CN112632447B - Website dynamic application safety protection method - Google Patents
- Publication number
- CN112632447B (application CN202110040482.3A)
- Authority
- CN
- China
- Prior art keywords
- data
- signature
- json
- submitted
- token
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/95—Retrieval from the web
- G06F16/958—Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Databases & Information Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- Bioethics (AREA)
- Software Systems (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Health & Medical Sciences (AREA)
- Health & Medical Sciences (AREA)
- Data Mining & Analysis (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a website dynamic application safety protection method comprising the following steps: S1, after the system starts, the basic data of the dynamic application is loaded into a json file; S2, the user initiates a GET request for the application, the javascript in the requested page parses the json file and renders the page, and the rendered page is returned to the user; S3, the user initiates a POST request, the server issues a token for the POST form, and the token is submitted together with the form; S4, on receiving the submitted token and data, the server verifies whether the submitted token matches the issued token and checks the validity of the submitted data; S5, the data in the JSON file is read in batches, the data signature of each record is calculated and compared with the signature of the corresponding record in the signature file; S6, the system judges whether the background basic data has been updated, reloads the basic data into the json file, and repeats steps S2-S5. The invention ensures the security and continuous high availability of the dynamic application.
Description
Technical Field
The invention relates to the technical field of website security, in particular to a security protection method for dynamic website applications.
Background
Existing dynamic website applications lack effective security protection of their own and rely essentially on a third-party firewall to ensure security; as access volume grows and the access environment becomes more complex, the security and high availability of the dynamic application face serious challenges. Under attack, dynamic applications are either brought down or respond slowly and cannot be used normally, and they may even be exploited to obtain data illegitimately. This harms the website and reduces public trust in it.
Meanwhile, a traditional network firewall provides only standard protection; it cannot provide protection customized to the actual scenario of the dynamic application, so the dynamic application has no good protection method. Under heavy concurrent access or a DDoS attack, resource consumption on the server side becomes very large, which may slow the service or even bring it down. How to provide a security protection method for dynamic website applications is therefore a problem that urgently needs to be solved by those skilled in the art.
Disclosure of Invention
The present invention aims to solve, at least to some extent, one of the technical problems in the related art. Accordingly, one purpose of the invention is to provide a website dynamic application security protection method that improves page access speed by making GET requests static, thoroughly solves the security problem of dynamic requests once GET requests are static, uses a json file for data transfer, and keeps the system background running stably under heavy concurrent access so that service is provided continuously.
The website dynamic application safety protection method according to an embodiment of the invention comprises the following steps:
S1, after the system starts, loading the basic data of the dynamic application into a json file;
S2, the user initiates a GET request for the application, the javascript in the requested page parses the json file and renders the page, and the rendered page is returned to the user;
S3, the user initiates a POST request, the server issues a token for the POST form, and the token is submitted together with the form;
S4, on receiving the submitted token and data, the server verifies whether the submitted token matches the issued token and checks the validity of the submitted data;
S5, reading the data in the JSON file in batches, calculating the data signature of each record and judging whether it is consistent with the signature of the corresponding record in the signature file;
S6, judging whether the background basic data has been updated, reloading the basic data into the json file, and repeating steps S2-S5 so that the basic data parsed by the front-end page is always the latest.
Preferably, parsing the json file and rendering the page in S2 comprises the following steps:
S21, reading the content of the json file into a json string using javascript;
S22, converting the json string into a json object;
S23, taking the data out of the json object by its keys and filling it into the designated positions of the page.
Preferably, the consistency check in S4 comprises the following judgments:
if the tokens are inconsistent, the user's request is directly rejected as illegal;
if they are consistent, the token check passes.
Preferably, the validity check in S4 comprises the following judgments:
if the data is valid, the data is written to the json file, a data signature of the data just written is generated at the same time, and the data signature is stored in a signature file;
if the data is invalid, the user is notified of the invalid information.
Preferably, comparing the data signature with the signature of the corresponding record in S5 comprises the following judgments:
if they are inconsistent, the data is judged to have been tampered with, storage is abandoned and a log is recorded;
if they are consistent, the data is persisted to a database.
Preferably, the data signature is an MD5 value.
Preferably, checking the validity of the data in S4 comprises the following steps:
S41, judging whether every mandatory field has been filled in;
S42, judging whether the format of each field satisfies its check rule, the rule being matched by a regular expression;
S43, judging whether the submitted content contains sensitive information;
S44, judging whether a field that is not the content of a rich-text editor contains an HTML tag, which if present creates a risk of a stored cross-site scripting attack.
Compared with the prior art, the invention has the following beneficial effects:
(1) The invention provides a dynamic application data exchange method based on a json data structure. The basic data and the submitted data of the dynamic application are stored on the front-end server in json format; the json data is parsed by javascript in the front-end page and the page is then rendered, so all GET requests become static and accessing the dynamic application is just like accessing a static article page of the website. For dynamic requests, a token is issued for the form, the token is verified, and then the submitted form data is checked; the form data is written to a json file and persisted to the database in batches. As a result, the load on the back-end service is reduced and the security and continuous high availability of the dynamic application are ensured.
(2) According to the method, the basic data the dynamic application needs is loaded into the json file in advance, and for a GET request the page is rendered by the javascript executed in the page, so the whole access process needs no participation of a back-end service at all. For a POST request, the server first issues a token for the form; when the data is submitted the token is verified first and then the data, and only after both checks pass is the data written to the json file and then stored in the database in batches. The back-end application can therefore always be kept in a stable state, while common SQL injection, cross-site scripting, CSRF and DDoS attacks are well resisted.
(3) The json file serves as the transfer point for front-end and back-end data: both sides interact with the json file, the front end renders the page by parsing the json with javascript, and the back end writes data into the json file, which achieves data exchange and real-time transmission. The originally dynamic GET requests of the dynamic application become static, the number of dynamic requests is greatly reduced, and the token technique is used for security checks on the very small number of POST requests, which guarantees the security and high availability of the dynamic application within the website.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention and not to limit the invention. In the drawings:
FIG. 1 is a flow chart of a method for dynamically applying security protection to a website according to the present invention;
FIG. 2 is a rendered page in the website dynamic application security protection method according to embodiment 1 of the present invention.
Detailed Description
The present invention will now be described in further detail with reference to the accompanying drawings. These drawings are simplified schematic views illustrating only the basic structure of the present invention in a schematic manner, and thus show only the constitution related to the present invention.
Referring to FIG. 1, a method for protecting the security of a dynamic website application comprises the following steps:
S1, after the system starts, loading the basic data of the dynamic application into a json file;
S2, the user initiates a GET request for the application, the javascript in the requested page parses the json file and renders the page, and the rendered page is returned to the user;
parsing the json file and rendering the page comprises the following steps:
S21, reading the content of the json file into a json string using javascript;
S22, converting the json string into a json object;
S23, taking the data out of the json object by its keys and filling it into the designated positions of the page.
S3, the user initiates a POST request, the server issues a token for the POST form, and the token is submitted together with the form;
S4, on receiving the submitted token and data, the server verifies whether the submitted token matches the issued token and checks the validity of the submitted data;
verifying consistency comprises the following judgments:
if the tokens are inconsistent, the user's request is directly rejected as illegal;
if they are consistent, the token check passes.
Verifying validity comprises the following judgments:
if the data is valid, the data is written to the json file, a data signature of the data just written is generated at the same time, and the data signature is stored in a signature file;
if the data is invalid, the user is notified of the invalid information.
Checking the validity of the data comprises the following steps:
S41, judging whether every mandatory field has been filled in;
S42, judging whether the format of each field satisfies its check rule, the rule being matched by a regular expression;
S43, judging whether the submitted content contains sensitive information;
S44, judging whether a field that is not the content of a rich-text editor contains an HTML tag, which if present creates a risk of a stored cross-site scripting attack.
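The server-side half of steps S3 and S4 (token issuance, the token consistency check, and the S41-S44 data checks), written out as an added example; this is not code from the patent. The session-keyed token store, the single-use policy, the constant-time comparison, the field names and the check rules are all assumptions made for the example:

```python
"""Server side of steps S3/S4: issue a token for the form, verify it on POST
with a constant-time comparison, then run the S41-S44 data checks.
Added example, not the patent's code. The session-keyed token store, the
single-use policy, the field names and the rules below are all assumptions."""
import hmac
import html
import re
import secrets

# Assumed rules for the leader-mailbox form of Example 1.
REQUIRED_FIELDS = ("mailtype", "leaderCode", "wbtitle", "wbcontent")   # S41
FIELD_RULES = {                                                         # S42
    "mailtype": re.compile(r"[a-z]{2}"),          # letter type code, e.g. "ts"
    "leaderCode": re.compile(r"[a-z]{2}"),        # receiving leader code, e.g. "sz"
    "wbtitle": re.compile(r".{1,100}", re.S),
    "wbcontent": re.compile(r".{1,2000}", re.S),
}
SENSITIVE_WORDS = ("blocked-word",)              # S43: constructed placeholder list
RICH_TEXT_FIELDS = frozenset()                   # S44: none of these fields is a rich-text editor
HTML_TAG = re.compile(r"<[^>]*>")

_issued_tokens = {}   # session id -> token the server issued for that session's form


def issue_token(session_id):
    """S3: create an unguessable token and remember it server-side."""
    token = secrets.token_hex(16)
    _issued_tokens[session_id] = token
    return token


def hidden_field(token):
    """Render the token as the hidden input the patent inserts into the form."""
    return '<input type="hidden" name="csrf_token" id="csrf_token" value="%s"/>' % html.escape(token)


def verify_token(session_id, submitted):
    """S4 consistency check. The token is consumed on first use (assumption)."""
    issued = _issued_tokens.pop(session_id, None)
    if issued is None or not isinstance(submitted, str):
        return False
    # Constant-time comparison so the check leaks nothing about the issued value.
    return hmac.compare_digest(issued.encode("utf-8"), submitted.encode("utf-8"))


def validate_form(form):
    """S41-S44. Returns a list of problems; an empty list means the data is valid."""
    errors = []
    for name in REQUIRED_FIELDS:                                   # S41
        if not form.get(name, "").strip():
            errors.append("%s: required" % name)
    for name, rule in FIELD_RULES.items():                         # S42
        value = form.get(name, "")
        if value and not rule.fullmatch(value):
            errors.append("%s: bad format" % name)
    for name, value in form.items():
        if any(word in value for word in SENSITIVE_WORDS):         # S43
            errors.append("%s: sensitive content" % name)
        if name not in RICH_TEXT_FIELDS and HTML_TAG.search(value):  # S44
            errors.append("%s: HTML not allowed" % name)
    return errors


def handle_post(session_id, form):
    """Whole S4 decision: token first, then data; mirrors the patent's two outcomes."""
    if not verify_token(session_id, form.get("csrf_token")):
        return "illegal request"
    errors = validate_form(form)
    if errors:
        return "illegal information: " + "; ".join(errors)
    return "ok"


if __name__ == "__main__":
    sid = "session-1"                       # constructed session id
    token = issue_token(sid)
    print(hidden_field(token))
    print(handle_post(sid, {"csrf_token": token, "mailtype": "ts", "leaderCode": "sz",
                            "wbtitle": "Road not repaired", "wbcontent": "Please repair it."}))
```

The order matters: the token is checked before any field is parsed, so a request without a valid token never reaches the regular-expression or HTML checks, which is what keeps the cost of a rejected request low. The S44 rule is a coarse blacklist of tags; output encoding when the stored content is rendered is still required, because a tag-free string can still contain characters that are meaningful in an HTML attribute context.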
S5, reading the data in the JSON file in batches, calculating the data signature of each record and judging whether it is consistent with the signature of the corresponding record in the signature file;
comparing the data signature with the signature of the corresponding record comprises the following judgments:
if they are inconsistent, the data is judged to have been tampered with, storage is abandoned and a log is recorded;
if they are consistent, the data is persisted to a database.
Preferably, the data signature is an MD5 value.
And S6, judging whether the background basic data are updated, reloading the basic data into the json file, and repeating the steps S2-S5 to ensure that the basic data analyzed by the front-end page are always the latest basic data.
The method comprises the steps that a json file is used as a transfer point of front-end and back-end data, the front-end and back-end data are interacted with the json file, the front end analyzes a json rendered page through javascript, and the back end writes the data into the json file, so that the processes of data exchange and real-time transmission are achieved. The original dynamic GET requests of the dynamic applications are staticized, the number of the dynamic requests is greatly reduced, and the token technology is used for carrying out security verification on the extremely small number of POST requests, so that the security and the high availability of the dynamic applications in the website are guaranteed.
Example 1:
The technique is used in a website leader mailbox system; the specific application method is as follows:
S1, when the system is initialized, the leader data and the letter type data are loaded into the leader.json and mailtype.json files respectively; the file format is as follows:
leader.json
[{"leaderCode":"sz","leaderName":"Mayor"},
 {"leaderCode":"sj","leaderName":"Secretary"}]
mailtype.json
[{"typeCode":"ts","typeName":"complaint"},
 {"typeCode":"jy","typeName":"suggestion"}]
S2, referring to FIG. 2, when the user requests the write-letter page, javascript parses leader.json and mailtype.json, fills the receiving-leader and letter-type fields, and renders the writing page for display to the user;
S3, when the form data is submitted, the server first issues a token for the form and inserts it into the form code as a hidden field. The token is stored in the following form:
<input type="hidden" name="csrf_token" id="csrf_token"
value="c5891c76-b5c6-4b55-a37d-7a1b35db18b3"/>
S4, the data is submitted by POST; the server checks whether the csrf_token submitted by the client matches the token it issued. If not, the user's request is directly rejected as illegal; if so, the validity of the submitted form data is checked. After the form data passes verification, it is written to the leadermail.json file, and its data signature (MD5) is calculated and stored in the leadermailmd5.json file, in the following format:
leadermail.json
[{"mailid":"1001","mailtype":"ts","leaderCode":"sz","wbtitle":"Why has the road at our community gate still not been repaired?","wbiosope":"0","wbconductor":"Dear leaders, hello. The road at our community gate has been under repair since January this year. The project was announced to finish in May, but it is now June and the road is still a mess; the commute to work is badly congested every day. When will it be finished?"}]
leadermailmd5.json
[{"mailid":"1001","mailmd5":"0F100C9BAE00BCEA7893CE0E6131B533"}]
S5, 10 records following the last stored mailid are read sequentially from the leadermail.json file (if no last stored mailid exists, calculation starts from the first row); the data signature of each record is calculated and compared with the signature of the corresponding mailid in the leadermailmd5.json file. If the signatures are inconsistent, the data is judged to have been tampered with, storage is abandoned and a log is recorded; if they are consistent, the data is written to the database in batches and the last stored mailid is then recorded, until all the data has been written;
S6, after the background leader replies to the letter, the reply content is written to the leadermailreplay.json file for the foreground javascript to call. The format is as follows:
leadermailreplay.json
[{"mailid":"1001","wbrechent":"Dear citizen, hello. After our investigation, the construction period was slightly delayed by the epidemic. Work is now proceeding at full speed and will be fully completed in August. We apologize for the inconvenience and thank you for supervising our work."}]
S7, when a mail type called "consult" is added in the system background, mailtype.json is updated so that the file becomes:
mailtype.json
[{"typeCode":"ts","typeName":"complaint"},
 {"typeCode":"jy","typeName":"suggestion"},
 {"typeCode":"zx","typeName":"consult"}]
In the embodiment, the basic data and the submitted data of the dynamic application are stored in the front-end server in a json format, the json data is analyzed by javascript on the page of the front-end server, and then rendering the page, and staticizing all GET requests, so that the dynamic application accessing the website is just like the static page of the article accessing the website, for the dynamic request, the token technology is combined, the token is issued to the form, then whether the token is legal or not is verified, then, the submitted form data is checked, the form data is written into a json file and is persisted into a database in batches, finally, the pressure of the back-end service is reduced, the safety and the continuous high availability of the dynamic application are ensured, and by loading the basic data to be accessed by the dynamic application into the json file in advance, for the GET request, a page is called and rendered by javascript in the executing process, and the whole access process does not need the participation of a back-end service at all. For the POST request, the server firstly issues a token to the form, the token is firstly verified when the data are submitted, then the data are verified, after the two are verified, the data are written into a json file, and then the json file is stored in a database in batches. Therefore, the back-end application can be always kept in a stable state, and meanwhile, common SQL injection, cross-site scripts, CSRF and DDOS attacks can be well resisted.
According to the method, the access speed of the page is improved after the GET request is staticized, the security problem of the dynamic request is thoroughly solved after the GET request is staticized, the json file is used for data transfer, and the system background can still stably run in a large concurrent access scene, so that the service is continuously provided.
The above description is only for the preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art should be considered to be within the technical scope of the present invention, and the technical solutions and the inventive concepts thereof according to the present invention should be equivalent or changed within the scope of the present invention.
Claims (3)
1. A website dynamic application security protection method is characterized by comprising the following steps:
s1, loading basic data of the dynamic application into a json file after the system is started;
s2, the user initiates a GET request of the application, executes javascript in the GET request page, analyzes json file and renders the page, and responds the rendered page to the user;
s3, the user initiates a POST request, the server issues a token to the POST form, and the form is submitted when submitted;
s4, after receiving the submitted token and the data, the server side verifies whether the submitted token is consistent with the issued token or not, and verifies the legality of the submitted data;
wherein, verifying consistency comprises the following judgments:
if not, directly returning the illegal request of the user;
if the two are consistent, the token check is passed;
verifying legitimacy includes the following judgments:
if the data is legal, writing the data into the json file, generating a data signature of the currently written data at the same time, and storing the data signature in a signature file;
if the information is illegal, prompting the user of illegal information;
the verification of the validity of the data in the step S4 includes the following steps:
s41, judging whether the mandatory field is filled;
s42, judging whether the data format of each field meets the check rule, and matching the rule through a regular expression;
s43, judging whether the submitted content contains sensitive information;
s44, judging whether the field of the content of the non-rich text editor contains an HTML label or not, and if so, risking storage type cross-site attack;
s5, reading the data in the JSON file in batches, calculating the data signature of each piece of data and judging whether the signature is consistent with the signature of the corresponding data in the signature file;
the data signature and the signature of the corresponding data in S5 include the following judgments:
if the data are inconsistent, judging that the data are tampered, abandoning storage and recording a log;
if the data are consistent, the data are persisted to a database;
and S6, judging whether the background basic data are updated, reloading the basic data into the json file, and repeating the steps S2-S5 to ensure that the basic data analyzed by the front-end page are always the latest basic data.
2. The method for dynamically applying security protection to websites according to claim 1, wherein the parsing json file and rendering page in S2 comprises the following method steps:
s21, reading the content in the json file into json character strings by using javascript;
s22, converting the json character string into a json object;
and S23, taking out the data in the json object according to different keys and filling the data in the json object to the designated position of the page.
3. The method for dynamically applying security to websites of claim 1, wherein said data signature is an MD5 value.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110040482.3A CN112632447B (en) | 2021-01-13 | 2021-01-13 | Website dynamic application safety protection method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110040482.3A CN112632447B (en) | 2021-01-13 | 2021-01-13 | Website dynamic application safety protection method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112632447A CN112632447A (en) | 2021-04-09 |
CN112632447B true CN112632447B (en) | 2022-03-11 |
Family
ID=75293994
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110040482.3A Active CN112632447B (en) | 2021-01-13 | 2021-01-13 | Website dynamic application safety protection method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112632447B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114499960B (en) * | 2021-12-24 | 2024-03-22 | 深圳开源互联网安全技术有限公司 | CSRF vulnerability identification method, device and computer readable storage medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103957245A (en) * | 2014-04-22 | 2014-07-30 | 北京微众文化传媒有限公司 | Method and device for obtaining Internet data |
CN106919696A (en) * | 2017-03-07 | 2017-07-04 | 上海携程商务有限公司 | SEO websites construction method and the response method of SEO requests |
CN108304565A (en) * | 2018-02-09 | 2018-07-20 | 西安博达软件股份有限公司 | The method that mobile site is quickly generated in CMS system |
CN111447195A (en) * | 2020-03-23 | 2020-07-24 | 杭州趣维科技有限公司 | Web interface design method for preventing request message from being tampered, attacked and replayed |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6286001B1 (en) * | 1999-02-24 | 2001-09-04 | Doodlebug Online, Inc. | System and method for authorizing access to data on content servers in a distributed network |
CN105491116B (en) * | 2015-11-26 | 2019-04-26 | 广州华多网络科技有限公司 | A kind of cross-window submits the method and system of data |
CN106371825B (en) * | 2016-08-23 | 2019-08-13 | 武大吉奥信息技术有限公司 | A kind of mobile terminal application interface list dynamic creation method and device |
CN107426181B (en) * | 2017-06-20 | 2019-09-17 | 竞技世界(北京)网络技术有限公司 | The hold-up interception method and device of malice web access request |
CN107391470A (en) * | 2017-07-12 | 2017-11-24 | 成都优易数据有限公司 | A kind of single database table handling method based on Form Designer |
CN108037920A (en) * | 2017-11-03 | 2018-05-15 | 福建省华渔教育科技有限公司 | Client customizing form generation method, storage medium |
CN110502897A (en) * | 2018-05-16 | 2019-11-26 | 南京大学 | A kind of identification of webpage malicious JavaScript code and antialiasing method based on hybrid analysis |
-
2021
- 2021-01-13 CN CN202110040482.3A patent/CN112632447B/en active Active
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103957245A (en) * | 2014-04-22 | 2014-07-30 | 北京微众文化传媒有限公司 | Method and device for obtaining Internet data |
CN106919696A (en) * | 2017-03-07 | 2017-07-04 | 上海携程商务有限公司 | SEO websites construction method and the response method of SEO requests |
CN108304565A (en) * | 2018-02-09 | 2018-07-20 | 西安博达软件股份有限公司 | The method that mobile site is quickly generated in CMS system |
CN111447195A (en) * | 2020-03-23 | 2020-07-24 | 杭州趣维科技有限公司 | Web interface design method for preventing request message from being tampered, attacked and replayed |
Non-Patent Citations (1)
Title |
---|
"互联网+"政府网站和数据动态安全解决方案;马蔚彦;《信息技术与标准化》;20180930;第23-25页 * |
Also Published As
Publication number | Publication date |
---|---|
CN112632447A (en) | 2021-04-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7861287B2 (en) | System and method for utilizing audit information for challenge/response during a password reset process | |
JP5651112B2 (en) | Form entry and automatic password generation using digital ID | |
US11716357B2 (en) | Data access policies | |
US8959336B1 (en) | Securing locally stored web-based database data | |
US8392969B1 (en) | Method and apparatus for hosting multiple tenants in the same database securely and with a variety of access modes | |
CA3047664C (en) | Watermark security | |
US20050183003A1 (en) | Automatic proxy form filing | |
US20090064303A1 (en) | Transferable restricted security tokens | |
US20210105608A1 (en) | Subscription to dependencies in smart contracts | |
US11075747B1 (en) | Storing time-sensitive secrets in a blockchain network | |
US20070244816A1 (en) | Systems and methods for opening, funding, and/or using a financial account, such as a checking account | |
CN110048995B (en) | Method and device for confirming content of multimedia protocol and electronic equipment | |
US12111939B2 (en) | Fast access to a data resource update in a blockchain network | |
EP3921793A1 (en) | Payslip verification for blockchain transaction | |
CN111770086A (en) | Fishing user simulation collection method, device, system and computer readable storage medium | |
JP2023513845A (en) | An event stream about the sequence of events related to the blockchain | |
CN112632447B (en) | Website dynamic application safety protection method | |
US20230129631A1 (en) | Detecting and protecting against inconsistent use of cross-site request forgery mitigation features | |
US12008141B2 (en) | Privacy preserving synthetic string generation using recurrent neural networks | |
US8667563B1 (en) | Systems and methods for displaying personalized content | |
US12093301B1 (en) | Systems and methods for modifying JSON files | |
Saldamli et al. | Identity management via blockchain | |
Hucker | The Unending Debate: Appeasement, Chamberlain and the Origins of the Second World War | |
CN117633753B (en) | Operating system and method based on solid state disk array | |
Halupecki | The role of the middle layer in the web environment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |