
In concrete operation, as shown in Fig. 2, the user of the APP enters a request on the APP page (the human-computer interaction input of the interactive data system); the APP page sends the request to the protection module through the data input interface, and the modules in the protection module perform security checks on the request data one after another in the specified order. Fig. 2 gives examples of the checks the modules perform, such as whether the URL is authorised, whether the request carries an attack method, parameter checks, and so on. After all checks are complete, the result and the data that passed are returned through the data output interface to the concrete execution engine of the APP (the data processing module of the interactive data system), and the engine feeds the response back to the page. In some cases the response must itself be handled for cross-site scripting; the page then sends the data to be tested for cross-site scripting to the protection module through the data input interface, and displays it only after it passes the check. If any one check in the protection module's sequence fails, the request or data is not passed to the concrete execution engine of the APP (the data processing module of the interactive data system), so that the APP's core processing modules are protected from attack.
In another specific example, after a user operation initiates a request, it is handled in the following steps:
(1) the request enters the CAS single sign-out filter; if it is a log-off request, the login credential is cancelled and the user is redirected to the login page;
(2) it enters the request-prefix check filter; if it is a call to a system interface, the user identity credential carried by the request is checked for validity;
(3) it enters the filter that verifies which page link the request came from, ensuring the request was initiated from a trusted page link;
(4) it enters the filter that verifies whether the URL has been configured in the system, ensuring the request targets a legitimate resource;
(5) it enters the parameter verification component, which guarantees that the request parameters are valid;
(6) it enters the anti-CSRF attack component;
(7) it enters the anti-DOC attack component (the source text reads "DOC"; presumably anti-DoS, denial of service);
(8) it enters the permission filter component;
(9) if personalisation/privacy-protection security capabilities are configured for the layout, it enters the personalisation/privacy-protection security component;
(10) the actual business processing takes place (for example a data query or an API interface call); during this processing the log component is called to record the operation log and the running log;
(11) after business processing has finished, the response enters the Cookie security handler component;
(12) finally the user's request is answered.
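The following is an added example, not code from the patent or the system it describes, showing the property that both Fig. 2 and the twelve-step process depend on: checks run in a fixed order and the first failure ends the request before it reaches the business engine. It implements the URL-configured, trusted-origin, parameter, anti-CSRF and permission stages as simple checks (the CSRF token is a 256-bit SecureRandom value compared in constant time, as claim 2's "secure random number" suggests); the other stages of the list follow the same `Check` shape. Request fields, URLs, roles and the three sample requests are constructed for illustration, and in a real deployment each stage would be a servlet `Filter`. Requires Java 16 or later for records.

```java
// Added example: ordered, fail-closed protection chain. Names and sample data are illustrative.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;

public class ProtectionChain {

    /** The parts of an HTTP request the chain inspects. */
    record Request(String method, String url, String referer,
                   Map<String, String> params, Map<String, String> session) {}

    /** Outcome: which stage decided, and what the engine produced when every check passed. */
    record Result(boolean passed, String stage, String detail) {}

    /** One check: returns null when the request passes, otherwise the reason it was rejected. */
    interface Check { String inspect(Request r); }

    private final List<String> names = new ArrayList<>();
    private final List<Check> checks = new ArrayList<>();

    ProtectionChain add(String name, Check c) { names.add(name); checks.add(c); return this; }

    /** Runs the checks in the configured order. The first failure returns immediately, so a
     *  request that fails any detection is never handed to the business engine. */
    Result handle(Request r, Function<Request, String> businessEngine) {
        for (int i = 0; i < checks.size(); i++) {
            String reason = checks.get(i).inspect(r);
            if (reason != null) return new Result(false, names.get(i), reason);
        }
        return new Result(true, "business", businessEngine.apply(r));
    }

    // Stage data, constructed for the example.
    static final Set<String> REGISTERED_URLS = Set.of("/api/query", "/logout");
    static final Set<String> TRUSTED_ORIGINS = Set.of("https://app.example.com");
    static final Map<String, Set<String>> URL_ROLES =
            Map.of("/api/query", Set.of("clerk", "admin"), "/logout", Set.of("clerk", "admin"));

    /** CSRF token: 256 random bits, kept in the session and echoed by the page in a parameter. */
    static String newCsrfToken(SecureRandom rng) {
        byte[] b = new byte[32];
        rng.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    /** Constant-time comparison so the token cannot be recovered byte by byte from timing. */
    static boolean tokenMatches(String expected, String presented) {
        if (expected == null || presented == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }

    static ProtectionChain standardChain() {
        return new ProtectionChain()
            .add("url-configured", r -> REGISTERED_URLS.contains(r.url()) ? null : "URL not configured")
            .add("referer", r -> r.referer() != null && TRUSTED_ORIGINS.stream()
                    .anyMatch(o -> r.referer().startsWith(o + "/")) ? null : "untrusted Referer")
            .add("parameters", r -> r.params().getOrDefault("id", "").matches("[0-9]{1,9}")
                    ? null : "id is not a numeric id")
            .add("anti-csrf", r -> "GET".equals(r.method())
                    || tokenMatches(r.session().get("csrf"), r.params().get("_csrf"))
                    ? null : "CSRF token missing or wrong")
            .add("permission", r -> URL_ROLES.getOrDefault(r.url(), Set.of())
                    .contains(r.session().get("role")) ? null : "role may not call this URL");
    }

    public static void main(String[] args) {
        String token = newCsrfToken(new SecureRandom());
        Map<String, String> session = Map.of("role", "clerk", "csrf", token);
        Function<Request, String> engine = r -> "record " + r.params().get("id");

        // Constructed requests: a legitimate one, a forged token, and an injection attempt.
        Request good = new Request("POST", "/api/query", "https://app.example.com/form",
                Map.of("id", "42", "_csrf", token), session);
        Request forged = new Request("POST", "/api/query", "https://app.example.com/form",
                Map.of("id", "42", "_csrf", "guess"), session);
        Request injected = new Request("POST", "/api/query", "https://app.example.com/form",
                Map.of("id", "42 OR 1=1", "_csrf", token), session);

        ProtectionChain chain = standardChain();
        for (Request r : List.of(good, forged, injected)) {
            Result res = chain.handle(r, engine);
            System.out.println((res.passed() ? "PASS " : "BLOCK") + " at " + res.stage() + ": " + res.detail());
        }
    }
}
```

Two details matter in practice. The Referer check compares against `origin + "/"` so that `https://app.example.com.evil.example/` is not accepted as a prefix match, and browsers may legitimately omit the header, so a deployment that relies on it needs a policy for the missing case. The injection attempt is stopped at the parameter stage even though its CSRF token is valid, which is the point of running the stages in a fixed order: a request has to satisfy every stage, not just the one aimed at the attack it happens to carry.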
Fig. 3 gives the dynamic analysis and verification process for personalised security requirements. A user of the APP issues a request to the page; the security module receives the information sent by the page and performs a security check on it. If the check passes, the APP execution engine looks up the association between the request and the security configuration information, and the corresponding security configuration information is sent to the storage medium. The APP execution engine then parses the type of security handling to apply and dynamically executes the security check; after verification, the UI runtime is called to execute the business logic, and the response result is returned and shown on the page.
Claims (6)
1. An interactive data system universal safety guard system, characterised in that it comprises, in sequence:
a data input interface, connected to the human-computer interaction input of the interactive data system;
a protection module, which carries out safety detection on the data entered through the data input interface and outputs the data that has passed safety detection through the data output interface;
a data output interface, connected to the data processing module of the interactive data system;
the protection module includes at least two of: an authentication resource registration module, a CSRF attack protection module, a parameter verification module, a cross-site scripting attack protection module, a login check module, an SQL injection protection module and an XML entity injection attack protection module;
the modules carry out safety detection on the input data one after another in a specified order;
the authentication resource registration module is used to authenticate the menu request data of the interactive data system and the URL entered;
the CSRF attack protection module is used to perform CSRF attack protection detection on the data;
the parameter verification module is used to verify the parameters of all URLs received;
the cross-site scripting attack protection module is used to apply cross-site scripting attack protection to the received data;
the login check module is used to check the permissions of the logged-in user;
the SQL injection protection module is used to prevent SQL injection attacks;
the XML entity injection attack protection module is used to prevent XML entity injection attacks;
the protection module includes a personal settings module, which is used by the user to set, for parameters in the interactive data system, the parameter type, whether a parameter is required and/or its value range;
the protection module includes an operating-state processing module, which is used to coordinate the operation of the other functional modules in the protection module.
2. The security protection system of claim 1, characterised in that the CSRF attack protection module verifies the token value carried in the parameters of each request; the token value is a secure random number;
the token value is added to a request by obtaining the current CsrfToken through the csrf request attribute, or by using the csrfInput tag in the Spring Security JSP tag library.
3. The security protection system of claim 1, characterised in that the SQL injection protection module uses PreparedStatement to guard against SQL injection attacks, or executes SQL through the NamedParameterJdbcTemplate class provided by Spring to prevent SQL injection attacks.
4. The security protection system of claim 1, characterised in that the XML entity injection attack protection module prevents XML entity injection when parsing XML-structured parameters in http/https requests, when parsing static XML configuration files, or when parsing Excel.
5. The security protection system of claim 1, characterised in that the protection module includes a privacy protection module, which, according to the user's settings, displays specified parameters either entirely hidden or partially hidden.
6. The security protection system of claim 1, characterised in that the protection module includes a running-log protection module, which logs all operations on the interactive data system and controls access to the logs, while anonymising sensitive data in the logs.
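The following is an added example for claim 4, not code from the patent or the system it describes. It shows how a parser for the XML-structured request parameters the claim mentions is hardened against XML entity injection with the JDK's own `javax.xml.parsers` API: the `disallow-doctype-decl` feature rejects any document with a DOCTYPE, which is where external entities, parameter entities and entity-expansion bombs are declared, and the remaining settings are defence in depth for parsers that do not honour that feature. The three input documents are constructed for the demonstration. Requires Java 16 or later for records.

```java
// Added example: XXE-hardened DocumentBuilder. Sample documents are constructed inputs.
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;

public class XxeSafeXmlParser {

    /** Builder that refuses any DOCTYPE, which rules out external entities, parameter entities
     *  and entity-expansion bombs in one step; the remaining settings are defence in depth. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");      // no external DTD fetches
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");   // no external schema fetches
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Result for one request parameter: the root element name, or why it was rejected. */
    record Outcome(boolean accepted, String detail) {}

    static Outcome parseRequestXml(String xml) {
        try {
            Document doc = hardenedBuilder()
                    .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return new Outcome(true, "root <" + doc.getDocumentElement().getTagName() + ">");
        } catch (Exception e) {      // SAXParseException on a DOCTYPE, IOException, config errors
            return new Outcome(false, e.getMessage());
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: a benign request parameter, a classic XXE payload, and an entity bomb.
        String benign = "<query><id>42</id></query>";
        String xxe = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE q [<!ENTITY ext SYSTEM \"file:///etc/hostname\">]>"
                + "<query><id>&ext;</id></query>";
        String bomb = "<!DOCTYPE q [<!ENTITY a \"aaaaaaaaaa\">"
                + "<!ENTITY b \"&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;\">]><query>&b;&b;&b;</query>";
        for (String doc : new String[] { benign, xxe, bomb }) {
            Outcome o = parseRequestXml(doc);
            System.out.println((o.accepted() ? "ACCEPT " : "REJECT ") + o.detail());
        }
    }
}
```

The same factory settings apply to the other two parsing paths in claim 4, static configuration files and Excel, because the Office XML parts inside an .xlsx file are parsed with the same XML machinery; whichever library reads them must be configured the same way or it becomes the unprotected path.

The next block is an added example for claims 5 and 6, again not code from the patent: a per-parameter privacy rule table of the kind the personal settings and privacy protection modules would hold, applied once to values shown on the page (claim 5) and once to log lines (claim 6). For the log path the rules are supplemented with pattern matching, since a sensitive value can appear inside free text where no parameter name is attached to it. The rule shapes, field names, regular expressions and the sample record and log line are all constructed for the demonstration. Requires Java 16 or later for records.

```java
// Added example: configurable full/partial hiding for display, and log anonymisation.
// Rule table, patterns and sample data are constructed, not the patented system's own.
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PrivacyMasking {

    enum Mode { SHOW, HIDE_ALL, HIDE_PARTIAL }

    /** One user-configured rule for a parameter: the mode and, for partial hiding,
     *  how many leading and trailing characters stay visible. */
    record Rule(Mode mode, int keepHead, int keepTail) {}

    static final Rule SHOW = new Rule(Mode.SHOW, 0, 0);

    /** Applies a rule to one value. A value too short to keep the requested head and tail
     *  without revealing most of it is hidden entirely rather than partially. */
    static String apply(Rule rule, String value) {
        if (value == null || rule.mode() == Mode.SHOW) return value;
        int len = value.length();
        int keep = rule.keepHead() + rule.keepTail();
        if (rule.mode() == Mode.HIDE_ALL || len <= keep) return "*".repeat(len);
        return value.substring(0, rule.keepHead())
             + "*".repeat(len - keep)
             + value.substring(len - rule.keepTail());
    }

    /** Display path (claim 5): only parameters that have a rule are altered; the rest are shown. */
    static Map<String, String> maskForDisplay(Map<String, Rule> rules, Map<String, String> record) {
        Map<String, String> out = new LinkedHashMap<>();
        record.forEach((k, v) -> out.put(k, apply(rules.getOrDefault(k, SHOW), v)));
        return out;
    }

    // Log path (claim 6): values that look like e-mail addresses or long digit strings
    // (phone or ID numbers) are anonymised wherever they occur. Patterns are illustrative.
    static final Pattern EMAIL = Pattern.compile("[\\w.+-]+@[\\w-]+(?:\\.[\\w-]+)+");
    static final Pattern LONG_DIGITS = Pattern.compile("(?<!\\d)\\d{11,18}(?!\\d)");
    static final Rule EMAIL_RULE = new Rule(Mode.HIDE_PARTIAL, 2, 0);
    static final Rule NUMBER_RULE = new Rule(Mode.HIDE_PARTIAL, 3, 4);

    static String anonymizeLogLine(String line) {
        Matcher m = EMAIL.matcher(line);
        StringBuilder sb = new StringBuilder();
        while (m.find()) {
            String[] parts = m.group().split("@", 2);       // hide the local part, keep the domain
            m.appendReplacement(sb, Matcher.quoteReplacement(apply(EMAIL_RULE, parts[0]) + "@" + parts[1]));
        }
        m.appendTail(sb);
        return LONG_DIGITS.matcher(sb).replaceAll(r -> apply(NUMBER_RULE, r.group()));
    }

    public static void main(String[] args) {
        // Constructed user configuration: which parameters to hide and how.
        Map<String, Rule> rules = Map.of(
                "idCard", new Rule(Mode.HIDE_PARTIAL, 6, 4),
                "phone",  new Rule(Mode.HIDE_PARTIAL, 3, 4),
                "salary", new Rule(Mode.HIDE_ALL, 0, 0));
        Map<String, String> record = new LinkedHashMap<>();   // constructed record
        record.put("name", "Zhang San");
        record.put("idCard", "110101199001011234");
        record.put("phone", "13812345678");
        record.put("salary", "15000");
        record.put("dept", "finance");                         // no rule: shown unchanged

        System.out.println(maskForDisplay(rules, record));
        System.out.println(anonymizeLogLine(                   // constructed log line
                "2017-06-13 10:02:11 user zhang.san@example.com queried idCard=110101199001011234 phone=13812345678"));
    }
}
```

Masking keeps the original length so that the layout of a page or a log line is unchanged, but length itself can leak information for very short values, which is why `apply` falls back to full hiding when the head and tail would cover most of the value.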
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710443668.7A CN107204982B (en) | 2017-06-13 | 2017-06-13 | Interactive data system universal safety guard system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107204982A CN107204982A (en) | 2017-09-26 |
CN107204982B true CN107204982B (en) | 2019-02-05 |
Family
ID=59906891
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710443668.7A Active CN107204982B (en) | 2017-06-13 | 2017-06-13 | Interactive data system universal safety guard system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107204982B (en) |
Families Citing this family (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107682346B (en) * | 2017-10-19 | 2021-06-25 | 南京大学 | System and method for rapidly positioning and identifying CSRF attack |
CN107948163A (en) * | 2017-11-29 | 2018-04-20 | 中科信息安全共性技术国家工程研究中心有限公司 | A kind of XML injection loopholes detection and defence method |
CN107944009A (en) * | 2017-12-08 | 2018-04-20 | 郑州云海信息技术有限公司 | A kind of system and method for record web application operating daily records |
CN108200147A (en) * | 2017-12-28 | 2018-06-22 | 珠海华发新科技投资控股有限公司 | Enterprises Integrated Service System and method |
CN108769087B (en) * | 2018-02-23 | 2020-12-22 | 福建天晴数码有限公司 | Development method of interactive system and server |
CN109347820B (en) * | 2018-10-12 | 2021-10-22 | 江苏满运软件科技有限公司 | Application security defense method and system |
CN110135132A (en) * | 2019-05-13 | 2019-08-16 | 重庆八戒传媒有限公司 | A kind of quick method, apparatus for solving the problems, such as project convention security and storage medium |
CN110177089A (en) * | 2019-05-20 | 2019-08-27 | 维沃移动通信有限公司 | A kind of page access method and terminal device |
CN110516444B (en) * | 2019-07-23 | 2023-04-07 | 成都理工大学 | Cross-terminal and cross-version Root attack detection and protection system based on kernel |
CN110677415A (en) * | 2019-09-29 | 2020-01-10 | 信阳农林学院 | Network information safety protection system |
CN111953668B (en) * | 2020-07-30 | 2023-04-07 | 中国工商银行股份有限公司 | Network security information processing method and device |
CN113778991A (en) * | 2021-09-14 | 2021-12-10 | 珠海市新德汇信息技术有限公司 | Method for realizing resource access control of big data |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104079528A (en) * | 2013-03-26 | 2014-10-01 | 北大方正集团有限公司 | Method and system of safety protection of Web application |
CN105786630A (en) * | 2016-02-26 | 2016-07-20 | 浪潮通用软件有限公司 | Web API regulating and controlling method based on middleware |
CN106209746A (en) * | 2015-05-07 | 2016-12-07 | 阿里巴巴集团控股有限公司 | A kind of safety service provides method and server |
CN106790007A (en) * | 2016-12-13 | 2017-05-31 | 武汉虹旭信息技术有限责任公司 | Web attack defending systems and its method based on XSS and CSRF |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102082780B (en) * | 2009-11-30 | 2014-03-05 | 国际商业机器公司 | Method and device for verifying security |
- 2017-06-13 CN CN201710443668.7A patent/CN107204982B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN107204982A (en) | 2017-09-26 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107204982B (en) | Interactive data system universal safety guard system | |
Marback et al. | A threat model‐based approach to security testing | |
Li et al. | A survey on server-side approaches to securing web applications | |
Akhawe et al. | Towards a formal foundation of web security | |
Kemalis et al. | SQL-IDS: a specification-based approach for SQL-injection detection | |
Li et al. | A survey on web application security | |
Al-Khurafi et al. | Survey of web application vulnerability attacks | |
US11783016B2 (en) | Computing system and method for verification of access permissions | |
Blankstein et al. | Automating isolation and least privilege in web services | |
Blome et al. | Vera: A flexible model-based vulnerability testing tool | |
Bach-Nutman | Understanding the top 10 owasp vulnerabilities | |
Mainka et al. | Your software at my service: Security analysis of saas single sign-on solutions in the cloud | |
Toreini et al. | DOMtegrity: ensuring web page integrity against malicious browser extensions | |
Knittel et al. | Xsinator. com: From a formal model to the automatic evaluation of cross-site leaks in web browsers | |
Van Acker et al. | Password meters and generators on the web: From large-scale empirical study to getting it right | |
Rocchetto et al. | Model-based detection of CSRF | |
Ravindran et al. | A Review on Web Application Vulnerability Assessment and Penetration Testing. | |
Pelizzi et al. | A server-and browser-transparent CSRF defense for web 2.0 applications | |
Srivani et al. | A survey on client side and server side approaches to secure web applications | |
Falah et al. | An Alternative Threat Model-based Approach for Security Testing | |
Chen et al. | Research on SQL injection and defense technology | |
Hedin et al. | Web application security using JSFlow | |
Jaamour | Securing web services | |
US11575687B2 (en) | Holistic and verified security of monitoring protocols | |
Reintjes et al. | a Benchmark Approach To Analysis the Security of Web Frameworks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | GR01 | Patent grant | |