CN109145536B - Webpage tamper-proofing method and device - Google Patents
Webpage tamper-proofing method and device Download PDFInfo
- Publication number
- CN109145536B CN109145536B CN201710465752.9A CN201710465752A CN109145536B CN 109145536 B CN109145536 B CN 109145536B CN 201710465752 A CN201710465752 A CN 201710465752A CN 109145536 B CN109145536 B CN 109145536B
- Authority
- CN
- China
- Prior art keywords
- file
- operation request
- tampering
- webpage
- request
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 59
- 238000012544 monitoring process Methods 0.000 claims abstract description 17
- 230000004044 response Effects 0.000 claims description 10
- 230000006870 function Effects 0.000 description 35
- 230000008569 process Effects 0.000 description 17
- 238000005516 engineering process Methods 0.000 description 14
- 230000006399 behavior Effects 0.000 description 8
- 230000009471 action Effects 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 230000003068 static effect Effects 0.000 description 3
- 230000000903 blocking effect Effects 0.000 description 2
- 238000004422 calculation algorithm Methods 0.000 description 2
- 238000001514 detection method Methods 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 238000013515 script Methods 0.000 description 2
- 238000004364 calculation method Methods 0.000 description 1
- 230000007123 defense Effects 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 238000005192 partition Methods 0.000 description 1
- 230000001960 triggered effect Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/16—Program or content traceability, e.g. by watermarking
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Computer Security & Cryptography (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Health & Medical Sciences (AREA)
- Multimedia (AREA)
- Technology Law (AREA)
- Storage Device Security (AREA)
Abstract
The embodiment of the invention discloses a webpage tamper-proofing method and a device, wherein the method comprises the following steps: receiving a file operation request aiming at a target webpage file; monitoring whether an operation table corresponding to the target webpage file is accessed or not; if so, judging whether the file operation request is a webpage tampering operation request; and if so, refusing to respond to the file operation request. By applying the embodiment of the invention, the risk that the webpage file cannot be recovered after being tampered can be avoided.
Description
Technical Field
The invention relates to the field of network information security, in particular to a webpage tamper-proofing method and device.
Background
At present, three common application layer webpage tamper-proofing technologies exist: a timing cycle scanning technology, a digital watermarking technology and an event triggering technology.
The timing cycle scanning technology is to perform polling access on a target website through an external machine according to a time threshold set by a user, detect whether a webpage file is consistent with a backed-up webpage file, if not, indicate that the webpage file is tampered, and recover the tampered webpage file by using the backed-up webpage file.
The digital watermarking technology is to check the integrity of a webpage when the webpage is browsed, judge whether an accessed file is falsified or not by comparing watermarks of the accessed webpage file and a webpage file backed up before, prevent the falsified webpage file from being displayed to a user, and recover the falsified webpage file by using the backed-up webpage file.
And the event triggering technology is used for monitoring the protected directory through a user mode program, if the directory is modified, the monitoring program obtains a system notification event, then whether the directory is a tampering behavior is judged according to a related configuration strategy, and if the directory is the tampering behavior, the directory is recovered.
The three tamper-resistant methods are all to recover the web page file after the web page file is tampered, but if the tampered web page file is hijacked maliciously, the risk of being unable to recover is generated.
Disclosure of Invention
The embodiment of the invention aims to provide a webpage tamper-proofing method and a webpage tamper-proofing device so as to avoid the risk that a webpage file cannot be recovered after being tampered.
In order to achieve the above object, the embodiment of the present invention discloses a method for preventing web page from being tampered, which comprises the following steps:
receiving a file operation request aiming at a target webpage file;
monitoring whether an operation table corresponding to the target webpage file is accessed or not;
if so, judging whether the file operation request is a webpage tampering operation request;
and if so, refusing to respond to the file operation request.
Optionally, the operation table is an index node operation table and/or a file operation table.
Optionally, the determining whether the file operation request is a webpage tampering operation request includes:
and detecting whether the file operation request is a webpage tampering operation request or not by setting a hook function for a kernel file operation function corresponding to the index node operation table and/or the file operation table.
Optionally, the method further includes:
and responding to the file operation request when the file operation request is judged not to be the webpage tampering operation request.
Optionally, before the determining whether the file operation request is a webpage tampering operation request, the method further includes:
and generating a configuration file corresponding to the target webpage file according to the configuration strategy corresponding to the target webpage file.
Optionally, the determining whether the file operation request is a webpage tampering operation request includes:
acquiring a configuration file corresponding to the target webpage file;
and judging whether the file operation request is a webpage tampering operation request or not according to the configuration strategy in the configuration file.
Optionally, after the refusing to respond to the file operation request, the method further includes:
and generating a tampering operation log according to the file operation request.
In order to achieve the above object, an embodiment of the present invention further discloses a device for preventing web page tampering, where the device includes:
the receiving module is used for receiving a file operation request aiming at a target webpage file;
the monitoring module is used for monitoring whether the operation table corresponding to the target webpage file is accessed or not;
the judging module is used for judging whether the file operation request is a webpage tampering operation request or not when the monitoring module monitors that the operation table corresponding to the target webpage file is accessed;
and the rejecting module is used for rejecting to respond to the file operation request when the judging module judges that the file operation request is the webpage tampering operation request.
Optionally, the operation table is an index node operation table and/or a file operation table.
Optionally, the determining module is specifically configured to:
and detecting whether the file operation request is a webpage tampering operation request or not by setting a hook function for a kernel file operation function corresponding to the index node operation table and/or the file operation table.
Optionally, the apparatus further comprises:
and the response module is used for responding to the file operation request when the judging module judges that the file operation request is not the webpage tampering operation request.
Optionally, the apparatus further comprises:
and the first generating module is used for generating a configuration file corresponding to the target webpage file according to the configuration policy corresponding to the target webpage file before the judging module judges whether the file operation request is a webpage tampering operation request.
Optionally, the determining module includes:
the obtaining submodule is used for obtaining a configuration file corresponding to the target webpage file;
and the judging submodule is used for judging whether the file operation request is a webpage tampering operation request according to the configuration strategy in the configuration file.
Optionally, the apparatus further comprises:
and the second generation module is used for generating a tampering operation log according to the file operation request after the refusing module refuses to respond to the file operation request.
As can be seen from the above, in the scheme provided in the embodiment of the present invention, after receiving a file operation request for a target webpage file, if it is monitored that an operation table corresponding to the target webpage file is accessed, it is determined whether the file operation request is a webpage tampering operation request, and if so, response to the file operation request is denied. Compared with the prior art, in the scheme provided by the embodiment of the invention, before responding the file operation aiming at the target webpage file, when the operation table corresponding to the target webpage file is monitored to be accessed, whether the file operation request is a malicious tampering request needs to be judged, and when the file operation request is judged to be the malicious tampering request, the file operation request is refused to be responded, namely the target webpage file cannot be maliciously tampered, so that the risk that the webpage file cannot be recovered after being tampered is avoided.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a first flowchart illustrating a method for preventing a webpage from being tampered according to an embodiment of the present invention;
fig. 2 is a schematic flowchart of a second method for preventing webpage tampering according to an embodiment of the present invention;
fig. 3 is a schematic flowchart of a first process of the apparatus for preventing webpage tampering according to the embodiment of the present invention;
fig. 4 is a schematic flowchart of a second process of the webpage tamper-proofing device according to the embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the method for preventing webpage tampering provided by the embodiment of the present invention may be applied to a Linux System, and relates to a Virtual File System (VFS) of the Linux System, and a significant feature of the Virtual File System is that the method supports access of multiple File systems, such as ext3, nfs, and the like. The data structure in the VFS includes an inode object and a file object, where one file corresponds to one inode object, and since there may be a case where a plurality of processes open and operate one file at the same time, one file may correspond to a plurality of file objects. Each index node object corresponds to one index node operation table, and each file object corresponds to one file operation table, so that one file corresponds to one index node operation table, and may correspond to a plurality of file operation tables.
Of course, the webpage tamper-proofing method provided in the embodiment of the present invention may also be applied to other systems similar to the above systems, and the application does not limit the specific application environment of the webpage tamper-proofing method provided in the embodiment of the present invention. The present application takes a Linux operating system as an example for explanation.
The index node object of a file can be understood as a pointer pointing to a specific storage location of the file in a disk partition, and when a system call is performed, information stored by the index node object is called into a memory and is filled into an index node operation table, wherein each member in the operation table is a function pointer pointing to an implementation function for modifying an attribute. The implementation function is also referred to herein as a kernel file operation function.
The file object is a representation of an opened file in a memory, and is mainly used for establishing a corresponding relation between a process and a file on a disk. The operation set related to the file object constitutes a file operation table, and each member in the operation table is a function pointer and points to a specific operation implementation function, for example, a write member points to an implementation function of a file write operation. The implementation function herein is also referred to as a kernel file operation function.
The program in the Linux operating system has two running levels, namely a kernel mode program and a user mode program, wherein the kernel mode program is a program running in a kernel space, and the user mode program is a program running in a user space.
When a task or process is executing its own code, it is said to be in a user running state (user state), and at this time, the processor runs in the user code with the lowest privilege level, i.e. the task or process runs in the user space. When a task or a process executes a system call and enters kernel code to execute, the task or the process is called to be in a kernel running state (or simply referred to as a kernel state), and at this time, the processor is in the kernel code with the highest privilege level to execute, that is, the task or the process runs in a kernel space.
In the prior art, web page tamper-proofing methods are implemented by programs running in a user mode, such as a timing cycle scanning technology, a digital watermarking technology and an event triggering technology, which are all restored after detecting that a web page file is modified, and the risk that the web page file is maliciously hijacked and cannot be restored is possibly caused. The webpage tamper-proofing method provided by the embodiment of the invention has the advantages that the webpage file is subjected to safety protection in the kernel mode, the risk that a user mode program is easily maliciously suspended is avoided, the webpage file tamper operation is prevented, the performance influence of a watermark algorithm on a server is avoided, the real-time blocking type defense is realized, the malicious operation request is not responded, and the risk that the webpage file cannot be recovered after being tampered is avoided.
Specifically, the timing cycle scanning technology performs polling access on a target website through an external machine according to a time threshold set by a user, and has the advantages of large influence on the target website, low efficiency and small coverage, wherein a main coverage object is a pure static website. The scheme provided by the embodiment of the invention blocks the operation request before responding to the tampering operation request, has high efficiency and small influence on the website, and has more coverage objects because the characteristic that the virtual file system in the Linux system supports the access of various file systems is utilized.
The digital watermarking technology uses a Web server core embedded technology as a core embedded module of a Web server, and integrity check is carried out when a webpage is browsed in a Web server access triggering mode. The watermark comparison module is used as a plug-in to be inserted into different web servers, the protection of the web page is realized through comparing the watermarks of the accessed files, and the main protection objects are static files and scripts. The main drawbacks of this technique are: (1) the digital watermark calculation has certain influence on the access performance and the resource occupation of the server; (2) the real-time response is not carried out when the file is tampered; (3) an independent publishing server is required to be added during deployment; (4) the software module depends on the web container, and different modules need to be developed aiming at different web containers; (5) the watermark algorithm has insecurity; (6) when continuous modification is faced, the webpage cannot be guaranteed not to be tampered. The scheme provided by the embodiment of the invention detects whether the operation request is a tampering request before the operation request is responded, does not need to additionally deploy the website, refuses to respond to the tampering operation before the file is tampered, can ensure that the file is not tampered, has higher safety and has less influence on the performance of the server.
And the event triggering technology is used for monitoring the protected directory through a user mode program, if the directory is modified, the monitoring program obtains a system notification event, then whether the behavior is a malicious tampering behavior is judged according to a configuration strategy, if the behavior is the malicious modification behavior, the behavior is recovered, and main protected objects are static files and scripts. The main disadvantages of this technique are: (1) the user mode program has the risk of being maliciously ended and is difficult to avoid; (2) the user continuously modifies the webpage file at a high speed, which may cause the situation that the file cannot be recovered; (3) after a user modifies a webpage file, the user immediately hijacks a file handle, which causes the situation that the file cannot be recovered. According to the scheme provided by the embodiment of the invention, the file is protected in the kernel mode, the risk that the user mode program is maliciously ended is avoided, the blocking is carried out before the tampering operation is executed, and the risk that the file cannot be recovered after being tampered is avoided.
In order to solve the problems in the prior art, embodiments of the present invention provide a method and an apparatus for preventing webpage tampering. First, a detailed description is given to a method for preventing web page tampering according to an embodiment of the present invention.
Fig. 1 is a first flowchart of a method for preventing a webpage from being tampered according to an embodiment of the present invention, where the method includes:
s101, receiving a file operation request aiming at a target webpage file.
The file operation of the target webpage file by the user may be a file reading operation, a file writing operation, a file deleting operation, or other operations for the webpage file, and the file operation request may include: the identifier of the target web page file, the identifier of the file operation, the user performing the file operation, and the like, but the present application is not limited to the information included in the file operation request, and the identifier of the file operation is used to indicate that the file operation is a file reading operation, a file writing operation, a file deleting operation, or other operations on the web page file.
It can be understood that, for the Linux system, when a user performs a file operation on a target web page file, a file notification event of the Linux kernel is triggered, that is, the Linux kernel receives a file operation request for the web page file, that is, the file operation enters a kernel state from a user state.
S102, monitoring whether an operation table corresponding to the target webpage file is accessed or not; if so, S103 is executed.
Specifically, the operation table may be an index node operation table and/or a file operation table. As can be seen from the above description, in the Linux kernel mode, each target web page file corresponds to an index node operation table and a file operation table. When the kernel performs a file operation on the target web page file, it is necessary to first access the index node operation table and the file operation table corresponding to the target web page file, obtain an implementation function corresponding to the file operation according to the function pointer in the table, perform a system call corresponding to the implementation function, and complete the file operation on the target web page file.
S103, judging whether the file operation request is a webpage tampering operation request or not; if so, S104 is performed.
In practical applications, when it is monitored that the index node operation table and/or the file operation table corresponding to the target webpage file is accessed, it is required to determine whether the file operation request is a webpage tampering operation request.
In an implementation manner, whether the file operation request is a webpage tampering operation request or not may be detected by setting a hook function for a kernel file operation function corresponding to the index node operation table and/or the file operation table. Specifically, a hook function is set in a kernel file operation function corresponding to the index node operation table and/or the file operation table by modifying parameters in the index node operation table and/or the file operation table.
The hook function is a detection function preset according to a configuration policy corresponding to the target webpage file, and is used for judging whether the file operation request is a webpage tampering operation request or not according to the configuration policy corresponding to the target webpage file. Specifically, the configuration policy may be an access right of the target web page file, which indicates that a specific right is allowed or prohibited to access the file. If the file operation request is consistent with the access authority in the configuration policy, the file operation request is not a webpage tampering operation request; and if the file operation request is not consistent with the access authority in the configuration policy, indicating that the file operation request is a webpage tampering operation request.
For example, the configuration policy of the web page file a is to prohibit the user a from performing write operation, that is, the user a has no permission of write operation on the file a, and other users have permission of write operation on the file a; then, after receiving a write operation request of a user A to a webpage file A, the hook function judges that the file operation request is a webpage tampering operation request according to a configuration strategy of the webpage file A; after receiving a write operation request of a user B to a webpage file A, judging that the file operation request is not a webpage tampering operation request by the hook function according to a configuration strategy of the webpage file A.
It should be noted that, in the present application, a hook function may be separately set in a kernel file operation function corresponding to an index node operation table corresponding to a target web page file, or a hook function may be separately set in a kernel file operation function corresponding to a file operation table. In a preferred embodiment, a hook function can be set for the index node operation table and the kernel file operation function corresponding to the index node operation table at the same time, so as to achieve a better protection effect.
S104, refusing to respond to the file operation request.
When the file operation request is judged to be a webpage tampering operation request, in order to ensure the security of the target webpage file, the file operation request needs to be refused to be responded.
When the file operation request is judged not to be a webpage tampering operation request, the file operation request is responded to ensure that the file operation aiming at the target webpage file is normally carried out.
Furthermore, since the file operation request is judged to be a webpage tampering operation request, in order to track webpage tampering operation, it is convenient to analyze tampering operation behavior, and after the file operation request is refused to be responded, a tampering operation log can be generated according to the file operation request.
Specifically, the information included in the tampering operation log may be: the method includes the steps of tampering operation identification, tampered files, tampered user IP addresses, tampering time and the like, and information contained in a tampering operation log is not limited in the application.
As can be seen from the above, in the scheme provided in the embodiment of the present invention, after receiving a file operation request for a target webpage file, if it is monitored that an operation table corresponding to the target webpage file is accessed, it is determined whether the file operation request is a webpage tampering operation request, and if so, response to the file operation request is denied. Compared with the prior art, in the scheme provided by the embodiment of the invention, before responding the file operation aiming at the target webpage file, when the operation table corresponding to the target webpage file is monitored to be accessed, whether the file operation request is a malicious tampering request needs to be judged, and when the file operation request is judged to be the malicious tampering request, the file operation request is refused to be responded, namely the target webpage file cannot be maliciously tampered, so that the risk that the webpage file cannot be recovered after being tampered is avoided.
It should be noted that the access right in the configuration policy corresponding to the target web page file may be set from various aspects such as file operation type, user, process, and the like. In a specific embodiment of the present invention, a corresponding configuration file may be generated according to the configuration policy of the web page file, so that the system can flexibly set or modify the configuration policy, and when determining whether the file operation request is a web page tampering operation request, the configuration policy in the configuration file is read by the hook function, and then determined according to the configuration policy.
In a specific implementation manner of the present application, before receiving a file operation request for a target web page file, a configuration file corresponding to the target web page file may be generated according to a configuration policy corresponding to the target web page file. In practical application, it is reasonable to generate the configuration file corresponding to the target webpage file only before judging whether the file operation request is the webpage tampering operation request, and the application does not limit the configuration file.
Based on the foregoing specific implementation manner, referring to fig. 2, a second flowchart of the method for preventing a webpage from being tampered is provided, and compared with the embodiment shown in fig. 1, in this embodiment, before determining whether the file operation request is a webpage tampering operation request in step S103, the method may further include:
and S105, generating a configuration file corresponding to the target webpage file according to the configuration strategy corresponding to the target webpage file.
In practical application, the configuration policy for the target webpage file can be set from multiple access rights such as file operation type, user, process and the like. For example, the user a prohibits the file operation of the file operation type a on the target web page file in the process a, the user B permits the file operation of the file operation type a on the target web page file in the process a, and so on.
Correspondingly, the step S103 of determining whether the file operation request is a web page tampering operation request may include:
and S1031, obtaining a configuration file corresponding to the target webpage file.
S1032, judging whether the file operation request is a webpage tampering operation request according to the configuration policy in the configuration file.
Specifically, when determining whether the file operation request is a webpage tampering operation request according to the configuration policy in the configuration file, it is determined whether the file operation request matches the configuration policy, and if so, it may be determined that the file operation request is the webpage tampering operation request, and if not, it may be determined that the file operation request is not the webpage tampering operation request.
For example, the configuration policy may be an access right of the target web page file, indicating that a particular right is allowed or prohibited to access the file. If the file operation request is consistent with the access authority in the configuration policy, the file operation request is not a webpage tampering operation request; and if the file operation request is not consistent with the access authority in the configuration policy, indicating that the file operation request is a webpage tampering operation request.
The above configuration policy may also be other contents, but the determination process is similar to the above case, and is not listed here.
It can be known from the foregoing description that the hook function detects whether the file operation request is a web page tampering operation request according to the configuration policy corresponding to the target web page file. In this embodiment, the hook function first obtains a configuration file corresponding to a target web page file, reads a configuration policy in the configuration file, performs protection detection according to the configuration policy, and determines whether the file request is a web page tampering operation request.
As can be seen from the above, in the scheme provided in the embodiment of the present invention, after receiving a file operation request for a target webpage file, if it is monitored that an operation table corresponding to the target webpage file is accessed, it is determined whether the file operation request is a webpage tampering operation request, and if so, response to the file operation request is denied. Compared with the prior art, in the scheme provided by the embodiment of the invention, before responding the file operation aiming at the target webpage file, when monitoring that the operation table corresponding to the target webpage file is accessed, whether the file operation request is a malicious tampering request needs to be judged, and when the file operation request is judged to be the malicious tampering request, the file operation request is refused to be responded, namely the target webpage file cannot be maliciously tampered, so that the risk that the webpage file cannot be recovered after being tampered is avoided; furthermore, a corresponding configuration file is generated according to the configuration strategy of the target webpage file, so that the system can flexibly set or modify the configuration strategy.
Corresponding to the method embodiment, the embodiment of the invention also provides a webpage tamper-proofing device.
Corresponding to the method embodiment shown in fig. 1, fig. 3 is a first schematic structural diagram of a webpage tamper-proofing device according to an embodiment of the present invention, where the device may include: a receiving module 301, a monitoring module 302, a judging module 303, and a rejecting module 304, wherein:
a receiving module 301, configured to receive a file operation request for a target web page file;
a monitoring module 302, configured to monitor whether to access an operation table corresponding to the target web page file;
a determining module 303, configured to determine whether the file operation request is a webpage tampering operation request when the monitoring module 302 monitors that the operation table corresponding to the target webpage file is accessed;
a rejecting module 304, configured to reject to respond to the file operation request when the determining module 303 determines that the file operation request is a webpage tampering operation request.
In practical applications, the operation table may be an inode operation table and/or a file operation table.
In practical applications, the determining module 303 may be specifically configured to:
and detecting whether the file operation request is a webpage tampering operation request or not by setting a hook function for a kernel file operation function corresponding to the index node operation table and/or the file operation table.
In practical applications, the apparatus may further include:
a responding module (not shown in the figure), configured to respond to the file operation request when the determining module 303 determines that the file operation request is not a web page tampering operation request.
In practical applications, the apparatus may further include:
a second generating module (not shown in the figure), configured to generate a tampering operation log according to the file operation request after the rejecting module 304 rejects the response to the file operation request.
As can be seen from the above, in the scheme provided in the embodiment of the present invention, after receiving a file operation request for a target webpage file, if it is monitored that an operation table corresponding to the target webpage file is accessed, it is determined whether the file operation request is a webpage tampering operation request, and if so, response to the file operation request is denied. Compared with the prior art, in the scheme provided by the embodiment of the invention, before responding the file operation aiming at the target webpage file, when the operation table corresponding to the target webpage file is monitored to be accessed, whether the file operation request is a malicious tampering request needs to be judged, and when the file operation request is judged to be the malicious tampering request, the file operation request is refused to be responded, namely the target webpage file cannot be maliciously tampered, so that the risk that the webpage file cannot be recovered after being tampered is avoided.
Corresponding to the embodiment of the method shown in fig. 2, fig. 4 is a schematic diagram of a second structure of the webpage tamper-proofing device provided in the embodiment of the present invention, and compared with the embodiment shown in fig. 3, in this embodiment, the webpage tamper-proofing device may further include: a first generation module 305, wherein:
a first generating module 305, configured to generate a configuration file corresponding to the target web page file according to a configuration policy corresponding to the target web page file before the determining module 303 determines whether the file operation request is a web page tampering operation request.
Accordingly, the determining module 303 may include: obtaining a sub-module 3031, and judging the sub-module 3032, wherein:
an obtaining submodule 3031, configured to obtain a configuration file corresponding to the target web page file;
and the determining submodule 3032 is configured to determine whether the file operation request is a webpage tampering operation request according to the configuration policy in the configuration file.
As can be seen from the above, in the scheme provided in the embodiment of the present invention, after receiving a file operation request for a target webpage file, if it is monitored that an operation table corresponding to the target webpage file is accessed, it is determined whether the file operation request is a webpage tampering operation request, and if so, response to the file operation request is denied. Compared with the prior art, in the scheme provided by the embodiment of the invention, before responding the file operation aiming at the target webpage file, when monitoring that the operation table corresponding to the target webpage file is accessed, whether the file operation request is a malicious tampering request needs to be judged, and when the file operation request is judged to be the malicious tampering request, the file operation request is refused to be responded, namely the target webpage file cannot be maliciously tampered, so that the risk that the webpage file cannot be recovered after being tampered is avoided; furthermore, a corresponding configuration file is generated according to the configuration strategy of the target webpage file, so that the system can flexibly set or modify the configuration strategy.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, as for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.
Claims (8)
1. A method for preventing tampering with a web page, the method comprising the steps of:
receiving a file operation request aiming at a target webpage file;
monitoring whether an operation table corresponding to the target webpage file is accessed or not;
if so, judging whether the file operation request is a webpage tampering operation request;
if yes, refusing to respond to the file operation request;
the operation table is an index node operation table and/or a file operation table, each member in the index node operation table and/or the file operation table is a function pointer, and the function pointer points to a kernel file operation function;
the judging whether the file operation request is a webpage tampering operation request comprises:
detecting whether the file operation request is a webpage tampering operation request or not by setting a hook function for a kernel file operation function corresponding to the index node operation table and/or the file operation table;
after the refusing to respond to the file operation request, the method further comprises: generating a tampering operation log according to the file operation request, wherein the information contained in the tampering operation log comprises: the operation identification of tampering, the tampered file, the IP address of the user performing tampering and the tampering time.
2. The method of claim 1, further comprising:
and responding to the file operation request when the file operation request is judged not to be the webpage tampering operation request.
3. The method according to claim 1, before said determining whether the file operation request is a web page tampering operation request, further comprising:
and generating a configuration file corresponding to the target webpage file according to the configuration strategy corresponding to the target webpage file.
4. The method according to claim 3, wherein the determining whether the file operation request is a web page tampering operation request comprises:
acquiring a configuration file corresponding to the target webpage file;
and judging whether the file operation request is a webpage tampering operation request or not according to the configuration strategy in the configuration file.
5. A web page tamper-resistant apparatus, the apparatus comprising:
the receiving module is used for receiving a file operation request aiming at a target webpage file;
the monitoring module is used for monitoring whether the operation table corresponding to the target webpage file is accessed or not;
the judging module is used for judging whether the file operation request is a webpage tampering operation request or not when the monitoring module monitors that the operation table corresponding to the target webpage file is accessed;
the rejecting module is used for rejecting to respond to the file operation request when the judging module judges that the file operation request is a webpage tampering operation request;
the operation table is an index node operation table and/or a file operation table, each member of the index node operation table and/or the file operation table is a function pointer, and the function pointer points to a kernel file operation function;
the judgment module is specifically configured to:
detecting whether the file operation request is a webpage tampering operation request or not by setting a hook function for a kernel file operation function corresponding to the index node operation table and/or the file operation table;
the device further comprises:
a second generating module, configured to generate a tampering operation log according to the file operation request after the rejecting module rejects the response to the file operation request, where information included in the tampering operation log includes: the identification of the tampering operation, the tampered file, the IP address of the user performing tampering and the tampering time.
6. The apparatus of claim 5, further comprising:
and the response module is used for responding to the file operation request when the judging module judges that the file operation request is not the webpage tampering operation request.
7. The apparatus of claim 5, further comprising:
and the first generating module is used for generating a configuration file corresponding to the target webpage file according to the configuration policy corresponding to the target webpage file before the judging module judges whether the file operation request is a webpage tampering operation request.
8. The apparatus of claim 7, wherein the determining module comprises:
the obtaining submodule is used for obtaining a configuration file corresponding to the target webpage file;
and the judging submodule is used for judging whether the file operation request is a webpage tampering operation request according to the configuration strategy in the configuration file.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710465752.9A CN109145536B (en) | 2017-06-19 | 2017-06-19 | Webpage tamper-proofing method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710465752.9A CN109145536B (en) | 2017-06-19 | 2017-06-19 | Webpage tamper-proofing method and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN109145536A CN109145536A (en) | 2019-01-04 |
| CN109145536B true CN109145536B (en) | 2021-03-26 |
Family
ID=64804399
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201710465752.9A Active CN109145536B (en) | 2017-06-19 | 2017-06-19 | Webpage tamper-proofing method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN109145536B (en) |
Families Citing this family (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110022305A (en) * | 2019-03-07 | 2019-07-16 | 北京华安普特网络科技有限公司 | Web portal security guard system and method |
| CN110765453B (en) * | 2019-09-27 | 2020-07-10 | 山东高速信联科技有限公司 | Tamper-proof method and system for ETC online recharging service |
| CN112187787B (en) * | 2020-09-27 | 2023-10-10 | 广州瀚信通信科技股份有限公司 | Digital marketing advertisement page tamper-proof method, device and equipment based on knowledge graph |
| CN112052423A (en) * | 2020-10-10 | 2020-12-08 | 杭州安恒信息安全技术有限公司 | Data tamper-proof method, system and related device |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104766009A (en) * | 2015-03-18 | 2015-07-08 | 杭州安恒信息技术有限公司 | System for preventing webpage document tampering based on operating system bottom layer |
| CN104778423A (en) * | 2015-04-28 | 2015-07-15 | 福建六壬网安股份有限公司 | Webpage tamper-resistant method based on file-driven watermark comparison |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103324885B (en) * | 2013-06-19 | 2017-11-10 | 山东中创软件商用中间件股份有限公司 | The file means of defence and system of a kind of kernel level |
| CN105550599B (en) * | 2015-12-29 | 2018-07-17 | 山东中创软件商用中间件股份有限公司 | A kind of tamper resistant method and system based on Linux Virtual File Systems |
-
2017
- 2017-06-19 CN CN201710465752.9A patent/CN109145536B/en active Active
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104766009A (en) * | 2015-03-18 | 2015-07-08 | 杭州安恒信息技术有限公司 | System for preventing webpage document tampering based on operating system bottom layer |
| CN104778423A (en) * | 2015-04-28 | 2015-07-15 | 福建六壬网安股份有限公司 | Webpage tamper-resistant method based on file-driven watermark comparison |
Also Published As
| Publication number | Publication date |
|---|---|
| CN109145536A (en) | 2019-01-04 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109871691B (en) | Authority-based process management method, system, device and readable storage medium | |
| CN109145536B (en) | Webpage tamper-proofing method and device | |
| CN109743315B (en) | Behavior identification method, behavior identification device, behavior identification equipment and readable storage medium for website | |
| CN110851241A (en) | Safety protection method, device and system for Docker container environment | |
| CN102831339B (en) | Method, device and browser for protecting webpage against malicious attack | |
| JP2006252477A (en) | Access control device and access control method | |
| CN111191243B (en) | Vulnerability detection method, vulnerability detection device and storage medium | |
| CN109409087B (en) | Anti-privilege-raising detection method and device | |
| GB2485622A (en) | Server detecting malware in user device. | |
| CN111726364B (en) | Host intrusion prevention method, system and related device | |
| CN109617977B (en) | Webpage request processing method and device | |
| KR102242219B1 (en) | Method and device for preventing the server from being attacked | |
| CN113886835A (en) | Method and device for preventing container from escaping, computer equipment and storage medium | |
| CN106339629A (en) | Application management method and device | |
| CN112099904A (en) | Nested page table management method and device for virtual machine, processor chip and server | |
| CN114021115A (en) | Malicious application detection method and device, storage medium and processor | |
| CN114064780A (en) | Session information processing method, system, device, storage medium and electronic equipment | |
| CN107103243B (en) | Vulnerability detection method and device | |
| KR101503827B1 (en) | A detect system against malicious processes by using the full path of access files | |
| CN106911635B (en) | Method and device for detecting whether backdoor program exists in website | |
| WO2024125108A1 (en) | On-demand enabling method and apparatus for security aspect of mobile terminal | |
| CN106682512B (en) | Method, device and system for preventing program from being modified | |
| CN112187787A (en) | Digital marketing advertisement page tamper-proof method, device and equipment based on knowledge graph | |
| CN111783087A (en) | Method and device for detecting malicious execution of executable file, terminal and storage medium | |
| CN112597492B (en) | Binary executable file modification monitoring method based on Windows kernel |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |