CN108171082B - Webpage detection method and device - Google Patents

Webpage detection method and device Download PDF

Info

Publication number
CN108171082B
CN108171082B CN201711278421.0A CN201711278421A CN108171082B CN 108171082 B CN108171082 B CN 108171082B CN 201711278421 A CN201711278421 A CN 201711278421A CN 108171082 B CN108171082 B CN 108171082B
Authority
CN
China
Prior art keywords
webpage
original
detected
sampling data
url
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201711278421.0A
Other languages
Chinese (zh)
Other versions
CN108171082A (en
Inventor
岳炳词
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
New H3C Security Technologies Co Ltd
Original Assignee
New H3C Security Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by New H3C Security Technologies Co Ltd filed Critical New H3C Security Technologies Co Ltd
Priority to CN201711278421.0A priority Critical patent/CN108171082B/en
Publication of CN108171082A publication Critical patent/CN108171082A/en
Application granted granted Critical
Publication of CN108171082B publication Critical patent/CN108171082B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90Details of database functions independent of the retrieved data types
    • G06F16/95Retrieval from the web
    • G06F16/958Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking

Abstract

The embodiment of the invention provides a webpage detection method and a device, wherein the method comprises the following steps: sampling an original webpage in advance to obtain original sampling data, and correspondingly storing the original sampling data and the identification of the webpage; when a webpage is detected, original sampling data corresponding to the identification of the webpage to be detected is obtained from prestored original sampling data, the webpage to be detected is sampled to obtain current sampling data, whether the original sampling data is the same as the current sampling data is judged, and if the original sampling data is the same as the current sampling data, the webpage to be detected is determined not to be tampered. Therefore, the original sampling data and the current sampling data are compared in the scheme, and compared with the existing scheme, the method and the device for detecting the webpage content contrast the whole content of the original webpage and the whole content of the webpage to be detected, time consumed by contrast is reduced, and detection efficiency is improved.

Description

Webpage detection method and device
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method and an apparatus for detecting a web page.
Background
In internet applications, an attacker usually tampers with a webpage, and therefore, the webpage needs to be detected to determine whether the webpage is tampered or not, so that damage caused by the tampered webpage is reduced. Existing web page detection schemes typically include: the method comprises the steps of storing normal webpages which are not tampered into a buffer area in advance, and comparing webpages which are requested to be accessed by a user with webpages stored in the buffer area after webpage access requests sent by the user are received. If the web pages stored in the buffer are different from the web page requested to be accessed by the user, the web page requested by the user is tampered.
In the scheme, the whole content of the webpage which the user requests to access is compared with the whole content of the webpage stored in the buffer area, so that the time consumption is long, and the detection efficiency is low.
Disclosure of Invention
The embodiment of the invention aims to provide a webpage detection method and a webpage detection device so as to improve the detection efficiency.
In order to achieve the above object, an embodiment of the present invention provides a method for detecting a web page, including:
determining the identification of a webpage to be detected;
acquiring original sampling data corresponding to the identifier from prestored original sampling data;
sampling the webpage to be detected to obtain current sampling data;
judging whether the obtained original sampling data is the same as the current sampling data;
and if the original sampling data is the same as the current sampling data, determining that the webpage to be detected is not tampered.
Optionally, the determining the identifier of the webpage to be detected may include:
receiving an access request sent by a user terminal, and determining a Uniform Resource Locator (URL) carried in the access request as an identifier of a webpage to be detected;
or, at intervals of a preset time period, sequentially determining the stored URLs of the webpages as the identifiers of the webpages to be detected according to a preset sequence.
Optionally, the obtaining, from the pre-stored original sample data, the original sample data corresponding to the identifier may include:
acquiring the original webpage data length corresponding to the identifier from the pre-stored original webpage data length;
acquiring the data length of the web page to be detected corresponding to the identifier;
judging whether the obtained original webpage data length is the same as the webpage data length to be detected or not;
and if the identification is the same as the original sampling data, acquiring the original sampling data corresponding to the identification from the prestored original sampling data.
Optionally, the obtaining, from the pre-stored original sample data, the original sample data corresponding to the identifier may include:
searching a detection table item containing the identifier in a pre-stored detection table item;
if the data is found, reading original sampling data contained in the found detection table item;
and if the identification is not found, acquiring the original webpage corresponding to the identification from the backup server, and sampling the original webpage to obtain original sampling data.
Optionally, the determining the identifier of the webpage to be detected includes: reading a URL (uniform resource locator) carried in an access request sent by a user terminal; if the read URL points to the dynamic webpage, adjusting the dynamic sequence number in the read URL to a preset sequence number, and determining the adjusted URL as the URL to be detected;
the obtaining, from the pre-stored raw sample data, the raw sample data corresponding to the identifier may include:
acquiring original sampling data corresponding to the URL to be detected from prestored original sampling data;
sampling the web page to be detected to obtain current sampling data, which may include:
and sampling the webpage to be detected corresponding to the URL to be detected to obtain current sampling data.
Optionally, the obtaining, from the pre-stored original sample data, the original sample data corresponding to the identifier may include:
acquiring a detection mark corresponding to the identification of the webpage to be detected from the pre-stored identification of the webpage and the detection mark corresponding to the identification;
judging whether the obtained detection mark is an untampered mark or not;
if the webpage is not marked with tampering, acquiring original sampling data corresponding to the identification of the webpage to be detected from prestored original sampling data;
the method may further comprise:
and under the condition that the obtained original sampling data is different from the current sampling data, adjusting the detection mark corresponding to the identification of the webpage to be detected into a tampering mark.
Optionally, the method may further include:
if the original sampling data is different from the current sampling data, acquiring an original webpage corresponding to the identifier from a backup server;
and sending the original webpage to a user terminal.
In order to achieve the above object, an embodiment of the present invention further provides a web page detection apparatus, including:
the first determining module is used for determining the identification of the webpage to be detected;
the acquisition module is used for acquiring original sampling data corresponding to the identifier from prestored original sampling data;
the first sampling module is used for sampling the webpage to be detected to obtain current sampling data;
the judging module is used for judging whether the acquired original sampling data is the same as the current sampling data; if the two are the same, a second determination module is triggered,
and the second determining module is used for determining that the webpage to be detected is not tampered.
Optionally, the first determining module may be specifically configured to:
receiving an access request sent by a user terminal, and determining a Uniform Resource Locator (URL) carried in the access request as an identifier of a webpage to be detected;
or, at intervals of a preset time period, sequentially determining the stored URLs of the webpages as the identifiers of the webpages to be detected according to a preset sequence.
Optionally, the obtaining module may be specifically configured to:
acquiring the original webpage data length corresponding to the identifier from the pre-stored original webpage data length;
acquiring the data length of the web page to be detected corresponding to the identifier;
judging whether the obtained original webpage data length is the same as the webpage data length to be detected or not;
and if the identification is the same as the original sampling data, acquiring the original sampling data corresponding to the identification from the prestored original sampling data.
Optionally, the obtaining module may be specifically configured to:
searching a detection table item containing the identifier in a pre-stored detection table item;
if the data is found, reading original sampling data contained in the found detection table item;
and if the identification is not found, acquiring the original webpage corresponding to the identification from the backup server, and sampling the original webpage to obtain original sampling data.
Optionally, the first determining module may be specifically configured to: reading a URL (uniform resource locator) carried in an access request sent by a user terminal; if the read URL points to the dynamic webpage, adjusting the dynamic sequence number in the read URL to a preset sequence number, and determining the adjusted URL as the URL to be detected;
the obtaining module may be specifically configured to: acquiring original sampling data corresponding to the URL to be detected from prestored original sampling data;
the first sampling module may be specifically configured to: and sampling the webpage to be detected corresponding to the URL to be detected to obtain current sampling data.
Optionally, the obtaining module may be specifically configured to:
acquiring a detection mark corresponding to the identification of the webpage to be detected from the pre-stored identification of the webpage and the detection mark corresponding to the identification; judging whether the obtained detection mark is an untampered mark or not; if the webpage is not marked with tampering, acquiring original sampling data corresponding to the identification of the webpage to be detected from prestored original sampling data;
the apparatus may further include:
and the adjusting module is used for adjusting the detection mark corresponding to the identifier of the webpage to be detected into a tampering mark under the condition that the obtained original sampling data is different from the current sampling data.
Optionally, the apparatus may further include:
the feedback module is used for acquiring an original webpage corresponding to the identifier from a backup server under the condition that the acquired original sampling data is different from the current sampling data; and sending the original webpage to a user terminal.
In order to achieve the above object, an embodiment of the present invention further provides an electronic device, including a processor, a communication interface, a memory, and a communication bus, where the processor, the communication interface, and the memory complete communication with each other through the communication bus;
a memory for storing a computer program;
and the processor is used for realizing any webpage detection method when executing the program stored in the memory.
In order to achieve the above object, an embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored in the computer-readable storage medium, and the computer program, when executed by a processor, implements any of the above web page detection methods.
By applying the embodiment of the invention, the original webpage, namely the normal webpage is sampled in advance to obtain the original sampling data, and the original sampling data and the identification of the webpage are correspondingly stored. When a webpage needs to be detected, acquiring original sampling data corresponding to the identification of the webpage to be detected from prestored original sampling data; and sampling the webpage to be detected to obtain current sampling data. And judging whether the acquired original sampling data is the same as the current sampling data. And if the detection result is the same, determining that the webpage to be detected is not tampered. And if not, determining that the webpage to be detected is tampered. Therefore, on the first aspect, compared with the existing scheme in which the original sampling data is compared with the current sampling data, the scheme compares all the contents of the original webpage with all the contents of the webpage to be detected, thereby reducing the time consumed for comparison and improving the detection efficiency; in the second aspect, the sampling data of the normal webpage is pre-stored in the scheme, but not the whole content of the abnormal webpage, so that the occupation of storage resources is reduced.
Of course, not all of the advantages described above need to be achieved at the same time in the practice of any one product or method of the invention.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic flowchart of a first method for detecting a web page according to an embodiment of the present invention;
fig. 2 is a schematic flowchart of a second method for detecting a web page according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of an application scenario according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a web page detection apparatus according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In order to solve the technical problem, embodiments of the present invention provide a method and an apparatus for detecting a web page, and an electronic device. The method and apparatus may be applied to a server, or a network device between the server and a user terminal, and the like, and are not limited in particular.
For convenience of description, in the following, a network device is explained as an execution subject. First, a detailed description is given to a web page detection method provided by an embodiment of the present invention.
Fig. 1 is a schematic flowchart of a first process of a web page detection method according to an embodiment of the present invention, where the web page detection method specifically includes the following steps:
s101: and determining the identification of the webpage to be detected.
As an implementation manner, after receiving an access request sent by a user terminal, a network device may determine, according to the access request, an identifier of a web page to be detected.
As another embodiment, the network device may determine, every preset time period, the stored identifiers of the webpages in turn according to a preset sequence as the identifiers of the webpages to be detected.
For example, the identifier may be a Uniform Resource Locator (URL). The access request sent by the user terminal may carry a URL, and the network device determines the URL carried in the access request as the URL of the web page to be detected.
Or, the network device may determine the stored URLs of the web pages as the URLs of the web pages to be detected in sequence according to a preset sequence every preset time period.
Alternatively, the network device may use other information capable of uniquely identifying the web page as the identifier of the web page, which is not limited specifically, and for convenience of description, the following description will use the identifier of the web page as a URL as an example.
In this embodiment, the network device reads a URL carried in an access request sent by the user terminal. And if the webpage pointed by the URL is a static webpage, the network equipment directly takes the read URL as the URL to be detected. If the webpage pointed by the URL is a dynamic webpage, the network equipment adjusts the dynamic sequence number in the read URL to be a preset sequence number, and determines the adjusted URL as the URL to be detected.
Generally, "? "followed by a number of ids, such as: http:// xxx.xx.com/xxx/xxx/xxx.yxyid 1; http:// xxx.xxx.com/xxx/xxx/xxx.yyyid 10; http:// xxx.xxx.com/xxx/xxx/xxx.yyyid 5; the three URLs represent the same dynamic web page, and the dynamic web page comprises a plurality of URLs with different ids.
In the present embodiment, this id is referred to as a dynamic number, and one dynamic number may be set in advance, and if the preset number is 1, a URL whose id is 1 is used as the URL to be detected.
S102: and acquiring the original sampling data corresponding to the identifier from the prestored original sampling data.
In a network device or another device communicatively connected to the network device, raw sample data of a plurality of web pages is stored in advance.
Specifically, the network device or another device communicatively connected to the network device may sample an original web page in advance to obtain original sample data, and store the obtained original sample data in correspondence with the URL of the web page. In this embodiment, the "original web page" is a web page that has not been tampered with, and data obtained by sampling the original web page is referred to as "original sampling data".
In this way, the network device takes the URL acquired in S101 as the URL to be probed. And in the prestored URL and the corresponding original sampling data, the network equipment acquires the original sampling data corresponding to the URL to be detected.
In the present embodiment, a sampling rule is set in advance, and the sampling rule includes the number of sampling intervals, the sampling length, and the like. Sampling is carried out on the original webpage and the webpage to be detected in the subsequent content according to the sampling rule.
As described above, in S101, if the URL read in the access request points to the dynamic web page, the network device adjusts the dynamic sequence number in the read URL to a preset sequence number, and determines the adjusted URL as the URL to be detected.
Assuming that the preset serial number is 1, when the network device stores the URL and the corresponding original sampling data in advance, only the original web page pointed by the URL corresponding to the serial number 1 may be sampled for the plurality of URLs included in the dynamic web page, so as to obtain the original sampling data.
As an embodiment, S102 may include: the network equipment acquires the original webpage data length corresponding to the identifier and the webpage data length to be detected corresponding to the identifier from the prestored original webpage data length. And the network equipment judges whether the acquired original webpage data length is the same as the data length of the webpage to be detected. And if the data are the same, the network equipment acquires the original sampling data corresponding to the identifier from the prestored original sampling data.
In a network device or another device communicatively connected to the network device, original web page data lengths of a plurality of web pages are stored in advance. In this embodiment, the "data length of the web page" refers to the total length of all data in the web page, and the "data length of the original web page" refers to the total length of all data in the web page that has not been tampered with.
Specifically, the network device may obtain the data length of the original web page in advance, and store the obtained data length of the original web page and the URL of the web page correspondingly. In this way, the network device uses the URL determined in S101 as the URL to be detected, and obtains the original webpage data length corresponding to the URL to be detected from the pre-stored URL and the corresponding original webpage data length.
In addition, the network device obtains the data length of the web page to be detected corresponding to the URL to be detected, and the web page to be detected is the web page provided for the user by the server at the current time.
As an embodiment, two types of servers may be set, one type is a publishing server, and the other type is a backup server: the publishing server is a server providing services for ordinary users, and a webpage provided by the server is at risk of being tampered. The backup server can be regarded as a safe server, the web pages stored in the backup server are not tampered, and common users cannot access the backup server. And after the issuing server issues a new webpage, storing the new webpage into the backup server.
In this way, the network device (executing agent) can obtain the web page to be detected from the publishing server and obtain the original web page from the backup server.
The network device may read the data length of the web page to be detected from the publishing server, and compare the data length of the web page to be detected with the data length of the original web page. If the URL and the webpage are different, the network equipment determines that the webpage to be detected corresponding to the URL is tampered, and does not execute the subsequent steps. If the two are the same, the network device executes the subsequent steps again to perform the subsequent detection.
As an embodiment, a probe entry may be stored in a network device or a device communicatively connected to the network device, where the probe entry includes a URL and corresponding raw sample data, or the probe entry may further include a raw data length.
In this embodiment, S102 may include: and the network equipment searches the detection table item containing the identifier in the pre-stored detection table items. If the data is found, the network equipment reads the original sampling data contained in the found detection table entry. If the identification is not found, the network equipment acquires the original webpage corresponding to the identification from the backup server, and samples the original webpage to obtain original sampling data.
The network device or other devices connected with the network device sample the original webpage to obtain original sampling data, and then the obtained original sampling data and the URL to be detected can be stored as a new detection table item; or, the obtained original sampling data, the data length of the original web page, and the URL to be detected may be stored as a new detection entry.
In this embodiment, the network device may update the stored detection table entry according to a preset period. For example, the stored detection table entry is updated every hour; or, after the original web page stored in the backup server is updated, the network device updates the detection table entry corresponding to the updated web page. There are various update modes for the detection table entry, and no limitation is specifically made.
Updating the probe entry may include adding or replacing. For example, for the stored probe table entries, the original web pages corresponding to the URLs in the backup server may be searched for by referring to the URLs included in the table entries, and the original web pages are resampled by the network device or other devices connected to the network device, and the original sampled data obtained by resampling is substituted for the original sampled data in the probe table entries.
And if the original webpage is newly added in the backup server, sampling the newly added original webpage, and correspondingly storing the obtained original sampling data and the URL of the newly added original webpage as a detection table entry, which is equivalent to adding the detection table entry.
S103: and sampling the webpage to be detected to obtain current sampling data.
For example, the network device may obtain a web page to be detected from the publishing server, and sample the web page to be detected by using a preset sampling rule to obtain current sampling data.
As described above, in S101, if the URL read by the network device in the access request points to the dynamic web page, the dynamic sequence number in the read URL is adjusted to the preset sequence number, and the adjusted URL is determined as the URL to be detected. And the original sampling data acquired by the network device in S102 is also the sampling data of the original webpage corresponding to the adjusted URL.
Correspondingly, the network device in S103 also samples the web page to be detected corresponding to the adjusted URL to obtain the current sampling data.
Continuing the above example, assuming that the preset serial number is 1, when the URLs and the corresponding original sampling data are stored in advance, only the original web page pointed by the URL corresponding to the serial number 1 is sampled for the URLs included in the dynamic web page, so as to obtain the original sampling data.
Correspondingly, in S103, the network device only samples the web page to be detected pointed by the URL corresponding to the serial number 1, so as to obtain current sampling data. In this way, the dynamic sequence numbers in the URLs corresponding to the original sample data and the current sample data are the same.
In the existing scheme, aiming at a dynamic webpage, webpage contents pointed by a plurality of URLs contained in the dynamic webpage are all stored in a buffer area, and a large amount of storage resources are occupied; in the embodiment, only the sampling data of one URL in the dynamic webpage is stored, so that the occupation of storage resources is greatly reduced.
In addition, in the existing scheme, aiming at each URL contained in the dynamic webpage, all original contents of the URL are compared with all current contents, and the comparison time is long; in the embodiment, only one URL in the dynamic webpage is targeted, and the original sampling data of the URL is compared with the current sampling data, so that the time consumption for comparison is greatly reduced, and the detection efficiency is improved.
S104: judging whether the obtained original sampling data is the same as the current sampling data; if so, executing S105: determining that the webpage to be detected is not tampered; if not, executing S106: and determining that the webpage to be detected is tampered.
If the network device executes the embodiment of the present invention after receiving the access request sent by the user terminal, the network device may feed back the web page to be detected corresponding to the URL carried in the access request to the user terminal if the determination result in S104 is the same. And in the case that the determination result of S104 is different, the network device may feed back the original webpage corresponding to the URL carried in the access request to the user.
For example, in the above embodiment, the network device (execution agent) acquires the web page to be detected from the publishing server, and acquires the original web page from the backup server. That is, when the determination results in S104 are the same, the web page to be detected corresponding to the URL is acquired from the publishing server and fed back to the user. And if the judgment result of S104 is different, acquiring the original webpage corresponding to the URL from the backup server, and sending the original webpage to the user terminal.
As an embodiment, the network device or another device connected to the network device may store corresponding detection marks for the URL, where the detection marks include both tampered marks and untampered marks.
Before S102, the network device may first obtain a detection flag corresponding to the URL to be detected. If the acquired detection mark is a tampering mark, the network device determines that the webpage to be detected corresponding to the URL is tampered, and does not execute S102-S104. If the acquired detection mark is an untampered mark, the network device performs S102-S104 again for subsequent detection. The detection marking is carried out on the URL, so that the detection efficiency can be further improved.
In the present embodiment, when the determination result in S104 is different, the network device adjusts the detection flag corresponding to the URL to be detected to the falsification flag. In addition, the network device may adjust the detection flag corresponding to the detection URL to be an untampered flag after the to-be-detected web page corresponding to the to-be-detected URL is repaired.
By applying the embodiment shown in fig. 1 of the invention, on the first hand, in the scheme, the original sampling data is compared with the current sampling data, and compared with the existing scheme, the method has the advantages that the whole content of the original webpage is compared with the whole content of the webpage to be detected, so that the time consumed for comparison is reduced, and the detection efficiency is improved; in the second aspect, the sampling data of the normal webpage is pre-stored in the scheme, but not the whole content of the abnormal webpage, so that the occupation of storage resources is reduced.
Fig. 2 is a schematic flow chart of a second method for detecting a web page according to an embodiment of the present invention, which specifically includes the following steps:
s201: and receiving an access request sent by a user terminal, and determining the URL to be detected according to the URL carried in the access request.
As an implementation manner, the network device reads a URL carried in an access request sent by the user terminal. And if the webpage pointed by the URL is a static webpage, the network equipment directly takes the read URL as the URL to be detected. If the webpage pointed by the URL is a dynamic webpage, the network equipment adjusts the dynamic sequence number in the read URL to be a preset sequence number, and determines the adjusted URL as the URL to be detected.
Generally, "? "followed by a number of ids, such as: http:// xxx.xx.com/xxx/xxx/xxx.yxyid 1; http:// xxx.xxx.com/xxx/xxx/xxx.yyyid 10; http:// xxx.xxx.com/xxx/xxx/xxx.yyyid 5; the three URLs represent the same dynamic web page, and the dynamic web page comprises a plurality of URLs with different ids.
In the present embodiment, this id is referred to as a dynamic number, and one dynamic number may be set in advance, and if the preset number is 1, a URL whose id is 1 is used as the URL to be detected.
S202: and searching a detection table item containing the URL to be detected in the pre-stored detection table items. If found, S203-S209 are executed, and if not found, S210-S215 are executed.
In the embodiment of fig. 2, a network device or other devices communicatively connected to the network device stores a probe entry therein. The detection table entry comprises a URL, a detection mark corresponding to the URL, the data length of the original webpage and original sampling data. The detection mark comprises a tampered mark and an untampered mark.
S203: judging whether the detection mark contained in the searched detection table entry is an untampered mark, if so, executing S204, otherwise, executing S216: and determining that the webpage to be detected corresponding to the URL to be detected is tampered.
S204: and reading the data length of the original webpage contained in the searched detection table entry.
S205: and acquiring the data length of the web page to be detected corresponding to the URL to be detected.
As an embodiment, two types of servers may be set, one type is a publishing server, and the other type is a backup server: the publishing server is a server providing services for ordinary users, and a webpage provided by the server is at risk of being tampered. The backup server can be regarded as a safe server, the web pages stored in the backup server are not tampered, and common users cannot access the backup server. And after the issuing server issues a new webpage, storing the new webpage into the backup server.
In this way, the network device (executing agent) can obtain the web page to be detected from the publishing server and obtain the original web page from the backup server.
For example, the network device may obtain a web page to be detected from the publishing server, and then determine the data length of the web page to be detected. Or, the publishing server may store the data length of the web page to be detected, and the network device may directly obtain the data length of the web page to be detected from the publishing server.
S206: judging whether the original webpage data length contained in the searched detection table entry is the same as the acquired webpage data length to be detected, if so, executing S207, and if not, executing S216: and determining that the webpage to be detected corresponding to the URL to be detected is tampered.
S207: and reading the original sampling data contained in the searched detection table entry.
As described above, in S201, if the URL read by the network device in the access request points to the dynamic web page, the dynamic sequence number in the read URL is adjusted to a preset sequence number, and the adjusted URL is determined as the URL to be detected.
For example, assuming that the preset sequence number is 1, when the network device or another device connected to the network device stores the detection table entry in advance, for a plurality of URLs included in the dynamic web page, only the original web page pointed by the URL corresponding to the sequence number 1 may be sampled to obtain original sampling data, and the original sampling data is added to the detection table entry.
S208: and sampling the webpage to be detected corresponding to the URL to be detected to obtain current sampling data.
As described above, in S201, if the URL read by the network device in the access request points to the dynamic web page, the dynamic sequence number in the read URL is adjusted to a preset sequence number, and the adjusted URL is determined as the URL to be detected. And the original sampling data read by the network device in S207 is also the sampling data of the original webpage corresponding to the adjusted URL.
Correspondingly, the network device in S208 also samples the web page to be detected corresponding to the adjusted URL to obtain the current sampling data.
Continuing the above example, assuming that the preset serial number is 1, when the URL and the corresponding original sampling data are stored in advance, only the original web page pointed by the URL corresponding to the serial number 1 is sampled for the plurality of URLs included in the dynamic web page, so as to obtain the original sampling data.
Correspondingly, in S208, the network device only samples the web page to be detected pointed by the URL corresponding to the serial number 1, so as to obtain current sampling data. In this way, the dynamic sequence numbers in the URLs corresponding to the original sample data and the current sample data are the same.
S209: judging whether the acquired original sampling data is the same as the current sampling data, if so, executing S217: determining that the webpage to be detected corresponding to the URL to be detected is not tampered, if the webpage to be detected is not tampered, executing S216: and determining that the webpage to be detected corresponding to the URL to be detected is tampered.
If the probing entry containing the URL to be probed is not found in S202, S210-S215 are executed.
S210: and acquiring an original webpage corresponding to the URL to be detected from the backup server, and determining the data length of the original webpage.
S211: and acquiring the data length of the web page to be detected corresponding to the URL to be detected.
As described above, the network device may obtain the web page to be detected from the publishing server, and then determine the data length of the web page to be detected. Or, the publishing server may store the data length of the web page to be detected, and the network device may directly obtain the data length of the web page to be detected from the publishing server.
S212: judging whether the determined original webpage data length is the same as the acquired webpage data length to be detected, if so, executing S213, and if not, executing S216: and determining that the webpage to be detected corresponding to the URL to be detected is tampered.
S213: and sampling the original webpage corresponding to the URL to be detected, which is acquired from the backup server, to obtain original sampling data.
S214: and sampling the webpage to be detected corresponding to the URL to be detected to obtain current sampling data.
S215: judging whether the acquired original sampling data is the same as the current sampling data, if so, executing S217: determining that the webpage to be detected corresponding to the URL to be detected is not tampered, if the webpage to be detected is not tampered, executing S216: and determining that the webpage to be detected corresponding to the URL to be detected is tampered.
In the embodiment of fig. 2, the network device may update the stored detection table entry according to a preset period. For example, the stored probe entries are updated every hour. Or, after the original web page stored in the backup server is updated, the network device updates the detection table entry corresponding to the updated web page. There are various update modes for the detection table entry, and no limitation is specifically made.
Updating the probe entry may include adding or replacing. For example, for a stored probe entry, the network device may look up, in the backup server, original web pages corresponding to URLs included in the entry for the URLs, resample the original web pages, and replace original sample data in the probe entry with original sample data obtained by resampling.
If the original web page is newly added in the backup server, the network device samples the newly added original web page, and stores the obtained original sampling data and the URL of the newly added original web page as a detection table entry, which is equivalent to adding the detection table entry.
A specific embodiment is described below with reference to fig. 2 and fig. 3, and as shown in fig. 3, a Web application protection system, also called as: the embodiment of the invention can be executed by a WAF system.
The network device is in communication connection with a publishing server (or publishing web server) and a backup server. The publishing server is a server providing services for ordinary users, and a webpage provided by the server is at risk of being tampered. The backup server can be regarded as a safe server, the web pages stored in the backup server are not tampered, and common users cannot access the backup server. And after the release server releases a new webpage, storing the newly released webpage into the backup server.
In this way, the network device (executing agent) can obtain the web page to be detected from the publishing server, and the network device can obtain the original web page from the backup server through the private network.
The network device may obtain a list of tamper resistant web pages, the list including a plurality of URLs. The network equipment searches the original web pages corresponding to the URLs from the backup server, and samples the searched original web pages by using a preset sampling rule to obtain a plurality of original sampling data. If the original webpage pointed by the URL is a dynamic webpage, the network equipment can adjust the dynamic serial number in the URL to be a preset serial number, the adjusted URL is obtained if the preset serial number is 1, and then the network equipment samples the original webpage pointed by the adjusted URL to obtain original sampling data.
The network equipment acquires the original webpage data lengths corresponding to the URLs, and respectively stores each URL, the corresponding original sampling data and the original webpage data length as a detection table entry. The detection table entry further comprises a detection mark corresponding to the URL, the detection mark comprises a tamper mark and an untamper mark, the detection mark is an untamper mark in an initial state, and subsequently, if it is determined that the web page is tampered, the network device adjusts the detection mark in the detection table entry corresponding to the web page to be the tamper mark.
The detection table entries may be stored in the network device, and the detection table entries may be divided into two types, namely, dynamic web page detection table entries and static web page detection table entries. The web pages pointed by the URLs contained in the dynamic web page detection list items are dynamic web pages, and the web pages pointed by the URLs contained in the static web page detection list items are static web pages. And the detection table items are classified, so that the table item searching efficiency can be improved. The structures of the two types of detection table entries may be the same.
The structure of the detection table entry can be divided into three levels, and the first level table entry can be called a file extension table entry. The file extension table entry may be an Array structure extFile _ Array [ ], and the structure of each element in the Array may be:
web file name extension ListPtr
Wherein, the column of the 'web file extension' stores the file extension, such as htm, etc.; the "ListPtr" column is a pointer to the second level entry.
The second-level entry may be called an alphabetical entry, the alphabetical entry may be an array structure, letter _ hash _ array [ ], the array subscript may be the ASCII code of the first letter of the file extension, and the structure of each element in the array may be:
array subscript corresponding letter ClPtr
The column of the 'array subscript corresponding to letter' stores the letter corresponding to the array subscript ASCII code. If the ASCII code of "a" is 65, then the letter ' a ' is stored in the column of "array subscript corresponding to letter" in the letter table entry letter _ hash _ array [65] '
ClPtr: is a pointer to the third level entry.
The third-level table entry may be referred to as a matching table entry, and the matching table entry may be an Array structure match _ Array [ ], and the structure of each element in the Array may be:
Figure BDA0001497052210000161
the URL in the matching entry may be a relative URL. For example, the URL is typically in the format: "http:// xxx. com/xxx/xxx. yyyy? Parameter list "; the URL in the matching entry may not contain "http:// xxx. com/", but only "xxx/xxx. yyyy? List of parameters ".
raw _ strList represents the original sample data corresponding to the URL, and raw _ page _ len represents the original web page data length corresponding to the URL. The sampling interval value and the sampling length both belong to the content in the set sampling rule. For example, if the sampling interval value is 10, it means that 10 bytes are sampled every interval, and the sampling length is 3, it means that 3 bytes are read at a time.
The matchTime may indicate the interval duration for updating the sounding table entry. The detection mark includes a tamper mark and an untamper mark, the tamper mark may be change _ state ═ 1, and the untamper mark may be change _ state ═ 0.
As shown in fig. 3, a user can access a network device through a terminal used.
Suppose that a network device receives an access request sent by a user terminal, and a URL carried in the access request is a URL in a tamper-resistant web page list. In this case, the network device starts the WAF system. If the URL is the URL of the static webpage, the network equipment directly takes the URL as the URL to be detected, and searches the detection table entry containing the URL to be detected in the static detection table entry.
As described above, the URLs in the matching entry are relative URLs. Therefore, read the URL in the access request, extract a part of the URL, that is, contain only "xxx/xxx/xxx.yyyy? Part of the parameter list "serves as the URL to be probed.
If the URL to be detected is the URL of a dynamic web page, "? And adjusting the subsequent id value to be a preset serial number 1, taking the adjusted URL as the URL to be detected, and searching the URL to be detected in the dynamic detection table entry.
And the network equipment reads the detection mark in the searched detection table entry. If the detection flag is change _ state ═ 1, the network device may directly determine that the web page to be detected corresponding to the URL to be detected is tampered. In this case, the network device may obtain the original web page corresponding to the URL to be detected from the backup server, and feed back the original web page to the user.
If the detection mark is changed _ state ═ 0, the network device continues to read the original web page data length in the searched detection table entry. And acquiring the webpage to be detected corresponding to the URL to be detected from the publishing server, and determining the data length of the webpage to be detected.
And the network equipment judges whether the data length of the original webpage is the same as that of the webpage to be detected. If the detected URL is different from the detected URL, the webpage to be detected corresponding to the URL to be detected can be determined to be tampered. In this case, the network device may obtain the original web page corresponding to the URL to be detected from the backup server, and feed back the original web page to the user. And if the data length of the original webpage is the same as that of the webpage to be detected, the network equipment samples the webpage to be detected acquired from the release server by using the sampling rule.
As described above, if the URL carried in the access request points to the dynamic web page, the network device adjusts the dynamic serial number in the URL to the preset serial number 1 to obtain an adjusted URL, and the adjusted URL is used as the URL to be detected. Therefore, the network device samples the adjusted webpage to be detected pointed by the URL to obtain the current sampling data.
And the network equipment continuously reads the original sampling data in the searched detection table entry and judges whether the original sampling data is the same as the current sampling data. If the URL is the same as the URL, the network equipment determines that the webpage to be detected corresponding to the URL to be detected is not tampered, and feeds the webpage to be detected acquired from the publishing server back to the user. And if the URL is different from the URL, the network equipment determines that the webpage to be detected corresponding to the URL to be detected is tampered, and feeds back the original webpage acquired from the backup server to the user.
And if the network equipment does not find the detection table entry containing the URL to be detected, the network equipment acquires the original webpage corresponding to the URL to be detected from the backup server and determines the data length of the original webpage. And the network equipment acquires the webpage to be detected corresponding to the URL to be detected from the publishing server and determines the data length of the webpage to be detected.
And the network equipment judges whether the data length of the original webpage is the same as that of the webpage to be detected. If the data length of the original webpage is different from that of the webpage to be detected, the network device can determine that the webpage to be detected corresponding to the URL to be detected is tampered. In this case, the network device may feed back the original web page retrieved from the backup server to the user. And if the data length of the original webpage is the same as that of the webpage to be detected, the network equipment samples the webpage to be detected acquired from the release server by using the sampling rule.
As described above, if the URL carried in the access request points to the dynamic web page, the network device adjusts the dynamic serial number in the URL to the preset serial number 1 to obtain an adjusted URL, and the adjusted URL is used as the URL to be detected. Therefore, the network device samples the adjusted webpage to be detected pointed by the URL to obtain the current sampling data.
And the network equipment samples the original webpage acquired from the backup server by using the sampling rule. As described above, if the URL carried in the access request points to the dynamic web page, the network device adjusts the dynamic serial number in the URL to the preset serial number 1 to obtain an adjusted URL, and the adjusted URL is used as the URL to be detected. Therefore, the network device samples the adjusted original webpage pointed by the URL to obtain original sampling data.
The network device determines whether the original sampled data is the same as the current sampled data. If the URL is the same as the URL, the network equipment determines that the webpage to be detected corresponding to the URL to be detected is not tampered, and feeds the webpage to be detected acquired from the publishing server back to the user. And if the URL is different from the URL, the network equipment determines that the webpage to be detected corresponding to the URL to be detected is tampered, and feeds back the original webpage acquired from the backup server to the user.
Corresponding to the foregoing method embodiment, an embodiment of the present invention further provides a web page detection apparatus, as shown in fig. 4, including:
a first determining module 401, configured to determine an identifier of a web page to be detected;
an obtaining module 402, configured to obtain, from pre-stored original sample data, original sample data corresponding to the identifier;
a first sampling module 403, configured to sample the web page to be detected to obtain current sampling data;
a judging module 404, configured to judge whether the obtained original sampling data is the same as the current sampling data; if the two are the same, a second determination module is triggered,
and a second determining module 405, configured to determine that the web page to be detected is not tampered.
As an embodiment, the first determining module 401 may specifically be configured to:
receiving an access request sent by a user terminal, and determining a Uniform Resource Locator (URL) carried in the access request as an identifier of a webpage to be detected;
or, at intervals of a preset time period, sequentially determining the stored URLs of the webpages as the identifiers of the webpages to be detected according to a preset sequence.
As an embodiment, the obtaining module 402 may be specifically configured to:
acquiring the original webpage data length corresponding to the identifier from the pre-stored original webpage data length;
acquiring the data length of the web page to be detected corresponding to the identifier;
judging whether the obtained original webpage data length is the same as the webpage data length to be detected or not;
and if the identification is the same as the original sampling data, acquiring the original sampling data corresponding to the identification from the prestored original sampling data.
As an embodiment, the obtaining module 402 may be specifically configured to:
searching a detection table item containing the identifier in a pre-stored detection table item;
if the data is found, reading original sampling data contained in the found detection table item;
and if the identification is not found, acquiring the original webpage corresponding to the identification from the backup server, and sampling the original webpage to obtain original sampling data.
As an embodiment, the first determining module 401 may specifically be configured to: reading a URL (uniform resource locator) carried in an access request sent by a user terminal; if the read URL points to the dynamic webpage, adjusting the dynamic sequence number in the read URL to a preset sequence number, and determining the adjusted URL as the URL to be detected;
the obtaining module 402 may be specifically configured to: acquiring original sampling data corresponding to the URL to be detected from prestored original sampling data;
the first sampling module 403 may specifically be configured to: and sampling the webpage to be detected corresponding to the URL to be detected to obtain current sampling data.
As an embodiment, the obtaining module 402 may be specifically configured to:
acquiring a detection mark corresponding to the identification of the webpage to be detected from the pre-stored identification of the webpage and the detection mark corresponding to the identification; judging whether the obtained detection mark is an untampered mark or not; if the webpage is not marked with tampering, acquiring original sampling data corresponding to the identification of the webpage to be detected from prestored original sampling data;
the apparatus may further include:
and an adjusting module (not shown in the figure) configured to adjust the detection mark corresponding to the identifier of the web page to be detected to be a tampering mark when it is determined that the obtained original sample data is different from the current sample data.
As an embodiment, the apparatus may further include:
a feedback module (not shown in the figure) for acquiring an original webpage corresponding to the identifier from the backup server under the condition that the acquired original sampling data is judged to be different from the current sampling data; and sending the original webpage to a user terminal.
By applying the embodiment shown in fig. 4 of the present invention, on the first hand, in the present scheme, the original sampling data is compared with the current sampling data, and compared with the existing scheme, the present scheme compares all contents of the original webpage with all contents of the webpage to be detected, which reduces the time consumption for comparison and improves the detection efficiency; in the second aspect, the sampling data of the normal webpage is pre-stored in the scheme, but not the whole content of the abnormal webpage, so that the occupation of storage resources is reduced.
An embodiment of the present invention further provides an electronic device, as shown in fig. 5, which includes a processor 501, a communication interface 502, a memory 503 and a communication bus 504, where the processor 501, the communication interface 502 and the memory 503 complete mutual communication through the communication bus 504,
a memory 503 for storing a computer program;
the processor 501 is configured to implement any of the above-described web page detection methods when executing the program stored in the memory 503.
The communication bus mentioned in the electronic device may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the electronic equipment and other equipment.
The Memory may include a Random Access Memory (RAM) or a Non-Volatile Memory (NVM), such as at least one disk Memory. Optionally, the memory may also be at least one memory device located remotely from the processor.
The Processor may be a general-purpose Processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; the Integrated Circuit may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA), or other Programmable logic devices, discrete Gate or transistor logic devices, or discrete hardware components.
The embodiment of the invention also provides a computer-readable storage medium, wherein a computer program is stored in the computer-readable storage medium, and when being executed by a processor, the computer program realizes any one of the above webpage detection methods.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, as for the embodiment of the web page detection apparatus shown in fig. 4, the embodiment of the electronic device shown in fig. 5, and the embodiment of the computer-readable storage medium, since they are substantially similar to the embodiments of the web page detection method shown in fig. 1-3, the description is relatively simple, and relevant points can be found by referring to the partial description of the embodiment of the web page detection method shown in fig. 1-3.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (12)

1. A method for detecting web pages, the method comprising:
determining the identification of a webpage to be detected;
acquiring original sampling data corresponding to the identifier from prestored original sampling data;
sampling the webpage to be detected to obtain current sampling data;
judging whether the obtained original sampling data is the same as the current sampling data;
if the original sampling data is the same as the current sampling data, determining that the webpage to be detected is not tampered;
the determining the identification of the webpage to be detected includes:
reading a URL (uniform resource locator) carried in an access request sent by a user terminal;
if the read URL points to the dynamic webpage, the dynamic sequence number in the read URL is adjusted to be a preset sequence number, and the adjusted URL is determined to be the URL to be detected.
2. The method according to claim 1, wherein the obtaining of the original sample data corresponding to the identifier from the prestored original sample data comprises:
acquiring the original webpage data length corresponding to the identifier from the pre-stored original webpage data length;
acquiring the data length of the web page to be detected corresponding to the identifier;
judging whether the obtained original webpage data length is the same as the webpage data length to be detected or not;
and if the identification is the same as the original sampling data, acquiring the original sampling data corresponding to the identification from the prestored original sampling data.
3. The method according to claim 1, wherein the obtaining of the original sample data corresponding to the identifier from the prestored original sample data comprises:
searching a detection table item containing the identifier in a pre-stored detection table item;
if the data is found, reading original sampling data contained in the found detection table item;
and if the identification is not found, acquiring the original webpage corresponding to the identification from the backup server, and sampling the original webpage to obtain original sampling data.
4. The method according to claim 1, wherein the obtaining of the original sample data corresponding to the identifier from the prestored original sample data comprises:
acquiring original sampling data corresponding to the URL to be detected from prestored original sampling data;
sampling the webpage to be detected to obtain current sampling data, wherein the sampling comprises the following steps:
and sampling the webpage to be detected corresponding to the URL to be detected to obtain current sampling data.
5. The method according to claim 1 or 2, wherein the obtaining of the original sample data corresponding to the identifier from the prestored original sample data comprises:
acquiring a detection mark corresponding to the identification of the webpage to be detected from the pre-stored identification of the webpage and the detection mark corresponding to the identification;
judging whether the obtained detection mark is an untampered mark or not;
if the webpage is not marked with tampering, acquiring original sampling data corresponding to the identification of the webpage to be detected from prestored original sampling data;
the method further comprises the following steps:
and under the condition that the obtained original sampling data is different from the current sampling data, adjusting the detection mark corresponding to the identification of the webpage to be detected into a tampering mark.
6. The method according to claim 1 or 3, characterized in that the method further comprises:
if the original sampling data is different from the current sampling data, acquiring an original webpage corresponding to the identifier from a backup server;
and sending the original webpage to a user terminal.
7. A web page detection apparatus, comprising:
the first determining module is used for determining the identification of the webpage to be detected;
the acquisition module is used for acquiring original sampling data corresponding to the identifier from prestored original sampling data;
the first sampling module is used for sampling the webpage to be detected to obtain current sampling data;
the judging module is used for judging whether the acquired original sampling data is the same as the current sampling data; if the two are the same, a second determination module is triggered,
the second determining module is used for determining that the webpage to be detected is not tampered;
the first determining module is specifically configured to: reading a URL (uniform resource locator) carried in an access request sent by a user terminal; if the read URL points to the dynamic webpage, the dynamic sequence number in the read URL is adjusted to be a preset sequence number, and the adjusted URL is determined to be the URL to be detected.
8. The apparatus of claim 7, wherein the obtaining module is specifically configured to:
acquiring the original webpage data length corresponding to the identifier from the pre-stored original webpage data length;
acquiring the data length of the web page to be detected corresponding to the identifier;
judging whether the obtained original webpage data length is the same as the webpage data length to be detected or not;
and if the identification is the same as the original sampling data, acquiring the original sampling data corresponding to the identification from the prestored original sampling data.
9. The apparatus of claim 7, wherein the obtaining module is specifically configured to:
searching a detection table item containing the identifier in a pre-stored detection table item;
if the data is found, reading original sampling data contained in the found detection table item;
and if the identification is not found, acquiring the original webpage corresponding to the identification from the backup server, and sampling the original webpage to obtain original sampling data.
10. The apparatus of claim 7, wherein the obtaining module is specifically configured to: acquiring original sampling data corresponding to the URL to be detected from prestored original sampling data;
the first sampling module is specifically configured to: and sampling the webpage to be detected corresponding to the URL to be detected to obtain current sampling data.
11. The apparatus of claim 7, wherein the obtaining module is specifically configured to:
acquiring a detection mark corresponding to the identification of the webpage to be detected from the pre-stored identification of the webpage and the detection mark corresponding to the identification; judging whether the obtained detection mark is an untampered mark or not; if the webpage is not marked with tampering, acquiring original sampling data corresponding to the identification of the webpage to be detected from prestored original sampling data;
the device further comprises:
and the adjusting module is used for adjusting the detection mark corresponding to the identifier of the webpage to be detected into a tampering mark under the condition that the obtained original sampling data is different from the current sampling data.
12. The apparatus of claim 7 or 9, further comprising:
the feedback module is used for acquiring an original webpage corresponding to the identifier from a backup server under the condition that the acquired original sampling data is different from the current sampling data; and sending the original webpage to a user terminal.
CN201711278421.0A 2017-12-06 2017-12-06 Webpage detection method and device Active CN108171082B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711278421.0A CN108171082B (en) 2017-12-06 2017-12-06 Webpage detection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711278421.0A CN108171082B (en) 2017-12-06 2017-12-06 Webpage detection method and device

Publications (2)

Publication Number Publication Date
CN108171082A CN108171082A (en) 2018-06-15
CN108171082B true CN108171082B (en) 2021-04-30

Family

ID=62525426

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711278421.0A Active CN108171082B (en) 2017-12-06 2017-12-06 Webpage detection method and device

Country Status (1)

Country Link
CN (1) CN108171082B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020206662A1 (en) * 2019-04-11 2020-10-15 深圳市欢太科技有限公司 Browser anti-hijacking method and device, electronic equipment and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102111267A (en) * 2009-12-28 2011-06-29 北京安码科技有限公司 Website safety protection method based on digital signature and system adopting same
CN102624713A (en) * 2012-02-29 2012-08-01 深信服网络科技(深圳)有限公司 Website tampering identification method and website tampering identification device
CN103685307A (en) * 2013-12-25 2014-03-26 北京奇虎科技有限公司 Method, system, client and server for detecting phishing fraud webpage based on feature library
CN103716315A (en) * 2013-12-24 2014-04-09 上海天存信息技术有限公司 Method and device for detecting web page tampering
CN103902889A (en) * 2012-12-26 2014-07-02 腾讯科技(深圳)有限公司 Malicious message cloud detection method and server
CN106953874A (en) * 2017-04-21 2017-07-14 深圳市科力锐科技有限公司 Website falsification-proof method and device

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6029245A (en) * 1997-03-25 2000-02-22 International Business Machines Corporation Dynamic assignment of security parameters to web pages
CN101350043B (en) * 2007-07-17 2011-05-11 华为技术有限公司 Method and apparatus for detecting consistency of digital content
CN102710652A (en) * 2012-06-12 2012-10-03 北京星网锐捷网络技术有限公司 Web application intrusion prevention method and device as well as network equipment and network system
CN104766014B (en) * 2015-04-30 2017-12-01 安一恒通(北京)科技有限公司 For detecting the method and system of malice network address

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102111267A (en) * 2009-12-28 2011-06-29 北京安码科技有限公司 Website safety protection method based on digital signature and system adopting same
CN102624713A (en) * 2012-02-29 2012-08-01 深信服网络科技(深圳)有限公司 Website tampering identification method and website tampering identification device
CN103902889A (en) * 2012-12-26 2014-07-02 腾讯科技(深圳)有限公司 Malicious message cloud detection method and server
CN103716315A (en) * 2013-12-24 2014-04-09 上海天存信息技术有限公司 Method and device for detecting web page tampering
CN103685307A (en) * 2013-12-25 2014-03-26 北京奇虎科技有限公司 Method, system, client and server for detecting phishing fraud webpage based on feature library
CN106953874A (en) * 2017-04-21 2017-07-14 深圳市科力锐科技有限公司 Website falsification-proof method and device

Also Published As

Publication number Publication date
CN108171082A (en) 2018-06-15

Similar Documents

Publication Publication Date Title
US10250526B2 (en) Method and apparatus for increasing subresource loading speed
US20180219907A1 (en) Method and apparatus for detecting website security
CN107204960B (en) Webpage identification method and device and server
CN109741060B (en) Information inquiry system, method, device, electronic equipment and storage medium
CN108388604B (en) User authority data management apparatus, method and computer readable storage medium
CN102957664B (en) A kind of method and device identifying fishing website
CN109768992B (en) Webpage malicious scanning processing method and device, terminal device and readable storage medium
KR102090982B1 (en) How to identify malicious websites, devices and computer storage media
CN109902073B (en) Log processing method and device, computer equipment and computer readable storage medium
WO2012089005A1 (en) Method and apparatus for phishing web page detection
WO2019109529A1 (en) Webpage identification method, device, computer apparatus, and computer storage medium
CN111756724A (en) Detection method, device and equipment for phishing website and computer readable storage medium
CN103220352A (en) Terminal, server, file storage system and file storage method
CN107070873B (en) Webpage illegal data screening method and system, data screening server and browser
CN108171082B (en) Webpage detection method and device
CN109656592B (en) Card management method, device, terminal and computer readable storage medium
CN114880641A (en) API asset detection method, device, equipment and medium
CN112765502B (en) Malicious access detection method, device, electronic equipment and storage medium
CN111885212B (en) Domain name storage method and device
CN110457900B (en) Website monitoring method, device and equipment and readable storage medium
CN117113430A (en) Webpage violation picture detection method and device, electronic equipment and storage medium
CN110727895A (en) Sensitive word sending method and device, electronic equipment and storage medium
CN105956182A (en) Resource loading method, apparatus and system
WO2020006909A1 (en) Method and device for deduplicating urls
CN115794780A (en) Method and device for collecting network space assets, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant