CN110210231A - Security protection method, system, device and computer-readable storage medium - Google Patents


Info

Publication number
CN110210231A
Authority
CN
China
Prior art keywords
url
splicing
exception
white list
default white
Prior art date
Legal status
Granted
Application number
CN201910482080.1A
Other languages
Chinese (zh)
Other versions
CN110210231B (en)
Inventor
位凯志
Current Assignee
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Sangfor Technologies Co Ltd
Priority to CN201910482080.1A
Publication of CN110210231A
Application granted
Publication of CN110210231B
Legal status: Active (current)
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/90 Details of database functions independent of the retrieved data types
    • G06F 16/95 Retrieval from the web
    • G06F 16/955 Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
    • G06F 16/9566 URL specific, e.g. using aliases, detecting broken or misspelled links
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Computer And Data Communications (AREA)

Abstract

This application discloses a security protection method, system, device and computer-readable storage medium applied to a WAF. The method includes: obtaining the downlink service URLs; obtaining, based on preset rules, the anomalous URLs among the service URLs; judging whether an anomalous URL belongs to a preset whitelist, the preset whitelist containing preset safe URL types; if the anomalous URL does not belong to the preset whitelist, intercepting it; and if it does belong to the preset whitelist, releasing it. With this method the WAF can use the preset whitelist to avoid judging safe URLs to be anomalous URLs, which reduces the false-positive rate when identifying and intercepting traversal attacks. The security protection system, device and computer-readable storage medium provided by this application solve the corresponding technical problem in the same way.

Description

Security protection method, system, device and computer-readable storage medium
Technical field
This application relates to the technical field of information transmission, and more specifically to a security protection method, system, device and computer-readable storage medium.
Background
Current WAFs (Web Application Firewall, web application layer intrusion prevention system) handle traversal attacks such as directory traversal and SQL (Structured Query Language) injection vulnerability attacks by identifying and intercepting them with low-order or high-order rules.
However, among the URLs that existing methods identify and intercept with low-order or high-order rules there are URLs that are not traversal attacks at all; in other words, the false-positive rate of existing methods is high. Once this part of the traffic has been filtered out, it has a considerable impact on the customer's traffic and on the customer's promotion in search engines.
In summary, how to reduce the false-positive rate when identifying and intercepting traversal attacks is a problem that those skilled in the art urgently need to solve.
Summary of the invention
The purpose of this application is to provide a security protection method that can, to a certain extent, solve the technical problem of how to reduce the false-positive rate when identifying and intercepting traversal attacks. This application also provides a security protection system, a device and a computer-readable storage medium.
To achieve the above purpose, this application provides the following technical solutions:
A security protection method, applied to a WAF, comprising:
obtaining the downlink service URLs;
obtaining, based on preset rules, the anomalous URLs among the service URLs;
judging whether the anomalous URL belongs to a preset whitelist, the preset whitelist containing preset safe URL types;
if the anomalous URL does not belong to the preset whitelist, intercepting the anomalous URL; if the anomalous URL belongs to the preset whitelist, releasing the anomalous URL.
Preferably, judging whether the anomalous URL belongs to the preset whitelist comprises:
judging whether the type of the anomalous URL belongs to directory traversal or SQL injection vulnerability;
if the type of the anomalous URL belongs to directory traversal or SQL injection vulnerability, performing the step of judging whether the anomalous URL belongs to the preset whitelist.
Preferably, before judging whether the anomalous URL belongs to the preset whitelist, the method further comprises:
parsing the tags of the HTML in the HTTP response to obtain a parsing result;
filtering the obtained downlink URLs according to the parsing result to obtain filtered URLs;
truncating the request URL to obtain a truncated URL;
concatenating the truncated URL and the filtered URL to obtain a concatenated URL;
judging whether the concatenated URL contains a target word and, if so, adding the concatenated URL to the preset whitelist, where the target words are the words by which a concatenated URL is judged to be a safe concatenated URL.
Preferably, truncating the request URL to obtain the truncated URL comprises:
when the request URL contains a question mark, determining the first question mark in the request URL;
determining the position of the last slash before the first question mark as the recorded position;
taking the content from the beginning of the request URL to the recorded position as the truncated URL.
Preferably, truncating the request URL to obtain the truncated URL comprises:
when the request URL contains no question mark, determining the position of the last slash in the request URL as the recorded position;
taking the content from the beginning of the request URL to the recorded position as the truncated URL.
Preferably, judging whether the concatenated URL contains a target word comprises:
replacing the backslashes in the concatenated URL with forward slashes to obtain a first concatenated URL;
judging whether the first concatenated URL carries parameters;
if the first concatenated URL carries parameters, applying the backtracking process to the content before the first question mark in the first concatenated URL to obtain a second concatenated URL, and judging whether the second concatenated URL contains a target word;
if the first concatenated URL carries no parameters, applying the backtracking process to the whole content of the first concatenated URL to obtain a third concatenated URL, and judging whether the third concatenated URL contains a target word;
where the backtracking process consists of deleting an adjacent parent directory together with the first symbol, replacing double slashes with a single slash, and deleting the second symbol; the first symbol consists of two dots and a slash; the second symbol consists of one dot and a slash.
Preferably, the target words include directory traversal keywords and SQL injection keywords;
the directory traversal keywords include the percent sign and a third symbol, the third symbol consisting of two dots;
the SQL injection keywords include from and select.
A security protection system, applied to a WAF, comprising:
a first acquisition module, for obtaining the downlink service URLs;
a first analysis module, for obtaining, based on preset rules, the anomalous URLs among the service URLs;
a first judgment module, for judging whether the anomalous URL belongs to a preset whitelist, the preset whitelist containing preset safe URL types;
a first execution module, for intercepting the anomalous URL when it does not belong to the preset whitelist and releasing it when it does.
A security protection device, comprising:
a memory, for storing a computer program;
a processor, for implementing the steps of any of the above security protection methods when executing the computer program.
A computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of any of the above security protection methods.
The security protection method provided by this application is applied to a WAF: it obtains the downlink service URLs; analyses the service URLs to obtain the anomalous URLs that match the preset rules; judges whether an anomalous URL belongs to the preset whitelist, which contains preset safe URL types; intercepts the anomalous URL if it does not belong to the preset whitelist; and releases it if it does. Because the preset rules include the rules for deciding whether a service URL is anomalous, the anomalous URLs obtained by the analysis are exactly the anomalous URLs among the service URLs. The WAF then judges whether each anomalous URL belongs to the preset whitelist, intercepting it if not and releasing it if so. Since the preset whitelist contains preset safe URL types, the released anomalous URLs are safe URLs, while the intercepted anomalous URLs are unsafe anomalous URLs (without the whitelist they might also be misjudged safe URLs). The preset whitelist thus keeps safe URLs from being judged to be anomalous URLs and reduces the false-positive rate when identifying and intercepting traversal attacks. The security protection system, device and computer-readable storage medium provided by this application solve the corresponding technical problem in the same way.
Description of the drawings
To explain the technical solutions in the embodiments of this application or in the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Clearly, the drawings described below are only embodiments of this application; those of ordinary skill in the art can also derive other drawings from them without creative effort.
Fig. 1 is a first flow chart of a security protection method provided by an embodiment of this application;
Fig. 2 is a construction diagram of the preset whitelist in an embodiment of this application;
Fig. 3 is a structural diagram of a security protection system provided by an embodiment of this application;
Fig. 4 is a structural diagram of a security protection device provided by an embodiment of this application;
Fig. 5 is another structural diagram of a security protection device provided by an embodiment of this application.
Detailed description of the embodiments
The technical solutions in the embodiments of this application are described clearly and completely below with reference to the drawings. Clearly, the described embodiments are only some of the embodiments of this application, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments in this application without creative effort fall within the scope of protection of this application.
Refer to Fig. 1, a first flow chart of a security protection method provided by an embodiment of this application.
The security protection method provided by an embodiment of this application is applied to a WAF and may comprise the following steps:
Step S101: obtain the downlink service URLs (uniform resource locators).
In practice, the WAF first obtains the downlink service URLs. The downlink service URLs are the service URLs the WAF obtains after receiving and responding to a web page request; correspondingly, the URL in the web page request is the uplink URL.
Step S102: based on preset rules, obtain the anomalous URLs among the service URLs.
In practice, after obtaining the service URLs, the WAF can obtain the anomalous URLs among them based on preset rules, for example by analysing the service URLs for those that match the preset rules. Because the preset rules include the rules for deciding whether a service URL is anomalous, this analysis yields the anomalous URLs among the service URLs. In a concrete application scenario the preset rules may include low-order rules or high-order rules, for example Snort rules.
Step S103: judge whether the anomalous URL belongs to the preset whitelist, which contains preset safe URL types; if the anomalous URL does not belong to the preset whitelist, go to step S104; if it does, go to step S105.
In practice, after the analysis has produced the anomalous URLs, the preset whitelist can be used to judge whether an anomalous URL is a safe URL. The preset whitelist contains preset safe URL types, and an anomalous URL is one that matches the preset rules: it may be an unsafe anomalous URL, or it may be a safe URL that was misjudged. An anomalous URL that matches the preset whitelist is therefore a safe URL misjudged by the preset rules.
Step S104: intercept the anomalous URL.
Step S105: release the anomalous URL.
The security protection method provided by this application is applied to a WAF: it obtains the downlink service URLs; obtains, based on preset rules, the anomalous URLs among the service URLs; judges whether an anomalous URL belongs to the preset whitelist, which contains preset safe URL types; intercepts the anomalous URL if it does not belong to the preset whitelist; and releases it if it does. The WAF first obtains the anomalous URLs among the service URLs based on the preset rules, then judges whether each anomalous URL belongs to the preset whitelist, intercepting it if not and releasing it if so. Since the preset whitelist contains preset safe URL types, the released anomalous URLs are safe URLs, while the intercepted anomalous URLs are unsafe anomalous URLs (or, without the whitelist, possibly misjudged safe URLs). The preset whitelist thus keeps safe URLs from being judged to be anomalous URLs and reduces the false-positive rate when identifying and intercepting traversal attacks.
In practice, because of the diversity of traversal attacks, performing the above steps for every kind of traversal attack would take more judgment time while improving accuracy only a little. To reduce judgment time as far as possible while maintaining judgment accuracy, the above processing can be applied only to the directory traversal type and the SQL injection vulnerability type, whose false-positive rates are higher. The process of judging whether an anomalous URL belongs to the preset whitelist can then specifically be: judge whether the type of the anomalous URL belongs to directory traversal or SQL injection vulnerability; if it does, perform the step of judging whether the anomalous URL belongs to the preset whitelist.
Refer to Fig. 2, a construction diagram of the preset whitelist in an embodiment of this application.
In practice, the preset whitelist can be built in many ways. To build the whitelist quickly and guarantee its accuracy, this application can build the preset whitelist, before judging whether an anomalous URL belongs to it, by the following steps:
Step S201: parse the tags of the HTML (hypertext markup language) in the HTTP (Hyper Text Transfer Protocol) response to obtain a parsing result.
In practice, the tags of the HTML in the HTTP response are parsed first; the resulting parsing result is described in Table 1.
Table 1: HTML tag parsing result
Step S202: filter the obtained downlink URLs according to the parsing result to obtain filtered URLs.
In practice, the downlink URLs that contain relative directories can be filtered out according to the parsing result to obtain the filtered URLs; for example, the downlink URLs can be filtered by the domain name information in the parsing result, so that the filtered URLs are those meeting the corresponding domain name requirement. The downlink URLs belong to the HTTP response. Other filtering methods are of course possible, and this application does not limit them.
Step S203: truncate the request URL to obtain a truncated URL.
In practice, the request URL is the URL received by the WAF that carries a request. How the request URL is truncated can be decided by the concrete application scenario. Note that the request URL in this application may be the URL a user submits to the WAF, while the downlink URLs are the URLs the WAF obtains after processing, such as retrieval, for the received request URL. The relationship between the downlink URLs and the service URLs can be decided flexibly as needed: the downlink URLs may be identical to the service URLs, or may include the service URLs together with other URLs.
In a concrete application scenario, when the request URL contains a question mark, the first question mark in the request URL is determined, the position of the last slash before that question mark is taken as the recorded position, and the content from the beginning of the request URL to the recorded position is the truncated URL. Assuming the request URL is /product/price/index.html?ads=/adb/it-yun.html, the truncated URL is /product/price/.
In a concrete application scenario, when the request URL contains no question mark, the position of the last slash in the request URL is taken as the recorded position, and the content from the beginning of the request URL to the recorded position is the truncated URL. Assuming the request URL is /product/price/it-yun.html, the truncated URL is /product/price/.
Step S204: concatenate the truncated URL and the filtered URL to obtain a concatenated URL.
In practice, after the truncated URL and the filtered URL have been obtained, they are concatenated to obtain the concatenated URL. In a concrete application scenario they should be concatenated in the order truncated URL first, filtered URL after.
Step S205: judge whether the concatenated URL contains a target word; if so, go to step S206.
Step S206: add the concatenated URL to the preset whitelist. The target words are the words by which a concatenated URL is judged to be a safe concatenated URL.
In practice, the target words are the words by which a concatenated URL is judged to be a safe concatenated URL, and a safe concatenated URL is a concatenated URL whose type is safe; that is, a concatenated URL that contains a target word is judged to be a safe concatenated URL.
In a concrete application scenario, judging whether the concatenated URL contains a target word can specifically be: replace the backslashes in the concatenated URL with forward slashes to obtain the first concatenated URL; judge whether the first concatenated URL carries parameters; if it does, apply the backtracking process to the content before the first question mark in the first concatenated URL to obtain the second concatenated URL and judge whether it contains a target word; if it does not, apply the backtracking process to the whole content of the first concatenated URL to obtain the third concatenated URL and judge whether it contains a target word. The backtracking process consists of deleting an adjacent parent directory together with the first symbol, replacing double slashes with a single slash, and deleting the second symbol; the first symbol consists of two dots and a slash, the second symbol of one dot and a slash. Taking a first concatenated URL with parameters, /a/b/../index.html?vid=/var/../ac/./cja.js, the corresponding second concatenated URL is /a/index.html?vid=/var/../ac/./cja.js; taking a first concatenated URL without parameters, /product/price/nice/ab/../ac/ad/./../index.html, the corresponding third concatenated URL is /product/price/nice/ac/index.html.
In practice, the target words may include directory traversal keywords and SQL injection keywords; the directory traversal keywords may include the percent sign and a third symbol, the third symbol consisting of two dots; the SQL injection keywords may include from and select.
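The whitelist construction of steps S203 to S206 and the whitelist check of steps S103 to S105, as an added reference implementation in Python; it is not the patent's or Sangfor's code. The truncation, concatenation, backslash replacement, backtracking and target words follow the text above; the function names, storing the backtracked form of the concatenated URL in the whitelist, normalising the anomalous URL the same way before the lookup, and plain substring matching of the target words are assumptions.

```python
import re

# Target words from the patent: directory traversal keywords ("%" and "..")
# and SQL injection keywords ("from", "select"). Plain substring matching is
# an assumption; the patent does not say whether word boundaries apply.
TRAVERSAL_KEYWORDS = ("%", "..")
SQLI_KEYWORDS = ("from", "select")

# Patterns for the backtracking process. First symbol = "../", second = "./".
# A "../" that has only "./" or another "../" in front of it has no parent
# directory to delete, so the lookahead leaves it alone.
_PARENT_AND_FIRST_SYMBOL = re.compile(r"/(?!\.{1,2}/)[^/]+/\.\./")  # "<dir>/../"
_DOUBLE_SLASH = re.compile(r"//+")
_SECOND_SYMBOL = re.compile(r"/\./")


def truncate_request_url(request_url: str) -> str:
    """Step S203: the recorded position is the last slash before the first
    '?' (or the last slash of the whole URL when there is no '?'); the
    truncated URL is the content from the start to that slash inclusive,
    as in the patent's example /product/price/."""
    question = request_url.find("?")
    path = request_url if question < 0 else request_url[:question]
    last_slash = path.rfind("/")
    if last_slash < 0:
        return ""  # assumption: a URL without any slash has an empty directory part
    return path[: last_slash + 1]


def concatenate(truncated_url: str, filtered_url: str) -> str:
    """Step S204: truncated URL first, filtered URL after it."""
    return truncated_url + filtered_url


def backtrack(path: str) -> str:
    """The patent's backtracking process, repeated until nothing changes:
    delete an adjacent parent directory together with '../', collapse double
    slashes to one, delete './'."""
    while True:
        new = _PARENT_AND_FIRST_SYMBOL.sub("/", path)
        new = _DOUBLE_SLASH.sub("/", new)
        new = _SECOND_SYMBOL.sub("/", new)
        if new == path:
            return new
        path = new


def normalize_concatenated_url(concatenated_url: str) -> str:
    """Step S205, first half: backslashes become forward slashes (first
    concatenated URL); with parameters only the content before the first '?'
    is backtracked (second concatenated URL), without parameters the whole
    URL is (third concatenated URL)."""
    first = concatenated_url.replace("\\", "/")
    question = first.find("?")
    if question >= 0:
        return backtrack(first[:question]) + first[question:]
    return backtrack(first)


def contains_target_word(url: str) -> bool:
    """Step S205, second half: does the (backtracked) URL contain a target word?"""
    lowered = url.lower()
    return any(k in lowered for k in TRAVERSAL_KEYWORDS + SQLI_KEYWORDS)


def build_whitelist(request_url: str, filtered_urls: list) -> set:
    """Steps S203 to S206 for one request URL and the filtered URLs taken from
    its response. Assumption: the backtracked form is what gets stored."""
    whitelist = set()
    truncated = truncate_request_url(request_url)
    for filtered in filtered_urls:
        normalized = normalize_concatenated_url(concatenate(truncated, filtered))
        if contains_target_word(normalized):
            whitelist.add(normalized)
    return whitelist


def decide(anomalous_url: str, whitelist: set) -> str:
    """Steps S103 to S105: an anomalous URL found in the preset whitelist is
    released, any other anomalous URL is intercepted. Assumption: the lookup
    normalises the anomalous URL the same way as the stored entries."""
    if normalize_concatenated_url(anomalous_url) in whitelist:
        return "release"
    return "intercept"


if __name__ == "__main__":
    # Constructed sample data for the demonstration: one request URL and two
    # filtered URLs from its response (not taken from any real traffic).
    request = "/a/index.html?page=1"
    filtered = ["b/../index.html?vid=/var/../ac/./cja.js", "nice/ab/../ac/index.html"]
    whitelist = build_whitelist(request, filtered)
    for entry in sorted(whitelist):
        print("whitelisted:", entry)
    for candidate in ("/a/index.html?vid=/var/../ac/./cja.js",
                      "/a/x/../index.html?vid=/var/../ac/./other.js"):
        print(candidate, "->", decide(candidate, whitelist))
```

Only the first filtered URL ends up in the whitelist: after backtracking its query string still carries "..", whereas the second one backtracks to /a/nice/ac/index.html and contains no target word.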
This application also provides a security protection system that has the effects corresponding to the security protection method provided by the embodiments of this application. Refer to Fig. 3, a structural diagram of a security protection system provided by an embodiment of this application.
The security protection system provided by an embodiment of this application is applied to a WAF and may comprise:
a first acquisition module 101, for obtaining the downlink service URLs;
a first analysis module 102, for obtaining, based on preset rules, the anomalous URLs among the service URLs;
a first judgment module 103, for judging whether the anomalous URL belongs to a preset whitelist, the preset whitelist containing preset safe URL types;
a first execution module 104, for intercepting the anomalous URL when it does not belong to the preset whitelist and releasing it when it does.
In the security protection system provided by an embodiment of this application, applied to a WAF, the first judgment module may comprise:
a first judgment unit, for judging whether the type of the anomalous URL belongs to directory traversal or SQL injection vulnerability and, if it does, prompting the first judgment module to perform the step of judging whether the anomalous URL belongs to the preset whitelist.
The security protection system provided by an embodiment of this application, applied to a WAF, may further comprise:
a first parsing module, for parsing the tags of the HTML in the HTTP response to obtain a parsing result before the first judgment module judges whether the anomalous URL belongs to the preset whitelist;
a first filtering module, for filtering the obtained downlink URLs according to the parsing result to obtain filtered URLs;
a first truncation module, for truncating the request URL to obtain a truncated URL;
a first concatenation module, for concatenating the truncated URL and the filtered URL to obtain a concatenated URL;
a second judgment module, for judging whether the concatenated URL contains a target word and, if so, adding the concatenated URL to the preset whitelist, where the target words are the words by which a concatenated URL is judged to be a safe concatenated URL.
In the security protection system provided by an embodiment of this application, applied to a WAF, the first truncation module may comprise:
a first determination unit, for determining the first question mark in the request URL when the request URL contains a question mark;
a second determination unit, for determining the position of the last slash before the first question mark as the recorded position;
a first truncation unit, for taking the content from the beginning of the request URL to the recorded position as the truncated URL.
In the security protection system provided by an embodiment of this application, applied to a WAF, the first truncation module may comprise:
a third determination unit, for determining the position of the last slash in the request URL as the recorded position when the request URL contains no question mark;
a second truncation unit, for taking the content from the beginning of the request URL to the recorded position as the truncated URL.
In the security protection system provided by an embodiment of this application, applied to a WAF, the second judgment module may comprise:
a first replacement unit, for replacing the backslashes in the concatenated URL with forward slashes to obtain a first concatenated URL;
a second judgment unit, for judging whether the first concatenated URL carries parameters;
a first execution unit, for applying the backtracking process to the content before the first question mark in the first concatenated URL when it carries parameters, obtaining a second concatenated URL, and judging whether the second concatenated URL contains a target word;
a second execution unit, for applying the backtracking process to the whole content of the first concatenated URL when it carries no parameters, obtaining a third concatenated URL, and judging whether the third concatenated URL contains a target word;
where the backtracking process consists of deleting an adjacent parent directory together with the first symbol, replacing double slashes with a single slash, and deleting the second symbol; the first symbol consists of two dots and a slash; the second symbol consists of one dot and a slash.
In the security protection system provided by an embodiment of this application, applied to a WAF, the target words include directory traversal keywords and SQL injection keywords; the directory traversal keywords include the percent sign and a third symbol, the third symbol consisting of two dots; the SQL injection keywords include from and select.
This application also provides a security protection device and a computer-readable storage medium, both of which have the effects corresponding to the security protection method provided by the embodiments of this application. Refer to Fig. 4, a structural diagram of a security protection device provided by an embodiment of this application.
A kind of safety protection equipment provided by the embodiments of the present application, including memory 201 and processor 202, in memory It is stored with computer program, processor realizes following steps when executing the computer program stored in memory:
Obtain the service URL of downlink;
Based on preset rules, the abnormal URL in service URL is obtained;
Judge whether exception URL belongs to default white list, presetting includes preset safe URL type in white list;
If exception URL is not belonging to default white list, abnormal URL is intercepted;If exception URL belongs to default white list, put Row exception URL.
A kind of safety protection equipment provided by the embodiments of the present application, including memory and processor are stored in memory Computer subprogram, processor are implemented as follows step when executing the computer subprogram stored in memory: judgement is abnormal Whether the type of URL belongs to directory traversal or SQL injection loophole;If the type of exception URL belongs to target traversal or SQL injection leakage Hole then executes and the step of whether exception URL belongs to default white list is judged.
A kind of safety protection equipment provided by the embodiments of the present application, including memory and processor are stored in memory Computer subprogram, processor are implemented as follows step when executing the computer subprogram stored in memory: judgement is abnormal Whether URL belongs to before default white list, carries out tag resolution to the HTML in http response, obtains parsing result;According to solution Analysis obtains filtering URL as a result, be filtered to obtained downlink URL;Request URL is intercepted, interception URL is obtained;It will cut It takes URL and filtering URL to be spliced, obtains splicing URL;Judge to splice whether URL includes target word, if so, URL will be spliced It is added in default white list, target word includes that will splice the word that URL is judged to splicing safely URL.
A kind of safety protection equipment provided by the embodiments of the present application, including memory and processor are stored in memory Computer subprogram, processor are implemented as follows step when executing the computer subprogram stored in memory: working as request URL In there are first question marks when question mark, determined in request URL;The position of the last one slash before first question mark is true It is set to record position;Beginning in intercept requests URL intercepts URL to the content between record position.
A safety protection device provided by an embodiment of the present application includes a memory and a processor. A computer program is stored in the memory, and when the processor executes the computer program stored in the memory it implements the following steps: when there is no question mark in the request URL, determining the position of the last slash in the request URL as the record position; intercepting the content from the beginning of the request URL to the record position as the intercepted URL.
A safety protection device provided by an embodiment of the present application includes a memory and a processor. A computer program is stored in the memory, and when the processor executes the computer program stored in the memory it implements the following steps: replacing the backslashes in the spliced URL with forward slashes to obtain a first spliced URL; judging whether the first spliced URL carries parameters; if the first spliced URL carries parameters, performing backtracking processing on the content before the first question mark in the first spliced URL to obtain a second spliced URL, and judging whether the second spliced URL contains a target word; if the first spliced URL carries no parameters, performing backtracking processing on the entire content of the first spliced URL to obtain a third spliced URL, and judging whether the third spliced URL contains a target word; where the backtracking processing includes deleting the first symbol together with the adjacent upper-level directory, replacing double slashes with a single slash, and deleting the second symbol; the first symbol consists of two dots and a slash ("../"); the second symbol consists of one dot and a slash ("./").
In a safety protection device provided by an embodiment of the present application, the target words include directory traversal keywords and SQL injection keywords; the directory traversal keywords include the percent sign and a third symbol, the third symbol consisting of two dots (".."); the SQL injection keywords include "from" and "select".
Referring to Fig. 5, another safety protection device provided by an embodiment of the present application may further include: an input port 203 connected to the processor 202, used to transmit externally entered commands to the processor 202; a display unit 204 connected to the processor 202, used to display the processing results of the processor 202 to the outside; and a communication module 205 connected to the processor 202, used to implement communication between the safety protection device and the outside. The display unit 204 may be a display panel, a laser-scanning display, or the like; the communication modes used by the communication module 205 include, but are not limited to, Mobile High-Definition Link (MHL), Universal Serial Bus (USB), High-Definition Multimedia Interface (HDMI), and wireless connections: wireless fidelity (WiFi), Bluetooth, Bluetooth Low Energy, and IEEE 802.11s-based communication.
A computer-readable storage medium provided by an embodiment of the present application stores a computer program; when the computer program is executed by a processor, the steps of the safety protection method described in any of the above embodiments are implemented.
The computer-readable storage medium involved in the present application includes random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disks, removable disks, CD-ROM, or any other form of storage medium well known in the technical field.
For the explanation of the relevant parts of the security protection system, device and computer-readable storage medium provided by the embodiments of the present application, refer to the detailed description of the corresponding parts in the safety protection method provided by the embodiments of the present application, which is not repeated here. In addition, those parts of the above technical solutions provided by the embodiments of the present application whose implementation principle is consistent with the corresponding technical solutions in the prior art are not described in detail, to avoid excessive repetition.
It should also be noted that, herein, relational terms such as first and second are used merely to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. In the absence of further restrictions, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present application. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present application. Therefore, the present application is not limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A safety protection method, characterized in that it is applied to a WAF and comprises:
obtaining the service URLs of the downlink;
obtaining the abnormal URLs among the service URLs based on preset rules;
judging whether the abnormal URL belongs to a preset whitelist, the preset whitelist containing preset safe URL types;
if the abnormal URL does not belong to the preset whitelist, intercepting the abnormal URL; if the abnormal URL belongs to the preset whitelist, allowing the abnormal URL through.
2. The method according to claim 1, characterized in that judging whether the abnormal URL belongs to the preset whitelist comprises:
judging whether the type of the abnormal URL belongs to a directory traversal vulnerability or an SQL injection vulnerability;
if the type of the abnormal URL belongs to the directory traversal vulnerability or the SQL injection vulnerability, executing the step of judging whether the abnormal URL belongs to the preset whitelist.
3. The method according to claim 1 or 2, characterized in that, before judging whether the abnormal URL belongs to the preset whitelist, the method further comprises:
performing tag parsing on the HTML in the HTTP response to obtain a parsing result;
filtering the obtained downlink URLs according to the parsing result to obtain filtered URLs;
intercepting the request URL to obtain an intercepted URL;
splicing the intercepted URL and the filtered URL to obtain a spliced URL;
judging whether the spliced URL contains a target word and, if so, adding the spliced URL to the preset whitelist, the target word being a word by which a spliced URL is judged to be a safe spliced URL.
4. The method according to claim 3, characterized in that intercepting the request URL to obtain the intercepted URL comprises:
when there is a question mark in the request URL, determining the first question mark in the request URL;
determining the position of the last slash before the first question mark as the record position;
intercepting the content from the beginning of the request URL to the record position as the intercepted URL.
5. The method according to claim 3, characterized in that intercepting the request URL to obtain the intercepted URL comprises:
when there is no question mark in the request URL, determining the position of the last slash in the request URL as the record position;
intercepting the content from the beginning of the request URL to the record position as the intercepted URL.
6. The method according to claim 3, characterized in that judging whether the spliced URL contains a target word comprises:
replacing the backslashes in the spliced URL with forward slashes to obtain a first spliced URL;
judging whether the first spliced URL carries parameters;
if the first spliced URL carries parameters, performing backtracking processing on the content before the first question mark in the first spliced URL to obtain a second spliced URL, and judging whether the second spliced URL contains a target word;
if the first spliced URL carries no parameters, performing backtracking processing on the entire content of the first spliced URL to obtain a third spliced URL, and judging whether the third spliced URL contains a target word;
where the backtracking processing includes deleting the first symbol together with the adjacent upper-level directory, replacing double slashes with a single slash, and deleting the second symbol; the first symbol consists of two dots and a slash; the second symbol consists of one dot and a slash.
7. The method according to claim 3, characterized in that the target words include directory traversal keywords and SQL injection keywords;
the directory traversal keywords include the percent sign and a third symbol, the third symbol consisting of two dots;
the SQL injection keywords include "from" and "select".
8. A security protection system, characterized in that it is applied to a WAF and comprises:
a first obtaining module, for obtaining the service URLs of the downlink;
a first analysis module, for obtaining the abnormal URLs among the service URLs based on preset rules;
a first judgment module, for judging whether the abnormal URL belongs to a preset whitelist, the preset whitelist containing preset safe URL types;
a first execution module, for intercepting the abnormal URL when the abnormal URL does not belong to the preset whitelist, and allowing the abnormal URL through when the abnormal URL belongs to the preset whitelist.
9. A safety protection device, characterized in that it comprises:
a memory, for storing a computer program;
a processor, for implementing the steps of the safety protection method according to any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, and when the computer program is executed by a processor the steps of the safety protection method according to any one of claims 1 to 7 are implemented.
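The whitelist-building flow of the description above (tag parsing, downlink URL filtering, request URL interception, splicing, backtracking, target-word check) and the allow/intercept decision of claims 1 to 7, carried through in Python as an added example; this is not the patent's or the applicant's code. Assumptions not stated on the page: the request URL is the request-target path the WAF sees (no scheme or host); the intercepted URL keeps its trailing slash so the downlink link can be appended to it; the whitelist is keyed on the backtracked (normalized) URL and the incoming abnormal URL is normalized the same way before lookup; the downlink URL filter keeps only site-relative links; and the "preset rule" that marks a URL abnormal is unspecified on the page, so the `abnormal_type` rule here is mine. The sample request and response body are constructed, and every function name is mine.

```python
"""Added example (not the patent's code): whitelist building and the allow /
intercept decision of this patent, under the assumptions stated in the lead-in."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Claim 7 target words: directory-traversal keywords and SQL-injection keywords.
TRAVERSAL_KEYWORDS = ("%", "..")
SQL_KEYWORDS = ("from", "select")
TARGET_WORDS = TRAVERSAL_KEYWORDS + SQL_KEYWORDS

class _LinkCollector(HTMLParser):
    """Tag parsing of the HTTP response body: collect link-bearing attributes."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.links.append(value)

def filter_downlink_urls(html):
    """Assumed filter rule: keep only site-relative links (drop absolute,
    protocol-relative and fragment-only ones)."""
    collector = _LinkCollector()
    collector.feed(html)
    return [u for u in collector.links
            if not u.startswith(("#", "//")) and not urlsplit(u).scheme]

def intercept_request_url(request_url):
    """Claims 4/5: request URL up to (and including) the last '/' before the
    first '?', or the last '/' overall when there is no '?'."""
    slash = request_url.split("?", 1)[0].rfind("/")
    return request_url[:slash + 1] if slash != -1 else ""

_DOT_SLASH = re.compile(r"(?:^|(?<=/))\./")                # a './' segment
_PARENT = re.compile(r"(?:^|(?<=/))(?!\.\./)[^/]+/\.\./")  # 'dir/../'

def backtrack(path):
    """Claim 6 backtracking: '//' -> '/', delete './', delete '../' together with
    the directory just before it; repeat until stable. A '../' above the root has
    nothing to remove and is kept, so it remains a target word afterwards."""
    previous = None
    while previous != path:
        previous = path
        path = _PARENT.sub("", _DOT_SLASH.sub("", path.replace("//", "/")))
    return path

def normalize_spliced_url(spliced_url):
    """Claim 6: backslashes -> forward slashes (first spliced URL); backtrack only
    the part before '?' when there is a query (second spliced URL), otherwise the
    whole URL (third spliced URL). The query is kept for the target-word test."""
    path, sep, query = spliced_url.replace("\\", "/").partition("?")
    return backtrack(path) + sep + query

def contains_target_word(url):
    """Claim 7: plain substring test, case-insensitive."""
    return any(word in url.lower() for word in TARGET_WORDS)

def build_whitelist(request_url, response_html, whitelist=None):
    """Claim 3: splice each filtered downlink URL onto the intercepted request
    URL; record (in normalized form) those that still carry a target word."""
    whitelist = set() if whitelist is None else whitelist
    base = intercept_request_url(request_url)
    for link in filter_downlink_urls(response_html):
        normalized = normalize_spliced_url(base + link)
        if contains_target_word(normalized):
            whitelist.add(normalized)
    return whitelist

def abnormal_type(url):
    """Assumed preset rule (unspecified on the page): 'traversal' when the
    backtracked path still carries '..' or '%', 'sqli' when the query carries a
    SQL keyword, otherwise None (not abnormal)."""
    path, _, query = normalize_spliced_url(url).partition("?")
    if any(k in path for k in TRAVERSAL_KEYWORDS):
        return "traversal"
    if any(k in query.lower() for k in SQL_KEYWORDS):
        return "sqli"
    return None

def decide(url, whitelist):
    """Claims 1/2: only traversal / SQL-injection abnormal URLs reach the
    whitelist check; whitelisted ones are allowed, the rest intercepted."""
    if abnormal_type(url) is None:
        return "pass"
    return "allow" if normalize_spliced_url(url) in whitelist else "intercept"

# Constructed sample traffic (not taken from the page).
SAMPLE_REQUEST = "/catalog/items?page=2"
SAMPLE_RESPONSE = """
<a href="export.php?select=name,price&amp;from=items">Export</a>
<a href="../static/logo%20v2.png">Logo</a>
<a href="./items?page=3">Next</a>
<form action="search?from=home"></form>
<a href="https://cdn.example/lib.js">Library</a>
<a href="#top">Top</a>
"""
```

Running `build_whitelist(SAMPLE_REQUEST, SAMPLE_RESPONSE)` yields three entries: the export link (carries "select"), the logo link (carries "%" after "../" has been backtracked against "catalog/"), and the search form action (carries "from"); the "./items" link normalizes to a plain URL and is not recorded. `decide` then allows a later request for any of those three, intercepts "/catalog/../../private/data.txt" (the second "../" cannot be resolved, so ".." survives backtracking and the URL is not whitelisted) and "/catalog/items?select=1", and passes "/catalog/items?page=3" without consulting the whitelist. Note that the substring test on "from" is as broad as the patent states it, so any server-emitted link with "from" in it lands in the whitelist.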
CN201910482080.1A 2019-06-04 2019-06-04 Security protection method, system, equipment and computer readable storage medium Active CN110210231B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910482080.1A CN110210231B (en) 2019-06-04 2019-06-04 Security protection method, system, equipment and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN110210231A (en) 2019-09-06
CN110210231B CN110210231B (en) 2023-07-14

Family

ID=67790682

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910482080.1A Active CN110210231B (en) 2019-06-04 2019-06-04 Security protection method, system, equipment and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN110210231B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112019546A (en) * 2020-08-28 2020-12-01 杭州安恒信息技术股份有限公司 Protection strategy adjusting method, system, equipment and computer storage medium
CN112350992A (en) * 2020-09-28 2021-02-09 广东电力信息科技有限公司 Safety protection method, device, equipment and storage medium based on web white list
CN114726559A (en) * 2020-12-22 2022-07-08 深信服科技股份有限公司 URL detection method, system, equipment and computer readable storage medium
CN115022015A (en) * 2022-05-31 2022-09-06 中国工商银行股份有限公司 Method, apparatus, computer device, storage medium and program product for detecting block

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20140042674A (en) * 2012-09-28 2014-04-07 가부시키가이샤 디에누에 Network system and non-transitory computer-readable storage medium
US20150381654A1 (en) * 2013-07-05 2015-12-31 Tencent Technology (Shenzhen) Company Limited Method, device and system for detecting potential phishing websites
CN105704146A (en) * 2016-03-18 2016-06-22 四川长虹电器股份有限公司 System and method for SQL injection prevention
WO2016173327A1 (en) * 2015-04-28 2016-11-03 北京瀚思安信科技有限公司 Method and device for detecting website attack
CN107360162A (en) * 2017-07-12 2017-11-17 北京奇艺世纪科技有限公司 A kind of network application means of defence and device
US20180041530A1 (en) * 2015-04-30 2018-02-08 Iyuntian Co., Ltd. Method and system for detecting malicious web addresses
CN108173814A (en) * 2017-12-08 2018-06-15 深信服科技股份有限公司 Detection method for phishing site, terminal device and storage medium
CN108737471A (en) * 2017-04-20 2018-11-02 苏宁云商集团股份有限公司 A kind of Network Access Method and device
CN109597948A (en) * 2018-10-17 2019-04-09 深圳壹账通智能科技有限公司 Access method, system and the storage medium of URL link
CN109688137A (en) * 2018-12-27 2019-04-26 深信服科技股份有限公司 A kind of detection method, system and the associated component of SQL injection attack
CN109768992A (en) * 2019-03-04 2019-05-17 深信服科技股份有限公司 Webpage malicious scanning processing method and device, terminal device, readable storage medium storing program for executing

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Xu Ying et al.: "Research on the application of penetration testing in the security testing of Web software systems", Communications Technology (通信技术) *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112019546A (en) * 2020-08-28 2020-12-01 杭州安恒信息技术股份有限公司 Protection strategy adjusting method, system, equipment and computer storage medium
CN112350992A (en) * 2020-09-28 2021-02-09 广东电力信息科技有限公司 Safety protection method, device, equipment and storage medium based on web white list
CN114726559A (en) * 2020-12-22 2022-07-08 深信服科技股份有限公司 URL detection method, system, equipment and computer readable storage medium
CN115022015A (en) * 2022-05-31 2022-09-06 中国工商银行股份有限公司 Method, apparatus, computer device, storage medium and program product for detecting block
CN115022015B (en) * 2022-05-31 2024-02-20 中国工商银行股份有限公司 Method, apparatus, computer device, storage medium, and program product for detecting seal

Also Published As

Publication number Publication date
CN110210231B (en) 2023-07-14

Similar Documents

Publication Publication Date Title
US11483332B2 (en) System and method for cybersecurity analysis and score generation for insurance purposes
CN103607385B (en) Method and apparatus for security detection based on browser
CN110210231A (en) A kind of safety protecting method, system, equipment and computer readable storage medium
CN110851839B (en) Risk-based asset scoring method and system
US9231972B2 (en) Malicious website identifying method and system
CN109474640B (en) Malicious crawler detection method and device, electronic equipment and storage medium
US11960604B2 (en) Online assets continuous monitoring and protection
CN110650117B (en) Cross-site attack protection method, device, equipment and storage medium
CN107943949A (en) A kind of method and server of definite web crawlers
CN103812840B (en) Differentiate the method and system of malice network address
WO2015018314A1 (en) Method, device and system for detecting whether account is stolen
CN103856471A (en) Cross-site scripting attack monitoring system and method
CN105022815A (en) Information interception method and device
CN107135199B (en) Method and device for detecting webpage backdoor
CN111030972A (en) Asset information management and visual display method, device and storage equipment
JP5656266B2 (en) Blacklist extraction apparatus, extraction method and extraction program
CN114760144A (en) Attack defense method based on intelligent non-contact internet security service
Malandrino et al. Supportive, comprehensive and improved privacy protection for web browsing
CN110311890B (en) Visualized attack and defense graph generation method and device, computer equipment and storage medium
CN104506529A (en) Website protection method and device
CN104811418A (en) Virus detection method and apparatus
CN109190376A (en) A kind of Web page wooden horse detecting method, system and electronic equipment and storage medium
CN103619012B (en) Method and system for security assessment of mobile internet
CN109981683A (en) A kind of exchange data access method, system, equipment and computer storage medium
CN105740666A (en) Method and device for identifying on-line operational risk

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information

Inventor after: Wei Kaizhi

Inventor after: Hu Wenguang

Inventor before: Wei Kaizhi

GR01 Patent grant