CN107204982B - Interactive data system universal safety guard system - Google Patents

Interactive data system universal safety guard system

Info

Publication number: CN107204982B
Authority: CN (China)
Prior art keywords: module, data, protection module, protection, interactive data
Legal status: Active (as listed by Google Patents; not a legal conclusion)
Application number: CN201710443668.7A
Other languages: Chinese (zh)
Other versions: CN107204982A
Inventors: 王纯斌, 张艳, 尹寿长, 赵神州, 王建洪
Current assignee: Chengdu Sefon Software Co Ltd
Original assignee: Chengdu Sefon Software Co Ltd

Events
Application filed by Chengdu Sefon Software Co Ltd
Priority to CN201710443668.7A
Publication of CN107204982A
Application granted
Publication of CN107204982B
Status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0407 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
    • H04L63/0421 Anonymous communication, i.e. the party's identifiers are hidden from the other party or parties, e.g. using an anonymizer
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to the field of interactive data visualization applications, and in particular to a universal security protection system for interactive data systems. By providing such a system, the invention lets layout personnel build an interactive data WEB application with security capabilities on their own, without knowing the specific development techniques behind the security system: they only need to understand the functions, interfaces and usage that the security protection system provides, and connect the security system interface to the interactive data system. For the data-visualization interactive data application platform, the security system uses a loosely coupled design that is decomposed into multiple standalone modules; as long as the platform is able to extend modules, the modules can be combined organically to produce a WEB application system with security capabilities.

Description

Interactive data system universal safety guard system
Technical field
The present invention relates to the field of interactive data visualization applications, and in particular to a universal security protection system for interactive data systems.
Background technique
The security of application systems receives more and more attention. Intrusion and penetration through vulnerabilities in WEB application systems have become one of the hidden dangers of internet security, and how to keep systems secure and enterprise key data undamaged has become a focal issue for enterprise information departments.
The information security of software systems covers confidentiality, integrity and availability. Confidentiality means that high-level information flows to lower-level clients only under authorization; integrity means that information is not updated without authorization and remains consistent; availability means that the normal requests of legitimate users are served or answered in a timely, correct and secure way. The traditional approach for WEB application systems is that IT personnel decompose the security requirements of the system in advance according to demand and develop a customized security module for those requirements, so that the security module and the rest of the system form one whole. The problem with this is that different WEB application systems, even when they face the same or similar security requirements, each need their own customized development, which wastes development resources.
Summary of the invention
The object of the invention is to overcome the problem in the prior art that each different WEB system needs customized development for its security requirements, and that even WEB systems with similar security requirements must repeat the whole design, by providing a universal security protection system for interactive data WEB systems that can protect multiple systems.
In order to achieve the above object, the invention provides the following technical scheme:
A universal security protection system for an interactive data system, comprising in sequence:
a data input interface, connected to the human-computer interaction input of the interactive data system;
a protection module, which performs security detection on the data received from the data input interface and passes the data that passes the detection to the data output interface;
a data output interface, connected to the data processing module of the interactive data system.
Further, the protection module includes at least two of: an authentication resource registration module, a CSRF attack protection module, a parameter verification module, a cross-site scripting attack protection module, a login check module, a SQL injection protection module and an XML entity injection attack protection module; the modules perform security detection on the input data in turn, in a specified order;
the authentication resource registration module authenticates the menu request data of the interactive data system and the input URL;
the CSRF attack protection module performs CSRF attack protection detection on the data;
the parameter verification module verifies the parameters of all received URLs;
the cross-site scripting attack protection module performs cross-site scripting attack protection on received data;
the login check module checks the permissions of the login user;
the SQL injection protection module prevents SQL injection attacks;
the XML entity injection attack protection module prevents XML entity injection attacks.
Further, the CSRF attack protection module verifies the token value carried in the parameters of each request; the token value is a secure random number.
The token value is added to a request as follows: the current CsrfToken is obtained via the csrf request attribute, or the csrfInput tag of the Spring Security JSP tag library is used.
Further, the SQL injection protection module prevents SQL injection attacks by using PreparedStatement, or by executing SQL through the NamedParameterJdbcTemplate class provided by Spring.
Further, the XML entity injection attack protection module prevents XML entity injection when parsing XML-structured parameters in http/https requests, when parsing static XML configuration files, and when parsing Excel files.
Further, the protection module includes a privacy protection module, which, according to the user's settings, fully hides or partially hides the display of specified parameters.
Further, the protection module includes a personalized settings module, with which the user sets which parameters of the interactive data system are required and/or the types and value ranges of parameters.
Further, the protection module includes a running-log protection module, which records a log of all operations on the interactive data system, controls access to the log, and anonymizes sensitive data in the log.
Further, the protection module includes an operation state processing module, which coordinates the operation of the other functional modules in the protection module.
Compared with the prior art, the beneficial effects of the invention are as follows. By providing a universal security protection system for interactive data systems, the invention achieves:
1. For layout personnel: they do not need to know the specific development techniques of the security system; they only need to understand the functions, interfaces and usage that the security protection system provides, and can then build an interactive data WEB application with security capabilities on their own by connecting the security system interface to the interactive data system.
2. For the data-visualization interactive data application platform: the security system uses a loosely coupled design that is decomposed into multiple standalone modules; as long as the platform is able to extend modules, the modules can be combined organically to produce a WEB application system with security capabilities.
3. For the project team: each module of the security system is highly reusable; once a module is developed it can be applied to all WEB application systems, so manpower is no longer spent on customized development for each interactive data application (APP), which greatly improves development efficiency, saves development resources and shortens the development cycle.
4. For upgrading interactive data applications: each module of the security system can be distributed and installed independently, which avoids the predicament of having to bundle the release of an interactive data application with its security, and greatly improves the enterprise's IT integration ability.
Detailed description of the drawings:
Fig. 1 is a schematic diagram of the application of the universal security protection system for interactive data systems provided by the invention.
Fig. 2 is an example of the security processing flow of the universal security protection system for interactive data systems provided by the invention.
Fig. 3 shows the dynamic analysis and verification processing of personalized security requirements in the universal security protection system for interactive data systems provided by the invention.
Fig. 4 is an embodiment of the flow by which the security protection system of the invention is loaded into a concrete application.
Specific embodiment
The invention is described in further detail below with reference to the drawings and specific embodiments. This should not be interpreted as limiting the scope of the above subject matter of the invention to the embodiments below; all technology realized on the basis of the content of the invention falls within its scope.
As shown in Figure 1, this embodiment provides a universal security protection system for an interactive data system, comprising in sequence:
a data input interface, connected to the human-computer interaction input of the interactive data system;
a protection module, which performs security detection on the data received from the data input interface and passes the data that passes the detection to the data output interface;
a data output interface, connected to the data processing module of the interactive data system.
The protection module includes an authentication resource registration module, a CSRF attack protection module, a parameter verification module, a cross-site scripting attack protection module, a login check module, a SQL injection protection module and an XML entity injection attack protection module; the collection of all these modules is referred to as the WEB security module. The modules of the WEB security module perform security detection on the input data in turn, in a specified order. In addition, in this embodiment the protection module also includes a privacy protection module, a personalized settings module, a running-log protection module and an operation state processing module. Note that users can enable all or only some of the above modules according to the specific needs of their APP; this embodiment is explained with all of them enabled.
The authentication resource registration module authenticates the menu request data of the interactive data system and the input URL. In principle, the URL requests of the menus and pages of every concrete application (APP) on the data visualization platform (the interactive data system) must be authenticated through the authentication resource registry. Specifically, the user first configures all URLs of the APP according to its security configuration template. When the specific APP is compiled and packaged, the URL resource information contained in the APP is parsed, and INSTALL and UNINSTALL SQL scripts defining the URL resources are generated dynamically and placed in the corresponding directory of the APP installation package. The registered resource information includes the page framework, the page navigation tree and the functions, so that fine-grained access control can be realized. When the APP is installed, the above SQL scripts are written into the corresponding tables of the database, such as one or more of the resource definition information table, the resource/role attachment relation table and the resource definition statement table.
The CSRF attack protection module performs CSRF attack protection detection on the data: it verifies the token value carried in the parameters of each request, and the token value is a secure random number. The token value is added to a request as follows: the current CsrfToken is obtained via the csrf request attribute, or the csrfInput tag of the Spring Security JSP tag library is used. When JSON is used, the token information can be put into the request header; a typical way is to embed the CSRF token in a tag in the page source and then include the token in all Ajax requests.
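The patent delegates this check to Spring Security's CSRF support. The following Python is an added example, not the patent's or Spring's code: it models the two properties the paragraph relies on (the token is a secure random number, and it is verified on every request, whether it arrives as a form field or, for JSON/Ajax calls, as a header). The field name `_csrf`, the header name `X-CSRF-TOKEN` and the in-memory session store are assumptions made for the example.

```python
import hmac
import secrets
from typing import Dict, Optional

# In-memory stand-in for the server-side session store (constructed for the example).
SESSION_TOKENS: Dict[str, str] = {}

FORM_FIELD = "_csrf"          # assumed form field name (a hidden input rendered into the page)
HEADER_NAME = "X-CSRF-TOKEN"  # assumed header name for JSON / Ajax requests


def issue_csrf_token(session_id: str) -> str:
    """Generate a secure random token and bind it to the session it was issued to."""
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    SESSION_TOKENS[session_id] = token
    return token


def extract_submitted_token(form: Dict[str, str], headers: Dict[str, str]) -> Optional[str]:
    """Form-encoded requests carry the token as a field; JSON/Ajax requests carry it in a header."""
    if FORM_FIELD in form:
        return form[FORM_FIELD]
    return headers.get(HEADER_NAME)


def verify_csrf(session_id: str, form: Dict[str, str], headers: Dict[str, str]) -> bool:
    """Let the request through only if it presents the token bound to this session."""
    expected = SESSION_TOKENS.get(session_id)
    submitted = extract_submitted_token(form, headers)
    if expected is None or submitted is None:
        return False
    # Constant-time comparison: the verifier itself must not leak the token through timing.
    return hmac.compare_digest(expected.encode(), submitted.encode())


if __name__ == "__main__":
    token = issue_csrf_token("session-A")
    print("form submission accepted:", verify_csrf("session-A", {FORM_FIELD: token}, {}))
    print("ajax submission accepted:", verify_csrf("session-A", {}, {HEADER_NAME: token}))
    print("other session rejected:", verify_csrf("session-B", {FORM_FIELD: token}, {}))
```

Binding the token to the session is what makes the check meaningful: a token copied from one session must not satisfy the verifier for another, and a request with no token at all is rejected rather than silently passed.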
The parameter verification module verifies the parameters of all received URLs. When a concrete application that includes the security system is compiled and packaged to generate an APP, the validate-common-config.xml file is copied to the validate directory under the APP's WEB-INF; if the validate directory does not exist, it is created. Parameter verification is the most important line of defense in WEB security; strict parameter verification can prevent common SQL injection, OS injection, directory traversal attacks, cross-site scripting attacks and so on. Parameter verification rule configuration files are named validate-rule_xxx.xml, i.e. any XML file whose name begins with validate-rule; these files also need to be placed in the validate directory under the APP's WEB-INF. The validate-rule_xxx.xml files copied to the validate directory at compile and packaging time define the fixed parameter verification rules of the APP; dynamic parameter verification is realized by another scheme (described below). Note that once this configuration file is introduced, the parameters of all URLs received by the APP are verified.
The cross-site scripting attack protection module performs cross-site scripting attack protection on received data. It encapsulates an anti-XSS tool component that implements the common escaping methods for preventing XSS attacks. There are three types of escaping: HTML escaping, HTML attribute escaping and JavaScript escaping.
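The three escaping types named above correspond to three output contexts, and each needs its own encoder. The block below is an added Python example, not the patent's tool component; the rules it implements (entity-encode element content, hex-entity-encode every non-alphanumeric ASCII character in attribute values, `\xHH`-encode every non-alphanumeric character in JavaScript string literals) are the common ones and are assumptions about how the patent's component behaves.

```python
import html


def escape_html(text: str) -> str:
    """Element content: & < > " ' become entities, so the text cannot open a tag."""
    return html.escape(text, quote=True)


def escape_html_attribute(text: str) -> str:
    """Attribute value: every non-alphanumeric ASCII character becomes &#xHH;, so the value
    cannot close the quote (or, in an unquoted attribute, start a new one)."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 128:
            out.append("&#x%02X;" % ord(ch))
        else:
            out.append(ch)          # non-ASCII text is left as-is
    return "".join(out)


def escape_javascript(text: str) -> str:
    """JavaScript string literal: \\xHH / \\uHHHH-encode everything but ASCII alphanumerics,
    so quotes, line terminators and </script> cannot terminate the literal or the script."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 256:
            out.append("\\x%02X" % ord(ch))
        else:
            out.append("\\u%04X" % ord(ch))
    return "".join(out)


ESCAPERS = {"html": escape_html, "attribute": escape_html_attribute, "js": escape_javascript}


def render(context: str, text: str) -> str:
    """Pick the encoder for the context the value is about to be written into."""
    return ESCAPERS[context](text)


if __name__ == "__main__":
    sample = "O'Reilly</script>"          # constructed input
    for ctx in ESCAPERS:
        print(ctx, "->", render(ctx, sample))
```

The point of keeping three encoders is that they are not interchangeable: HTML-escaped text placed inside a `<script>` block is still a live script, and attribute-escaped text is over-encoded for element content. The caller has to know where the value is going.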
The login check module checks the permissions of the login user. After an APP is installed, based on the URL resource definition information registered with the interactive data system at installation time, the system administrator can log in to the interactive data system and authorize the APP to other roles; after a role with access permission for the APP logs in successfully, the functions within its scope of permission can be used. Login and security control of the interactive data system are provided uniformly by the security module of the interactive data system. The login service of the security module implements functions such as "login authentication brute-force prevention", "authentication management", "login password protection" and "session management". The platform's authorized-user interface offers two modes: single sign-on secure login and single-system secure login. At the same time, the security system configures the function pages of accessible resources for each user role; after a user at system administrator level logs in, permissions can be assigned to other lower-level user roles in the functional module. Specifically, at login the system verifies whether the login user is a user of the system; an inactive user is told that the identity is invalid and stays on the login page; for a valid user the password is verified, and if it is correct a single sign-on credential is generated for the user. The permission filter component determines the identity of the currently logged-in user and finally presents the resources accessible to that user. After the user logs in, the requests initiated by all operations in the system are verified by the security component of the WEB security framework as the situation requires.
The SQL injection protection module prevents SQL injection attacks: it guards against SQL injection by using PreparedStatement, or by executing SQL through the NamedParameterJdbcTemplate class provided by Spring.
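PreparedStatement and NamedParameterJdbcTemplate both work the same way: the statement text is fixed and the values are bound separately, so a value can never change the statement's structure. The following added example (Python with the standard-library sqlite3 module, not the patent's Java code) puts the string-concatenation 'before' beside the positional and the named-parameter forms so the difference is visible on the same table; the table and its rows are constructed for the example.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the interactive data system's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "viewer")])
    return conn


def find_role_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The 'before': the caller-supplied name is spliced into the statement text, so the
    name can rewrite the WHERE clause. Kept only to show what the two forms below prevent."""
    sql = "SELECT role FROM users WHERE name = '%s'" % name
    return sorted(row[0] for row in conn.execute(sql))


def find_role_positional(conn: sqlite3.Connection, name: str) -> list:
    """PreparedStatement style: '?' placeholder, value bound by position."""
    rows = conn.execute("SELECT role FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


def find_role_named(conn: sqlite3.Connection, name: str) -> list:
    """NamedParameterJdbcTemplate style: ':name' placeholder, value bound from a mapping."""
    rows = conn.execute("SELECT role FROM users WHERE name = :name", {"name": name})
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    conn = build_db()
    probe = "x' OR '1'='1"          # constructed input that a bound parameter treats as a literal name
    print("unsafe     :", find_role_unsafe(conn, probe))
    print("positional :", find_role_positional(conn, probe))
    print("named      :", find_role_named(conn, probe))
```

With binding, the quote characters in the value are data: the query looks for a user literally named `x' OR '1'='1` and finds none, whereas the concatenated version returns every row.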
The XML entity injection attack protection module prevents XML entity injection attacks: it prevents XML entity injection when parsing XML-structured parameters in http/https requests, when parsing static XML configuration files, and when parsing Excel files.
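Entity declarations can only appear inside a DOCTYPE, so the simplest way to take the entity-expansion surface away from all three parsing paths (request parameters, static configuration, Excel, which is XML inside a zip) is to refuse any document that carries a DOCTYPE at all; in Java that is the `disallow-doctype-decl` parser feature. The block below is an added Python example, not the patent's module: it pre-scans the bytes with expat, aborts on the DOCTYPE declaration, and only then builds the element tree. The sample documents are constructed.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXmlError(ValueError):
    """Raised for documents that declare a DOCTYPE (and therefore could declare entities)."""


def reject_doctype(data: bytes) -> None:
    """Scan with expat and abort as soon as a DOCTYPE declaration starts.
    The request parameters and config files the framework parses have no legitimate
    need for a DOCTYPE, so refusing it removes internal, external and parameter entities
    in one step."""
    scanner = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError("DOCTYPE declaration not allowed: %s" % name)

    scanner.StartDoctypeDeclHandler = on_doctype
    scanner.Parse(data, True)


def parse_xml_param(data: bytes) -> dict:
    """Parse an XML-structured request parameter into {child tag: text}."""
    reject_doctype(data)
    root = ET.fromstring(data)
    return {child.tag: (child.text or "") for child in root}


def is_safe_xml(data: bytes) -> bool:
    try:
        reject_doctype(data)
        return True
    except UnsafeXmlError:
        return False


# Constructed samples: a plain parameter document and one that declares an external entity.
BENIGN = b"<params><user>alice</user><page>1</page></params>"
WITH_ENTITY = (b'<!DOCTYPE params [<!ENTITY ext SYSTEM "file:///CONSTRUCTED/secret.txt">]>'
               b"<params><user>&ext;</user></params>")

if __name__ == "__main__":
    print(parse_xml_param(BENIGN))
    print("entity document accepted:", is_safe_xml(WITH_ENTITY))
```

Rejecting the DOCTYPE up front also covers the exponential-expansion variant (nested internal entities), which a parser that merely declines to fetch external resources would still process.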
The privacy protection module, according to the user's settings, fully hides or partially hides the display of specified parameters. By default, when the interactive data system creates a role it needs to shield user identifiers (personal data identifiers); if a role shields user identifiers, the personal data seen by users under that role when they log in to the platform should be shielded (anonymized). The privacy protection module is divided into privacy protection of personal data and anonymization of personal data in logs. For personal data: common parameters involving users' private personal data need to be anonymized when presented in the APP interface. For example, for the MSISDN (telephone number) 18912345678, if the last 4 digits are shielded, the anonymized result presented in the interface is 18912345****. Anonymized data is produced by calling the platform's tool component. When the APP is laid out, the data that needs anonymization is configured; when the APP runs, the anonymization configuration information is parsed dynamically and the privacy protection module is called to complete the anonymization. Anonymization of personal data in operation logs differs from that in the WEB interface: the switch for anonymizing personal data in operation logs is in the Settings -> Security management -> Personal data anonymization configuration interface.
The protection module includes a personalized settings module, with which the user sets which parameters of the interactive data system are required and/or the types and value ranges of parameters. Specifically, when the UI designer of the data visualization platform lays out a page, parameter verification rules can be configured according to the APP's personalized security requirements. For example, layout personnel can set common check rules for a control (such as a text box) on the APP page: required, valid ID card number, IP address, email, length limit, value range and so on; these rules are selected from options. Beyond the built-in rules, layout personnel can write custom regular expressions to complete the business requirement. Multiple parameter verification rules may be specified for one control; for example, a parameter may be both required and constrained to a specified range. The configured security rules are saved together with the page source file when the page is saved. When the APP is compiled and released, the security rule information set in the source file is extracted and serves as the basis for parameter verification at APP run time.
The protection module includes a running-log protection module, which records a log of all operations on the interactive data system and controls access to the log; the specific operations are shown in Table 1.
Table 1
The protection module includes an operation state processing module, which coordinates the operation of the other functional modules in the protection module.
The security system provided by the invention is integrated with the configuration of a specific APP by configuring an introduction module, as shown in Fig. 4. Configuration and introduction through web.xml: when the APP is compiled and packaged, this file, which does not need to be modified, is copied directly to the WEB-INF directory of the APP. The security-related configuration in web.xml includes: single sign-on/sign-out, the data visualization platform's custom log component, the secure request prefix verification component, the component that handles the session correspondence between modules, the component that judges whether the application's URL is registered, the request interception component and so on. Single sign-on/sign-out is handled by the CAS single-point logout filter; all requests in the system pass through this filter, which mainly checks whether the queued session of the currently logged-in user is still valid and, if not, cancels the login credential and redirects to the login page automatically. The data visualization platform's custom log component records logs and compresses and backs up log files according to the log file size and generation-duration threshold settings. The secure request prefix verification component is a request prefix verification filter for requests that call system interfaces, which must verify the user identity credential of the requester. The component that handles the session correspondence between modules checks which page link a request came from; all requests in the system pass through this filter, which checks whether the request was initiated from a trusted page link. The component that judges whether the application's URL is registered is the verification filter for whether a URL has been configured in the system; all requests in the system pass through this filter, which checks whether the URL of the request is an authenticated resource in the system (the APP's URLs are registered in the system when the APP is installed); if it is an authenticated resource the request is let through, otherwise the request is terminated.
Introduction of the spring-security.xml configuration file: when compiling and packaging, this file is copied to the conf directory under the APP's WEB-INF. Its main configuration includes: the security tool component; registering and configuring the anti-CSRF attack component; registering and configuring the DoS attack component; registering and configuring the parameter verification component; registering and configuring the Cookie filter; registering and configuring the request header verification component; registering and configuring the file upload verification component; registering and configuring the user authentication entry point; registering and configuring the system access URL resource verification component; registering and configuring the system external interface verification component; registering and configuring the integrated SSO CAS component; and so on. These registered and configured components perform the security filtering when the APP runs. For example, when a user uploads a file, the upload verification component completes the check according to the personalized security configuration information of the APP layout (such as the file types and file sizes allowed for upload). If the check passes, the subsequent business logic continues; if the check fails, the request is terminated and the user is prompted.
Parameter verification component: it first checks whether the request URL is on the white list; if so, no parameter verification is done, otherwise parameter verification is performed. The required parameter verification configuration information is found according to the URL and each parameter is verified; if verification fails, the request is terminated. The white list and the parameter verification configuration information are in the configuration files WEB-INF/validate/validate-common-config.xml and WEB-INF/validate/validate-rule-app.xml respectively; the configuration files are loaded by the Spring framework. Parameter verification rules are configured as regular expressions; at verification time the parameter value is matched against the regular expression, and verification passes if the expression matches, otherwise it fails.
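The parameter verification module, the personalized settings module and the parameter verification component above describe one mechanism from three sides: rule options chosen at layout time (required, email, IP address, length, range, custom regex), rule files per URL, a URL white list that skips verification, and a match-the-whole-value regex check that ends the request on failure. The following added Python example (not the patent's component) implements that pipeline end to end. The XML schema of the rule file, the built-in rule names and the decision to reject requests for URLs with no rules at all are assumptions; the patent's validate-rule files are not reproduced on the page.

```python
import re
import xml.etree.ElementTree as ET

# Built-in check types a layout person can pick from a list; custom rules are regexes.
BUILTIN_PATTERNS = {
    "email": r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}",
    "ipv4": r"(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)",
    "digits": r"\d+",
}

# Constructed rule file; the schema is an assumption made for this example.
RULE_CONFIG = b"""
<validation>
  <whitelist>
    <url>/app/health</url>
  </whitelist>
  <rules url="/app/user/save">
    <param name="email" type="email" required="true"/>
    <param name="age" type="digits" min="1" max="150" required="true"/>
    <param name="host" type="ipv4"/>
    <param name="nickname" regex="[A-Za-z0-9_]{3,16}" maxlen="16"/>
  </rules>
</validation>
"""


def load_rules(xml_bytes: bytes):
    """Return (whitelist, {url: {param: compiled rule}}) from the rule file."""
    root = ET.fromstring(xml_bytes)
    whitelist = {u.text.strip() for u in root.findall("whitelist/url")}
    rules = {}
    for block in root.findall("rules"):
        params = {}
        for p in block.findall("param"):
            pattern = p.get("regex") or BUILTIN_PATTERNS[p.get("type")]
            params[p.get("name")] = {
                "re": re.compile(pattern),
                "required": p.get("required") == "true",
                "min": p.get("min"), "max": p.get("max"), "maxlen": p.get("maxlen"),
            }
        rules[block.get("url")] = params
    return whitelist, rules


def validate_request(url: str, params: dict, whitelist: set, rules: dict) -> list:
    """Return the list of violations; an empty list means the request is let through."""
    if url in whitelist:
        return []
    spec = rules.get(url)
    if spec is None:
        return ["no verification rules configured for %s" % url]   # fail closed (assumption)
    errors = []
    for name, rule in spec.items():
        value = params.get(name)
        if value is None or value == "":
            if rule["required"]:
                errors.append("%s: required" % name)
            continue
        if rule["maxlen"] is not None and len(value) > int(rule["maxlen"]):
            errors.append("%s: too long" % name)
            continue
        if not rule["re"].fullmatch(value):      # whole value must match, not a substring
            errors.append("%s: does not match rule" % name)
            continue
        if rule["min"] is not None and int(value) < int(rule["min"]):
            errors.append("%s: out of range" % name)
        elif rule["max"] is not None and int(value) > int(rule["max"]):
            errors.append("%s: out of range" % name)
    # Strict mode: parameters the rule file does not know are rejected too.
    errors.extend("%s: unexpected parameter" % name for name in params if name not in spec)
    return errors


if __name__ == "__main__":
    wl, rules = load_rules(RULE_CONFIG)
    print(validate_request("/app/user/save", {"email": "a@b.io", "age": "30", "nickname": "bob_1"}, wl, rules))
    print(validate_request("/app/user/save", {"email": "not-an-email", "age": "200"}, wl, rules))
```

`fullmatch` rather than `search` is the detail that makes a regex rule a real constraint: a digits rule checked with `search` would accept any value that merely contains a digit. The min/max checks only run after the digits pattern has matched, so `int()` is never applied to an unvalidated string.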
Anti- CSRF attacks component: all requests in verifying system, inquiry current request URL first whether mirror in systems Power exists in the library resource URL, then lets pass if it exists;If it does not exist, need to verifying current request URL, whether to be arranged to system anti- CSRF attacks white list, is that white list is then let pass, and is not then ending request.
Anti- CSRF attack white list configuration WEB-INF conf in spring-security.xml configuration file, configuration File is loaded by spring frame.
Anti- DOC attacks component: whether initiation number of all requests within the time cycle is more than attack time in verifying system Number threshold value, is less than, continues to let pass;It has been more than then to terminate each request, until access frequency restores normal.To prevent from disliking Meaning attack.
Time cycle and number of times of attack threshold value configuration WEB-INF conf spring-security.xml configuration file In (profile name and path are only for example, and corresponding function can be achieved in any specified path and profile name, because This this example does not represent any restriction), configuration file is loaded by spring frame.
Cookie security handler component: whether system detection current request is the safe white list of Cookie, if it is white name Dan Ze is not dealt with;If not white list, then be arranged response Cookie be Secure Cookie: setting secure and HttpOnly attribute is true;Secure is true, indicate Cookie can by the form of safety to server transport, that is, Server end can only be transmitted to by browser in HTTPS connection to conversate verifying, will not then transmit if it is HTTP connection The information, so the particular content for getting Cookie will not be stolen.HttpOnly is true, then by program (JS script, Applet etc.) it will be unable to read cookie information, XSS attack can be effectively prevented in this way.
Permission filter assemblies: all resources and permission corresponding relationship are set up, that is, defining a certain resource can be by Which role access.When equal logging in system by user, the role that active user has is determined, if there are enough permissions to go to access certain A little resources;His addressable resource is finally presented.After user enters system, all requests of initiation will also pass through the component, certainly Determine whether active user has initiated request more than its permission.
In a specific run, as shown in Fig. 2, the APP user inputs a request on the APP page (the human-computer interaction input of the interactive data system); the APP page sends the request to the protection module through the data input interface, and the modules in the protection module perform safety detection on the request data one after another in the specified order. Fig. 2 gives examples of what the modules detect, such as whether the URL is authorized, whether the request carries an attack method, parameter checks, and so on. After all detections are complete, the result and the data are returned through the data output interface to the APP's execution engine (the data processing module of the interactive data system), and the engine feeds the response back to the page. In some cases the feedback result must itself be processed for cross-site scripting attacks; the page then sends the data to be tested through the data input interface to the protection module for detection and displays it only after the detection passes. It should be noted that if any single detection in the protection module's process fails, the request or data is not passed to the APP's execution engine (the data processing module of the interactive data system), so the APP's core processing module is protected from attack.
In another specific example, after a user operation initiates a request, it is processed in the following steps: (1) enter the CAS single sign-on logout filter; if the request is a logout request, the login credential is cancelled and the user is automatically redirected to the login page; (2) enter the request-prefix checksum filter; if the request is a system interface call, check whether the user identity credential in the request is legal; (3) enter the filter that verifies which page the request links from, ensuring that the request was initiated from a trusted page link; (4) enter the filter that verifies whether the URL has been configured in the system, ensuring that the request targets a legal resource; (5) enter the parameter verification component, ensuring that the request parameters are legal and valid; (6) enter the anti-CSRF attack component; (7) enter the anti-DOC attack component; (8) enter the permission filter component; (9) if the deployment is configured with personalization/privacy protection security capabilities, enter the personalization/privacy protection security component; (10) carry out the actual business processing (such as a data query or an API interface call); during this processing the log component is called to record the operation log and the running log; (11) after business processing finishes, enter the Cookie security handler component; (12) finally respond to the user's request.
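The permission filter and the ordered chain of steps (3) to (8) above share one structure: a list of checks run in a fixed order, where the first failure stops the request before it reaches the execution engine. The block below is an added example written for this page, not the patent's code, and in Python rather than Spring Security filters; it implements the referer check, the registered-URL check, parameter validation, the CSRF token comparison of claim 2 and the resource-to-role permission check. The trusted origin, URL registry, parameter rules, role map and sample requests are all constructed.

```python
import hmac
import re
import secrets
from typing import Callable, Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Added example, not the patent's own code: an ordered protection chain in the
# spirit of Fig. 2 and steps (3)-(8) above. Each filter inspects a request and
# returns None to let it pass or a short reason to reject it; the first
# rejection stops the chain, so the business handler (the "execution engine")
# never sees a request that failed any check. The trusted origin, URL registry,
# parameter rules, resource-to-role map and sample requests are constructed.

Request = Dict[str, object]
Filter = Callable[[Request], Optional[str]]

TRUSTED_ORIGINS: Set[str] = {"https://app.example.test"}
REGISTERED_URLS: Set[str] = {"/report/query", "/report/export", "/admin/users"}
PARAM_RULES: Dict[str, Dict[str, str]] = {
    "/report/query": {"year": r"\d{4}", "region": r"[A-Za-z]{2,16}"},
}
RESOURCE_ROLES: Dict[str, Set[str]] = {
    "/report/query": {"analyst", "admin"},
    "/report/export": {"admin"},
    "/admin/users": {"admin"},
}


def new_csrf_token() -> str:
    """Claim 2: the token is a secure random value, stored in the session."""
    return secrets.token_urlsafe(32)


def referer_filter(req: Request) -> Optional[str]:
    """Step (3): the request must come from a page on a trusted origin."""
    parts = urlsplit(str(req.get("referer") or ""))
    origin = f"{parts.scheme}://{parts.netloc}"
    return None if origin in TRUSTED_ORIGINS else "untrusted referer"


def url_registered_filter(req: Request) -> Optional[str]:
    """Step (4): only URLs configured in the system are legal resources."""
    return None if req["path"] in REGISTERED_URLS else "URL not registered"


def param_filter(req: Request) -> Optional[str]:
    """Step (5): every parameter must be declared for the URL and match its rule."""
    rules = PARAM_RULES.get(str(req["path"]), {})
    for name, value in dict(req.get("params", {})).items():
        if name == "_csrf":          # checked by csrf_filter
            continue
        pattern = rules.get(name)
        if pattern is None or not re.fullmatch(pattern, str(value)):
            return f"invalid parameter {name!r}"
    return None


def csrf_filter(req: Request) -> Optional[str]:
    """Step (6): the token carried in the parameters must equal the session's."""
    expected = dict(req.get("session", {})).get("csrf_token")
    supplied = dict(req.get("params", {})).get("_csrf")
    if not expected or not supplied or not hmac.compare_digest(str(expected), str(supplied)):
        return "CSRF token missing or mismatched"
    return None


def permission_filter(req: Request) -> Optional[str]:
    """Step (8): one of the user's roles must be allowed for the resource."""
    allowed = RESOURCE_ROLES.get(str(req["path"]), set())
    return None if allowed & set(req.get("roles", ())) else "permission denied"


def accessible_resources(roles) -> List[str]:
    """The resources shown to a user after login (the menu the text describes)."""
    return sorted(r for r, allowed in RESOURCE_ROLES.items() if allowed & set(roles))


CHAIN: List[Filter] = [referer_filter, url_registered_filter, param_filter,
                       csrf_filter, permission_filter]


def run_chain(req: Request, handler: Callable[[Request], object]) -> Tuple[str, object]:
    """Return ("ok", handler result) or ("rejected", "<filter>: <reason>")."""
    for check in CHAIN:
        reason = check(req)
        if reason is not None:
            return "rejected", f"{check.__name__}: {reason}"
    return "ok", handler(req)


if __name__ == "__main__":
    token = new_csrf_token()
    request = {"path": "/report/query", "referer": "https://app.example.test/report",
               "params": {"year": "2017", "region": "west", "_csrf": token},
               "session": {"csrf_token": token}, "roles": {"analyst"}}
    print(run_chain(request, lambda r: "query result"))
    print(accessible_resources({"analyst"}))
```

The order matters for the same reason the patent fixes it: cheap, stateless checks (origin, registered URL, parameter syntax) run before the checks that consult session state or the role map, so malformed traffic is dropped before it costs anything. The CSRF comparison uses a constant-time equality so the token cannot be recovered through timing differences.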
Fig. 3 shows the dynamic analysis and verification process for personalized security requirements: the APP user issues a request to the page; the security module receives the information sent by the page and performs a safety check on it; if the check passes, the APP execution engine processes it and finds the association between the request and the security configuration information; the corresponding security configuration information is sent to the storage medium; the APP execution engine parses the safe-handling type; the safety check is executed dynamically; after verification passes, the UI runtime is called to execute the business; the response result is returned and displayed on the page.

Claims (6)

1. An interactive data system universal safety guard system, characterized in that it comprises, in sequence:
a data input interface, connected to the human-computer interaction input of the interactive data system;
a protection module, which performs safety detection on the data input through the data input interface and outputs the data that passes safety detection through the data output interface;
a data output interface, connected to the data processing module of the interactive data system;
the protection module comprises at least two of: an authentication resource registration module, a CSRF attack protection module, a parameter verification module, a cross-site scripting attack protection module, a login check module, a SQL injection protection module, and an XML Entity injection attack protection module;
the modules perform safety detection on the input data one after another in a specified order;
the authentication resource registration module is used to authenticate the menu request data of the interactive data system and the input URL;
the CSRF attack protection module is used to perform CSRF attack protection detection on the data;
the parameter verification module is used to perform parameter verification on the parameters of all received URLs;
the cross-site scripting attack protection module is used to perform cross-site scripting attack protection on the received data;
the login check module is used to check the permissions of the logged-in user;
the SQL injection protection module is used to prevent SQL injection attacks;
the XML Entity injection attack protection module is used to prevent XML Entity injection attacks;
the protection module comprises a personal settings module, which is used by the user to set the type, required status and/or value range of parameters in the interactive data system;
the protection module comprises an operation state processing module, which is used to coordinate the operation of the other functional modules in the protection module.
2. The security protection system of claim 1, characterized in that the CSRF attack protection module verifies the token value carried in the parameters of each request; the token value is a secure random number;
the token value is added to the request by either of the following methods: obtaining the current CsrfToken through the csrf request attribute; or using the CsrfInput tag in the Spring Security JSP tag library.
3. The security protection system of claim 1, characterized in that the SQL injection protection module uses PreparedStatement to guard against SQL injection attacks, or executes SQL through the NamedParameterJdbcTemplate class provided by Spring to prevent SQL injection attacks.
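The claim's point is that the statement text and the user-supplied values must travel separately so the database never interprets a value as SQL. The following is an added example written for this page, not the patent's code, using Python's sqlite3 driver in place of JDBC: the concatenated query is the form the module is meant to eliminate, and the two parameterized forms are the sqlite3 analogues of PreparedStatement and of NamedParameterJdbcTemplate's named parameters. The table and its rows are constructed in memory.

```python
import sqlite3
from typing import List

# Added example, not the patent's own code: the claim's point shown with the
# sqlite3 driver instead of JDBC. The query built by string concatenation lets
# the input become SQL text; the parameterized queries (the equivalents of
# PreparedStatement and NamedParameterJdbcTemplate) treat it strictly as a
# value. Table and rows are constructed in memory for illustration.


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "analyst"), ("carol", "analyst")])
    return conn


def lookup_concatenated(conn: sqlite3.Connection, name: str) -> List[str]:
    """The form the module removes: the input is spliced into the statement."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_positional(conn: sqlite3.Connection, name: str) -> List[str]:
    """PreparedStatement analogue: '?' placeholder, value bound by the driver."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]


def lookup_named(conn: sqlite3.Connection, name: str) -> List[str]:
    """NamedParameterJdbcTemplate analogue: ':name' placeholder bound from a dict."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name = :name", {"name": name})]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"            # constructed input containing quote characters
    print(lookup_concatenated(db, probe))   # every row: the quotes altered the query
    print(lookup_positional(db, probe))     # no row is literally named that
    print(lookup_named(db, probe))
```

A detection-side corollary: if the application only ever issues parameterized statements, a database audit log that shows a statement text containing a quoted user value is itself a signal that some code path bypassed the module.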
4. The security protection system of claim 1, characterized in that the XML Entity injection attack protection module prevents XML Entity injection when parsing XML-structured parameters in http/https requests, when parsing static XML configuration files, or when parsing Excel.
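Whatever the input source (request parameter, configuration file, or an Excel workbook, whose .xlsx format is zipped XML), the protection comes from configuring the parser so that it refuses the constructs entity injection relies on. The block below is an added example written for this page, not the patent's code; it uses Python's expat binding rather than a Java parser, and rejects the document as soon as the parser reports a DOCTYPE or an entity declaration. The sample documents are constructed.

```python
import xml.parsers.expat
from typing import Dict, List


class ForbiddenDtd(ValueError):
    """Raised when the document carries a DTD or entity declaration."""


def parse_xml_safely(data: bytes, forbid_dtd: bool = True) -> Dict[str, object]:
    """Parse XML with expat while refusing the constructs entity injection needs.

    With forbid_dtd=True any <!DOCTYPE ...> is rejected outright (the right
    setting for request parameters). With forbid_dtd=False a DOCTYPE is
    tolerated, e.g. for a static configuration file that declares one, but
    entity declarations are still refused. Returns the element names in
    document order and the concatenated character data.
    """
    parser = xml.parsers.expat.ParserCreate()
    elements: List[str] = []
    text: List[str] = []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenDtd(f"DOCTYPE {name!r} is not allowed")

    def reject_entity(*_args):
        raise ForbiddenDtd("entity declarations are not allowed")

    if forbid_dtd:
        parser.StartDoctypeDeclHandler = reject_doctype
    # fires for internal and external (SYSTEM/PUBLIC) entity declarations alike
    parser.EntityDeclHandler = reject_entity
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.CharacterDataHandler = text.append
    parser.Parse(data, True)   # an exception raised inside a handler propagates here
    return {"elements": elements, "text": "".join(text).strip()}


def parse_xml_file_safely(path: str, forbid_dtd: bool = False) -> Dict[str, object]:
    """Static configuration files: DOCTYPE allowed, entity declarations not."""
    with open(path, "rb") as fh:
        return parse_xml_safely(fh.read(), forbid_dtd=forbid_dtd)


if __name__ == "__main__":
    # constructed samples
    print(parse_xml_safely(b"<root><item>ok</item></root>"))
    try:
        parse_xml_safely(b'<!DOCTYPE r [<!ENTITY e "x">]><r>&e;</r>')
    except ForbiddenDtd as err:
        print("rejected:", err)
```

Rejecting at the declaration rather than at the reference is the important design choice: the parser never has a chance to resolve an external entity or expand a nested one, so neither file disclosure nor entity-expansion denial of service can occur. Malformed input still surfaces as xml.parsers.expat.ExpatError, which the caller should treat as a failed check just like ForbiddenDtd.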
5. The security protection system of claim 1, characterized in that the protection module comprises a privacy protection module, which, according to the user's settings, displays the specified parameters either fully hidden or partially hidden.
6. The security protection system of claim 1, characterized in that the protection module comprises a running-log protection module, which records all operations of the interactive data system in logs and controls access to those logs, and at the same time anonymizes sensitive data in the logs.
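Claims 5 and 6 share one primitive: a masking function that hides all or part of a value, applied to parameters before display in one case and to sensitive fields in log records in the other. The following is an added example written for this page, not the patent's code; the parameter names, masking settings, the choice of which log keys count as sensitive and the sample log line are all constructed.

```python
import re
from typing import Dict

# Added example, not the patent's own code: one masking routine serving both the
# privacy protection module of claim 5 (hide all or part of a displayed
# parameter) and the log anonymization of claim 6. Field names, masking
# settings, the sensitive-key list and the sample log line are constructed.


def mask_value(value: str, mode: str, keep_tail: int = 4) -> str:
    """mode 'all' hides every character; 'partial' keeps only the last keep_tail."""
    if mode == "all":
        return "*" * len(value)
    if mode == "partial":
        visible = value[-keep_tail:] if keep_tail > 0 else ""
        return "*" * (len(value) - len(visible)) + visible
    raise ValueError(f"unknown mask mode: {mode!r}")


def mask_record(record: Dict[str, str], settings: Dict[str, str]) -> Dict[str, str]:
    """Claim 5: apply the user's per-parameter settings before display."""
    return {key: mask_value(val, settings[key]) if key in settings else val
            for key, val in record.items()}


# claim 6: keys whose values are anonymized inside free-text log lines
SENSITIVE_KEYS = ("phone", "id_card", "password")
_SENSITIVE_PATTERN = re.compile(r"\b(" + "|".join(SENSITIVE_KEYS) + r")=([^\s,;]+)")


def anonymize_log_line(line: str) -> str:
    """Rewrite key=value pairs for sensitive keys; secrets are hidden completely."""
    def replace(match: "re.Match[str]") -> str:
        key, value = match.group(1), match.group(2)
        mode = "all" if key == "password" else "partial"
        return f"{key}={mask_value(value, mode)}"
    return _SENSITIVE_PATTERN.sub(replace, line)


if __name__ == "__main__":
    # constructed sample record and log line
    print(mask_record({"name": "alice", "phone": "13800001234"}, {"phone": "partial"}))
    print(anonymize_log_line(
        "2017-06-13 10:00:01 INFO login user=alice phone=13800001234 password=hunter2 ok"))
```

Anonymizing at write time, as the claim describes, is preferable to filtering at read time: a log that already contains the sensitive value is exposed to every backup, shipping pipeline and search index it passes through, regardless of the access control placed on the log viewer.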

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710443668.7A CN107204982B (en) 2017-06-13 2017-06-13 Interactive data system universal safety guard system


Publications (2)

Publication Number Publication Date
CN107204982A CN107204982A (en) 2017-09-26
CN107204982B true CN107204982B (en) 2019-02-05

Family

ID=59906891


Country Status (1)

Country Link
CN (1) CN107204982B (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107682346B (en) * 2017-10-19 2021-06-25 南京大学 System and method for rapidly positioning and identifying CSRF attack
CN107948163A (en) * 2017-11-29 2018-04-20 中科信息安全共性技术国家工程研究中心有限公司 A kind of XML injection loopholes detection and defence method
CN107944009A (en) * 2017-12-08 2018-04-20 郑州云海信息技术有限公司 A kind of system and method for record web application operating daily records
CN108200147A (en) * 2017-12-28 2018-06-22 珠海华发新科技投资控股有限公司 Enterprises Integrated Service System and method
CN108769087B (en) * 2018-02-23 2020-12-22 福建天晴数码有限公司 Development method of interactive system and server
CN109347820B (en) * 2018-10-12 2021-10-22 江苏满运软件科技有限公司 Application security defense method and system
CN110135132A (en) * 2019-05-13 2019-08-16 重庆八戒传媒有限公司 A kind of quick method, apparatus for solving the problems, such as project convention security and storage medium
CN110177089A (en) * 2019-05-20 2019-08-27 维沃移动通信有限公司 A kind of page access method and terminal device
CN110516444B (en) * 2019-07-23 2023-04-07 成都理工大学 Cross-terminal and cross-version Root attack detection and protection system based on kernel
CN110677415A (en) * 2019-09-29 2020-01-10 信阳农林学院 Network information safety protection system
CN111953668B (en) * 2020-07-30 2023-04-07 中国工商银行股份有限公司 Network security information processing method and device
CN113778991A (en) * 2021-09-14 2021-12-10 珠海市新德汇信息技术有限公司 Method for realizing resource access control of big data

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104079528A (en) * 2013-03-26 2014-10-01 北大方正集团有限公司 Method and system of safety protection of Web application
CN105786630A (en) * 2016-02-26 2016-07-20 浪潮通用软件有限公司 Web API regulating and controlling method based on middleware
CN106209746A (en) * 2015-05-07 2016-12-07 阿里巴巴集团控股有限公司 A kind of safety service provides method and server
CN106790007A (en) * 2016-12-13 2017-05-31 武汉虹旭信息技术有限责任公司 Web attack defending systems and its method based on XSS and CSRF

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102082780B (en) * 2009-11-30 2014-03-05 国际商业机器公司 Method and device for verifying security


Also Published As

Publication number Publication date
CN107204982A (en) 2017-09-26


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant