CN111931108A - Safety net station updating method and system - Google Patents
- Publication number
- CN111931108A
- Authority
- CN
- China
- Prior art keywords
- website
- directory
- new
- same
- original
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/95—Retrieval from the web
- G06F16/958—Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/95—Retrieval from the web
- G06F16/955—Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
- G06F16/9566—URL specific, e.g. using aliases, detecting broken or misspelled links
Landscapes
- Engineering & Computer Science (AREA)
- Databases & Information Systems (AREA)
- Theoretical Computer Science (AREA)
- Data Mining & Analysis (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Information Transfer Between Computers (AREA)
- Storage Device Security (AREA)
Abstract
The invention relates to a method and a system for securely updating a website. A new website that differs from the original website in its port and otherwise has the same configuration is added to the website server; the new website and the original website point to the same directory; when an eligible user updates the new website, the user first accesses an undisclosed URL path in the new website; only after the website server captures the process accessing the undisclosed URL path are the requests in that process allowed read and write rights to the content the directory points to; the requests in the remaining processes have read-only rights to the content the directory points to. The invention improves the security of updating the website.
Description
Technical Field
The invention relates to the technical field of information security software, and in particular to a secure website updating method and system.
Background
After a website is released, it continues to be updated to maintain traffic, for SEO optimization, and so on. Generally, a website has a management backend protected by a user name and a password, and anyone who obtains the user name and password of the management backend can update the website.
If the user name and password of the website management backend are leaked for any reason, the website can be illegally updated, and the website is "hacked". Moreover, a hacker can plant a backdoor (webshell) in the website directory through an attack such as SQL injection, bypassing the website management backend, and then illegally update the website through the webshell.
Disclosure of Invention
In view of this, the present invention provides a method and a system for securely updating a website, which improve the security of updating the website.
The invention is realized by the following scheme: a secure website updating method comprising the following steps:
adding a new website to the website server; the new website and the original website point to the same directory;
compared with the original website, the new website differs only in its port, with all other configuration the same, or differs only in its domain name, with all other configuration the same;
when an eligible user updates the new website, the user first accesses an undisclosed URL path in the new website;
only after the website server captures the process accessing the undisclosed URL path are the requests in that process allowed read and write rights to the content the directory points to; the requests in the remaining processes have read-only rights to the content the directory points to.
Further, the website server captures all accessing processes by means of an installed kernel driver.
The invention also provides a secure website updating system comprising a client, wherein the client performs the following operations:
when the client needs to update the new website, it obtains read and write rights to the content the corresponding website directory points to by accessing an undisclosed URL path under the new website;
compared with the original website, the new website differs only in its port, with all other configuration the same, or differs only in its domain name, with all other configuration the same;
the new website points to the same directory as the original website.
The invention also provides a secure website updating system comprising a website server, wherein the website server performs the following operations:
adding a new website to the website server; the new website and the original website point to the same directory;
compared with the original website, the new website differs only in its port, with all other configuration the same, or differs only in its domain name, with all other configuration the same;
the website server captures, in real time, the processes accessing the content the directory points to;
once a captured process includes an access to the undisclosed URL path, the requests in that process are allowed read and write rights to the content the directory points to; for the remaining captured processes, the requests have read-only rights to the content the directory points to.
Further, the website server captures all accessing processes by means of an installed kernel driver.
The invention also provides a secure website updating system comprising a client and a website server, which interact as follows:
a new website is added to the website server; the new website and the original website point to the same directory;
compared with the original website, the new website differs only in its port, with all other configuration the same, or differs only in its domain name, with all other configuration the same;
when the client needs to update the new website, it first accesses an undisclosed URL path in the new website;
the website server captures, in real time, the processes accessing the content the directory points to; once a captured process includes an access to the undisclosed URL path, the requests in that process are allowed read and write rights to the content the directory points to; for the remaining captured processes, the requests have read-only rights to the content the directory points to.
Further, the website server captures all accessing processes by means of an installed kernel driver.
Compared with the prior art, the invention has the following beneficial effects: by setting up a new website, the invention separates the requests of the website administrator from the requests of ordinary users, so that their processes are isolated and can be told apart. With the method of the invention, even if the user name and password of the website management backend are leaked, an ordinary user does not know the undisclosed URL and lacks the relevant characteristic, and the process handling that user's requests cannot write to the website directory, so an illegal user still cannot update or tamper with the website content. In conclusion, the invention improves the security of updating the website.
Drawings
FIG. 1 is a schematic diagram of the method of the embodiment of the present invention.
Detailed Description
The invention is further explained below with reference to the drawings and the embodiments.
It should be noted that the following detailed description is exemplary and is intended to provide further explanation of the disclosure. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments according to the present application. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, and it should be understood that when the terms "comprises" and/or "comprising" are used in this specification, they specify the presence of stated features, steps, operations, devices, components, and/or combinations thereof, unless the context clearly indicates otherwise.
As shown in FIG. 1, the present embodiment provides a secure website updating method, including the following steps:
adding a new website to the website server; the new website and the original website point to the same directory;
compared with the original website, the new website differs only in its port, with all other configuration the same, or differs only in its domain name, with all other configuration the same;
when an eligible user updates the website, the user first accesses an undisclosed URL path in the new website;
only after the website server captures the process accessing the undisclosed URL path are the requests in that process allowed read and write rights to the content the directory points to; the requests in the remaining processes have read-only rights to the content the directory points to.
The website server captures all accessing processes by means of an installed kernel driver.
The embodiment also provides a secure website updating system comprising a client, wherein the client performs the following operations:
when the client needs to update the new website, it first accesses an undisclosed URL path under the new website to obtain read and write permission for the content the corresponding website directory points to;
compared with the original website, the new website differs only in its port, with all other configuration the same, or differs only in its domain name, with all other configuration the same;
the new website points to the same directory as the original website.
The embodiment also provides a secure website updating system comprising a website server, wherein the website server performs the following operations:
adding a new website to the website server; the new website and the original website point to the same directory;
compared with the original website, the new website differs only in its port, with all other configuration the same, or differs only in its domain name, with all other configuration the same;
the website server captures, in real time, the processes accessing the content the directory points to;
once a captured process includes an access to the undisclosed URL path, the requests in that process are allowed read and write rights to the content the directory points to; for the remaining captured processes, the requests have read-only rights to the content the directory points to.
The website server captures all accessing processes by means of an installed kernel driver.
The embodiment also provides a secure website updating system comprising a client and a website server, which interact as follows:
a new website is added to the website server; the new website and the original website point to the same directory;
compared with the original website, the new website differs only in its port, with all other configuration the same, or differs only in its domain name, with all other configuration the same;
when the client needs to update the new website, it first accesses an undisclosed URL path in the new website;
the website server captures, in real time, the processes accessing the content the directory points to; once a captured process includes an access to the undisclosed URL path, the requests in that process are allowed read and write rights to the content the directory points to; for the remaining captured processes, the requests have read-only rights to the content the directory points to.
The website server captures all accessing processes by means of an installed kernel driver.
Specifically, with reference to FIG. 1, this embodiment first illustrates the case where the new website differs from the original website only in its port and all other configuration is the same. The interaction between the two parties comprises the following steps:
1. In the website server, add a new website that differs from the original website only in its port, with all other configuration the same: the original website's port is TCP 80 and the new website's port is TCP 8080; the domain name www.my.com and the other configuration information are the same as for the original website. In particular, the newly added website points to the same directory as the original website.
2. When a legitimate user (the website administrator) updates the new website, the user must first access an undisclosed URL path under the new website from step 1, for example http://www.my.com:8080/847dd7e5a43c311fd2f144c.
3. A kernel driver is pre-installed on the website server from step 1; the kernel driver captures the process that accesses the undisclosed URL in step 2, and this process is P2.
4. The driver from step 3 applies tamper-proof protection to the website directory, using whether the undisclosed URL from step 2 has been accessed as the process characteristic: only the P2 process, which accessed the undisclosed URL in step 2, can read and write; other processes, such as P1 (the process accessed by ordinary users, which accesses the http://www.my.com/ website), can only read and cannot write.
This embodiment also illustrates the case where the new website differs from the original website only in its domain name and all other configuration is the same. The interaction between the two parties comprises the following steps:
1. In the website server, add a new website that differs from the original website only in its domain name, with all other configuration the same: the domain name of the original website is www.my.com and the domain name of the new website is www.123my.com; the port and the other configuration information are the same as for the original website. In particular, the newly added website points to the same directory as the original website.
2. When a legitimate user (the website administrator) updates the new website, the user must first access an undisclosed URL path under the new website from step 1, for example http://www.123my.com/847dd7e5a43c311fd2f144c.
3. A kernel driver is pre-installed on the website server from step 1; the kernel driver captures the process that accesses the undisclosed URL in step 2, and this process is P2.
4. The driver from step 3 applies tamper-proof protection to the website directory, using whether the undisclosed URL from step 2 has been accessed as the process characteristic: only the P2 process, which accessed the undisclosed URL in step 2, can read and write; other processes, such as P1 (the process accessed by ordinary users, which accesses the http://www.my.com/ website), can only read and cannot write.
In summary, in this embodiment, a new website is set up so that requests from the website administrator IP and requests from ordinary user IPs are separated: requests from the administrator IP (http://www.my.com:8080/, as shown in FIG. 1) access the website directory through the new website's process (the P2 process in FIG. 1), and requests from ordinary user IPs (http://www.my.com/, as shown in FIG. 1) access the website directory through the original website's process (the P1 process in FIG. 1), so that process isolation is achieved (the respective requests are in process P2 and process P1). The same separation can also be implemented by setting different domain names.
Because the administrator is required to first access an undisclosed URL (http://www.my.com:8080/847dd7e5a43c311fd2f144c, as shown in FIG. 1), this behavior serves as the characteristic of the process: when the kernel driver of the website server captures a process accessing the undisclosed URL, that process is considered to be the new website process handling the administrator IP's requests, and the kernel driver immediately allows it to read and write the website directory. The website administrator can therefore update the website normally.
Meanwhile, the process handling requests from ordinary user IPs (such as the P1 process in FIG. 1) does not have the characteristic of having accessed the undisclosed URL, so the kernel driver still restricts it to read-only access to the website directory. Therefore, even if the user name and password of the website management backend are leaked, an ordinary user cannot forge the website administrator IP, does not know the undisclosed URL, and lacks the relevant characteristic; the process handling that user's requests cannot write to the website directory, so an illegal user still cannot update or tamper with the website content.
Therefore, the method improves both the security of updating the website and the convenience of user operation.
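The per-process decision described above, modelled in user space as an added example (not code from the patent or its applicant): a process becomes a writer only after it handles a request for the undisclosed path on the new website, and every other process stays read-only. All function and type names are hypothetical, and clearing the grant on process exit is an assumption the patent does not state.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* User-space model of the driver's decision logic. Every identifier here is
 * hypothetical; the patent names no functions or data structures. */
#define MAX_GRANTS 16

enum access  { ACCESS_READ, ACCESS_WRITE };
enum verdict { DENY, ALLOW };

struct policy {
    const char *host;               /* host of the new website         */
    int         port;               /* port of the new website         */
    const char *secret_path;        /* undisclosed URL path            */
    int         grants[MAX_GRANTS]; /* PIDs allowed to write; 0 = free */
};

void policy_init(struct policy *p, const char *host, int port, const char *path)
{
    memset(p, 0, sizeof *p);
    p->host = host;
    p->port = port;
    p->secret_path = path;
}

static bool has_grant(const struct policy *p, int pid)
{
    for (size_t i = 0; pid > 0 && i < MAX_GRANTS; i++)
        if (p->grants[i] == pid)
            return true;
    return false;
}

/* Called for each request a server process handles. Marks the process as a
 * writer only when the request hit the undisclosed path on the new website
 * (matched by host and port, which covers both variants in the patent). */
bool observe_request(struct policy *p, int pid, const char *host, int port,
                     const char *path)
{
    if (pid <= 0 || port != p->port || strcmp(host, p->host) != 0 ||
        strcmp(path, p->secret_path) != 0)
        return false;
    if (has_grant(p, pid))
        return true;
    for (size_t i = 0; i < MAX_GRANTS; i++)
        if (p->grants[i] == 0) {
            p->grants[i] = pid;
            return true;
        }
    return false; /* table full: fail closed, the process stays read-only */
}

/* Decision for one access to the shared website directory. The grant is per
 * process, as in the patent, so it covers every later request in that process. */
enum verdict check_access(const struct policy *p, int pid, enum access want)
{
    if (want == ACCESS_READ)
        return ALLOW;
    return has_grant(p, pid) ? ALLOW : DENY;
}

/* Assumption beyond the patent text: drop the grant when the process exits,
 * so a later process that reuses the PID starts read-only. */
void process_exit(struct policy *p, int pid)
{
    for (size_t i = 0; i < MAX_GRANTS; i++)
        if (p->grants[i] == pid)
            p->grants[i] = 0;
}

/* Constructed scenario using the port-variant values from the embodiment. */
int main(void)
{
    struct policy p;
    policy_init(&p, "www.my.com", 8080, "/847dd7e5a43c311fd2f144c");
    observe_request(&p, 101, "www.my.com", 80, "/index.html");   /* P1 */
    observe_request(&p, 202, "www.my.com", 8080, p.secret_path); /* P2 */
    return !(check_access(&p, 101, ACCESS_WRITE) == DENY &&
             check_access(&p, 202, ACCESS_WRITE) == ALLOW);
}
```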
The foregoing describes preferred embodiments of the present invention; other and further embodiments of the invention may be devised without departing from its basic scope, which is determined by the claims that follow. Any simple modification, equivalent change or adaptation of the above embodiments made according to the technical essence of the present invention falls within the protection scope of the technical solution of the present invention.
Claims (7)
1. A secure website updating method, comprising the steps of:
adding a new website to a website server, wherein the new website and the original website point to the same directory;
compared with the original website, the new website differs only in its port, with all other configuration the same, or differs only in its domain name, with all other configuration the same;
when an eligible user updates the new website, the user first accesses an undisclosed URL path in the new website;
only after the website server captures the process accessing the undisclosed URL path are the requests in that process allowed read and write rights to the content the directory points to; the requests in the remaining processes have read-only rights to the content the directory points to.
2. The secure website updating method of claim 1, wherein the website server captures all accessing processes by means of an installed kernel driver.
3. A secure website updating system, comprising a client, wherein the client performs the following operations:
when the client needs to update a new website, it obtains read and write rights to the content the corresponding website directory points to by accessing an undisclosed URL path under the new website;
compared with the original website, the new website differs only in its port, with all other configuration the same, or differs only in its domain name, with all other configuration the same;
the new website points to the same directory as the original website.
4. A secure website updating system, comprising a website server that performs the following operations:
adding a new website to the website server; the new website and the original website point to the same directory;
compared with the original website, the new website differs only in its port, with all other configuration the same, or differs only in its domain name, with all other configuration the same;
the website server captures, in real time, the processes accessing the content the directory points to;
once a captured process includes an access to the undisclosed URL path, the requests in that process are allowed read and write rights to the content the directory points to; for the remaining captured processes, the requests have read-only rights to the content the directory points to.
5. The secure website updating system of claim 4, wherein the website server captures all accessing processes by means of an installed kernel driver.
6. A secure website updating system, characterized by comprising a client and a website server, which interact as follows:
a new website is added to the website server; the new website and the original website point to the same directory;
compared with the original website, the new website differs only in its port, with all other configuration the same, or differs only in its domain name, with all other configuration the same;
when the client needs to update the new website, it first accesses an undisclosed URL path in the new website;
the website server captures, in real time, the processes accessing the content the directory points to; once a captured process includes an access to the undisclosed URL path, the requests in that process are allowed read and write rights to the content the directory points to; for the remaining captured processes, the requests have read-only rights to the content the directory points to.
7. The secure website updating system of claim 6, wherein the website server captures all accessing processes by means of an installed kernel driver.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010760154 | 2020-07-31 | ||
CN2020107601546 | 2020-07-31 |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111931108A (en) | 2020-11-13 |
Family
ID=73306581
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010769847.1A Pending CN111931108A (en) | 2020-07-31 | 2020-08-04 | Safety net station updating method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111931108A (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5918018A (en) * | 1996-02-09 | 1999-06-29 | Secure Computing Corporation | System and method for achieving network separation |
US20010047486A1 (en) * | 1996-02-09 | 2001-11-29 | Secure Computing Corporation | Secure commerce server |
CN102469132A (en) * | 2010-11-15 | 2012-05-23 | 北大方正集团有限公司 | Method and system for grabbing web pages from servers with different IPs (Internet Protocols) in website |
CN104348914A (en) * | 2014-10-31 | 2015-02-11 | 福建六壬网安股份有限公司 | Tamper-proofing system file synchronizing system and tamper-proofing system file synchronizing method |
CN110602092A (en) * | 2019-09-12 | 2019-12-20 | 福建深空信息技术有限公司 | Method for only allowing designated IP to update website based on process forwarding |
CN110602091A (en) * | 2019-09-12 | 2019-12-20 | 福建深空信息技术有限公司 | Method for realizing website updating by modifying network data packet |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
Application publication date: 20201113 |