CN103605926A - Webpage tampering detecting method and device - Google Patents


Publication number: CN103605926A
Authority: CN (China)
Prior art keywords: webpage, chain, black, detection, distorting
Legal status: Pending
Application number: CN201310631867.2A
Other languages: Chinese (zh)
Inventors: 何振科, 赵武
Current Assignee: Beijing Qianxin Technology Co Ltd
Original Assignees: Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd
Application filed by: Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/64: Protecting data integrity, e.g. using checksums, certificates or signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses a method for detecting webpage tampering. A proxy server obtains the response webpage for an access request; the proxy server embeds a tamper-detection script in the webpage; the webpage is sent to the client browser that issued the access request; the browser executes the tamper-detection script to detect whether the webpage has been tampered with; and if it has, the webpage is reported to a detection server. This scheme addresses the low efficiency of the prior art, in which a single webpage tamper-detection server performs all detection centrally, as well as the inflexibility of having to insert a tamper-detection script into each webpage individually, and it greatly improves webpage security without affecting users' access to the webpages.

Description

Method and device for detecting webpage tampering
Technical field
The present invention relates to the field of computer website security, and in particular to a method and device for detecting webpage tampering.
Background
With the rapid development of the Internet, the number of websites keeps growing. Many websites are the public face that real-world institutions and organizations present on the Internet. Some organizations or individuals with malicious intent exploit weak passwords or scan servers for vulnerabilities, then attack a website and maliciously tamper with it.
Although security measures such as firewalls and intrusion detection exist, the complexity and diversity of modern operating systems mean that system vulnerabilities keep emerging and are hard to guard against. Attacks in which hackers tamper with pages occur from time to time. Webpage anti-tampering systems arose in response. Planting malicious links in a webpage, such as black links (hidden links, rendered "black chain" in the keywords above) and Trojan-planting links, is the main form of webpage tampering.
At present, two main classes of methods are used, in China and abroad, to detect tampered webpage content:
(1) Static feature matching:
The HTML text of the webpage is matched against feature strings (a large set of manually collected keywords) to judge whether malicious links have been added.
(2) Adding content review and verification to the webpage publishing system:
A real-time content detection system is built into the webpage publishing system. All content to be published passes through this system and can be published only after it has been confirmed, and a fingerprint library of webpage content is built at the same time. The tamper-detection system periodically scans webpage content and compares it with the fingerprint library to find whether a webpage has been tampered with by black links.
In the prior art, webpage tampering is usually detected by a dedicated anti-tampering system or by a search engine. The system first downloads the webpage requested by the user from the origin site and matches its content against the tamper feature rules in a tamper feature library. If content matching a tamper feature rule is found, the webpage is considered tampered; otherwise it is sent to the user. Tamper feature rules are usually expressed as regular expressions, and matching webpage content against regular expressions is time-consuming and inefficient and gives poor real-time performance. Tampering techniques keep emerging and changing, so the number of rules in the tamper feature library grows with them. Every detection therefore consumes substantial resources and the user experience suffers, which lowers users' expectations of the website; for some commercial websites this can be fatal.
A new method for detecting webpage tampering is therefore needed, one that provides website security and serves users better without slowing down their access to webpages.
Summary of the invention
To solve the above problems in the prior art, the present invention proposes a method for detecting webpage tampering that detects tampered content in a webpage without the user noticing, giving users the best possible security service.
According to one aspect of the present invention, a method for detecting webpage tampering is provided, comprising:
A proxy server obtains the origin site's response webpage for an access request;
The proxy server embeds a tamper-detection script in the webpage;
The webpage is sent to the client browser that issued the access request;
The browser executes the tamper-detection script to detect whether the webpage has been tampered with;
If the webpage has been tampered with, the webpage is reported to a detection server.
Optionally, the tamper-detection script detects whether the webpage has been tampered with by judging whether a Trojan has been planted in the webpage.
Optionally, the tamper-detection script detects whether the webpage has been tampered with by judging whether a black link exists in the webpage.
Optionally, the method further comprises:
Judging whether the reported webpage is present in a whitelist or a blacklist, where the whitelist and the blacklist are stored on the detection server;
If the webpage is present in the whitelist, taking no action;
If the webpage is present in the blacklist, storing it in a tampering database and raising an alarm.
Optionally, the method further comprises:
Performing further detection on the reported webpage on the detection server.
Optionally, performing further detection on the webpage on the detection server comprises:
Detecting tampered content in the webpage according to a tamper feature library, and extracting black word-black link pairs from the tampered content, each pair consisting of a black word and its corresponding black link;
If the frequency of occurrence of a black word-black link pair is higher than a predetermined threshold, storing the pair in a black word-black link library;
Detecting tampered content in webpages according to the black word-black link library;
If the link corresponding to a black word appearing in a webpage under test is present in the set of black links that the black word-black link library holds for that black word, determining that the webpage under test has been tampered with.
Optionally, raising the alarm comprises:
Sending the tampering information to a notification server;
The notification server sends the alarm information to the website administrator by e-mail or SMS.
Optionally, the tamper-detection script is a JavaScript script.
According to another aspect of the present invention, a device for detecting webpage tampering is also provided, comprising:
A proxy module, which obtains the origin site's response webpage for an access request and embeds a tamper-detection script in the webpage;
A sending module, which sends the webpage to the browser module that issued the access request;
A browser module, which executes the tamper-detection script to detect whether the webpage has been tampered with;
A reporting module, which reports the webpage to a detection server if the webpage has been tampered with.
Optionally, the tamper-detection script detects whether the webpage has been tampered with by judging whether a Trojan has been planted in the webpage.
Optionally, the tamper-detection script detects whether the webpage has been tampered with by judging whether a black link exists in the webpage.
Optionally, the device further comprises:
A judging module, for judging whether the reported webpage is present in a whitelist or a blacklist, where the whitelist and the blacklist are stored on the detection server; if the webpage is present in the whitelist, no action is taken; if the webpage is present in the blacklist, it is stored in a tampering database and an alarm is raised.
Optionally, the device further comprises:
A detection module, for performing further detection on the reported webpage.
Optionally, the detection module comprises:
An extraction module, which detects tampered content in the webpage according to a tamper feature library and extracts black word-black link pairs from the tampered content, each pair consisting of a black word and its corresponding black link;
A library generation module, which stores a black word-black link pair in the black word-black link library when the pair's frequency of occurrence is higher than a predetermined threshold;
A detection sub-module, which detects tampered content in webpages according to the black word-black link library; if the link corresponding to a black word appearing in a webpage under test is present in the set of black links that the library holds for that black word, the webpage under test is determined to have been tampered with.
Optionally, the judging module further comprises:
An alarm module, which sends the tampering information to a notification module;
A notification module, which sends the alarm information to the website administrator by e-mail or SMS.
Optionally, the tamper-detection script is a JavaScript script.
It can be seen that, in the method and device proposed by the present invention, a specially configured proxy server embeds the tamper-detection script in the webpage source code, so website administrators do not need to embed it manually, and the browser executes the script to check the webpage when the user opens it. The tamper-detection script in this scheme is a JavaScript script that, once started, runs only in the background and has no effect on the user. This detection method overcomes both the inefficiency of centralized detection by a single webpage tamper-detection server in the prior art and the inflexibility of requiring each website administrator to embed the tamper-detection script manually, and it greatly improves website security without affecting users' access to webpages.
Brief description of the drawings
Fig. 1 is a flowchart of the webpage tampering detection method proposed by the present invention;
Fig. 2 is a flowchart of the method by which the detection server processes the tampered content of a reported webpage in an embodiment of the present invention;
Fig. 3 is a flowchart of the detection server's further detection of a reported webpage in an embodiment of the present invention;
Fig. 4 is a structural diagram of the webpage tampering detection device proposed by the present invention;
Fig. 5 is a structural diagram of the device in the detection server that performs further detection on a reported webpage.
Detailed description of the embodiments
To make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to specific embodiments and the accompanying drawings.
Fig. 1 shows the flowchart of the webpage tampering detection method proposed by the present invention. As shown in Fig. 1, the method comprises:
Step 101: a proxy server obtains the origin site's response webpage for an access request;
Step 102: the proxy server embeds a tamper-detection script in the webpage;
Step 103: the webpage is sent to the client browser that issued the access request;
Step 104: the browser executes the tamper-detection script to detect whether the webpage has been tampered with;
Step 105: if the webpage has been tampered with, the webpage is reported to a detection server.
Each step of the above detection method is described in detail below with reference to specific embodiments.
In step 101, the proxy server obtains the origin site's response webpage for the access request.
A proxy server's usual function is to fetch network information on behalf of network users. It is normally a server sitting between the browser and the web server: with a proxy in place, the browser does not fetch webpages directly from the web server but sends its request to the proxy server, which obtains the requested webpage from the web server and returns it to the browser. A proxy server usually has a large disk cache and continually stores newly obtained data in this local cache. If the data requested by the browser is already in its local storage and is up to date, it does not fetch the data from the web server again but sends the stored data directly to the user's browser, which significantly improves browsing speed and efficiency.
Step 102: the proxy server embeds a tamper-detection script in the webpage.
Webpage tampering means that organizations or individuals with malicious intent, after obtaining account privileges on a website through weak passwords or by scanning the server for vulnerabilities, maliciously modify the website's webpage source code. The most typical form of tampering is inserting malicious links, such as Trojan-planting links and black links, into the webpage source code.
Webpages are the basic elements of a website. A webpage is normally a file written in Hypertext Markup Language (HTML) and must be read by a browser. When a webpage is opened, the browser processes the corresponding HTML file and displays the page's text, images and so on according to the formatting in the HTML file. After obtaining administrator privileges on a website by one means or another, a hacker modifies the webpage source code, that is, the corresponding HTML file, and adds undesirable elements such as black links and Trojan-planting links. Users often cannot perceive the black links and Trojan-planting links a hacker has implanted, because the hacker may rewrite the page's HTML file to hide them, for example by setting their display style to invisible, placing them outside the browser's display area, or hiding them beneath an image. When a user opens the tampered webpage in a browser, the browser may be redirected straight to a malicious website carrying Trojans and viruses, or may directly run a Trojan or virus.
The current mechanism for detecting webpage tampering is centralized detection by a dedicated detection tool or a search engine: the webpage requested by the user is downloaded in advance and checked, and sent to the user only after it passes. When there are many websites and/or many users accessing them, this slows down user access.
In view of this, the present invention exploits the characteristics of a proxy server: the proxy server embeds a tamper-detection script, which detects tampered webpage content, into the source code of the user-requested webpage that it has fetched. This approach has two advantages: first, no dedicated server is needed to centrally check the webpages users request, which improves efficiency; second, the tamper-detection script does not have to be embedded manually in webpage source code, which simplifies unified management, and the embedding is transparent to both website developers and users.
Once the proxy server has this script-embedding capability, it embeds the tamper-detection script in the HTML file of each webpage it fetches from the web server. Specifically, the tamper-detection script can be inserted in the head tag of the fetched HTML file. Optionally, the tamper-detection script is implemented in JavaScript. JavaScript is an object-based, event-driven client-side scripting language with relative security. It is also widely used in client-side web development, typically to add dynamic behaviour to HTML pages.
A JavaScript program consists of plain-text statements and needs no compilation, so the browser can interpret and execute it directly. When JavaScript statements that check whether a webpage has been tampered with are embedded in the page's HTML file, opening the page triggers the script, which performs the corresponding operations to detect whether the page content has been tampered with.
The following uses a JavaScript script to illustrate how a tamper-detection script is embedded in the head tag of an HTML file:
Suppose the HTML file is:
The above example is for illustration only; the present invention places no specific limit on the form in which the script is embedded.
Besides improving detection speed, embedding a JavaScript script has another advantage: the JavaScript program runs only in the background and is invisible to the user, so it does not hinder the user's other operations.
Besides JavaScript, the present invention may use any other scripting language that can be embedded in a webpage, provided the browser can interpret and execute it; the present invention places no specific limit on this.
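An added example, not taken from the patent, of how a proxy could carry out the embedding of step 102 on a fetched response. The script URL, the marker attribute and the {headers, body} response shape are assumptions made for illustration.

```javascript
// Added illustration of step 102 (not the patent's code).
// DETECTOR_URL is a hypothetical location for the tamper-detection script.
const DETECTOR_URL = 'https://proxy.example/tamper-detect.js';
const MARKER = 'data-tamper-detector'; // hypothetical attribute marking our tag

// Opening <head> / <html> tags, with or without attributes. "<header>" does
// not match because the tag name must be followed by whitespace or ">".
const HEAD_OPEN = /<head(?:\s[^>]*)?>/i;
const HTML_OPEN = /<html(?:\s[^>]*)?>/i;

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Return html with the detector <script> placed first inside <head>.
// Falls back to just after <html>, then to the start of the document,
// when the page has no <head> tag.
function embedDetector(html, scriptUrl = DETECTOR_URL) {
  if (html.includes(MARKER)) return html; // already embedded, e.g. a cached copy
  const tag = `<script ${MARKER} src="${escapeAttr(scriptUrl)}"></script>`;
  for (const opener of [HEAD_OPEN, HTML_OPEN]) {
    const m = opener.exec(html);
    if (m) {
      const at = m.index + m[0].length;
      return html.slice(0, at) + tag + html.slice(at);
    }
  }
  return tag + html;
}

// Proxy hook: rewrite only HTML responses and keep Content-Length consistent
// with the longer body. `response` is a plain {headers, body} object here;
// header names are assumed to be lower-cased already.
function processResponse(response) {
  const type = String(response.headers['content-type'] || '').toLowerCase();
  if (!type.startsWith('text/html')) return response;
  const body = embedDetector(response.body);
  const headers = {
    ...response.headers,
    'content-length': String(Buffer.byteLength(body, 'utf8')),
  };
  return { headers, body };
}

// Constructed sample response from an origin site.
const SAMPLE_RESPONSE = {
  headers: { 'content-type': 'text/html; charset=utf-8', 'content-length': '87' },
  body: '<html><head lang="en"><title>Demo</title></head>' +
        '<body><header>Hi</header></body></html>',
};
```

If the origin site sends a Content-Security-Policy header, its script-src directive must allow the detector's host, otherwise the browser will refuse to run the embedded script.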
Step 103: the webpage is sent to the client browser that issued the access request. In this step, after embedding the tamper-detection script in the fetched HTML file, the proxy server sends the HTML file to the client browser that requested the webpage.
Step 104: the browser executes the tamper-detection script to detect whether the webpage has been tampered with.
After receiving the HTML file from the proxy server and loading it, the browser starts executing the tamper-detection script inserted in the head tag, and the script checks whether the source code of the page the user opened contains tampered content.
The tamper-detection script can detect tampering in several ways. In one embodiment of the present invention, the tamper-detection script detects whether the webpage has been tampered with by judging whether a Trojan has been planted in it.
Trojan planting means that a hacker obtains a website administrator account by various means, including SQL injection, scanning for sensitive website files, server vulnerabilities and 0-days in the site's software, then logs in to the website back end, obtains a webshell through database backup/restore or an upload vulnerability, and uses the webshell to modify the content of the site's pages, adding malicious redirect code, that is, Trojan-planting links. When a user visits a page to which a Trojan-planting link has been added, the browser automatically visits the redirect target or downloads a Trojan or virus. A user who enters a site where a Trojan has been planted can be infected and lose large amounts of valuable files and account passwords, so the harm is serious.
The main purpose of Trojan-planting links is to spread Trojans and viruses or to fraudulently gain traffic and click-through. Trojan-planting links are inserted in many ways, for example through an iframe:
<iframe src=http://www.xxx.com/example.html width=0 height=0></iframe>
The above statement, inserted in a webpage's source code, means that when a certain website "www.xxx.com" is opened, another webpage "example.html" is opened as well. The "example.html" page may well contain many Trojans and viruses, or may merely be used to gain traffic or click-through fraudulently. Trojans are planted in many ways; the above is only an illustration, and those skilled in the art will understand that the Trojan-planting methods covered by the present invention are not limited to it.
In another embodiment of the present invention, the tamper-detection script detects whether the webpage has been tampered with by judging whether a black link exists in the webpage.
The main goal of inserting black links is to raise one's own ranking in search engines. The World Wide Web has become a carrier of vast amounts of information, and search engines, as tools that help people retrieve and make effective use of this information, have become users' entry point and guide to the Web.
For example, suppose a new website ranks very low in a search engine, and later a high-weight website (well ranked, high quality) links to this newly opened website. The search engine reasons that since the new website can obtain a link from such a high-weight website, its own weight cannot be low either, so the website's ranking in the search engine rises. If several high-weight websites all link to it, its ranking rises very quickly.
Otherwise, a new website's weight is not very high, the search engine does not rank it highly, and it appears relatively far down in search results. Exploiting this property of search engines, some tools now provide black-link techniques: a high-weight website is compromised, a link to one's own website is inserted in the compromised website's pages to obtain the linking effect, and the link is hidden so that nobody else can see it.
However, a considerable share of the sites that currently use black-link techniques to raise their search ranking are dangerous websites such as game private-server sites, account-stealing Trojan sites, phishing sites and advertising sites. Search engines would not give these dangerous websites a high ranking, but through black links their ranking becomes very high. Users of a search engine are then very likely to click through to these websites, and a user without security protection will easily be infected by the viruses on them.
Existing black-link techniques hide links with a few fixed tricks. For example, search engines do not recognize JavaScript well, so a hidden div is output by JavaScript. The links then cannot be seen by a person looking at the page, while the search engine treats them as valid. The code first writes the opening part of a div with JavaScript, with display set to none; it then outputs a table containing the black links to be planted; finally it outputs the closing part of the div with JavaScript.
For example, a hacker inserts the following statement in the webpage source code to plant a black link in the target webpage:
<a href="http://www.45u.com" style="margin-left:-83791;">Legend private server release</a>
Here, setting style="margin-left:-83791;" makes the black link invisible in the webpage.
In embodiments of the present invention, for malicious links such as black links and/or Trojan-planting links, the tamper-detection script can parse the webpage's HTML file into a DOM tree and check the resulting DOM tree. DOM stands for Document Object Model; a DOM tree is the tree structure, with its access methods, produced by parsing an HTML page through the DOM. Through the DOM tree, the content of each tag on the HTML page can be manipulated directly and conveniently.
Black-link detection is taken as an example. Consider a black link inserted in a webpage in the following form:
<a href="http://www.45u.com" style="display:none;">Legend private server release</a>
The tamper-detection script can be written as follows:
(script listing given in the original as figure BDA0000426801310000101)
The proxy server can insert the above script code in the head tag of the HTML file, or embed it in the body tag. When executed, the script obtains the "a" tags from the parsed DOM tree; if a tag carries the style "display:none", meaning the content following the tag is not displayed, the script preliminarily deems it tampered content. To keep users from finding inserted black links and Trojan-planting links, hackers usually set their display style to invisible, so the tamper-detection script can be written according to the way black links and/or malicious links are inserted.
The above code checks only the display style of black links. Those skilled in the art will understand that detection rules for black links are varied, and other rules can be applied by writing similar scripts to embed in the webpage.
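An added example of such a tamper-detection script; it is not the listing from the patent, which is not reproduced on this page. It goes beyond the display:none check to the other hiding forms shown in this description (large negative offsets, a hidden wrapper element, zero-size iframes); the report URL, the offset cutoff and the stand-in DOM used outside a browser are assumptions.

```javascript
// Added illustration of step 104 (not the script from the patent).
const REPORT_URL = 'https://detect.example/report'; // hypothetical endpoint
const OFFSCREEN = -1000; // assumed cutoff for "pushed outside the display area"

// Parse an inline style attribute into a {property: value} map.
function parseInlineStyle(styleText) {
  const style = {};
  for (const decl of String(styleText || '').split(';')) {
    const colon = decl.indexOf(':');
    if (colon < 0) continue;
    const prop = decl.slice(0, colon).trim().toLowerCase();
    style[prop] = decl.slice(colon + 1).trim().toLowerCase();
  }
  return style;
}

// Why one element's inline style hides it, or null if it does not.
function hidingReason(el) {
  const style = parseInlineStyle(el.getAttribute('style'));
  if ((style.display || '').split(/\s+/)[0] === 'none') return 'display:none';
  for (const prop of ['margin-left', 'left']) {
    const offset = parseFloat(style[prop]);
    if (!Number.isNaN(offset) && offset <= OFFSCREEN) return `${prop}:${style[prop]}`;
  }
  return null;
}

// A link is also hidden when any ancestor is (the hidden-div wrapper trick).
function inheritedHidingReason(el) {
  for (let node = el; node && node.getAttribute; node = node.parentElement) {
    const reason = hidingReason(node);
    if (reason) return reason;
  }
  return null;
}

// Walk the DOM tree's <a> and <iframe> elements and collect suspects.
function findSuspects(doc) {
  const suspects = [];
  for (const a of Array.from(doc.getElementsByTagName('a'))) {
    const reason = inheritedHidingReason(a);
    if (!reason) continue;
    suspects.push({ kind: 'hidden-link', url: a.getAttribute('href'),
                    text: String(a.textContent || '').trim(), reason });
  }
  for (const frame of Array.from(doc.getElementsByTagName('iframe'))) {
    const w = parseInt(frame.getAttribute('width'), 10);
    const h = parseInt(frame.getAttribute('height'), 10);
    if (w === 0 && h === 0) {
      suspects.push({ kind: 'zero-size-iframe', url: frame.getAttribute('src'),
                      text: '', reason: 'width=0 height=0' });
    }
  }
  return suspects;
}

// In a browser: scan once the DOM is parsed and report findings (step 105).
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => {
    const suspects = findSuspects(document);
    if (suspects.length > 0 && navigator.sendBeacon) {
      navigator.sendBeacon(REPORT_URL,
        JSON.stringify({ page: location.href, suspects }));
    }
  });
}

// Constructed stand-in for a DOM so the logic can be run outside a browser.
function fakeElement(attrs, text = '', parentElement = null) {
  return { getAttribute: (n) => (n in attrs ? attrs[n] : null),
           textContent: text, parentElement };
}
function sampleDocument() {
  const hiddenDiv = fakeElement({ style: 'display: none' });
  const links = [
    fakeElement({ href: 'http://www.45u.com', style: 'margin-left:-83791;' },
                'Legend private server release'),
    fakeElement({ href: '/about', style: 'margin-left:-4px' }, 'About us'),
    fakeElement({ href: 'http://spam.example/' }, 'spam', hiddenDiv),
  ];
  const frames = [
    fakeElement({ src: 'http://www.xxx.com/example.html', width: '0', height: '0' }),
    fakeElement({ src: '/map', width: '300', height: '200' }),
  ];
  return { getElementsByTagName: (t) =>
    (t === 'a' ? links : t === 'iframe' ? frames : []) };
}
```

Because only inline style attributes are inspected, links hidden through a stylesheet class are not caught; in a browser, getComputedStyle can cover that case.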
Step 105: if the webpage has been tampered with, the webpage is reported to the detection server.
In this step, after the browser has used the tamper-detection script to detect that the webpage has been tampered with, it reports the tampered webpage to the detection server.
After receiving the tampered webpage, the detection server notifies the administrators of the website the webpage belongs to, who can fix the vulnerability by modifying the webpage source code and the administrative privileges. To reduce the false-positive rate, the detection server optionally processes the reported webpage's tampered content further.
Fig. 2 shows the flowchart of the method by which the detection server processes the tampered content of a reported webpage. As shown in Fig. 2, the method comprises:
Step 201: judge whether the tampered content in the reported webpage is present in the whitelist or the blacklist, where the whitelist and the blacklist are stored on the detection server;
Step 202: if the tampered content of the webpage is present in the whitelist, take no action;
Step 203: if the tampered content of the webpage is present in the blacklist, store it in the tampering database and raise an alarm.
The blacklist and whitelist can be compiled from experience and from reliable third parties. The whitelist stores links confirmed to belong to normal websites; the blacklist stores links to virus sites, sex-service sites, and malicious sites confirmed during detection. The blacklist and whitelist can also be updated from feedback by website administrators.
Optionally, to improve accuracy, the detection server performs further detection on the reported webpage. Because the tamper-detection script is a script embedded in the webpage, such as a JavaScript script, the detection server performs further detection on the reported webpage to ensure accuracy.
The following takes black links in tampered content as an example to describe the detection server's further detection of a reported webpage. Those skilled in the art will understand that although the method steps below are described for black links, they are not limited to black links: similar methods can detect other malicious links, such as Trojan-planting links, and corresponding approaches can be used to detect other tampered content.
Fig. 3 shows the flowchart of the detection server's further detection of a reported webpage in an embodiment of the present invention. As shown in Fig. 3, the method comprises:
Step 301: detect tampered content in the webpage according to the tamper feature library, and extract black word-black link pairs from the tampered content, each pair consisting of a black word and its corresponding black link;
Step 302: if the frequency of occurrence of a black word-black link pair is higher than a predetermined threshold, store the pair in the black word-black link library;
Step 303: detect tampered content in webpages according to the black word-black link library;
Step 304: if the link corresponding to a black word appearing in a webpage under test is present in the set of black links that the black word-black link library holds for that black word, determine that the webpage under test has been tampered with.
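An added example of steps 301 to 304 on the detection server, not taken from the patent. The anchor pattern stands in for the tamper feature library, and the link normalization, the per-report frequency count and the sample reports are assumptions.

```javascript
// Added illustration of steps 301-304 (not the patent's code).
// Simplified anchor pattern standing in for the tamper feature library's rules.
const ANCHOR_RE =
  /<a\b[^>]*\bhref\s*=\s*["']?\s*([^"'\s>]+)[^>]*>([\s\S]*?)<\/a>/gi;

// Canonical form of a link so trivial variants compare equal (assumed policy).
function normalizeLink(href) {
  try {
    return new URL(href).href; // lower-cases scheme and host, adds root "/"
  } catch {
    return href.toLowerCase(); // relative or malformed: compare as written
  }
}

// Step 301: pull (black word, black link) pairs out of tampered content.
function extractPairs(html) {
  const pairs = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const word = m[2].replace(/<[^>]*>/g, '').replace(/\s+/g, ' ').trim();
    if (word) pairs.push({ word, link: normalizeLink(m[1]) });
  }
  return pairs;
}

// Step 302: keep only pairs whose frequency is higher than the threshold.
// Frequency here counts reports containing the pair (an assumption), so one
// page repeating a link many times cannot promote it on its own.
function buildLibrary(tamperedReports, threshold) {
  const counts = new Map();
  for (const html of tamperedReports) {
    const seen = new Set(
      extractPairs(html).map((p) => JSON.stringify([p.word, p.link])));
    for (const key of seen) counts.set(key, (counts.get(key) || 0) + 1);
  }
  const library = new Map(); // black word -> Set of black links
  for (const [key, n] of counts) {
    if (n <= threshold) continue;
    const [word, link] = JSON.parse(key);
    if (!library.has(word)) library.set(word, new Set());
    library.get(word).add(link);
  }
  return library;
}

// Steps 303-304: a page is tampered when a black word on it points at a link
// held in that word's black-link set.
function findLibraryHits(pageHtml, library) {
  return extractPairs(pageHtml).filter(
    ({ word, link }) => library.has(word) && library.get(word).has(link));
}

function isTampered(pageHtml, library) {
  return findLibraryHits(pageHtml, library).length > 0;
}

// Constructed reports of tampered content, as browsers might submit them.
const SAMPLE_REPORTS = [
  '<div><a href="http://www.45u.com" style="display:none;">' +
    'Legend private server release</a></div>',
  '<a href="http://www.45u.com/" style="margin-left:-83791;">' +
    'Legend  private server release</a>',
  '<a href="HTTP://WWW.45U.COM" style="display:none;">' +
    'Legend private server release</a>' +
    '<a href="http://spam.example/a" style="display:none;">cheap tickets</a>',
];
```

With a threshold of 2, only the pair seen in all three sample reports enters the library; the pair seen once stays out until more reports confirm it.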
In the present invention, the detection server first detects tampered content in the webpage according to a tampering feature library. The tampering feature library consists of a number of regular expressions for tampering keywords and/or malicious links. For a webpage to be detected, its source code is obtained first, and the regular expressions in the tampering feature library are then matched against that source code to obtain the content that conforms to them. If a regular expression in the tampering feature library hits content in the webpage to be detected, the webpage contains tampered content.
A regular expression is a tool for text matching, usually made up of ordinary characters and metacharacters. Ordinary characters include upper- and lower-case letters and digits, while metacharacters have special meanings. Regular expression matching can be understood as finding, in a given string, the parts that conform to a given regular expression. A string may contain more than one part that satisfies the regular expression, in which case each such part is called a match. In this text "match" has three senses: as an adjective, for example a string matches an expression; as a verb, for example matching a regular expression in a string; and as a noun, namely the "part of a string that satisfies a given regular expression" just mentioned.
The rules for constructing regular expressions are illustrated below by example.
To search for hi, the regular expression hi can be used. It exactly matches a string of two characters, the first being h and the second i. In practice, regular expressions can ignore case. Many words contain the two consecutive characters hi, such as him, history and high; searching with hi also finds the hi inside those words. To find exactly the word hi, use \bhi\b. Here \b is a regular-expression metacharacter that stands for the beginning or end of a word, that is, a word boundary. Although English words are usually separated by spaces, punctuation or line breaks, \b does not match any of those separator characters; it matches only a position. To find hi followed, not far after, by Lucy, use \bhi\b.*\bLucy\b. Here . is another metacharacter, matching any character except a newline. * is also a metacharacter, but it denotes quantity: it specifies that the content before the * may be repeated any number of times so that the whole expression matches. The meaning of \bhi\b.*\bLucy\b is then clear: first the word hi, then any number of arbitrary characters (but not a newline), and finally the word Lucy.
For example, the regular expression corresponding to one tampering feature rule in the tampering feature library is as follows:
<script.*?>document\.write.*?\(.*?\+.*?\+.*?\+.*?\+.*?\+.*?\).*?</script>([\S\s]+?)</div>
A web page element hit by this regular expression can be:
<script>document.write('<d'+'iv st'+'yle'+'="po'+'si'+'tio'+'n:a'+'bso'+'lu'+'te;l'+'ef'+'t:'+'-'+'10'+'00'+'0'+'p'+'x;'+'"'+'>')>××××<script>document.write('<'+'/d'+'i'+'v>');</script>
As can be seen, the regular expression corresponding to a tampering feature rule is used to match web page content with a specific format, such as content containing the elements "<script>document.write" and "<script>document.write('<'+'/d'+'i'+'v>');</script>".
As another example, the regular expression corresponding to another tampering feature rule is as follows:
<a\s*href\s*=["\'].+?["\']\s*style=["\'][\w+\-]+:-[0-9]+.*?["\'].*?>.*?</a>
A page element that this tampering feature rule can hit is:
<a href="http://www.45u.com" style="margin-left:-83791;">
This regular expression matches web page content in which "<a href=" is followed by the tampering keyword "style" with a negative value (a negative value means the element is not shown in the display area).
Of course, the above regular expressions are only examples; those skilled in the art may use any form of regular expression according to the actual situation, and this application does not limit this.
In the embodiment of the present invention, detect server and can analyze page elements position and the display mode in described webpage to be detected by described matching regular expressions, judge whether it is the content being tampered.For example, judge when black chain is distorted, whether the position that can judge the page elements in described webpage to be detected by matching regular expressions is within the scope of predetermined threshold value, or whether described page elements has sightless attribute, and/or, whether described page elements is hidden etc. browser, if so, judges that described page elements in the described page to be detected is as being tampered content.For example, if the hyperlink of certain page detected, be sightless, or in the page, the length and width height of certain html tag element is negative value, can judge the content that this page is tampered.
Whether in the embodiment of the present invention, detecting server can also by there is the keyword of distorting of fixed malice link and/or its correspondence in webpage to be detected described in matching regular expressions, and whether it is tampered to carry out interpretation.Detect server and also from described distorting content, extract black word-Hei chain pair, described black word-Hei chain is to being comprised of black word and corresponding black chain thereof.For example, above-mentioned hit content ' <a href=" http://www.45u.com " style=that distorts " margin-left:-83791; " black word-Hei chain in the private clothes issue of > legend </a> ' is to being: the private clothes issue of legend- http:// www.45u.com.In existing page detection method, conventionally be all that the feature rule of distorting of distorting in feature database is mated the source code of webpage to be detected, the described feature rule of distorting is for having the connection of certain format for mating web page contents, in testing process, if hit, distort feature rule and think that this webpage is tampered, if do not hit, think that webpage to be detected is safe, displays it to user.But the inserted mode of current black chain emerges in an endless stream, day by day change.And fixing the distorting feature database or utilize manually and upgrade and distort the paces that feature database does not obviously catch up with hacker of use.
Based on this, detection server of the present invention, after detecting webpage and being tampered, also extracts black word-Hei chain pair from distort content, so as afterwards according to this black word-Hei chain to webpage is further detected.
Generally, in the web page contents being tampered, black word-Hei chain all can correspondence specifically be distorted keyword.Alternatively, when extracting black word-Hei chain, extract the distort keyword corresponding with it, to further utilize.
For example: black chain below:
<a href=" http://www.45u.com " style=" display:none; " the private clothes issue of > legend </a>.
The keyword of distorting therefrom extracting can be " display:none ", and it represents that the display properties of this black word-Hei chain is invisible.
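An added example (not code from the patent) that runs the two feature rules quoted above over a constructed page and pulls the black word, the black link (the hidden link) and the tampering keyword out of each hit. The rule names, the helper names, the sample page and the spam.example host are assumptions made for illustration.

```javascript
// Tampering feature library: the two rules quoted in the text, as JS regexes.
// The rule names are illustrative labels, not taken from the patent.
const FEATURE_RULES = [
  { name: 'split-document-write',
    re: /<script.*?>document\.write.*?\(.*?\+.*?\+.*?\+.*?\+.*?\+.*?\).*?<\/script>([\S\s]+?)<\/div>/gi },
  { name: 'negative-style-anchor',
    re: /<a\s*href\s*=["\'].+?["\']\s*style=["\'][\w+\-]+:-[0-9]+.*?["\'].*?>.*?<\/a>/gi },
];

// Helper pattern (an assumption of this example) that splits an anchor into
// its attribute string and its visible text.
const ANCHOR_RE = /<a\s([^>]*)>([\s\S]*?)<\/a>/gi;

// Read one quoted attribute value out of an opening tag's attribute string.
function attr(attrs, name) {
  const m = new RegExp(name + '\\s*=\\s*["\']([^"\']*)["\']', 'i').exec(attrs);
  return m ? m[1] : null;
}

// Extract {blackWord, blackLink, keyword} for every anchor in a matched fragment.
function extractPairs(fragment) {
  const pairs = [];
  for (const m of fragment.matchAll(ANCHOR_RE)) {
    const href = attr(m[1], 'href');
    if (!href) continue;
    const style = attr(m[1], 'style');
    pairs.push({
      blackWord: m[2].replace(/<[^>]*>/g, '').trim(), // anchor text without tags
      blackLink: href,
      keyword: style ? style.replace(/;\s*$/, '') : null, // e.g. "display:none"
    });
  }
  return pairs;
}

// Match every rule against the page source and report what each hit contains.
function scanSource(html) {
  const hits = [];
  for (const rule of FEATURE_RULES) {
    for (const m of html.matchAll(rule.re)) {
      hits.push({ rule: rule.name, pairs: extractPairs(m[0]) });
    }
  }
  return hits;
}

// Constructed page: one ordinary link, one anchor pushed off screen by a
// negative margin, and one link wrapped in a <div> that is written out by
// string-split document.write calls so the tag never appears literally.
const SAMPLE_PAGE = `<html><body><div id="main"><p>Welcome</p>
<a href="/news">News</a>
<a href="http://www.45u.com" style="margin-left:-83791;">legend private server release</a>
<script>document.write('<d'+'iv st'+'yle'+'="po'+'sition:absolute;left:-10000px;"'+'>');</script>
<a href="http://spam.example/a">constructed black word</a>
<script>document.write('<'+'/d'+'i'+'v>');</script>
</div></body></html>`;

console.log(JSON.stringify(scanSource(SAMPLE_PAGE), null, 2));
```

Both rules are chains of lazy `.*?` groups, which backtrack heavily on long single-line pages, so a server that runs them should cap the input size or the matching time per page.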
In step 301, every black-word/black-link pair that is extracted is stored in the data storage server.
In the scheme of the present invention, a black-word/black-link library is provided specifically to improve detection accuracy. The library stores black-word/black-link pairs that appear frequently. In the embodiment of the present invention, when an extracted black-word/black-link pair is stored in the data storage server, the number of times it has appeared is also counted; if the counted number of occurrences of a pair exceeds a first predetermined threshold, the pair is stored in the black-word/black-link library.
The way black-word/black-link pairs are stored in the library can be chosen as needed. Optionally, the pairs can be stored as black-link sets, with each black word corresponding to one black-link set.
For example, the black-word/black-link pairs in the library are stored as follows:
Black word 1 --- {black link 1, black link 2, black link 3, ..., black link m1}
Black word 2 --- {black link 1, black link 2, black link 3, ..., black link m2}
……
Black word n --- {black link 1, black link 2, black link 3, ..., black link mn}
Optionally, the black-link sets in the black-word/black-link library can be ordered sets, sorted by the number of times each black link in the set has appeared: the link with the most occurrences is ranked first, as black link 1, and the one with the fewest is ranked last, as black link m1. During storage, each time a black-word/black-link pair is obtained, the library is searched for its black word. If the black word already exists, the corresponding black-link set is searched for the pair's black link; if the link is present its rank is updated, otherwise it is inserted at the tail of the black-link set. If the pair's black word does not exist in the library, a new black word and its corresponding black-link set are created.
Optionally, to improve detection accuracy, the present invention detects tampered content in webpages not only with the tampering feature library but also with the black-word/black-link library. Because the tampering feature library is relatively stable and is not updated promptly, it cannot detect tampered content in time for many newly emerging black-word/black-link pairs. Therefore, in the scheme of the present invention, besides detection according to the tampering rule library, tampered content is also detected according to the black-word/black-link library.
In the embodiment of the present invention, detecting a webpage with the black-word/black-link library means matching the web page content against the black words in the library. If the webpage contains content that matches a black word in the library, the webpage is preliminarily considered tampered with, and the corresponding preliminary tampered content is extracted.
Optionally, the preliminary tampered content is then further checked for a black link corresponding to that black word: the black links in the black word's black-link set are matched against the preliminary tampered content, and if a match succeeds the webpage is considered tampered with.
Optionally, when the black links in a black word's black-link set are matched against the preliminary tampered content, it can be required that the preliminary tampered content contain a highly ranked black link: the webpage is considered tampered with only if a black link ranked before a predetermined position in that black word's black-link set is present. The predetermined position can be preset as needed and from experience: if the goal of detection is to be as complete as possible, the predetermined position can be set relatively large; if the goal is to be as accurate as possible, it can be set relatively small.
In the further detection of reported webpages, the detection server matches black words first, rather than matching black links directly, because black-word matching is fast and therefore more efficient. Black links are made up of more characters and/or letters, so matching them directly is clearly slower than matching the black words. The scheme proposed by the present invention thus balances the accuracy and efficiency of webpage tampering detection: the whole detection process consumes fewer resources, and accuracy is also greatly improved.
In the above scheme of the present invention, once the detection server determines that a reported webpage really contains tampered content, it raises an alarm. The alarm can first be sent to a notification server: alarm information such as the tampered content and the corresponding webpage information is sent to the notification server, which forwards the tampering information to the webmaster by e-mail or SMS. After receiving the alarm information, the webmaster carries out repairs, for example by modifying the webpage source code or changing the webmaster account password.
In the above scheme proposed by the present invention, the proxy server uniformly embeds the tampering detection script in webpages, so that tampering detection is distributed to each user terminal for execution. Because the detection program runs in the background as a script embedded in the webpage, it is invisible to the user and does not hinder the user's other operations. After the browser on the user terminal interprets and executes the tampering detection script and detects that a webpage has been tampered with, it reports the webpage to the detection server, which performs further detection and then sends alarm information to the website administrators, thereby providing a website security detection service. This scheme not only improves the efficiency of website security detection but also improves accuracy through further detection using black and white lists and methods such as black-word/black-link matching.
Fig. 4 shows a structural diagram of the webpage tampering detection device proposed by the present invention. As shown in Fig. 4, the device comprises:
Proxy module 401, which obtains the origin site's response webpage for an access request and embeds a tampering detection script in the webpage;
Sending module 402, which sends the webpage to the browser module that issued the access request;
Browser module 403, which executes the tampering detection script to detect whether the webpage has been tampered with;
Reporting module 404, which reports the webpage to the detection server if the webpage has been tampered with.
As described in the method embodiment shown in Fig. 1, in the above device of the present invention the proxy module 401 obtains from the origin site the webpage the user requested, and embeds the tampering detection script, which detects tampered content, directly into the webpage source code, that is, the webpage's HTML file. In this way the tampering detection script is embedded in webpages uniformly, and the work of tampering detection is distributed to each user terminal, which improves detection efficiency.
Specifically, the proxy server inserts the tampering detection script code into the head tag of the obtained HTML file, and the sending module 402 then returns the webpage to the browser module 403. Optionally, in the present invention the tampering detection script is implemented in JavaScript. A JavaScript program consists of plain-text statements and needs no compilation, so it can be interpreted and executed directly by the browser. With the JavaScript statements that detect whether the webpage has been tampered with embedded in the webpage's HTML file, opening the webpage triggers the script to run and check whether the content of the webpage has been tampered with.
Besides improving detection speed, another advantage of embedding a JavaScript script is that it runs only in the background and is invisible to the user, so it does not hinder the user's other operations.
Besides JavaScript, the present invention can use any other script that can be embedded in a webpage, as long as the browser can interpret and execute it; the present invention places no specific restriction on this.
The browser module 404 executes the tampering detection script in response to the user opening the webpage: after the HTML file has finished loading, it executes the tampering detection script embedded in the head tag of the HTML file, and the script detects whether the source code of the webpage opened by the user contains tampered content.
The tampering detection script can detect in several ways. According to one embodiment of the present invention, the script detects whether the webpage has been tampered with by judging whether a Trojan has been planted in it; according to another embodiment, it does so by judging whether the webpage contains a black link.
In the embodiment of the present invention, for malicious links such as black links and/or Trojan links, the tampering detection script can parse the webpage's HTML file into a DOM tree and inspect the DOM tree obtained from parsing.
Black-link detection is taken as an example. For a black link inserted in a webpage in the following form:
<a href="http://www.45u.com" style="display:none;">legend private server release</a>
the tampering detection script can be written as follows:
The above tampering detection script obtains the "a" tags from the parsed DOM tree; if a tag carries the style "display:none", that is, the content after the tag is set not to be displayed, the content is preliminarily considered tampered content. To prevent users from discovering the black links and Trojan links they insert, hackers usually set the display mode of those links to invisible. The tampering detection script can therefore be written according to the way black links and/or malicious links are inserted.
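An added JavaScript example, not the patent's own script, of the DOM check described above: it walks every "a" element and its ancestors and flags links hidden by display:none or pushed far off screen by a negative offset. The function names, the 1000-pixel threshold, the list of offset properties and the stub document (which lets the example run outside a browser) are assumptions.

```javascript
// In a browser, call findHiddenLinks(document) once the page has loaded.
// Only inline styles are inspected here; rules hidden in stylesheets are not.

// Assumed threshold: offsets at or beyond -1000 count as "moved off screen",
// so ordinary layout tweaks such as margin-left:-15px are not reported.
const MIN_OFFSCREEN_PX = 1000;
const OFFSET_PROPS = ['left', 'top', 'margin-left', 'margin-top', 'text-indent'];

// Turn an inline style string into a {property: value} object.
function parseInlineStyle(styleText) {
  const out = {};
  for (const decl of String(styleText || '').split(';')) {
    const i = decl.indexOf(':');
    if (i < 0) continue;
    out[decl.slice(0, i).trim().toLowerCase()] = decl.slice(i + 1).trim().toLowerCase();
  }
  return out;
}

// Return the declaration that hides an element, or null if none does.
function hiddenReason(styleText) {
  const style = parseInlineStyle(styleText);
  if (style.display === 'none') return 'display:none';
  for (const prop of OFFSET_PROPS) {
    if (parseFloat(style[prop]) <= -MIN_OFFSCREEN_PX) return prop + ':' + style[prop];
  }
  return null;
}

// Collect every link that is hidden itself or sits inside a hidden ancestor.
function findHiddenLinks(doc) {
  const findings = [];
  for (const a of Array.from(doc.getElementsByTagName('a'))) {
    for (let el = a; el && el.getAttribute; el = el.parentNode) {
      const reason = hiddenReason(el.getAttribute('style'));
      if (reason) {
        findings.push({
          href: a.getAttribute('href'),
          text: (a.textContent || '').trim(),
          reason,
        });
        break;
      }
    }
  }
  return findings;
}

// Constructed stand-in for a browser DOM so the example also runs under Node.
function stubElement(tagName, attrs, textContent, parentNode) {
  return {
    tagName,
    textContent,
    parentNode: parentNode || null,
    getAttribute: (name) => (name in attrs ? attrs[name] : null),
  };
}

// Constructed sample: two hidden links and one ordinary link.
function sampleDocument() {
  const wrapper = stubElement('div', { style: 'position:absolute;left:-10000px;' }, '');
  const nodes = [
    stubElement('a', { href: 'http://www.45u.com', style: 'display:none;' },
      'legend private server release'),
    stubElement('a', { href: 'http://spam.example/' }, 'constructed hidden text', wrapper),
    stubElement('a', { href: '/about', style: 'margin-left:-15px' }, 'About us'),
  ];
  return { getElementsByTagName: (tag) => nodes.filter((n) => n.tagName === tag) };
}

console.log(findHiddenLinks(sampleDocument()));
```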
In this step, after the browser module 403 uses the tampering detection script to detect that the webpage has been tampered with, the reporting module 404 reports the tampered webpage to the detection server.
After receiving the tampered webpage, the detection server notifies the administrators of the website the webpage belongs to, who can fix the vulnerability by modifying the webpage source code and the administrative permissions. To reduce the false alarm rate, the detection server optionally performs further processing on the tampered content of the reported webpage.
The detection server includes a judging module, which judges whether the tampered content of a reported webpage is present in a whitelist or a blacklist; the whitelist and blacklist are stored in the detection server. If the tampered content of the webpage is in the whitelist, no action is taken; if it is in the blacklist, it is stored in the tampering database and an alarm is raised. The blacklist and whitelist can be compiled from empirical values and collected from reliable third parties. The whitelist stores links confirmed to belong to normal websites, while the blacklist stores links to virus websites, sex-service websites, or malicious websites identified during detection. The blacklist and whitelist can also be updated through feedback from individual webmasters.
The judging module also includes an alarm module and a notification module. Once it is determined that a reported webpage really contains tampered content, the alarm module raises an alarm: it sends alarm information such as the tampered content and the corresponding webpage information to the notification module, which forwards the tampering information to the webmaster by e-mail or SMS. After receiving the alarm information, the webmaster carries out repairs, for example by modifying the webpage source code or changing the webmaster account password.
Optionally, to improve accuracy, the detection server also includes a device that performs further detection on reported webpages. Because the tampering detection script is a script embedded in the webpage, such as a JavaScript script, the detection server includes this device to ensure accuracy.
The device in the detection server that performs further detection on reported webpages is described below, taking black links in the tampered content as an example. Those skilled in the art will understand that although the device introduced below targets black links, it is not limited to detecting them; a similar device can detect other malicious links such as Trojan links, and corresponding approaches can be used to detect other tampered content.
Fig. 5 shows a structural diagram of the device on the detection server that performs further detection on reported webpages in the embodiment of the present invention. As shown in Fig. 5, the device comprises:
Extraction module 501: detects tampered content in the webpage according to the tampering feature library and extracts the black-word/black-link pairs in the tampered content, each pair consisting of a black word and its corresponding black link;
Library generation module 502: if the frequency of occurrence of a black-word/black-link pair is higher than a predetermined threshold, stores the pair in the black-word/black-link library;
Detection sub-module 503: detects tampered content in webpages according to the black-word/black-link library; if the link corresponding to a black word that appears in the webpage to be detected is present in the black-link set corresponding to that black word in the library, it determines that the webpage to be detected has been tampered with.
In the embodiment of the present invention, described extraction module 501 can be analyzed page elements position and the display mode in described webpage to be detected by described matching regular expressions, judges whether it is the content being tampered.For example, judge when black chain is distorted, whether the position that can judge the page elements in described webpage to be detected by matching regular expressions is within the scope of predetermined threshold value, or whether described page elements has sightless attribute, and/or, whether described page elements is hidden etc. browser, if so, judges that described page elements in the described page to be detected is as being tampered content.For example, if the hyperlink of certain page detected, be sightless, or in the page, the length and width height of certain html tag element is negative value, can judge the content that this page is tampered.
In the embodiment of the present invention, whether described extraction module 501 can also by there is the keyword of distorting of fixed malice link and/or its correspondence in webpage to be detected described in matching regular expressions, and whether it is tampered to carry out interpretation.
In the present invention, described extraction module 501 extracts black word-Hei chain pair from described distorting content, and described black word-Hei chain is to being comprised of black word and corresponding black chain thereof.For example, above-mentioned hit content ' <a href=" http://www.45u.com " style=that distorts " margin-left:-83791; " black word-Hei chain in the private clothes issue of > legend </a> ' is to being: the private clothes issue of legend- http:// www.45u.com.In existing page detection method, conventionally be all that the feature rule of distorting of distorting in feature database is mated the source code of webpage to be detected, the described feature rule of distorting is for having the connection of certain format for mating web page contents, in testing process, if hit, distort feature rule and think that this webpage is tampered, if do not hit, think that webpage to be detected is safe, displays it to user.But the inserted mode of current black chain emerges in an endless stream, day by day change.And use fixing distorting feature database or utilize renewal manually to distort feature database obviously not catch up with paces.
Based on this, the present invention is after detecting webpage and being tampered, and extraction module 501 extracts black word-Hei chain pair from distort content, so as afterwards according to this black word-Hei chain to webpage is further detected.
Generally, in the web page contents being tampered, black word-Hei chain all can correspondence specifically be distorted keyword.Alternatively, when extracting black word-Hei chain, extract the distort keyword corresponding with it, to further utilize.
For example: black chain below:
<a href=" http://www.45u.com " style=" display:none; " the private clothes issue of > legend </a>.
The keyword of distorting therefrom extracting can be " display:none ", and it represents that the display properties of this black word-Hei chain is invisible.
Every black-word/black-link pair that the extraction module 501 extracts is stored in the data storage server.
In the scheme of the present invention, a black-word/black-link library is provided specifically to improve detection accuracy. The library stores black-word/black-link pairs that appear frequently. In the embodiment of the present invention, when an extracted black-word/black-link pair is stored in the data storage server, the library generation module 502 also counts the number of times it has appeared; if the counted number of occurrences of a pair exceeds a first predetermined threshold, the pair is stored in the black-word/black-link library.
The way black-word/black-link pairs are stored in the library can be chosen as needed. Optionally, the pairs can be stored as black-link sets, with each black word corresponding to one black-link set.
For example, the black-word/black-link pairs in the library are stored as follows:
Black word 1 --- {black link 1, black link 2, black link 3, ..., black link m1}
Black word 2 --- {black link 1, black link 2, black link 3, ..., black link m2}
……
Black word n --- {black link 1, black link 2, black link 3, ..., black link mn}
Optionally, the black-link sets in the black-word/black-link library can be ordered sets, sorted by the number of times each black link in the set has appeared: the link with the most occurrences is ranked first, as black link 1, and the one with the fewest is ranked last, as black link n. During storage, each time a black-word/black-link pair is obtained, the library is searched for its black word. If the black word already exists, the corresponding black-link set is searched for the pair's black link; if the link is present its rank is updated, otherwise it is inserted at the tail of the black-link set. If the pair's black word does not exist in the library, a new black word and its corresponding black-link set are created.
Optionally, to improve detection accuracy, the present invention detects tampered content in webpages not only with the tampering feature library but also with the black-word/black-link library. Because the tampering feature library is relatively stable and is not updated promptly, it cannot detect tampered content in time for many newly emerging black-word/black-link pairs. Therefore, in the scheme of the present invention, besides detection according to the tampering rule library, the detection sub-module 503 also detects tampered content according to the black-word/black-link library.
In the embodiment of the present invention, the detection sub-module 503 detects a webpage with the black-word/black-link library by matching the web page content against the black words in the library. If the webpage contains content that matches a black word in the library, the webpage is preliminarily considered tampered with, and the corresponding preliminary tampered content is extracted.
Optionally, the preliminary tampered content is then further checked for a black link corresponding to that black word: the black links in the black word's black-link set are matched against the preliminary tampered content, and if a match succeeds the webpage is considered tampered with.
Optionally, when the black links in a black word's black-link set are matched against the preliminary tampered content, it can be required that the preliminary tampered content contain a highly ranked black link: the webpage is considered tampered with only if a black link ranked before a predetermined position in that black word's black-link set is present. The predetermined position can be preset as needed and from experience: if the goal of detection is to be as complete as possible, the predetermined position can be set relatively large; if the goal is to be as accurate as possible, it can be set relatively small.
The device in the detection server that performs further detection on reported webpages matches black words first, rather than matching black links directly, because black-word matching is fast and therefore more efficient. Black links are made up of more characters and/or letters, so matching them directly is clearly slower than matching the black words. The scheme proposed by the present invention thus balances the accuracy and efficiency of webpage tampering detection: the whole detection process consumes fewer resources, and accuracy is also greatly improved.
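An added example (not the patent's implementation) of the library generation module and detection sub-module described above, which are the same operations as steps 301 to 304 of the method: pairs of a black word and its black link (hidden link) are counted, promoted into the library once past a threshold, kept ranked per black word, and pages are then checked black word first and black link second. The class and function names, the threshold of 2, the 300-character window taken as the preliminary tampered content, and all sample pairs and pages are assumptions.

```javascript
class BlackWordLinkLibrary {
  constructor(threshold) {
    this.threshold = threshold; // the "first predetermined threshold"
    this.seen = new Map();      // every extracted pair -> occurrence count
    this.sets = new Map();      // promoted pairs: black word -> Map(link -> count)
  }

  // Record one extracted pair; promote it once its count exceeds the threshold.
  record(word, link) {
    const key = JSON.stringify([word, link]);
    const count = (this.seen.get(key) || 0) + 1;
    this.seen.set(key, count);
    if (count > this.threshold) {
      if (!this.sets.has(word)) this.sets.set(word, new Map());
      this.sets.get(word).set(link, count); // a new link lands at the tail
    }
    return count;
  }

  // Links for a black word, most frequent first (ties keep insertion order).
  rankedLinks(word) {
    const set = this.sets.get(word);
    if (!set) return [];
    return [...set.entries()].sort((a, b) => b[1] - a[1]).map(([link]) => link);
  }

  // Stage 1: cheap search for each black word. Stage 2: look for one of that
  // word's topK ranked links in the text around the hit (assumed window).
  detect(html, topK = Infinity, radius = 300) {
    const findings = [];
    for (const word of this.sets.keys()) {
      const candidates = this.rankedLinks(word).slice(0, topK);
      let at = html.indexOf(word);
      while (at !== -1) {
        const snippet = html.slice(Math.max(0, at - radius), at + word.length + radius);
        const link = candidates.find((l) => snippet.includes(l)) || null;
        findings.push({ word, link, confirmed: link !== null });
        at = html.indexOf(word, at + word.length);
      }
    }
    return { tampered: findings.some((f) => f.confirmed), findings };
  }
}

// Constructed sample data: three links reported for one black word.
const SAMPLE_WORD = 'legend private server release';
function buildSampleLibrary() {
  const lib = new BlackWordLinkLibrary(2);
  for (let i = 0; i < 3; i++) lib.record(SAMPLE_WORD, 'http://spam-b.example/');
  for (let i = 0; i < 5; i++) lib.record(SAMPLE_WORD, 'http://www.45u.com');
  lib.record(SAMPLE_WORD, 'http://rare.example/'); // seen once: not promoted
  return lib;
}

// Constructed pages: a hidden black link, a harmless mention, a bare link.
const PAGE_HIDDEN_LINK = '<p>Forum</p><a href="http://spam-b.example/" ' +
  'style="display:none;">legend private server release</a>';
const PAGE_NEWS = '<p>Police report on a legend private server release case.</p>';
const PAGE_LINK_ONLY = '<a href="http://www.45u.com">sponsor</a>';

const sampleLibrary = buildSampleLibrary();
console.log(sampleLibrary.rankedLinks(SAMPLE_WORD));
console.log(sampleLibrary.detect(PAGE_HIDDEN_LINK));    // confirmed
console.log(sampleLibrary.detect(PAGE_HIDDEN_LINK, 1)); // only rank 1 accepted
console.log(sampleLibrary.detect(PAGE_NEWS));           // black word, no link
```

Lowering `topK` corresponds to the smaller predetermined position in the text: the same hidden link is confirmed with the full set but stays a preliminary hit when only the top-ranked link is accepted.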
Because described device embodiment is substantially corresponding to the embodiment of the method shown in earlier figures 1, therefore not detailed part in the description of the present embodiment can, referring to the related description in previous embodiment, just not repeat at this.
A1. A method for detecting webpage tampering, comprising:
A proxy server obtaining the response webpage returned by an origin site for an access request;
The proxy server embedding a tamper-detection script in the webpage;
Sending the webpage to the client browser that sent the access request;
The browser executing the tamper-detection script to detect whether the webpage has been tampered with;
If the webpage has been tampered with, reporting the webpage to a detection server.
A2. The method for detecting webpage tampering as claimed in claim 1, wherein the tamper-detection script detects whether the webpage has been tampered with by judging whether a Trojan has been planted in the webpage.
A3. The method for detecting webpage tampering as claimed in claim 1, wherein the tamper-detection script detects whether the webpage has been tampered with by judging whether a black link exists in the webpage.
A4. The method for detecting webpage tampering as claimed in claim 1, further comprising:
Judging whether the tampered content in the reported webpage is present in a white list or a blacklist, wherein the white list and the blacklist are stored in the detection server;
If the tampered content of the webpage is present in the white list, taking no action;
If the tampered content of the webpage is present in the blacklist, storing it in a tampering database and raising an alarm.
A5. The method for detecting webpage tampering as described in any one of claims 1-4, further comprising:
Further detecting the reported webpage in the detection server.
A6. The method for detecting webpage tampering as claimed in claim 5, wherein further detecting the webpage in the detection server comprises:
Detecting tampered content in webpages according to a tampering feature library, and extracting the black-word/black-link pairs from the tampered content, each black-word/black-link pair consisting of a black word and its corresponding black link;
If the frequency of occurrence of a black-word/black-link pair is higher than a predetermined threshold, storing it in a black-word/black-link library;
Detecting tampered content in webpages according to the black-word/black-link library;
If the link corresponding to a black word that appears in a webpage to be detected is present in the set of black links corresponding to that black word in the black-word/black-link library, determining that the webpage to be detected has been tampered with.
A7. The method for detecting webpage tampering as claimed in claim 4, wherein raising the alarm comprises:
Sending the tampering information to a notification server;
The notification server sending the alarm information to the webmaster by e-mail/SMS.
A8. The method for detecting webpage tampering as described in any one of claims 1-4, wherein the tamper-detection script is a JavaScript script.
A9. A device for detecting webpage tampering, comprising:
A proxy module, which obtains the response webpage returned by an origin site for an access request and embeds a tamper-detection script in the webpage;
A sending module, which sends the webpage to the browser module that sent the access request;
A browser module, which executes the tamper-detection script to detect whether the webpage has been tampered with;
A reporting module, which reports the webpage to a detection server if the webpage has been tampered with.
A10. The device for detecting webpage tampering as claimed in claim 9, wherein the tamper-detection script detects whether the webpage has been tampered with by judging whether a Trojan has been planted in the webpage.
A11. The device for detecting webpage tampering as claimed in claim 9, wherein the tamper-detection script detects whether the webpage has been tampered with by judging whether a black link exists in the webpage.
A12. The device for detecting webpage tampering as claimed in claim 9, further comprising:
A judging module, for judging whether the tampered content of the reported webpage is present in a white list or a blacklist, wherein the white list and the blacklist are stored in the detection server; if the tampered content of the webpage is present in the white list, no action is taken; if the tampered content of the webpage is present in the blacklist, it is stored in a tampering database and an alarm is raised.
A13. The device for detecting webpage tampering as described in any one of claims 9-12, further comprising:
A detection module, for further detecting the reported webpage.
A14. The device for detecting webpage tampering as claimed in claim 13, wherein the detection module comprises:
An extraction module, which detects tampered content in webpages according to a tampering feature library and extracts the black-word/black-link pairs from the tampered content, each black-word/black-link pair consisting of a black word and its corresponding black link;
A library generation module, which stores a black-word/black-link pair in a black-word/black-link library when the frequency of occurrence of that pair is higher than a predetermined threshold;
A detection sub-module, which detects tampered content in webpages according to the black-word/black-link library, and determines that a webpage to be detected has been tampered with if the link corresponding to a black word appearing in it is present in the set of black links corresponding to that black word in the black-word/black-link library.
A15. The device for detecting webpage tampering as claimed in claim 12, wherein the judging module further comprises:
An alarm module, which sends the tampering information to a notification module;
A notification module, which sends the alarm information to the webmaster by e-mail/SMS.
A16. The device for detecting webpage tampering as described in any one of claims 9-12, wherein the tamper-detection script is a JavaScript script.
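The server-side procedure of A6, combined with the black-word-first matching order argued for in the description, as an added Python example (not code from the patent). It assumes the tampering feature library is a plain list of lowercase black words, counts every occurrence of a black word / black link (black chain) pair, and runs on constructed sample pages with `.example` hosts.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed inputs (assumptions, not from the patent): a feature library
# reduced to a list of lowercase black words, and pages already reported
# as tampered. Hosts use the reserved .example TLD.
BLACK_WORDS = ["casino bonus", "replica watches"]
REPORTED_PAGES = [
    '<a href="http://links.example/promo">casino bonus</a>',
    '<a href="http://links.example/promo">best casino bonus here</a>',
    '<a href="http://links.example/promo/">casino bonus</a>'
    '<a href="http://other.example/w">replica watches</a>',
]
CLEAN = '<p>Welcome</p><a href="/about">About us</a>'
NEWS = '<a href="https://news.example/story">Report on casino bonus ads</a>'
DEFACED = ('<div style="display:none">'
           '<a href="HTTP://LINKS.example/promo/">Casino Bonus</a></div>')

# Simple anchor matcher; adequate for the constructed samples above.
ANCHOR_RE = re.compile(
    r'<a\b[^>]*?href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def normalize_link(url):
    """Reduce a URL to lowercase host + path so trivial variants compare equal."""
    parts = urlsplit(url.strip())
    return (parts.hostname or "").lower() + parts.path.rstrip("/")


def extract_pairs(html, black_words):
    """Return (black word, link) for every anchor whose text holds a black word."""
    pairs = []
    for href, inner in ANCHOR_RE.findall(html):
        text = TAG_RE.sub("", inner).lower()
        for word in black_words:
            if word in text:
                pairs.append((word, normalize_link(href)))
    return pairs


def build_library(tampered_pages, black_words, threshold):
    """Keep only pairs whose occurrence count is higher than the threshold."""
    counts = Counter()
    for html in tampered_pages:
        counts.update(extract_pairs(html, black_words))
    library = defaultdict(set)
    for (word, link), seen in counts.items():
        if seen > threshold:
            library[word].add(link)
    return dict(library)


def is_tampered(html, library):
    """Scan for black words first; compare links only when a word is present."""
    lowered = html.lower()
    hit_words = [word for word in library if word in lowered]
    if not hit_words:
        return False, []          # cheap exit: no link parsing at all
    matches = [(word, link) for word, link in extract_pairs(html, hit_words)
               if link in library[word]]
    return bool(matches), matches


if __name__ == "__main__":
    lib = build_library(REPORTED_PAGES, BLACK_WORDS, threshold=1)
    for name, page in (("clean", CLEAN), ("news", NEWS), ("defaced", DEFACED)):
        print(name, is_tampered(page, lib))
```

The `NEWS` page shows why the pair matters: the black word alone appears in legitimate text, and only the word together with a link from its black-link set marks the page as tampered.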
The scheme proposed by the present invention can be used in numerous general-purpose or special-purpose computing system environments or configurations, for example: personal computers, server computers, handheld or portable devices, tablet devices, multiprocessor systems, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, and distributed computing environments that include any of the above systems or devices.
The present invention can be described in the general context of computer-executable instructions executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. The application can also be practised in distributed computing environments, in which tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules can be located in both local and remote computer storage media, including storage devices.
Finally, it should also be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between those entities or operations. Moreover, the terms "comprise", "include" or any other variant are intended to cover a non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the statement "comprising a ..." does not exclude the existence of other identical elements in the process, method, article or device that comprises the element.
The specific embodiments described above further explain the object, technical solution and beneficial effects of the present invention. It should be understood that the foregoing are only specific embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within the protection scope of the present invention.

Claims (10)

1. A method for detecting webpage tampering, comprising:
A proxy server obtaining the response webpage returned by an origin site for an access request;
The proxy server embedding a tamper-detection script in the webpage;
Sending the webpage to the client browser that sent the access request;
The browser executing the tamper-detection script to detect whether the webpage has been tampered with;
If the webpage has been tampered with, reporting the webpage to a detection server.
2. The method for detecting webpage tampering as claimed in claim 1, wherein the tamper-detection script detects whether the webpage has been tampered with by judging whether a Trojan has been planted in the webpage.
3. The method for detecting webpage tampering as claimed in claim 1, wherein the tamper-detection script detects whether the webpage has been tampered with by judging whether a black link exists in the webpage.
4. The method for detecting webpage tampering as claimed in claim 1, further comprising:
Judging whether the tampered content in the reported webpage is present in a white list or a blacklist, wherein the white list and the blacklist are stored in the detection server;
If the tampered content of the webpage is present in the white list, taking no action;
If the tampered content of the webpage is present in the blacklist, storing it in a tampering database and raising an alarm.
5. The method for detecting webpage tampering as described in any one of claims 1-4, further comprising:
Further detecting the reported webpage in the detection server.
6. The method for detecting webpage tampering as claimed in claim 5, wherein further detecting the webpage in the detection server comprises:
Detecting tampered content in webpages according to a tampering feature library, and extracting the black-word/black-link pairs from the tampered content, each black-word/black-link pair consisting of a black word and its corresponding black link;
If the frequency of occurrence of a black-word/black-link pair is higher than a predetermined threshold, storing it in a black-word/black-link library;
Detecting tampered content in webpages according to the black-word/black-link library;
If the link corresponding to a black word that appears in a webpage to be detected is present in the set of black links corresponding to that black word in the black-word/black-link library, determining that the webpage to be detected has been tampered with.
7. The method for detecting webpage tampering as claimed in claim 4, wherein raising the alarm comprises:
Sending the tampering information to a notification server;
The notification server sending the alarm information to the webmaster by e-mail/SMS.
8. The method for detecting webpage tampering as described in any one of claims 1-4, wherein the tamper-detection script is a JavaScript script.
9. A device for detecting webpage tampering, comprising:
A proxy module, which obtains the response webpage returned by an origin site for an access request and embeds a tamper-detection script in the webpage;
A sending module, which sends the webpage to the browser module that sent the access request;
A browser module, which executes the tamper-detection script to detect whether the webpage has been tampered with;
A reporting module, which reports the webpage to a detection server if the webpage has been tampered with.
10. The device for detecting webpage tampering as claimed in claim 9, wherein the tamper-detection script detects whether the webpage has been tampered with by judging whether a Trojan has been planted in the webpage.
CN201310631867.2A 2013-11-29 2013-11-29 Webpage tampering detecting method and device Pending CN103605926A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310631867.2A CN103605926A (en) 2013-11-29 2013-11-29 Webpage tampering detecting method and device

Publications (1)

Publication Number Publication Date
CN103605926A true CN103605926A (en) 2014-02-26

Family

ID=50124147

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310631867.2A Pending CN103605926A (en) 2013-11-29 2013-11-29 Webpage tampering detecting method and device

Country Status (1)

Country Link
CN (1) CN103605926A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right

Effective date of registration: 20161128

Address after: 100016 Jiuxianqiao Chaoyang District Beijing Road No. 10, building 15, floor 17, layer 1701-26, 3

Applicant after: BEIJING QI'ANXIN SCIENCE & TECHNOLOGY CO., LTD.

Address before: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park)

Applicant before: Beijing Qihu Technology Co., Ltd.

Applicant before: Qizhi Software (Beijing) Co., Ltd.

RJ01 Rejection of invention patent application after publication

Application publication date: 20140226