CN112470154B - Method and device for detecting web page security - Google Patents

Publication number: CN112470154B
Authority: CN (China)
Prior art keywords: web, page, dom tree, tested, dom
Legal status: Active (the legal status is an assumption and is not a legal conclusion)
Application number: CN201880095842.6A
Other languages: Chinese (zh)
Other versions: CN112470154A (en)
Inventor: 黄增强
Current Assignee: Huawei Cloud Computing Technologies Co Ltd (the listed assignees may be inaccurate)
Original Assignee: Huawei Cloud Computing Technologies Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity

Abstract

The method removes the common part of each web response page, the common part being the part of the web page under test that is irrelevant to structured query language (SQL) injection; calculates the similarity between the non-common part of the first web response page and the non-common part of the second web response page; and detects the SQL injection risk of the web page under test from the calculated similarity. This reduces the influence of general content in the web response pages on the similarity calculation and improves its accuracy.

Description

Method and device for detecting web page security
Technical Field
The present application relates to the field of network security, and more particularly, to a method and apparatus for detecting web page security.
Background
Detecting structured query language (SQL) injection vulnerabilities is one of the scanning capabilities that an automated vulnerability scanning tool must have. During detection, the tool sends multiple requests to a server interface and judges from the server's responses whether an SQL injection vulnerability exists. The SQL injection detection scheme commonly used in the industry today judges similarity on the response pages of requests whose access parameters carry a logically true or a logically false SQL statement; it has high computational complexity and low accuracy.
Disclosure of Invention
In view of this, the present application provides a method and apparatus for detecting web page security, which improves accuracy of calculating similarity.
In a first aspect, a method for detecting security of a web page is provided, including: sending a first test request and a second test request to a server of a web page to be tested, wherein the first test request comprises a legal test request, and the second test request comprises an illegal test request; receiving a first web response page corresponding to the first test request and a second web response page corresponding to the second test request; rejecting a common part in each web response page, wherein the common part in each web response page is a part irrelevant to SQL injection in the web page to be tested; and calculating the similarity of the non-public part of the first web response page and the non-public part of the second web response page, and detecting the SQL injection risk of the webpage to be tested according to the calculated similarity.
With the method and the device of the embodiments of the present application, interference from the common parts of the web page is removed when the similarity of the web response pages is calculated, which improves the accuracy of the similarity calculation.
With reference to the first aspect, in a first possible implementation manner of the first aspect, the rejecting the common portion in each web response page includes:
Respectively acquiring a Document Object Model (DOM) tree of the first web response page and a DOM tree of the second web response page; acquiring a DOM tree of a template of the web page to be tested, wherein the template of the web page to be tested indicates a public part of the web page to be tested; removing subtrees which are the same as the DOM tree of the template in the DOM tree of the first web response page according to the DOM tree of the template of the web page to be tested; and removing the subtrees which are the same as the DOM tree of the template in the DOM tree of the second web response page according to the DOM tree of the template of the web page to be tested.
Therefore, the embodiment of the application realizes the rejection of the public content in the DOM tree of the web response page by using the DOM tree of the template of the web page to be tested, so as to calculate the similarity.
With reference to the first possible implementation manner of the first aspect, in a second possible implementation manner of the first aspect, the obtaining a DOM tree of the template of the web page to be tested specifically includes:
sending at least two access requests to a server of the web page to be tested, wherein the at least two access requests comprise different access parameters; receiving at least two access response pages; obtaining at least two access DOM trees according to the at least two access response pages; and obtaining the DOM tree of the template of the web page according to the at least two access DOM trees, wherein the DOM tree of the template of the web page comprises a common subtree of the at least two access DOM trees.
Therefore, the embodiment of the application obtains the DOM tree of the template of the web page by sending a plurality of access requests to the server of the web page to be tested.
With reference to the second possible implementation manner of the first aspect, in a third possible implementation manner of the first aspect, the obtaining a DOM tree of a template of the web page specifically includes:
and traversing the nodes of the at least two access DOM trees in a reverse direction, and acquiring a common subtree of the at least two access DOM trees.
Therefore, the embodiment of the application can acquire the common subtrees of a plurality of access DOM trees in a traversing way so as to accurately obtain the DOM tree of the template of the web page.
With reference to the first possible implementation manner, the second possible implementation manner, and any one of the third possible implementation manner of the first aspect, in a fourth possible implementation manner of the first aspect, calculating a similarity between the non-public portion of the first web response page and the non-public portion of the second web response page specifically includes:
and calculating the similarity between the DOM tree of the first web response page after the subtree is removed and the DOM tree of the second web response page after the subtree is removed.
Therefore, the embodiment of the application can directly calculate the similarity between the DOM tree of the first web response page and the DOM tree of the second web response page after the subtrees are removed, so that SQL injection risk of the webpage to be tested can be known.
With reference to the first possible implementation manner, the second possible implementation manner, and any one of the third possible implementation manner of the first aspect, in a fifth possible implementation manner of the first aspect, the calculating the similarity of the at least two rejected test DOM trees specifically includes:
rendering the DOM tree of the first web response page after the subtree is removed and the DOM tree of the second web response page after the subtree is removed, and generating at least two test images; and calculating the image similarity of the at least two test images.
Therefore, the embodiment of the application can respectively render the DOM tree of the first web response page and the DOM tree of the second web response page after the subtrees are removed to obtain a plurality of test images, and calculate the test images by using the image similarity calculation method so as to know SQL injection risks of the web pages to be tested conveniently. In addition, the rendered test image can be presented, the webpage to be tested can be reflected more intuitively, and the SQL injection risk of the webpage to be tested can be judged more conveniently.
In a second aspect, a device for detecting security of a web page is provided, including a test response acquisition unit, a similarity calculation unit, and a public part acquisition unit. These units are used to perform the method of the first aspect and of the various implementations of the first aspect.
In a third aspect, a computing device is provided, the computing device comprising at least one processor and a storage unit; the storage unit is used for storing instructions; the processor is coupled to the storage unit, and the instructions, when executed by the at least one processor, cause the processor to perform the method of the first aspect or of any of the implementations of the first aspect.
In a fourth aspect, there is provided a computer program product comprising: program code which, when run by a processing unit or transceiver, processor of a computing device, causes the computing device to perform the method of any of the above-described first aspect and possible implementations thereof.
In a fifth aspect, a computer readable storage medium is provided, the computer readable storage medium storing a program for causing a detection apparatus for security of a web page to perform any of the methods of the first aspect and possible implementations thereof.
Drawings
Fig. 1 is a schematic diagram of an example of a system architecture to which embodiments of the present application are applied.
FIG. 2 is a schematic diagram of a page of a web site.
Fig. 3 is a schematic flow chart of a method of detecting web page security according to an embodiment of the present application.
Fig. 4 is a schematic diagram of an example of an embodiment of the present application.
FIG. 5 is a flow chart of reverse traversal according to an embodiment of the present application.
Fig. 6 is a schematic diagram of an example according to an embodiment of the present application.
Fig. 7 is a schematic diagram of one example of extracting a public tree according to an embodiment of the present application.
Fig. 8 is a schematic block diagram of a detection apparatus for security of a web page according to an embodiment of the present application.
Fig. 9 is a schematic block diagram of a detection apparatus for security of a web page according to an embodiment of the present application.
Detailed Description
The technical solutions in the present application will be described below with reference to the accompanying drawings.
The technical scheme of the embodiment of the application can be applied to a network security detection system or a network security scanning system, such as an automatic vulnerability scanning tool, a structured query language (Structured Query Language, SQL) injection scanning system, a cloud vulnerability scanning tool, a Web attack scanning system and other tools for detecting network security. Some terms or concepts related to the description below are briefly described.
SQL injection means inserting SQL commands into a Web form submission, or into the query string of a domain name or page request, so as to trick the server into executing malicious SQL commands. (The network here is, for example, the World Wide Web; for convenience of description the Web is used as the example below, without limitation.) Specifically, SQL injection uses an existing application to inject (malicious) SQL commands into the back-end database engine for execution; by entering (malicious) SQL statements in a Web form, a database on a website with a security vulnerability can be obtained. SQL injection is one of the most common forms of Web attack.
The document object model (DOM) provides access to, and modification of, the content and structure of a document in a platform- and language-independent manner, and is a common way of representing and processing a HyperText Markup Language (HTML) or Extensible Markup Language (XML) document. The DOM design can be used from any programming language. DOM technology allows a user's page to change dynamically, for example by dynamically showing or hiding an element, changing its properties, or adding an element, and greatly enhances the interactivity of pages. The DOM is in effect a document model described in an object-oriented manner: it defines the objects needed to represent and modify a document, the behavior and properties of those objects, and the relationships between them. The DOM can be regarded as a tree representation of the data and structure of a page.
SQL injection risk detection, also called SQL injection vulnerability detection, can be implemented with a similarity algorithm and a threshold. Specifically, the similarity algorithm uses the following formula: where y represents the similarity, b represents the number of differing characters, and a represents the total character length. The value of the similarity therefore depends on the number of differing characters and on the total string length. Many characters in the response page of a web page are irrelevant to SQL injection vulnerabilities: a large share of the page content is the same in every response. This common content is counted in the total string length that forms the denominator, and the more common content there is, the greater its influence on the similarity. The sensitivity of the similarity is then low, and the detection result ends up with more missed detections. The embodiments of the present application therefore propose a way to reduce the interference terms of the similarity algorithm as far as possible, so as to improve the accuracy of the similarity calculation.
Fig. 1 is a schematic diagram of one example of a system architecture 100 to which embodiments of the present application are applied. As shown in fig. 1, the system architecture 100 includes a server 110 of a web page and a security detection device 120 of the web page. The security detection device 120 is configured to detect SQL injection risk of a web page.
Alternatively, the security detection device 120 of the web page may include a test response acquisition unit 121, a similarity calculation unit 122, and a common part acquisition unit 123. The test response acquisition unit 121 is configured to acquire a web response page required for security detection; the similarity calculation unit 122 is configured to calculate similarity according to the web response page acquired by the test response acquisition unit 121, so as to determine an SQL injection risk or an SQL injection vulnerability of the web page. The common part acquiring unit 123 is configured to acquire a common part from each web response page.
It should be appreciated that embodiments of the present application are not limited to a particular deployment of servers 110 for web pages. Alternatively, the server 110 of the web page may be a server deployed independently, or may be a server deployed in a data center, such as a virtual machine in a public cloud, private cloud, or hybrid cloud platform.
It should also be appreciated that the specific deployment of the security detection device 120 for web pages in embodiments of the present application is not limited. Alternatively, the security detection device 120 of the web page may be deployed on a physical machine/server that is independent of the server of the web page, or may be deployed in a data center where the server of the web page is located, such as a management service or a virtual machine in a public cloud, private cloud, or hybrid cloud platform.
It should also be understood that fig. 1 is only a schematic system architecture diagram of an embodiment of the present application, and is not limited to the embodiment of the present application, and actually fig. 1 may further include other modules or units that interact or communicate with the server 110 of the web page and/or the security detection device 120 of the web page.
The method for detecting the security of the web page according to the embodiment of the present application may be performed by the security detection device 120 of the web page in fig. 1 (which may be referred to simply as the security detection device). For convenience of description, the security detection device will be described by way of example, and this will be described in detail.
In the embodiment of the application, the security detection device removes the common part of each web response page, that is, the part of the web page to be tested that is irrelevant to SQL injection, and calculates the similarity from the web response pages after removal.
For ease of understanding, common portions of a web response page are described herein in connection with the example of FIG. 2. Fig. 2 shows a schematic view of a page for an artist. As shown in fig. 2, in the presented web page content, if the user clicks to view different artists, different content is presented with respect to "artist specific content presentation" within the box, but the same with respect to the content in the navigation bar. In the content presented by the web page, the content corresponding to the navigation bar can be understood as public content related to the web page, including "home page, category, artist …" and the like, and "specific content presentation of artist" can be considered as non-public part of the web response page. That is, the templates corresponding to the web pages in fig. 2 can be understood as contents composed of common parts. It should be understood that fig. 2 only schematically shows what may be included in a web page.
The following details a method for detecting web page security in an embodiment of the present application.
FIG. 3 is a schematic flow chart of a method 300 of detecting web page security according to an embodiment of the present application. Alternatively, the method 300 may be performed by a security detection device, such as the security detection device 120 of FIG. 1 described above. The method 300 includes:
S310, a first test request and a second test request are sent to a server of the web page to be tested, wherein the first test request comprises a legal test request, and the second test request comprises an illegal test request.
Optionally, the second test request includes a test request in which the SQL statement logic in the access parameter is true or a test request in which the SQL statement logic in the access parameter is false. It should be further understood that, in addition to the first test request and the second test request, a test request with true SQL statement logic in at least one access parameter and a test request with false SQL statement logic in at least one access parameter may be simultaneously sent to a server of the web page to be tested, so as to increase the number of received web response pages and improve the test precision. Here, the first test request and the second test request may be for the same access parameter of the web page to be tested, for example, the access parameter is "id=1", and the access parameter of the first test request is "id=1"; the access parameter of the second test request is "id=1 and 1=1" or "id=1 and 1=2", the former is a test request in which the SQL statement logic in the access parameter is true, and the latter is a test request in which the SQL statement logic in the access parameter is false.
Wherein the server of the web page to be tested may be the server 110 of the web page in fig. 1.
It should be understood that the above test requests (including true requests and false requests) are only exemplary and not limiting to the embodiments of the present application, and that other requests may be implemented in particular. For example, a request that the SQL statement logic in the access parameter is true may also be some logic condition: for example, "id=2 and id=1+1 or id= (3-1) ×1", etc., the same response content as "id=1 and 1=1" can be obtained.
Specifically, for example, the security detection device sends to the server:
requests in which the SQL statement logic in the access parameters is true (http://testphp.vulnweb.com/artists.php?artist=2%20and%201=1), and requests in which the SQL statement logic in the access parameters is false (http://testphp.vulnweb.com/artists.php?artist=2%20and%201=2).
S320, receiving a first web response page corresponding to the first test request and a second web response page corresponding to the second test request.
And S330, rejecting the public part in each web response page, wherein the public part in each web response page is a part irrelevant to SQL injection in the web page to be tested.
Specifically, the security detection device needs to reject the common part in the web response page after obtaining the first web response page and the second web response page.
It should be noted that the common portion in each web response page may be understood as the general content of the web page to be tested. For example, a plurality of access requests are sent for the same web page to be tested, and content which appears in a response page corresponding to each access request is a public part of the web page to be tested. As can be appreciated in connection with FIG. 2 above, the public portion of a web response page can be understood as the content of the public portion of the web page content, such as the navigation bar of FIG. 2.
Optionally, S330 includes:
respectively acquiring a Document Object Model (DOM) tree of the first web response page and a DOM tree of the second web response page;
acquiring a DOM tree of a template of the web page to be tested, wherein the template of the web page to be tested indicates a public part of the web page to be tested;
removing subtrees which are the same as the DOM tree of the template in the DOM tree of the first web response page according to the DOM tree of the template of the web page to be tested;
and removing subtrees in the DOM tree of the second web response page according to the DOM tree of the template of the web page to be tested.
Specifically, the security detection device analyzes the content of the first web response page to obtain a DOM tree of the first web response page. Then, the security detection device uses the DOM tree of the template of the web page to be tested to cut nodes in the DOM tree of the first web response page, and the removed DOM tree of the first web response page does not contain the nodes corresponding to the public part of the web page to be tested. Similarly, the security detection device analyzes the content of the second web response page to obtain a DOM tree of the second web response page, adopts the template of the web page to be tested to cut nodes in the DOM tree of the second web response page, and the removed DOM tree of the second web response page does not contain nodes corresponding to the public part of the web page to be tested.
For ease of understanding, web response pages after common portions are removed are described herein in connection with the example of FIG. 4. As shown in fig. 4, the content of the public portion of the web response page in fig. 4 has been culled, leaving "artist specific content presentation" in comparison to fig. 2. It should be appreciated that the content displayed in the "artist specific content presentation" box may be detailed about the artist, not specifically expanded in fig. 4. Here, fig. 4 can be understood as a normal response page of the web page after the common portion is removed. In addition, for the web page with the public part removed, it will be understood by those skilled in the art that if a test request with true condition is sent to the server of the web page, the same response page as that of fig. 4 can be theoretically obtained; if a test request with a false condition is sent to the server of the web page, the theoretically obtained response page differs from fig. 4 in that the content in the "artist specific content presentation" box is empty.
In this way, each web response page obtained by the security detection device does not include a portion that is not related to the SQL injection in the web page under test.
Alternatively, the security detection device may obtain templates of web pages to be tested. The template of the web page to be tested can be understood as a service model composed of general content of the web page to be tested.
Alternatively, the security detection device may obtain a DOM tree of the template of the web page to be tested. The specific way in which the security detection device acquires the DOM tree of the template of the web page to be tested according to the embodiment of the present application is described in detail below. Optionally, acquiring the template of the web page may specifically include:
the security detection device sends at least two access requests to the server of the web page to be tested, wherein the at least two access requests comprise different access parameters; receiving at least two access response pages; obtaining at least two access DOM trees according to the at least two access response pages; and acquiring the DOM tree of the template of the web page according to the at least two access DOM trees, wherein the DOM tree of the template of the web page to be tested comprises a common subtree of the at least two access DOM trees.
Specifically, the security detection device can send a plurality of access requests to the server of the web page to be tested, where the access requests carry different access parameters so as to obtain different response contents for the web page to be tested. After obtaining the response pages of the access requests, the security detection device parses them to obtain a plurality of DOM trees. The security detection device obtains the common subtree of the DOM trees by traversing and comparing their nodes, and from the common subtrees it obtains the DOM tree of the template of the web page to be tested.
Optionally, the security detection device obtains the common subtree of the at least two access DOM trees by traversing the nodes of the at least two access DOM trees in a reverse direction, and a specific method is described in detail later.
Specifically, the web page to be tested provides an access interface, and web response pages of the web page under different access parameters are obtained through access requests with different access parameters. The at least two access requests may be understood as different URLs for the same web service interface. For example, the web page to be tested includes a news website interface, through which the website presents content at http://a.com/news.php?id=1. For the same news website interface, the security detection device crawls the web page with the service parameter news.php?id=2 and the web page with the service parameter news.php?id=3, so that different web page contents of the news website interface are presented. In the web page content for news.php?id=2 and the web page content for news.php?id=3, everything apart from the parts related to the news content is similar, for example public information such as the shared navigation bar of the web page. These similar parts can be understood as the public content that forms the template of the news website interface. Correspondingly, the DOM tree corresponding to the public content is the DOM tree of the template of the news website interface.
It should be understood that the security detection device may also locally store a template of the web page to be tested, and can be directly used, which is not limited thereto.
S340, calculating the similarity of the non-public part of the first web response page and the non-public part of the second web response page, and detecting the SQL injection risk of the webpage to be tested according to the calculated similarity.
It should be noted that the non-common portion of the first web response page can be understood as follows: a first test request is sent to the server of the web page to be tested, and the public part of the web page is removed from the first web response page; what remains is the non-public part of the first web response page. Similarly, the non-common portion of the second web response page can be understood as follows: a second test request is sent to the server of the web page to be tested, and the public part of the web page is removed from the second web response page; what remains is the non-public part of the second web response page.
Specifically, the security detection device takes the non-public part of the first web response page as a reference, if the second test request is a test request with the SQL statement logic in the access parameter being true, when the similarity between the non-public part of the second web response page and the non-public part of the first web response page exceeds a first threshold, the existence of SQL injection holes can be considered; if the second test request is a test request with the SQL statement logic in the access parameter being false, then the SQL injection vulnerability can be considered to exist when the similarity of the non-public portion of the second web response page and the non-public portion of the first web response page is below a second threshold. It should be understood that the first threshold value and the second threshold value may be preset according to needs or experience, and are not limited thereto.
It should be further understood that in this embodiment of the present application, a test request with the SQL statement logic in at least one access parameter being true and a test request with the SQL statement logic in at least one access parameter being false may also be sent to a server of a web page to be tested at the same time, where similarities between non-public portions of multiple web response pages and non-public portions of a first web response page are calculated respectively. Whether SQL injection holes exist or not can be judged according to the calculated multiple similarities and the preset threshold, wherein the preset threshold can be one or more, and the method for judging SQL holes according to the calculated similarities and the preset threshold is not repeated here.
Optionally, S340 includes: and respectively calculating the similarity of the DOM tree of the first web response page after the subtrees are removed and the DOM tree of the second web response page.
In the embodiment of the application, the security detection device removes all the invalid nodes and eliminates the interference nodes by eliminating the public part in the web response page, so that the character string length of the valid node is only needed to be adopted when the similarity is calculated, the character string length of the invalid node is not needed to be included in a similarity formula for calculation, and the accuracy of vulnerability detection can be improved.
Furthermore, because the content actually presented by the page is greatly different from the background code, some hidden codes are not visible in the image, but SQL injection attack only pays attention to the content seen by the user, so that text comparison is also inaccurate, and after subtrees are removed, the embodiment of the application can also use the image (the effective area image presented to the user is subjected to similarity analysis comparison to obtain more accurate analysis results.
Optionally, S340 includes: rendering the DOM tree of the first web response page after the subtree is removed and the DOM tree of the second web response page after the subtree is removed, and generating at least two test images;
and calculating the image similarity of the at least two test images.
Specifically, the security detection device may perform image rendering on the obtained DOM tree of the first web response page after the subtree is removed and present the corresponding image, and may likewise perform image rendering on the obtained DOM tree of the second web response page after the subtree is removed and present the corresponding image. In this way, the user can compare the rendered images visually (in which case the similarity need not be calculated), or the similarity of the web pages can be calculated by using an image similarity method. Optionally, the image similarity method may be a binarization algorithm or another similarity comparison algorithm in the image field, which is not limited here. Optionally, if the first image similarity meets the corresponding image similarity threshold and the second image similarity meets the corresponding image similarity threshold, an SQL injection vulnerability may be considered to exist. Of course, the image similarity threshold may be set in advance, which is not limited here.
In addition, HTML text contains many strings, such as comments, that interfere with the text similarity, whereas comments and other invisible elements are not presented graphically, so image rendering avoids the interference of such strings with the similarity calculation. That is, if the similarity formula is used, strings such as comments add extra string length and thereby affect the accuracy of the similarity calculation; these problems can be avoided by using the image rendering method.
This is described here in connection with the example of fig. 6. As shown in fig. 6, for the URL http://testphp.vulnweb.com/artists.php?artist=2%20and%201=1, the method of the embodiment of the application is adopted to remove div#siteInfo, div#mashead and div#navBar from the DOM tree corresponding to the source code of the website, and div#content is retained. The left side of fig. 6 is the source code corresponding to the web address after div#siteInfo, div#mashead and div#navBar are removed (the source code may be viewed through a DOM element viewer or obtained otherwise, without limitation), and the right side of fig. 6 is the rendered image of the source code. As can be seen from the image on the right in fig. 6, only the content of the non-public part, namely the content corresponding to div#content, is displayed in the web page after removal. In addition, comment strings are also present in the source code (those skilled in the art will appreciate that only a portion of the comment strings are schematically outlined in fig. 6, and other comment strings are in fact present). Similarly to the comment strings noted above, hidden nodes, cascading style sheets (CSS) or JavaScript code in the web page source code add additional string length, thereby affecting the accuracy of the similarity calculation, while using image rendering can avoid these problems.
Optionally, the security detection device acquires a DOM tree of the template of the web page, which specifically includes: traversing the nodes of at least two access DOM trees in the reverse direction to obtain a common subtree of the at least two access DOM trees, wherein the common subtree of the at least two access DOM trees is the DOM tree of the template of the web page.
Specifically, the security detection device traverses the nodes of the access DOM trees in reverse, that is, upward in the following order: leaf nodes, parent nodes, subtrees, largest subtrees, and so on, comparing them to obtain a common subtree of the multiple DOM trees. The process of extracting a common subtree according to an embodiment of the present application is described below in conjunction with fig. 5. Taking two DOM trees as an example, the specific flow is shown in fig. 5. The security detection device extracts the effective visible text distribution of the leaf nodes of the two DOM trees and judges whether the contents of the leaf nodes of the two DOM trees are the same; if they are the same, the traversal continues; if they are different, the maximum subtree extraction ends. If the two DOM trees have leaf nodes with the same content, the parent nodes of those leaf nodes in the two DOM trees are further extracted, and it is then judged whether the parent nodes of the two DOM trees are the same. If the parent nodes are different, the maximum subtree extraction ends. If the parent nodes are the same, it is also necessary to determine whether other subtrees besides the same parent node exist in the two DOM trees: if such other subtrees exist, the traversal process continues on those other subtrees; if no such other subtrees exist, the parent nodes of both sides continue to be extracted. It should be understood that the process of extracting the common subtrees is described here by taking two DOM trees as an example, and the embodiment of the present application does not limit the number of DOM trees.
The details are described below in connection with the DOM trees in fig. 7. As shown in fig. 7, the first leaf node labeled a of DOM tree 1 (id=1) and of DOM tree 2 (id=2) is selected for comparison. For example, the leaf node labeled a of DOM tree 1 and the leaf node labeled a of DOM tree 2 both correspond to the content "About Us" in the web page, so leaf node a of DOM tree 1 and leaf node a of DOM tree 2 are considered to be the same. Next, the parent node of the leaf node labeled a in the DOM tree with id=1 and the parent node of the leaf node labeled a in the DOM tree with id=2 are extracted, and it is judged whether the two parent nodes are identical; if the parent nodes are not identical, the maximum subtree extraction ends. Here, since the parent nodes corresponding to the leaf nodes labeled a of DOM tree 1 and DOM tree 2 are the same, and there are other leaf nodes labeled a, it is also necessary to compare the other leaf nodes labeled a under the parent node in DOM tree 1 with those under the parent node in DOM tree 2, and the result is also the same. The comparison then continues in the same way with the parent nodes further up. When subtrees are compared, since subtrees with different contents exist in tree 1 and tree 2, for example, the subtree including content 1 in tree 1 is different from the subtree including content 2 in tree 2, the largest common subtree extracted at this time is subtree x. Similarly, other largest common subtrees, such as subtree y, may also be extracted by deriving in reverse from other leaf nodes. Thus, subtree x and subtree y constitute the DOM tree of the template of the web page under test.
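The reverse traversal described above, combined with the subtree removal and the threshold check on the non-public parts described earlier for the true-logic and false-logic requests, as an added Python example that is not code from the patent. The pages are constructed samples, the function names are hypothetical, `difflib.SequenceMatcher` stands in for the patent's similarity formula, and the thresholds 0.9 and 0.5 are assumed values.

```python
from difflib import SequenceMatcher
from html.parser import HTMLParser

VOID = {"br", "hr", "img", "input", "link", "meta"}  # elements without an end tag

class Node:
    def __init__(self, tag, attrs=(), parent=None):
        self.tag, self.attrs, self.parent = tag, tuple(attrs), parent
        self.children, self.text = [], ""
    def signature(self):
        # Subtrees are "the same" when tag, attributes, text and children match.
        return (self.tag, self.attrs, " ".join(self.text.split()),
                tuple(c.signature() for c in self.children))

class TreeBuilder(HTMLParser):
    # Minimal DOM builder; comments are dropped (handle_comment not overridden).
    def __init__(self):
        super().__init__()
        self.root = self.cur = Node("#root")
    def handle_starttag(self, tag, attrs):
        node = Node(tag, attrs, self.cur)
        self.cur.children.append(node)
        if tag not in VOID:
            self.cur = node
    def handle_endtag(self, tag):
        node = self.cur
        while node.parent is not None and node.tag != tag:
            node = node.parent
        if node.parent is not None:      # ignore stray end tags
            self.cur = node.parent
    def handle_data(self, data):
        self.cur.text += data

def parse(html):
    builder = TreeBuilder()
    builder.feed(html)
    builder.close()
    return builder.root

def walk(node):
    for child in node.children:
        yield child
        yield from walk(child)

def build_template(access_html_a, access_html_b):
    # Reverse traversal: start at each leaf of page A that also occurs in page B
    # and climb while the parent subtree is identical in both pages.
    tree_a, tree_b = parse(access_html_a), parse(access_html_b)
    in_b = {n.signature() for n in walk(tree_b)}
    template = set()
    for leaf in (n for n in walk(tree_a) if not n.children):
        if leaf.signature() not in in_b:
            continue
        top = leaf
        while top.parent.tag != "#root" and top.parent.signature() in in_b:
            top = top.parent
        template.add(top.signature())
    return template

def strip_template(node, template):
    # Remove every subtree that is identical to a template subtree.
    node.children = [c for c in node.children if c.signature() not in template]
    for child in node.children:
        strip_template(child, template)
    return node

def visible_text(node):
    if node.tag in ("script", "style"):
        return ""
    parts = [node.text] + [visible_text(c) for c in node.children]
    return " ".join(" ".join(parts).split())

def non_public_text(html, template):
    return visible_text(strip_template(parse(html), template))

def similarity(a, b):
    # Assumption: difflib ratio stands in for the patent's similarity formula.
    return SequenceMatcher(None, a, b).ratio()

def injection_suspected(reference_html, test_html, template, logic_true,
                        first_threshold=0.9, second_threshold=0.5):
    # Thresholds are assumed values; the patent leaves them to be preset.
    sim = similarity(non_public_text(reference_html, template),
                     non_public_text(test_html, template))
    if logic_true:
        return sim > first_threshold, sim
    return sim < second_threshold, sim

# Constructed sample pages: shared navigation and footer around one content div.
PAGE = ('<html><body><div id="navBar"><a href="/about">About Us</a>'
        '<a href="/artists">Browse artists</a><a href="/cart">Your cart</a></div>'
        '<!-- constructed comment --><div id="content">{content}</div>'
        '<div id="siteInfo"><p>Constructed demo site. All content on this page '
        'is sample data.</p></div></body></html>')
ACCESS_1 = PAGE.format(content="<h2>Artist: Sample One</h2><p>Paints large abstract canvases.</p>")
ACCESS_3 = PAGE.format(content="<h2>Artist: Sample Three</h2><p>Works mainly in charcoal.</p>")
REFERENCE = PAGE.format(content="<h2>Artist: Sample Two</h2><p>Sculptor working in recycled steel.</p>")
TRUE_RESPONSE = REFERENCE                  # true-logic parameter: same record returned
FALSE_RESPONSE = PAGE.format(content="")   # false-logic parameter: no record returned
```

On these samples the false-logic response still scores well above the second threshold when the whole page text is compared, because the navigation and footer dominate; after the template subtrees are removed it scores 0.0 against the reference.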
It should be understood that the examples in fig. 2, 4-7 are merely for convenience of understanding the embodiments of the present application by those skilled in the art, and are not intended to limit the embodiments of the present application to the specific scenarios illustrated. It will be apparent to those skilled in the art from the examples of fig. 2, 4-7 that various equivalent modifications or variations may be made, and such modifications or variations are within the scope of the embodiments of the present application. The method for detecting the security of the web page according to the embodiment of the present application is described in detail above with reference to fig. 1 to 7. A device for detecting security of a web page according to an embodiment of the present application will be described below with reference to fig. 8 and 9. It should be understood that the technical features described for the method embodiments are equally applicable to the following device embodiments.
Fig. 8 shows a schematic block diagram of a detection device 800 for security of a web page according to an embodiment of the present application, the detection device 800 being usable with the security detection device 120 of fig. 1. Alternatively, the embodiment of the apparatus 800 may be implemented by software and/or hardware, which is not limited in this application. The apparatus 800 includes:
a test response acquisition unit 810 and a similarity calculation unit 820;
the test response acquisition unit 810 is configured to:
sending a first test request and a second test request to a server of a web page to be tested, wherein the first test request comprises legal test parameters, and the second test request comprises illegal test parameters;
receiving a first web response page corresponding to the first test request and a second web response page corresponding to the second test request;
the similarity calculation unit 820 is configured to:
rejecting public parts in each web response page, wherein the public parts in each web response page are parts irrelevant to SQL injection in the web page to be tested;
and calculating the similarity of the non-public part of the first web response page and the non-public part of the second web response page, and detecting the SQL injection risk of the web page to be tested according to the calculated similarity.
Optionally, the detection device 800 further includes a public part acquisition unit 830,
wherein the public part acquiring unit 830 is configured to acquire a DOM tree of a template of the web page to be tested, where the template of the web page to be tested indicates a public part of the web page to be tested;
the similarity calculation unit 820 is configured to reject a common portion in each web response page, and specifically includes:
respectively acquiring a DOM tree of the first web response page and a DOM tree of the second web response page;
removing subtrees in the DOM tree of the first web response page according to the DOM tree of the template of the web page to be tested, which is acquired by the public part acquiring unit 830;
and removing subtrees in the DOM tree of the second web response page according to the DOM tree of the template of the web page to be tested.
In an optional implementation manner, the similarity calculating unit 820 is configured to obtain a DOM tree of the template of the web page to be tested, and specifically includes:
sending at least two access requests to a server of the web page to be tested, wherein the at least two access requests contain different access parameters;
receiving at least two access response pages;
obtaining at least two access DOM trees according to the at least two access response pages;
and acquiring the DOM tree of the template of the web page according to the at least two access DOM trees, wherein the DOM tree of the template of the web page comprises a common subtree of the at least two access DOM trees.
Optionally, the similarity calculating unit 820 is configured to obtain a DOM tree of the template of the web page, and specifically includes:
and traversing the nodes of the at least two access DOM trees reversely to acquire a public subtree of the at least two access DOM trees.
In an alternative implementation manner, the similarity calculating unit 820 is configured to calculate a similarity between the non-public part of the first web response page and the non-public part of the second web response page, and specifically includes:
and calculating the similarity between the DOM tree of the first web response page after the subtree is removed and the DOM tree of the second web response page after the subtree is removed.
In an optional implementation manner, the similarity calculating unit 820 is configured to calculate the similarity of the at least two rejected test DOM trees, and specifically includes:
rendering the DOM tree of the first web response page after the subtree is removed and the DOM tree of the second web response page after the subtree is removed, and generating at least two test images;
and calculating the image similarity of the at least two test images.
It should be understood that the apparatus 800 for detecting the security of the web page according to the embodiment of the present application may correspond to the method for detecting the security of the web page in the foregoing method embodiment, for example, the method in fig. 3, and the foregoing and other management operations and/or functions of each module in the apparatus 800 are respectively for implementing the corresponding steps of the method in the foregoing method embodiment, so that the beneficial effects in the foregoing method embodiment may also be implemented, which is not repeated herein for brevity.
Fig. 9 shows a schematic block diagram of a detection apparatus 900 for security of a web page according to an embodiment of the present application. As shown in fig. 9, the detection apparatus 900 includes a processing unit 901 and a communication interface 902, where the processing unit 901 is configured to execute functions defined by an operating system and various software programs running on the detection apparatus 900, for example, functions of various software components on the security detection apparatus 800 shown in fig. 8 described above, and specifically, for example, the processing unit 901 is configured to implement functions of the similarity calculation unit 820. The communication interface 902 is configured to perform communication interaction with other computing nodes, and the communication interface 902 is configured to implement the function of the test response acquiring unit 810. The other computing nodes may be other physical servers and in particular the communication interface 902 may be a network adapter card. Optionally, the detecting apparatus 900 may further include an input/output interface 903, where the input/output interface 903 is connected to an input/output device, for receiving input information and outputting an operation result. The input/output interface 903 may be a mouse, keyboard, display, or optical drive. Optionally, the physical server may further include a secondary memory 904, also commonly referred to as external memory, where the storage medium of the secondary memory 904 may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., an optical disk), or a semiconductor medium (e.g., a solid state disk), etc. 
The processing unit 901 may have various specific implementations. For example, the processing unit 901 may include a processor 9011 and a memory 9012, where the processor 9011 performs related operations according to a program unit stored in the memory 9012; the processor 9011 may be a central processing unit (CPU) or a graphics processing unit (GPU), and the processor 9011 may be a single-core processor or a multi-core processor. The processing unit 901 may also be implemented by a logic device with built-in processing logic, such as a field programmable gate array (FPGA) or a digital signal processor (DSP). In addition, fig. 9 is merely one example of a security device, which may include more or fewer components than illustrated in fig. 9, or a different arrangement of components.
The method disclosed in the embodiments of the present application may be applied to a processor or implemented by a processor. The processor may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method embodiments may be implemented by integrated logic circuits of hardware in a processor or by instructions in software form. The processor may be a general purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, a system on chip (SoC), a central processing unit (CPU), a network processor (NP), a digital signal processing circuit (DSP), a microcontroller (micro controller unit, MCU), a programmable controller (programmable logic device, PLD) or another integrated chip. The processor may implement or perform the methods, steps, and logic blocks disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of a method disclosed in connection with the embodiments of the present application may be embodied directly as being executed by a hardware decoding processor, or by a combination of hardware and software modules in a decoding processor. The software modules may be located in a storage medium well known in the art, such as a random access memory, flash memory, read only memory, programmable read only memory, electrically erasable programmable memory, or registers. The storage medium is located in a memory, and the processor reads the information in the memory and, in combination with its hardware, performs the steps of the above method.
It will be appreciated that the memory in embodiments of the present application may be either volatile memory or nonvolatile memory, or may include both volatile and nonvolatile memory. The nonvolatile memory may be a read-only memory (ROM), a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable PROM (EEPROM), or a flash memory. The volatile memory may be random access memory (RAM), which acts as an external cache. By way of example, and not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM), and direct rambus RAM (DR RAM). It should be noted that the memory of the systems and methods described herein is intended to comprise, without being limited to, these and any other suitable types of memory.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application, in essence, or the part contributing to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program code.
The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (11)

1. A method of detecting web page security, comprising:
sending a first test request and a second test request to a server of a web page to be tested, wherein the first test request comprises a legal test request, and the second test request comprises an illegal test request;
receiving a first web response page corresponding to the first test request and a second web response page corresponding to the second test request;
rejecting the public part in each web response page, wherein the public part in each web response page is a part irrelevant to Structured Query Language (SQL) injection in the web page to be tested, and the method comprises the following steps: respectively acquiring a Document Object Model (DOM) tree of the first web response page and a DOM tree of the second web response page; acquiring a DOM tree of a template of the web page to be tested, wherein the template of the web page to be tested indicates a public part of the web page to be tested; removing subtrees which are the same as the DOM tree of the template in the DOM tree of the first web response page according to the DOM tree of the template of the web page to be tested; removing subtrees which are the same as the DOM tree of the template in the DOM tree of the second web response page according to the DOM tree of the template of the web page to be tested;
and calculating the similarity of the non-public part of the first web response page and the non-public part of the second web response page, and detecting the SQL injection risk of the webpage to be tested according to the calculated similarity.
2. The method according to claim 1, wherein the obtaining the DOM tree of the template of the web page to be tested specifically comprises:
sending at least two access requests to a server of the web page to be tested, wherein the at least two access requests comprise different access parameters;
receiving at least two access response pages;
obtaining at least two access DOM trees according to the at least two access response pages;
and acquiring the DOM tree of the template of the web page according to the at least two access DOM trees, wherein the DOM tree of the template of the web page comprises a common subtree of the at least two access DOM trees.
3. The method according to claim 2, wherein the obtaining the DOM tree of the template of the web page specifically comprises:
and traversing the nodes of the at least two access DOM trees reversely to acquire a public subtree of the at least two access DOM trees.
4. A method according to any of claims 1-3, wherein said calculating the similarity of the non-common part of the first web response page to the non-common part of the second web response page comprises:
and calculating the similarity between the DOM tree of the first web response page after the subtree is removed and the DOM tree of the second web response page after the subtree is removed.
5. A method according to any one of claims 1-3, wherein said calculating the similarity of said at least two culled test DOM trees comprises:
rendering the DOM tree of the first web response page after the subtree is removed and the DOM tree of the second web response page after the subtree is removed, and generating at least two test images;
and calculating the image similarity of the at least two test images.
6. The device for detecting the safety of the web page is characterized by comprising a test response acquisition unit, a public part acquisition unit and a similarity calculation unit;
the test response acquisition unit is used for:
sending a first test request and a second test request to a server of a web page to be tested, wherein the first test request comprises legal test parameters, and the second test request comprises illegal test parameters;
receiving a first web response page corresponding to the first test request and a second web response page corresponding to the second test request;
the common portion acquisition unit is configured to:
acquiring a DOM tree of a template of the web page to be tested, wherein the template of the web page to be tested indicates a public part of the web page to be tested;
the similarity calculation unit is used for:
rejecting public parts in each web response page, wherein the public parts in each web response page are parts irrelevant to SQL injection in the web page to be tested, and the method specifically comprises the following steps:
respectively acquiring a DOM tree of the first web response page and a DOM tree of the second web response page;
removing subtrees which are the same as the DOM tree of the template in the DOM tree of the first web response page according to the DOM tree of the template of the web page to be tested, which is acquired by the public part acquisition unit;
removing subtrees which are the same as the DOM tree of the template in the DOM tree of the second web response page according to the DOM tree of the template of the web page to be tested;
and calculating the similarity of the non-public part of the first web response page and the non-public part of the second web response page, and detecting the SQL injection risk of the web page to be tested according to the calculated similarity.
7. The detection apparatus according to claim 6, wherein the similarity calculation unit is configured to obtain a DOM tree of a template of the web page to be tested, and specifically includes:
sending at least two access requests to a server of the web page to be tested, wherein the at least two access requests contain different access parameters;
receiving at least two access response pages;
obtaining at least two access DOM trees according to the at least two access response pages;
and acquiring the DOM tree of the template of the web page according to the at least two access DOM trees, wherein the DOM tree of the template of the web page comprises a common subtree of the at least two access DOM trees.
8. The detection apparatus according to claim 7, wherein the similarity calculation unit is configured to obtain a DOM tree of a template of the web page, and specifically includes:
and traversing the nodes of the at least two access DOM trees reversely to acquire a public subtree of the at least two access DOM trees.
9. The detection apparatus according to any one of claims 6 to 8, wherein the similarity calculation unit is configured to calculate a similarity between the non-common portion of the first web response page and the non-common portion of the second web response page, and specifically includes:
and calculating the similarity between the DOM tree of the first web response page after the subtree is removed and the DOM tree of the second web response page after the subtree is removed.
10. The detection apparatus according to any one of claims 6 to 8, wherein the similarity calculation unit is configured to calculate a similarity of the at least two rejected test DOM trees, and specifically includes:
rendering the DOM tree of the first web response page after the subtree is removed and the DOM tree of the second web response page after the subtree is removed, and generating at least two test images;
and calculating the image similarity of the at least two test images.
11. A computing device comprising at least one processor and a storage unit;
the storage unit is used for storing instructions;
the processor is coupled with the storage unit, which when executed by the at least one processor, causes the processor to perform the method of any of claims 1-5.
CN201880095842.6A 2018-08-17 2018-08-17 Method and device for detecting web page security Active CN112470154B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2018/101148 WO2020034212A1 (en) 2018-08-17 2018-08-17 Method and device for checking web page security

Publications (2)

Publication Number Publication Date
CN112470154A CN112470154A (en) 2021-03-09
CN112470154B true CN112470154B (en) 2024-03-05

Family

ID=69524556

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201880095842.6A Active CN112470154B (en) 2018-08-17 2018-08-17 Method and device for detecting web page security

Country Status (2)

Country Link
CN (1) CN112470154B (en)
WO (1) WO2020034212A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2598412A (en) 2020-08-18 2022-03-02 Clario Tech Ltd A method for detecting a web skimmer on a "payment page"
CN113377867B (en) * 2021-06-10 2022-10-21 四川省明厚天信息技术股份有限公司 Data synchronization method and device and electronic equipment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102831345A (en) * 2012-07-30 2012-12-19 西北工业大学 Injection point extracting method in SQL (Structured Query Language) injection vulnerability detection
CN106919503A (en) * 2016-11-15 2017-07-04 阿里巴巴集团控股有限公司 The method of testing and device of application program

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8510237B2 (en) * 2011-03-15 2013-08-13 Qualcomm Incorporated Machine learning method to identify independent tasks for parallel layout in web browsers
CN102799830B (en) * 2012-08-06 2015-06-17 厦门市美亚柏科信息股份有限公司 Improved SQL (Structured Query Language) injection flaw detection method
CN105279086B (en) * 2015-10-16 2018-01-19 山东大学 A kind of method of the automatic detection e-commerce website logic leak based on flow chart
CN106503244A (en) * 2016-11-08 2017-03-15 天津海量信息技术股份有限公司 A kind of processing method of URL similarity

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
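SQL injection vulnerability detection based on DOM tree sequence value comparison; 罗明宇; Computer Engineering and Design; Vol. 36, No. 2; pp. 350-354 *
SQL injection vulnerability detection based on web page DOM tree comparison; 张晨; Computer Engineering; Vol. 38, No. 18; pp. 111-115 *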

Also Published As

Publication number Publication date
WO2020034212A1 (en) 2020-02-20
CN112470154A (en) 2021-03-09

Similar Documents

Publication Publication Date Title
CN107204960B (en) Webpage identification method and device and server
US9448999B2 (en) Method and device to detect similar documents
US20150295942A1 (en) Method and server for performing cloud detection for malicious information
JP6203374B2 (en) Web page style address integration
CN108021692B (en) Method for monitoring webpage, server and computer readable storage medium
US20090070366A1 (en) Method and system for web document clustering
US9904936B2 (en) Method and apparatus for identifying elements of a webpage in different viewports of sizes
WO2015047920A1 (en) Title and body extraction from web page
CN109033282B (en) Webpage text extraction method and device based on extraction template
CN105279277A (en) Knowledge data processing method and device
CN109376291B (en) Website fingerprint information scanning method and device based on web crawler
CN102314497B (en) Method and equipment for identifying body contents of markup language files
CN106960058B (en) Webpage structure change detection method and system
CN109857992A (en) Medical data structuring analytic method, device, readable medium and electronic equipment
CN106021383A (en) Method and device for computing similarity of webpages
CN112470154B (en) Method and device for detecting web page security
CN111224923B (en) Detection method, device and system for counterfeit websites
CN109271598B (en) Method, device and storage medium for extracting news webpage content
Mehta et al. DOM tree based approach for web content extraction
CN107786529B (en) Website detection method, device and system
CN106446123A (en) Webpage verification code element identification method
CN111460803A (en) Equipment identification method based on Web management page of industrial Internet of things equipment
CN111125704B (en) Webpage Trojan horse recognition method and system
CN107783983B (en) Information display method and device
CN114528811B (en) Article content extraction method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20220208

Address after: 550025 Huawei cloud data center, jiaoxinggong Road, Qianzhong Avenue, Gui'an New District, Guiyang City, Guizhou Province

Applicant after: Huawei Cloud Computing Technology Co.,Ltd.

Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Applicant before: HUAWEI TECHNOLOGIES Co.,Ltd.

GR01 Patent grant