CN103605925A - Webpage tampering detecting method and device - Google Patents
Webpage tampering detecting method and device Download PDFInfo
- Publication number
- CN103605925A CN103605925A CN201310629297.3A CN201310629297A CN103605925A CN 103605925 A CN103605925 A CN 103605925A CN 201310629297 A CN201310629297 A CN 201310629297A CN 103605925 A CN103605925 A CN 103605925A
- Authority
- CN
- China
- Prior art keywords
- webpage
- chain
- black
- detection
- distorting
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
Abstract
The invention discloses a webpage tampering detecting method and device. The method comprises the steps that tempered detection scripts are inserted in webpages; a browser executes the tampered detection scripts and detects whether the webpages are tampered or not; the webpages are reported to a detection server if the webpages are tampered. According to the technical scheme, the webpage tempering detecting method solves the problem that in the prior art, efficiency is low due to centralized detection, and greatly improves webpage safety on the condition of not influencing a user to access the webpages.
Description
Technical field
The present invention relates to security fields, computer website, particularly relate to a kind of detection method and device of webpage tamper.
Background technology
Along with the fast development of internet, on internet, Websites quantity is also more and more.Many websites are all physical mechanism and are organized in the image display in internet.And some have bad attempt tissue or individual by weak passwurd, the leak of scanning server, then attack website and it carried out to malice and distort.
Although safety precaution means such as existing fire wall, intrusion detections at present, the complicacy of modern operating system and diversity cause system vulnerability to emerge in an endless stream, hard to guard against.Hacker attacks happens occasionally with the event of distorting the page.For this, webpage tamper resistant systems is arisen at the historic moment.For example, to webpage, hang malice link, as black chain, the link of extension horse etc., these are main forms of webpage tamper.
At present, below main employing, two class modes detect webpage tamper content both at home and abroad:
(1) static nature matching way:
By the HTML text in feature string (key word artificially collecting in a large number) coupling webpage, to judge whether it is added into malice link.
(2) in web page distribution system, increase web page contents audit and verification scheme:
In web page distribution system, build a web page contents real-time detecting system, the content of all webpage issues is all passed through this system, after confirming, could issue, also set up web page contents fingerprint base simultaneously, distort detection system by periodic scanning web page contents and fingerprint base content to recently finding whether webpage is distorted by black chain.
In prior art, conventionally by special webpage tamper resistant systems or search engine, webpage tamper is detected.It is by first by the webpage from source station download user request, and utilize the web page contents described in feature rule match of distorting distort in feature database, if find with described in distort the content that feature rule matches, think that this webpage is tampered, otherwise send it to user.The described feature rule of distorting is represented by regular expression conventionally, and use matching regular expressions web page contents is more consuming time, inefficiency, and real-time is poor.Webpage tamper mode emerges in an endless stream at present, day by day change, distort distorting feature rule and also will increase thereupon in feature rule base, this just means that detection all will expend ample resources each time, and user experiences not good, cause user to decline to the expectation value of website, for some business websites, this will be fatal.
Therefore need a kind of method of new detection webpage tamper, do not affecting under the prerequisite of user's accessed web page speed, the security of website is provided, for user provides service better.
Summary of the invention
For solving the above-mentioned problems in the prior art, the present invention proposes a kind of detection method of webpage tamper, in the situation that having no to perceive, user detects the content of distorting in webpage, for user provides best security service.
According to an aspect of the present invention, the detection method that it provides a kind of webpage tamper, comprising:
In webpage, embed and distort detection script;
Whether browser is distorted detection script described in carrying out, detect described webpage and be tampered;
If described webpage is tampered, described webpage is reported to detection server.
Alternatively, described in, distort detection script by judging whether whether detected described webpage by extension Malaysia in described webpage is tampered.
Alternatively, described in, distort detection script by judging whether whether exist black chain to detect described webpage in described webpage is tampered.
Alternatively, also comprise:
Whether the webpage that judgement reports is present in white list or blacklist, and wherein, described white list and blacklist are stored in described detection server;
If described webpage is present in white list, do not deal with;
If described webpage is present in blacklist, deposits altered data storehouse in, and give the alarm.
Alternatively, also comprise:
In described detection server, reported webpage is further detected.
Alternatively, described webpage is carried out further detecting and comprising in described detection server:
According to distorting feature database, detect the content of distorting in webpage, distort the black word-Hei chain pair in content described in extraction, described black word-Hei chain is to being comprised of black word and corresponding black chain thereof;
If the right frequency of occurrences of described black word-Hei chain, higher than predetermined threshold, is deposited in black word-Hei chain storehouse;
According to black word-Hei chain storehouse, detect the content of distorting in webpage;
If link corresponding to black word occurring in webpage to be detected is present in the black chain that in described black word-Hei chain storehouse, this black word is corresponding, concentrate, determine that this webpage to be detected is tampered.
Alternatively, described in, give the alarm and comprise:
The information of distorting is sent to announcement server;
Described announcement server sends described warning information by mail/short message mode to webmaster.
Alternatively, described in, distorting detection script is Javascript script.
According to a further aspect in the invention, the pick-up unit that it also provides a kind of webpage tamper, comprising:
Merge module, for embedding and distort detection script at webpage;
Whether browser module is distorted detection script described in carrying out, detect described webpage and be tampered;
Reporting module, if described webpage is tampered, it reports detection server by described webpage.
Alternatively, described in, distort detection script by judging whether whether detected described webpage by extension Malaysia in described webpage is tampered.
Alternatively, described in, distort detection script by judging whether whether exist black chain to detect described webpage in described webpage is tampered.
Alternatively, also comprise:
Judge module, for judging whether reported webpage is present in white list or blacklist, wherein, described white list and blacklist are stored in described detection server; If described webpage is present in white list, do not deal with; If described webpage is present in blacklist, deposits altered data storehouse in, and give the alarm.
Alternatively, also comprise:
Detection module, further detects for the webpage to reported.
Alternatively, described detection module comprises:
Extraction module, it detects the content of distorting in webpage according to distorting feature database, distorts the black word-Hei chain pair in content described in extraction, and described black word-Hei chain is to being comprised of black word and corresponding black chain thereof;
Storehouse generation module, it, deposits black word-Hei chain in black word-Hei chain storehouse in during higher than predetermined threshold in the right frequency of occurrences of described black word-Hei chain;
Detection sub-module: it detects the content of distorting in webpage according to black word-Hei chain storehouse, concentrates if link corresponding to black word occurring in webpage to be detected is present in the black chain that in described black word-Hei chain storehouse, this black word is corresponding, determines that this webpage to be detected is tampered.
Alternatively, described judge module further comprises:
Alarm modules, it is sent to notification module by the information of distorting;
Notification module, it sends described warning information by mail/short message mode to webmaster.
Alternatively, described in, distorting detection script is Javascript script.
Visible, detection method and the device of the above-mentioned webpage tamper that the present invention proposes by embedding and distort detection script in webpage source code, are detected webpage by browser in user's open any browser.And the detection script of distorting in the such scheme that the present invention proposes adopts javascript script, and it is only carried out on backstage afterwards in startup, on user, can not produce any impact.This detection method has overcome the inefficiency problem that in prior art, centralized detecting is brought, and has greatly improved web portal security when not affecting user's accessed web page.
Accompanying drawing explanation
Fig. 1 is the detection method process flow diagram of a kind of webpage tamper of proposing of the present invention;
Fig. 2 detects server according to the method flow diagram that content is processed of distorting that reports webpage in the embodiment of the present invention;
Fig. 3 detects server to reporting the further detection method process flow diagram of webpage in the embodiment of the present invention;
Fig. 4 is the structure of the detecting device figure of a kind of webpage tamper of proposing of the present invention;
Fig. 5 detects in the present invention in server reporting webpage to do the structure drawing of device of further detection.
Embodiment
For making the object, technical solutions and advantages of the present invention clearer, below in conjunction with specific embodiment, and with reference to accompanying drawing, the present invention is described in further detail.
Fig. 1 shows the detection method process flow diagram of a kind of webpage tamper of the present invention's proposition.As shown in Figure 1, the method comprises:
Step 101: embed and distort detection script in webpage;
Step 102: distort detection script described in browser execution, detect described webpage and whether be tampered;
Step 103: if described webpage is tampered, described webpage is reported to detection server.
Each step that according to specific embodiment, the present invention is proposed the detection method of above-mentioned webpage tamper is below elaborated.
In step 101, in webpage, embed and distort detection script.
So-called webpage tamper is exactly that some have the tissue of bad attempt or individual by weak passwurd, the leak of scanning server, obtains after the account authority of website, and the webpage source code of website is carried out to malicious modification.Most typical a kind of alter mode is exactly in webpage source code, to insert malice link, as hung horse link and black chain etc.
Webpage is the fundamental element that forms website, and webpage is all to write by HTML (Hypertext Markup Language) (html language) file forming conventionally, and it need to be read by browser.And while opening certain webpage by browser, browser is carried out corresponding html file, according to the word of the form display web page in html file, picture etc.Hacker obtains by variety of way after the administrator right of website, to the webpage source code on this website, is that its corresponding html file is modified, and some bad elements therein, as black chain with hang horse link etc.And the black chain that hacker implants in webpage and extension horse link user often cannot discover, it may be by rewriting html file corresponding to webpage, black chain or the link of extension horse are stashed, as the display format of black chain or the link of extension horse is set to outside invisible or browser display area, or be hidden in pictures bottom etc.When user opens by browser the webpage that this is tampered, just may directly turn to the malicious websites with trojan horse, or directly carry out trojan horse etc.
To the testing mechanism of webpage tamper, is at present by special testing tool or search engine centralized detecting, to detecting after the first pre-download of the webpage of user's request, and detect by after send to user.This can cause user's access speed to decline when more and/or access websites user is more in website.
Given this, the present invention proposes the detection script of distorting that detects webpage tamper content to be directly embedded in the html file that webpage source code is webpage, particularly, can directly scripted code be inserted in the leader label head or content tab body of html file.Like this, the testing of webpage tamper can be distributed to each user side, can improve detection efficiency.
Alternatively, in the present invention, distorting detection script adopts Javascript script to realize.Javascript is a kind of based on object and event-driven and have the client script language of relative safety.Also be a kind of script that is widely used in client Web exploitation, be commonly used to add dynamic function to Html webpage simultaneously.
Javascript shell script is plain text statement, do not need compiling, so it can directly explain execution by browser.At the Javascript statement whether detection webpage is tampered, be embedded in the html file that webpage is corresponding, whether user just can trigger this Javascript script and carry out corresponding operating when opening this webpage, with the content detecting in webpage, be tampered.
Adopt the mode of Javascript script embedding except improving detection speed, another advantage is that Javascript shell script is only carried out on backstage, and user is invisible to it, therefore can not hinder other operation of user.
With embedding Javascript script, illustrate and how in the leader label head of html file, to embed and to distort detection script below:
For html file:
<html?xmlns=
http://www.XXXX.cn/xhtml>
<head>
<title> welcomes access XXXX website! </title>
</head>
Embed Javascript script afterwards as follows:
In the present invention, except using Javascript script, can also use other any scripts that can be embedded in webpage, as long as browser can be explained execution, the present invention does not do concrete restriction to this.
Step 102: distort detection script described in browser execution, detect described webpage and whether be tampered.
Browser receives after webpage html file, load this html file and show corresponding web page, start afterwards to carry out the detection script of distorting of inserting in html file leader label head, by the described detection script of distorting, detect in the webpage source code that user opens and whether exist and distort content.
Described detection mode of distorting detection script can have multiple, in one embodiment of the invention, distorts detection script by judging whether whether detected described webpage by extension Malaysia in described webpage is tampered.
So-called extension horse, be exactly that hacker is by various means, comprise that SQL injects, the scanning of website sensitive document, server leak, the whole bag of tricks such as procedure site Oday obtain webmaster's account, then log in backstage, website, by state's database backup/restoration or upload leak and obtain a webshell, utilize the webshell obtaining to revise the content of Website page, in webpage, add malice to turn to code, hang horse link.When user's access is added into the page of hanging horse link, accesses automatically the address being diverted or download trojan horse.If entered the website that is hung horse, trojan horse be can infect, and a large amount of valuable documentation and account password lost, it is very harmful.
Hang horse link fundamental purpose and be and disseminate trojan horse or gain flow by cheating and clicking rate etc.The inserted mode of hanging horse link is varied, as hung the insertion of horse link by iframe framework:
<iframe?src=http://www.xxx.com/example.html?width=Oheight=O><iframe>
The above-mentioned statement list being inserted in webpage source code be shown in open a certain website "
www.xxx.com" time, open another webpage " example.html ", and " example.html " webpage very likely comprises a large amount of trojan horses, also may be only used to defraud of flow or clicking rate.Hang Malaysia side formula varied, above only for illustrating, those skilled in the art are to be understood that the extension Malaysia side formula relating in the present invention is not limited to this.
In another embodiment of the present invention, distort detection script by judging whether whether exist black chain to detect described webpage in described webpage is tampered.
The main target of inserting black chain is exactly to promote own rank in search engine.WWW becomes the carrier of bulk information, and for effectively extracting and utilize these information, search engine (Search Engine), as the instrument of auxiliary people's retrieving information, becomes entrance and guide that user accesses WWW.
For example, after certain website of newly opening rank in search engine is leaned on very much, high (rank is good for certain right afterwards, quality is high) website and this website of newly opening link, since search engine will think that this website of newly opening can do upper link with the high website of such weight so, its weight can be not low yet so, so the rank of this website in search engine will promote.If there is the website that a plurality of weights are high also all to link with this website, its rank will rise very soon so.
Otherwise the weight of a new website can be very not high, so search engine can not given its very high rank, after its rank in Search Results will relatively be leaned on.This specific character for search engine, some instrument provides black chain technology at present, by the invasion high website of some weights, after invading successfully, the link of website is inserted in the page of invaded website, thereby realize the effect of link, and by hiding web site url, make others can't see any link.
Yet, adopt at present black chain technology to realize that search rank promotes, quite a few is that game private takes the dangerous websites such as website, Trojan for stealing numbers website, fishing website and advertisement website.For these dangerous websites, search engine can not given their very high ranks, but by " black chain ", their rank will be very forward, in this case, when using search engine, click open the probability of these websites will be very high, if user does not carry out security protection work, will easily will infect the virus on website so.
In existing black chain technology, hiding chain is connected to some fixedly skills, and for example search engine is not fine to the identification of javascript, by javascript, exports hiding div.Like this, manually directly by the page, cannot see these links, and search engine to confirm as these links be effective.Code is: first by javascript, write div above, it is none that display is set.Then export a table, in table, comprised the black chain that will hang.Finally by javascript, export latter half div again.
For example, statement below hacker inserts by the source code at webpage, realize the object of inserting black chain in target web:
<a href=" http://www.45u.com " style=" margin-left:-83791; " the private clothes issue of > legend </a>
Wherein, by style=is set " margin-left:-83791; ", make this black chain invisible in webpage.
In the embodiment of the present invention, for black chain and/or hang horse and connect and wait malice link, distorting detection script can be by the html file of webpage being resolved to DOMTree, and the DOMTree file obtaining after parsing is detected.DOM is the abbreviation of document object mould model (Document ObjectModel), and DOM Tree refers to by DOM html page is resolved, and generates HTML tree tree structure and corresponding access method.By DOM Tree, can be directly and operate easily each tag content on html page.
The black chain of take detects as example and is illustrated.For the black chain form below of inserting in webpage:
<a href=" http://www.45u.com " style=" display:none; " the private clothes issue of > legend </a>.
Distorting detection script can write as follows:
The above-mentioned detection script of distorting is obtained " a " mark by the DOM Tree file from parsing when carrying out, and this mark heel with style be " display:none ", the display format of the content after this mark, for not showing, tentatively assert that it is for distorting content.Because hacker finds the black chain of its insertion and hangs horse link in order to prevent user, its display format is set to invisible conventionally.Therefore distorting detection script can the inserted mode based on black chain and/or malice link write.
Step 103: if described webpage is tampered, described webpage is reported to detection server.
In this step, browser utilization is distorted after detection script detects described webpage and be tampered, and the webpage that this is tampered reports detection server.
Described detection server, after the webpage being tampered described in receiving, is notified the portal management personnel of this webpage, and described keeper can repair leak by revising webpage source code and administration authority.In order to reduce rate of false alarm, alternatively, described detection server is according to reporting the content of distorting of webpage to do further processing.
Fig. 2 shows in the present invention and detects server according to the method flow diagram that content is processed of distorting that reports webpage.As shown in Figure 2, the method comprises:
Step 201: distorting content and whether be present in white list or blacklist in the webpage that reports of judgement, wherein, described white list and blacklist are stored in described detection server;
Step 202: if the content of distorting of described webpage is present in white list, do not deal with;
Step 203: if the content of distorting of described webpage is present in blacklist, deposits altered data storehouse in, and give the alarm.
Described blacklist and white list can be collected acquisition by empirical value and from reliable third party, in white list storage, be defined as the link of normal website, and in blacklist, store some viral websites, sex service website or the link of definite malicious websites etc. in the process detecting.The renewal of blacklist and white list can also be undertaken by each webmaster's feedback.
Alternatively, in order to improve accuracy rate, detect server and also the webpage reporting is done to further detection.Owing to distorting detection script, be the detection script being embedded in webpage, as javascript script, its detectability is limited after all, in order to ensure accuracy rate, detects server the webpage reporting is done to further detection.
The black chain of take below in tamper detection content detects server to reporting the further testing process of webpage as example illustrates.Although it will be appreciated by those skilled in the art that below the method step of introducing for black chain, be not limited to detect black chain, use similar method can also detect other and maliciously link as hung horse link etc.In addition, can also adopt corresponding mode to detect other and distort content.
Fig. 3 shows in the embodiment of the present invention and detects server to reporting the further detection method process flow diagram of webpage.As shown in Figure 3, the method comprises:
Step 301: detect the content of distorting in webpage according to distorting feature database, distort the black word-Hei chain pair in content described in extraction, described black word-Hei chain is to being comprised of black word and corresponding black chain thereof;
Step 302: if the right frequency of occurrences of described black word-Hei chain is higher than predetermined threshold, deposited in black word-Hei chain storehouse;
Step 303: detect the content of distorting in webpage according to black word-Hei chain storehouse;
Step 304: concentrate if link corresponding to black word occurring in webpage to be detected is present in the black chain that in described black word-Hei chain storehouse, this black word is corresponding, determine that this webpage to be detected is tampered.
In the present invention, described detection server first detects the content of distorting in webpage according to distorting feature database.The described feature database of distorting is comprised of a plurality of regular expressions of distorting keyword and/or malice link.For webpage to be detected, first obtain its source code, then utilize source code described in the existing matching regular expressions of distorting in feature database, to obtain the content consistent with regular expression.If hit the content in webpage to be detected by the regular expression of distorting in feature database, illustrate in this webpage to be detected and exist and distort content.
Regular expression is for carrying out the instrument of text matches, conventionally some common characters and some metacharacters (metacharacters), consists of.Common character comprises the letter and number of capital and small letter, and metacharacter has special implication.The coupling of regular expression can be understood as, and in given character string, finds the part matching with given regular expression.Likely in character string, have a more than part to meet given regular expression, at this moment each such part is called as a coupling.Coupling can comprise three kinds of implications in this paper: a kind of part of speech of describing, such as expression formula of a string matching; Be a verb, such as in character string, mate regular expression; It is nominal also having a kind of, is exactly " the meeting a part for given regular expression in character string " just having mentioned.
Below by way of example the create-rule of regular expression is described.
Suppose to search hi, can use regular expression hi.This regular expression can the such character string of exact matching: two characters, consist of, previous character is h, and latter one is i.In practice, regular expression can ignorecase.If all comprise these two continuous characters of hi in a lot of words, such as him, history, high etc.With hi, search, the hi of this this word the inside also can be found out.If accurately search this word of hi, should use bhi b.Wherein, b be a metacharacter of regular expression, it is representing beginning or the ending of word, the namely boundary of word.Although conventionally English word is separated by space or punctuation mark or line feed, b does not mate any one in these word separators, and it only mates a position.If that look for is an and then Lucy nearby after hi, should with bhi b.* bLucv b.Wherein. be another metacharacter, any character of coupling except newline.* be metacharacter equally, what its represented is quantity---specify * content in front can repeat continuously any time so that whole expression formula is mated.Now bhi b.* bLucv b the meaning just clearly: then a word hi is before this any character (but can not be line feed) arbitrarily, is finally this word of Lucy.
For example, distort that in feature database, to distort regular expression corresponding to feature rule as follows:
<script.*?>document\.write.*?\(.*?\+.*?\+.*?\+.*?\+.*?\+.*?\).*?</script>([\S\s]+?)</div>
The web page element of this regular expression match hit in webpage can be:
<script>document.write(′<d′+′iv?st′+′yle′+′=″po′+′si′+′tio′+′n:a′+′bso′+′lu′+′te;l′+′ef+′t:′+′-′+′10′+′00′+′0′+′p′+′x;′+″′′+′>′)>××××<script>document.write(′<′+′/d′+′i′+′v>′);</script>
Visible, distort regular expression corresponding to feature rule and for mating webpage, there is the web page contents of specific format, as have " <script>document.write " and " <script>document.write (' < '+'/d '+' i '+' v> '); </script> " content etc. of element.
Or as, it is as follows that another distorts regular expression corresponding to feature rule:
<a\s*href\s*=[″\′].+?[″\′]\s*style=[″\′][\w+\-]+:-[0-9]+.*?[″\′].*?>.*?</a>。
By this, distorting the page elements that feature rule can hit can be:
<a?href=“http://www.45u.com”style=”margin-left:-83791;”>;
This regular expression is used for mating webpage and occurs having the negative value web page contents of (negative value represent it in viewing area do not show) in " <a href=" and its value of distorting keyword " style " of following below.
Certainly, the expression mode of above-mentioned regular expression is only as example, and it is all feasible that those skilled in the art adopt the expression mode of any regular expression according to actual conditions, the application to this without being limited.
In the embodiment of the present invention, detect server and can analyze page elements position and the display mode in described webpage to be detected by described matching regular expressions, judge whether it is the content being tampered.For example, judge when black chain is distorted, whether the position that can judge the page elements in described webpage to be detected by matching regular expressions is within the scope of predetermined threshold value, or whether described page elements has sightless attribute, and/or, whether described page elements is hidden etc. browser, if so, judges that described page elements in the described page to be detected is as being tampered content.For example, if the hyperlink of certain page detected, be sightless, or in the page, the length and width height of certain html tag element is negative value, can judge the content that this page is tampered.
Whether in the embodiment of the present invention, detecting server can also by there is the keyword of distorting of fixed malice link and/or its correspondence in webpage to be detected described in matching regular expressions, and whether it is tampered to carry out interpretation.Detect server and also from described distorting content, extract black word-Hei chain pair, described black word-Hei chain is to being comprised of black word and corresponding black chain thereof.For example, above-mentioned hit content ' <ahref=" http://www.45u.com " style=that distorts " margin-left:-83791; " black word-Hei chain in the private clothes issue of > legend </a> ' is to being: the private clothes issue of legend-
http:// www.45u.com.In existing page detection method, conventionally be all that the feature rule of distorting of distorting in feature database is mated the source code of webpage to be detected, the described feature rule of distorting is for having the connection of certain format for mating web page contents, in testing process, if hit, distort feature rule and think that this webpage is tampered, if do not hit, think that webpage to be detected is safe, displays it to user.But the inserted mode of current black chain emerges in an endless stream, day by day change.And fixing the distorting feature database or utilize manually and upgrade and distort the paces that feature database does not obviously catch up with hacker of use.
Based on this, detection server of the present invention, after detecting webpage and being tampered, also extracts black word-Hei chain pair from distort content, so as afterwards according to this black word-Hei chain to webpage is further detected.
Generally, in the web page contents being tampered, black word-Hei chain all can correspondence specifically be distorted keyword.Alternatively, when extracting black word-Hei chain, extract the distort keyword corresponding with it, to further utilize.
For example: black chain below:
<a href=" http://www.45u.com " style=" display:none; " the private clothes issue of > legend </a>.
The keyword of distorting therefrom extracting can be " display:none ", and it represents that the display properties of this black word-Hei chain is invisible.
In step 301, black word-Hei chain pair of every extraction, is all stored in data storage server.
In the solution of the present invention, in order to improve the accuracy rate of detection, be specially provided with black word-Hei chain storehouse.In described black word-Hei chain storehouse for storing black word-Hei chain pair of frequent appearance.In the embodiment of the present invention, by extracted black word-Hei chain to when being stored in data storage server, also add up the number of times of its appearance, if count the right occurrence number of certain black word-Hei chain, surpass the first predetermined threshold, by this black word-Hei chain to being stored in black word-Hei chain storehouse.
Black word-Hei chain can be selected according to specific needs to the storage mode in black word-Hei chain storehouse.Alternatively, can be by described black word-Hei chain to being stored as the mode of black chain collection, the mode of the corresponding black chain collection of each black word is stored.
For example: the black word-Hei chain in black word-Hei chain storehouse is to following storage:
Black word 1---and black chain 1, black chain 2, black chain 3 ..., black chain m1}
……
Black word n---and black chain 1, black chain 2, black chain 3 ..., black chain mn}
Alternatively, the black chain set in described black word-Hei chain storehouse can be ordered set, and the number of times of concentrating black chain to occur according to black chain sorts to it, and what number of times was maximum makes number one, and as black chain 1, coming of least number of times is last, as black chain n.In storing process, black word-Hei chain pair of every acquisition, according to black word wherein, search in black word-Hei chain storehouse whether had this black word, if existed, search the black chain that this black word is corresponding and concentrate the black chain that whether has described black word-Hei chain centering, if exist, upgrade the rank of this black chain, otherwise be inserted into the tail end at black chain collection; If there is not the described black word of black word-Hei chain centering in black word-Hei chain storehouse, re-establish a black word with and corresponding black chain collection.
Alternatively, for improving the accuracy rate detecting, the present invention not only utilizes and distorts the content of distorting that feature database detects webpage, and it also utilizes black word-Hei chain storehouse to detect webpage.Owing to distorting, feature database is relatively stable and upgrade not in time, therefore for a lot of emerging black word-Hei chains, utilizes and distorts feature database and cannot detect in time and distort content.Therefore,, in the solution of the present invention, to distorting the content of distorting that rule base detects according to described, also according to described black word-Hei chain storehouse, detect.
In the embodiment of the present invention, utilize black word-Hei chain storehouse to detect webpage, to mate described web page contents by the black word in black word-Hei chain storehouse, if the content that the black word in webpage in existence and described black word-Hei chain storehouse matches, tentatively assert that this webpage is tampered, extract and tentatively distort accordingly content.
Alternatively, for tentatively distorting content, further check again this tentatively distorts in content whether have the black chain that described black word is corresponding, can mate black chain that black chain that this black word is corresponding concentrates and whether be present in this and tentatively distort in content, if the match is successful, think that this webpage is tampered.
Alternatively, the black chain coupling of utilizing black chain that black word is corresponding to concentrate is of living in while tentatively distorting content, described tentatively distorting in content can be set and have the forward black chain of rank, while there is the black chain before the concentrated precalculated position of black chain that described black word is corresponding, just think that this webpage is tampered.Described precalculated position can be as required and experience preset, if the object detecting is to look into as much as possible entirely, what described precalculated position can arrange is relatively large, if the object detecting is to look into as much as possible standard, what described precalculated position can arrange is relatively little.
Detecting server to reporting in the further testing process of webpage, why select first with black word, to mate, is because black word matching speed is fast and directly do not use black chain to mate, and efficiency is higher.If directly by black chain coupling, owing to forming, the character of black chain and/or letter etc. are more, and matching speed is obviously not as good as being directly that black word mates with word.Visible, the such scheme that the present invention proposes has been taken into account accuracy rate and efficiency that webpage tamper detects, makes whole testing process consumption of natural resource less, and accuracy rate also has greatly raising.
In such scheme of the present invention, once detect definite the reporting in webpage of server, really exist and distort after content, will give the alarm.Described alarm can first send to announcement server, distorts the warning informations such as content, corresponding info web and send to announcement server described in being about to, and announcement server sends to webmaster by the information of distorting described in the mode general of mail or note.Webmaster repairs by revising the modes such as webpage source code, webmaster's account password after receiving warning information.
In the such scheme that the present invention proposes, by embedding and distort detection script in webpage, distorting of webpage detected and be distributed to each user side execution, and the form of using webpage to embed script is carried out trace routine on backstage, invisible to user, do not hinder other operation of user.The browser of user side is carried out and is distorted after detection script detects webpage and be tampered by explanation, reported detection server, detect server and send a warning by it is further detected to backward portal management personnel, for website provides web portal security, detect service.This programme has not only improved the detection efficiency that web portal security detects, and also the further detection by black and white lists and this mode of chain as black in black word has improved the accuracy rate detecting.
Fig. 4 shows the structure of the detecting device figure of the webpage tamper of the present invention's proposition.As shown in Figure 4, this device comprises:
Whether browser module 402 is distorted detection script described in carrying out, detect described webpage and be tampered;
Described in embodiment of the method as shown in Figure 1, in said apparatus of the present invention, merge module 401 is directly embedded into the detection script of distorting that detects webpage tamper content in the html file that webpage source code is webpage.Like this, the testing of webpage tamper can be distributed to each user side, can improve detection efficiency.
Alternatively, in the present invention, distorting detection script adopts Javascript script to realize.Javascript shell script is plain text statement, do not need compiling, so it can directly explain execution by browser.At the Javascript statement whether detection webpage is tampered, be embedded in the html file that webpage is corresponding, whether user just can trigger this Javascript script and carry out corresponding operating when opening this webpage, with the content detecting in webpage, be tampered.
Adopt the mode of Javascript script embedding except improving detection speed, another advantage is that Javascript shell script is only carried out on backstage, and user is invisible to it, therefore can not hinder other operation of user.
In the present invention, except using Javascript script, can also use other any scripts that can be embedded in webpage, as long as browser can be explained execution, the present invention does not do concrete restriction to this.
Described detection mode of distorting detection script can have multiple, according to one embodiment of the invention, distorts detection script by judging whether whether detected described webpage by extension Malaysia in described webpage is tampered; According to another embodiment of the present invention, distort detection script by judging whether whether exist black chain to detect described webpage in described webpage is tampered.
In the embodiment of the present invention, for black chain and/or hang horse and connect and wait malice link, distorting detection script can be by the html file of webpage being resolved to DOM Tree, and the DOMTree file obtaining after parsing is detected.
The black chain of take detects as example and is illustrated.For the black chain form below of inserting in webpage:
<a href=" http://www.45u.com " style=" display:none; " the private clothes issue of > legend </a>.
Distorting detection script can write as follows:
It is above-mentioned that what distort detection script is by obtaining " a " mark the DOM Tree file from parsing, and this mark heel with style be " display:none ", the display format of the content after this mark, for not showing, tentatively assert that it is for distorting content.Because hacker finds the black chain of its insertion and hangs horse link in order to prevent user, its display format is set to invisible conventionally.Therefore distorting detection script can the inserted mode based on black chain and/or malice link write.
In this step, browser module 402 utilization is distorted after detection script detects described webpage and be tampered, and the webpage that reporting module 403 is tampered this reports detection server.
In the pick-up unit of above-mentioned webpage tamper disclosed by the invention, described merge module 401 can be positioned at and detect server, Website server or client, its particular location does not limit in the present invention, so long as have authority and can embed the turpitude script of distorting that detects webpage tamper content in the webpage of user request, all can.And described browser module 402 normally can be explained the browser of carrying out webpage source code, it is positioned at the client of sending request of access, and this module can be carried out the detection script of distorting being embedded in webpage.Described reporting module 403 is to be also positioned at the client of sending request of access conventionally, and it is distorted by executions in browser module 402 after detection script detects webpage and be tampered, and can report webpage to detection server.
Described detection server, after the webpage being tampered described in receiving, is notified the portal management personnel of this webpage, and described keeper can repair leak by revising webpage source code and administration authority.In order to reduce rate of false alarm, alternatively, described detection server is according to reporting the content of distorting of webpage to do further processing.
Described detection server comprises judge module, and described judge module is for judging distorting content and whether being present in white list or blacklist of reported webpage, and wherein, described white list and blacklist are stored in described detection server; If the content of distorting of described webpage is present in white list, do not deal with; If the content of distorting of described webpage is present in blacklist, deposits altered data storehouse in, and give the alarm.Described blacklist and white list can be collected acquisition by empirical value and from reliable third party, in white list storage, be defined as the link of normal website, and in blacklist, store some viral websites, sex service website or the link of definite malicious websites etc. in the process detecting.The renewal of blacklist and white list can also be undertaken by each webmaster's feedback.
Described judge module also comprises alarm modules and notification module, once definite, report in webpage and really exists and distort after content, and described alarm modules will give the alarm.Described in described alarm modules general, distort the warning informations such as content, corresponding info web and send to notification module, notification module sends to webmaster by the information of distorting described in the mode general of mail or note.Webmaster repairs by revising the modes such as webpage source code, webmaster's account password after receiving warning information.
Alternatively, in order to improve accuracy rate, detect server and also comprise that the webpage to reporting does the device of further detection.Owing to distorting detection script, be the detection script being embedded in webpage, as javascript script, its detectability is limited after all, in order to ensure accuracy rate, detects server and also comprises that the webpage to reporting does the device of further detection.
The black chain of take below in tamper detection content detects in server reporting webpage to do the device of further detection as example illustrates.Although it will be appreciated by those skilled in the art that below that by the device of introducing, for black chain, it is not limited to detect black chain, uses similar device can also detect other and maliciously links as hung horse link etc.In addition, can also adopt corresponding mode to detect other and distort content.
Fig. 5 shows in the embodiment of the present invention and detects on server reporting webpage to do the structure drawing of device of further detection.As shown in Figure 5, this device comprises:
Extraction module 501: detect the content of distorting in webpage according to distorting feature database, distort the black word-Hei chain pair in content described in extraction, described black word-Hei chain is to being comprised of black word and corresponding black chain thereof;
Storehouse generation module 502: if the right frequency of occurrences of described black word-Hei chain is higher than predetermined threshold, black word-Hei chain is deposited in black word-Hei chain storehouse;
Detection sub-module 503: detect the content of distorting in webpage according to black word-Hei chain storehouse, concentrate if link corresponding to black word occurring in webpage to be detected is present in the black chain that in described black word-Hei chain storehouse, this black word is corresponding, determine that this webpage to be detected is tampered.
In the embodiment of the present invention, described extraction module 501 can be analyzed page elements position and the display mode in described webpage to be detected by described matching regular expressions, judges whether it is the content being tampered.For example, judge when black chain is distorted, whether the position that can judge the page elements in described webpage to be detected by matching regular expressions is within the scope of predetermined threshold value, or whether described page elements has sightless attribute, and/or, whether described page elements is hidden etc. browser, if so, judges that described page elements in the described page to be detected is as being tampered content.For example, if the hyperlink of certain page detected, be sightless, or in the page, the length and width height of certain html tag element is negative value, can judge the content that this page is tampered.
In the embodiment of the present invention, whether described extraction module 501 can also by there is the keyword of distorting of fixed malice link and/or its correspondence in webpage to be detected described in matching regular expressions, and whether it is tampered to carry out interpretation.
In the present invention, described extraction module 501 extracts black word-Hei chain pair from described distorting content, and described black word-Hei chain is to being comprised of black word and corresponding black chain thereof.For example, above-mentioned hit content ' <a href=" http://www.45u.com " style=that distorts " margin-left:-83791; " black word-Hei chain in the private clothes issue of > legend </a> ' is to being: the private clothes issue of legend-
http:// www.45u.com.In existing page detection method, conventionally be all that the feature rule of distorting of distorting in feature database is mated the source code of webpage to be detected, the described feature rule of distorting is for having the connection of certain format for mating web page contents, in testing process, if hit, distort feature rule and think that this webpage is tampered, if do not hit, think that webpage to be detected is safe, displays it to user.But the inserted mode of current black chain emerges in an endless stream, day by day change.And use fixing distorting feature database or utilize renewal manually to distort feature database obviously not catch up with paces.
Based on this, the present invention is after detecting webpage and being tampered, and extraction module 501 extracts black word-Hei chain pair from distort content, so as afterwards according to this black word-Hei chain to webpage is further detected.
Generally, in the web page contents being tampered, black word-Hei chain all can correspondence specifically be distorted keyword.Alternatively, when extracting black word-Hei chain, extract the distort keyword corresponding with it, to further utilize.
For example: black chain below:
<a href=" http://www.45u.com " style=" display:none; " the private clothes issue of > legend </a>.
The keyword of distorting therefrom extracting can be " display:none ", and it represents that the display properties of this black word-Hei chain is invisible.
Black word-Hei chain pair of the every extraction of extraction module 501, is all stored in data storage server.
In the solution of the present invention, in order to improve the accuracy rate of detection, be specially provided with black word-Hei chain storehouse.In described black word-Hei chain storehouse for storing black word-Hei chain pair of frequent appearance.In the embodiment of the present invention, by extracted black word-Hei chain to when being stored in data storage server, described storehouse generation module 502 is also added up the number of times of its appearance, if count the right occurrence number of certain black word-Hei chain, surpass the first predetermined threshold, by this black word-Hei chain to being stored in black word-Hei chain storehouse.
Black word-Hei chain can be selected according to specific needs to the storage mode in black word-Hei chain storehouse.Alternatively, can be by described black word-Hei chain to being stored as the mode of black chain collection, the mode of the corresponding black chain collection of each black word is stored.
For example: the black word-Hei chain in black word-Hei chain storehouse is to following storage:
Black word 1---and black chain 1, black chain 2, black chain 3 ..., black chain m1}
……
Black word n---and black chain 1, black chain 2, black chain 3 ..., black chain mn}
Alternatively, the black chain set in described black word-Hei chain storehouse can be ordered set, and the number of times of concentrating black chain to occur according to black chain sorts to it, and number of times is maximum comes the-position, and as black chain 1, coming of least number of times is last, as black chain n.In storing process, black word-Hei chain pair of every acquisition, according to black word wherein, search in black word-Hei chain storehouse whether had this black word, if existed, search the black chain that this black word is corresponding and concentrate the black chain that whether has described black word-Hei chain centering, if exist, upgrade the rank of this black chain, otherwise be inserted into the tail end at black chain collection; If there is not the described black word of black word-Hei chain centering in black word-Hei chain storehouse, re-establish a black word with and corresponding black chain collection.
Alternatively, for improving the accuracy rate detecting, the present invention not only utilizes and distorts the content of distorting that feature database detects webpage, and it also utilizes black word-Hei chain storehouse to detect webpage.Owing to distorting, feature database is relatively stable and upgrade not in time, therefore for a lot of emerging black word-Hei chains, utilizes and distorts feature database and cannot detect in time and distort content.Therefore,, in the solution of the present invention, to distorting the content of distorting that rule base detects according to described, described detection sub-module 503 also detects according to described black word-Hei chain storehouse.
In the embodiment of the present invention, described detection sub-module 503 utilizes black word-Hei chain storehouse to detect webpage, to mate described web page contents by the black word in black word-Hei chain storehouse, if the content that the black word in webpage in existence and described black word-Hei chain storehouse matches, tentatively assert that this webpage is tampered, extract and tentatively distort accordingly content.
Alternatively, for tentatively distorting content, further check again this tentatively distorts in content whether have the black chain that described black word is corresponding, can mate black chain that black chain that this black word is corresponding concentrates and whether be present in this and tentatively distort in content, if the match is successful, think that this webpage is tampered.
Alternatively, the black chain coupling of utilizing black chain that black word is corresponding to concentrate is of living in while tentatively distorting content, described tentatively distorting in content can be set and have the forward black chain of rank, while there is the black chain before the concentrated precalculated position of black chain that described black word is corresponding, just think that this webpage is tampered.Described precalculated position can be as required and experience preset, if the object detecting is to look into as much as possible entirely, what described precalculated position can arrange is relatively large, if the object detecting is to look into as much as possible standard, what described precalculated position can arrange is relatively little.
In detection server, to reporting webpage to do the device of further detection, why selecting first with black word, to mate, is because black word matching speed is fast and directly do not use black chain to mate, and efficiency is higher.If directly by black chain coupling, owing to forming, the character of black chain and/or letter etc. are more, and matching speed is obviously not as good as being directly that black word mates with word.Visible, the such scheme that the present invention proposes has been taken into account accuracy rate and efficiency that webpage tamper detects, makes whole testing process consumption of natural resource less, and accuracy rate also has greatly raising.
Because described device embodiment is substantially corresponding to the embodiment of the method shown in earlier figures 1, therefore not detailed part in the description of the present embodiment can, referring to the related description in previous embodiment, just not repeat at this.
The detection method of A1, a kind of webpage tamper, comprising:
In webpage, embed and distort detection script;
Whether browser is distorted detection script described in carrying out, detect described webpage and be tampered;
If described webpage is tampered, described webpage is reported to detection server.
The detection method of A2, webpage tamper as claimed in claim 1, wherein, described in distort detection script by judging in described webpage that whether being hung Malaysia detects described webpage and whether be tampered.
The detection method of A3, webpage tamper as claimed in claim 1, wherein, described in distort detection script by judging whether whether exist black chain to detect described webpage in described webpage is tampered.
The detection method of A4, webpage tamper as claimed in claim 1, also comprises:
Distorting content and whether be present in white list or blacklist in the webpage that reports of judgement, wherein, described white list and blacklist are stored in described detection server;
If the content of distorting of described webpage is present in white list, do not deal with;
If the content of distorting of described webpage is present in blacklist, deposits altered data storehouse in, and give the alarm.
The detection method of A5, the webpage tamper as described in any one in claim 1-4, also comprises:
In described detection server, reported webpage is further detected.
The detection method of A6, webpage tamper as claimed in claim 5, wherein, described webpage is carried out further detecting and comprising in described detection server:
According to distorting feature database, detect the content of distorting in webpage, distort the black word-Hei chain pair in content described in extraction, described black word-Hei chain is to being comprised of black word and corresponding black chain thereof;
If the right frequency of occurrences of described black word-Hei chain, higher than predetermined threshold, is deposited in black word-Hei chain storehouse;
According to black word-Hei chain storehouse, detect the content of distorting in webpage;
If link corresponding to black word occurring in webpage to be detected is present in the black chain that in described black word-Hei chain storehouse, this black word is corresponding, concentrate, determine that this webpage to be detected is tampered.
The detection method of A7, webpage tamper as claimed in claim 4, wherein, described in give the alarm and comprise:
The information of distorting is sent to announcement server;
Described announcement server sends described warning information by mail/short message mode to webmaster.
The detection method of A8, the webpage tamper as described in any one in claim 1-4, wherein, described in to distort detection script be Javascript script.
The pick-up unit of A9, a kind of webpage tamper, comprising:
Merge module, for embedding and distort detection script at webpage;
Whether browser module is distorted detection script described in carrying out, detect described webpage and be tampered;
Reporting module, if described webpage is tampered, it reports detection server by described webpage.
The pick-up unit of A10, webpage tamper as claimed in claim 9, wherein, described in distort detection script by judging in described webpage that whether being hung Malaysia detects described webpage and whether be tampered.
The pick-up unit of A11, webpage tamper as claimed in claim 9, wherein, described in distort detection script by judging whether whether exist black chain to detect described webpage in described webpage is tampered.
The pick-up unit of A12, webpage tamper as claimed in claim 9, also comprises:
Judge module, for judging distorting content and whether being present in white list or blacklist of reported webpage, wherein, described white list and blacklist are stored in described detection server; If the content of distorting of described webpage is present in white list, do not deal with; If the content of distorting of described webpage is present in blacklist, deposits altered data storehouse in, and give the alarm.
The pick-up unit of A13, the webpage tamper as described in any one in claim 9-12, also comprises:
Detection module, further detects for the webpage to reported.
The pick-up unit of A14, webpage tamper as claimed in claim 13, wherein, described detection module comprises:
Extraction module, it detects the content of distorting in webpage according to distorting feature database, distorts the black word-Hei chain pair in content described in extraction, and described black word-Hei chain is to being comprised of black word and corresponding black chain thereof;
Storehouse generation module, it, deposits black word-Hei chain in black word-Hei chain storehouse in during higher than predetermined threshold in the right frequency of occurrences of described black word-Hei chain;
Detection sub-module: it detects the content of distorting in webpage according to black word-Hei chain storehouse, concentrates if link corresponding to black word occurring in webpage to be detected is present in the black chain that in described black word-Hei chain storehouse, this black word is corresponding, determines that this webpage to be detected is tampered.
The pick-up unit of A15, webpage tamper as claimed in claim 12, wherein, described judge module further comprises:
Alarm modules, it is sent to notification module by the information of distorting;
Notification module, it sends described warning information by mail/short message mode to webmaster.
The pick-up unit of A16, the webpage tamper as described in any one in claim 9-12, wherein, described in to distort detection script be Javascript script.
The such scheme that the present invention proposes can be used in numerous general or special purpose computingasystem environment or configuration.For example: personal computer, server computer, handheld device or portable set, plate equipment, multicomputer system, the system based on microprocessor, Set Top Box, programmable consumer-elcetronics devices, network PC, small-size computer, mainframe computer, comprise distributed computing environment of above any system or equipment etc.
The present invention can describe in the general context of the computer executable instructions of being carried out by computing machine, for example program module.Usually, program module comprises the routine carrying out particular task or realize particular abstract data type, program, object, assembly, data structure etc.Also can in distributed computing environment, put into practice the application, in these distributed computing environment, by the teleprocessing equipment being connected by communication network, be executed the task.In distributed computing environment, program module can be arranged in the local and remote computer-readable storage medium that comprises memory device.
Finally, also it should be noted that, in this article, relational terms such as the first and second grades is only used for an entity or operation to separate with another entity or operational zone, and not necessarily requires or imply and between these entities or operation, have the relation of any this reality or sequentially.And, term " comprises ", " comprising " or its any other variant are intended to contain comprising of nonexcludability, thereby the process, method, article or the equipment that make to comprise a series of key elements not only comprise those key elements, but also comprise other key elements of clearly not listing, or be also included as the intrinsic key element of this process, method, article or equipment.The in the situation that of more restrictions not, the key element being limited by statement " comprising ... ", and be not precluded within process, method, article or the equipment that comprises described key element and also have other identical element.
Above-described specific embodiment; object of the present invention, technical scheme and beneficial effect are further described; be understood that; the foregoing is only specific embodiments of the invention; be not limited to the present invention; within the spirit and principles in the present invention all, any modification of making, be equal to replacement, improvement etc., within all should being included in protection scope of the present invention.
Claims (10)
1. a detection method for webpage tamper, comprising:
In webpage, embed and distort detection script;
Whether browser is distorted detection script described in carrying out, detect described webpage and be tampered;
If described webpage is tampered, described webpage is reported to detection server.
2. the detection method of webpage tamper as claimed in claim 1, wherein, described in distort detection script by judging that whether being hung Malaysia in described webpage detects described webpage and whether be tampered.
3. the detection method of webpage tamper as claimed in claim 1, wherein, described in distort detection script by judging whether whether exist black chain to detect described webpage in described webpage is tampered.
4. the detection method of webpage tamper as claimed in claim 1, also comprises:
Distorting content and whether be present in white list or blacklist in the webpage that reports of judgement, wherein, described white list and blacklist are stored in described detection server;
If the content of distorting of described webpage is present in white list, do not deal with;
If the content of distorting of described webpage is present in blacklist, deposits altered data storehouse in, and give the alarm.
5. the detection method of the webpage tamper as described in any one in claim 1-4, also comprises:
In described detection server, reported webpage is further detected.
6. the detection method of webpage tamper as claimed in claim 5, wherein, described webpage is carried out further detecting and comprising in described detection server:
According to distorting feature database, detect the content of distorting in webpage, distort the black word-Hei chain pair in content described in extraction, described black word-Hei chain is to being comprised of black word and corresponding black chain thereof;
If the right frequency of occurrences of described black word-Hei chain, higher than predetermined threshold, is deposited in black word-Hei chain storehouse;
According to black word-Hei chain storehouse, detect the content of distorting in webpage;
If link corresponding to black word occurring in webpage to be detected is present in the black chain that in described black word-Hei chain storehouse, this black word is corresponding, concentrate, determine that this webpage to be detected is tampered.
7. the detection method of webpage tamper as claimed in claim 4, wherein, described in give the alarm and comprise:
The information of distorting is sent to announcement server;
Described announcement server sends described warning information by mail/short message mode to webmaster.
8. the detection method of the webpage tamper as described in any one in claim 1-4, wherein, described in to distort detection script be Javascript script.
9. a pick-up unit for webpage tamper, comprising:
Merge module, for embedding and distort detection script at webpage;
Whether browser module is distorted detection script described in carrying out, detect described webpage and be tampered;
Reporting module, if described webpage is tampered, it reports detection server by described webpage.
10. the pick-up unit of webpage tamper as claimed in claim 9, wherein, described in distort detection script by judging that whether being hung Malaysia in described webpage detects described webpage and whether be tampered.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310629297.3A CN103605925A (en) | 2013-11-29 | 2013-11-29 | Webpage tampering detecting method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310629297.3A CN103605925A (en) | 2013-11-29 | 2013-11-29 | Webpage tampering detecting method and device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN103605925A true CN103605925A (en) | 2014-02-26 |
Family
ID=50124146
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201310629297.3A Pending CN103605925A (en) | 2013-11-29 | 2013-11-29 | Webpage tampering detecting method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103605925A (en) |
Cited By (16)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104469496A (en) * | 2014-12-11 | 2015-03-25 | 北京国双科技有限公司 | Hotlinking detection method and device applied to video player |
| CN104484604A (en) * | 2014-12-31 | 2015-04-01 | 北京神州绿盟信息安全科技股份有限公司 | Method, scanner, device and system for identifying webpage distortion |
| CN104820589A (en) * | 2015-04-24 | 2015-08-05 | 美通云动(北京)科技有限公司 | Method and device for dynamically adapting webpage |
| CN105488091A (en) * | 2015-06-19 | 2016-04-13 | 哈尔滨安天科技股份有限公司 | Network data detection method and system based on keyword matching |
| CN105721249A (en) * | 2016-03-01 | 2016-06-29 | 浪潮软件集团有限公司 | Monitoring system and monitoring method for recovering external network webpage tampering and sending short message notification |
| CN106250761A (en) * | 2016-07-28 | 2016-12-21 | 广州爱九游信息技术有限公司 | A kind of unit identifying web automation tools and method |
| CN106326734A (en) * | 2015-06-30 | 2017-01-11 | 阿里巴巴集团控股有限公司 | Method and device for detecting sensitive information |
| CN106960058A (en) * | 2017-04-05 | 2017-07-18 | 金电联行(北京)信息技术有限公司 | A kind of structure of web page alteration detection method and system |
| CN107124430A (en) * | 2017-06-08 | 2017-09-01 | 腾讯科技(深圳)有限公司 | Pagejack monitoring method, device, system and storage medium |
| CN108156121A (en) * | 2016-12-02 | 2018-06-12 | 阿里巴巴集团控股有限公司 | The alarm method and device that the monitoring method and device of flow abduction, flow are kidnapped |
| CN109688130A (en) * | 2018-12-24 | 2019-04-26 | 北京奇虎科技有限公司 | Webpage kidnaps detection method, device and computer storage medium |
| CN110300111A (en) * | 2019-06-28 | 2019-10-01 | 北京金山云网络技术有限公司 | Page display method, device, terminal device and server |
| CN110968875A (en) * | 2019-12-03 | 2020-04-07 | 支付宝(杭州)信息技术有限公司 | Method and device for detecting permission vulnerability of webpage |
| CN111556036A (en) * | 2020-04-20 | 2020-08-18 | 杭州安恒信息技术股份有限公司 | Detection method, device and equipment for phishing attack |
| CN112152993A (en) * | 2020-08-17 | 2020-12-29 | 杭州安恒信息技术股份有限公司 | Method and device for detecting webpage hijacking, computer equipment and storage medium |
| CN113806732A (en) * | 2020-06-16 | 2021-12-17 | 深信服科技股份有限公司 | Webpage tampering detection method, device, equipment and storage medium |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102436563A (en) * | 2011-12-30 | 2012-05-02 | 奇智软件(北京)有限公司 | Method and device for detecting page tampering |
| CN102446255A (en) * | 2011-12-30 | 2012-05-09 | 奇智软件(北京)有限公司 | Method and device for detecting page tamper |
| CN102520985A (en) * | 2011-11-29 | 2012-06-27 | 深圳市万兴软件有限公司 | System and method for running client software |
| CN103259790A (en) * | 2013-04-28 | 2013-08-21 | 深圳市深信服电子科技有限公司 | Protective method and device for network security |
| CN103281177A (en) * | 2013-04-10 | 2013-09-04 | 广东电网公司信息中心 | Method and system for detecting hostile attack on Internet information system |
-
2013
- 2013-11-29 CN CN201310629297.3A patent/CN103605925A/en active Pending
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102520985A (en) * | 2011-11-29 | 2012-06-27 | 深圳市万兴软件有限公司 | System and method for running client software |
| CN102436563A (en) * | 2011-12-30 | 2012-05-02 | 奇智软件(北京)有限公司 | Method and device for detecting page tampering |
| CN102446255A (en) * | 2011-12-30 | 2012-05-09 | 奇智软件(北京)有限公司 | Method and device for detecting page tamper |
| CN103281177A (en) * | 2013-04-10 | 2013-09-04 | 广东电网公司信息中心 | Method and system for detecting hostile attack on Internet information system |
| CN103259790A (en) * | 2013-04-28 | 2013-08-21 | 深圳市深信服电子科技有限公司 | Protective method and device for network security |
Non-Patent Citations (2)
| Title |
|---|
| MICHAEL HALE LIGH ET AL: "《恶意软件分析诀窍与工具箱-对抗"流氓"软件的技术与利器》", 31 January 2012 * |
| 陈冠军 等: "《JavaScript语法和对象速查手册》", 31 May 2010 * |
Cited By (22)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104469496A (en) * | 2014-12-11 | 2015-03-25 | 北京国双科技有限公司 | Hotlinking detection method and device applied to video player |
| CN104484604A (en) * | 2014-12-31 | 2015-04-01 | 北京神州绿盟信息安全科技股份有限公司 | Method, scanner, device and system for identifying webpage distortion |
| CN104484604B (en) * | 2014-12-31 | 2018-05-25 | 北京神州绿盟信息安全科技股份有限公司 | A kind of page tampering identification method, scanner, apparatus and system |
| CN104820589A (en) * | 2015-04-24 | 2015-08-05 | 美通云动(北京)科技有限公司 | Method and device for dynamically adapting webpage |
| CN104820589B (en) * | 2015-04-24 | 2018-11-09 | 美通云动(北京)科技有限公司 | A kind of method and its device of dynamic adaptation webpage |
| CN105488091A (en) * | 2015-06-19 | 2016-04-13 | 哈尔滨安天科技股份有限公司 | Network data detection method and system based on keyword matching |
| CN106326734A (en) * | 2015-06-30 | 2017-01-11 | 阿里巴巴集团控股有限公司 | Method and device for detecting sensitive information |
| CN105721249A (en) * | 2016-03-01 | 2016-06-29 | 浪潮软件集团有限公司 | Monitoring system and monitoring method for recovering external network webpage tampering and sending short message notification |
| CN106250761A (en) * | 2016-07-28 | 2016-12-21 | 广州爱九游信息技术有限公司 | A kind of unit identifying web automation tools and method |
| CN106250761B (en) * | 2016-07-28 | 2019-12-20 | 广州爱九游信息技术有限公司 | Equipment, device and method for identifying web automation tool |
| CN108156121A (en) * | 2016-12-02 | 2018-06-12 | 阿里巴巴集团控股有限公司 | The alarm method and device that the monitoring method and device of flow abduction, flow are kidnapped |
| CN106960058A (en) * | 2017-04-05 | 2017-07-18 | 金电联行(北京)信息技术有限公司 | A kind of structure of web page alteration detection method and system |
| CN106960058B (en) * | 2017-04-05 | 2021-01-12 | 金电联行(北京)信息技术有限公司 | Webpage structure change detection method and system |
| CN107124430A (en) * | 2017-06-08 | 2017-09-01 | 腾讯科技(深圳)有限公司 | Pagejack monitoring method, device, system and storage medium |
| CN107124430B (en) * | 2017-06-08 | 2021-07-06 | 腾讯科技(深圳)有限公司 | Page hijacking monitoring method, device, system and storage medium |
| CN109688130A (en) * | 2018-12-24 | 2019-04-26 | 北京奇虎科技有限公司 | Webpage kidnaps detection method, device and computer storage medium |
| CN110300111A (en) * | 2019-06-28 | 2019-10-01 | 北京金山云网络技术有限公司 | Page display method, device, terminal device and server |
| CN110968875A (en) * | 2019-12-03 | 2020-04-07 | 支付宝(杭州)信息技术有限公司 | Method and device for detecting permission vulnerability of webpage |
| CN111556036A (en) * | 2020-04-20 | 2020-08-18 | 杭州安恒信息技术股份有限公司 | Detection method, device and equipment for phishing attack |
| CN113806732A (en) * | 2020-06-16 | 2021-12-17 | 深信服科技股份有限公司 | Webpage tampering detection method, device, equipment and storage medium |
| CN113806732B (en) * | 2020-06-16 | 2023-11-03 | 深信服科技股份有限公司 | Webpage tampering detection method, device, equipment and storage medium |
| CN112152993A (en) * | 2020-08-17 | 2020-12-29 | 杭州安恒信息技术股份有限公司 | Method and device for detecting webpage hijacking, computer equipment and storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN103605926A (en) | Webpage tampering detecting method and device | |
| CN103605925A (en) | Webpage tampering detecting method and device | |
| CN104767757B (en) | Various dimensions safety monitoring method and system based on WEB service | |
| CN102436563B (en) | Method and device for detecting page tampering | |
| CN103679053A (en) | Webpage tampering detection method and device | |
| AU2014337396B2 (en) | System for detecting classes of automated browser agents | |
| EP2729895B1 (en) | Syntactical fingerprinting | |
| US8683584B1 (en) | Risk assessment | |
| CN102591965B (en) | Method and device for detecting black chain | |
| CN102446255B (en) | Method and device for detecting page tamper | |
| CN103593615A (en) | Method and device for detecting webpage tampering | |
| CN105184159A (en) | Web page falsification identification method and apparatus | |
| CN102045319B (en) | Method and device for detecting SQL (Structured Query Language) injection attack | |
| CN105138907B (en) | A kind of active probe is attacked the method and system of website | |
| KR100912794B1 (en) | Web hacking management system and manegement method thereof for real time web server hacking analysis and homepage hacking search | |
| CN107786537B (en) | Isolated page implantation attack detection method based on Internet cross search | |
| CN102833269B (en) | The detection method of cross-site attack, device and there is the fire compartment wall of this device | |
| CN111159775A (en) | Webpage tampering detection method, system and device and computer readable storage medium | |
| CN104168293A (en) | Method and system for recognizing suspicious phishing web page in combination with local content rule base | |
| US20200336498A1 (en) | Method and apparatus for detecting hidden link in website | |
| CN105975523A (en) | Hidden hyperlink detection method based on stack | |
| CN108023868A (en) | Malice resource address detection method and device | |
| CN104158828A (en) | Method and system for identifying doubtful phishing webpage on basis of cloud content rule base | |
| CN105306467A (en) | Method and device for analyzing webpage data tampering | |
| CN103220277B (en) | The monitoring method of cross-site scripting attack, Apparatus and system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C41 | Transfer of patent application or patent right or utility model | ||
| TA01 | Transfer of patent application right |
Effective date of registration: 20161128 Address after: 100016 Jiuxianqiao Chaoyang District Beijing Road No. 10, building 15, floor 17, layer 1701-26, 3 Applicant after: BEIJING QI'ANXIN SCIENCE & TECHNOLOGY CO., LTD. Address before: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park) Applicant before: Beijing Qihu Technology Co., Ltd. Applicant before: Qizhi Software (Beijing) Co., Ltd. |
|
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20140226 |
|
| RJ01 | Rejection of invention patent application after publication |