WO2014048186A1 - Method and system for verifying website security - Google Patents

Method and system for verifying website security

Info

Publication number
WO2014048186A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
website
verification
scanning site
security
Prior art date
Application number
PCT/CN2013/081632
Other languages
French (fr)
Chinese (zh)
Inventor
邓振波
苏云琳
贺立华
权庆安
Original Assignee
北京奇虎科技有限公司
奇智软件(北京)有限公司
Application filed by 北京奇虎科技有限公司 and 奇智软件(北京)有限公司; published as WO2014048186A1.

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00  Network arrangements or protocols for supporting network services or applications
    • H04L 67/01  Protocols
    • H04L 67/02  Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/08  Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083  Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 63/14  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1433  Vulnerability analysis

Definitions

  • the present invention relates to the field of computer technologies, and in particular, to a website security verification method and system.
  • BACKGROUND: as websites become more diversified, their content and information are updated irregularly, and every newly added page or link may introduce new vulnerabilities; checking a website's security is therefore mandatory both before it goes online and at every update.
  • manual website checking is a heavy burden for the user; with websites now commonly running to hundreds or thousands of pages, performing a security check on every page by hand is close to impossible, and so tools for checking website security have emerged.
  • such a tool can comprehensively detect the security vulnerabilities present in a website, recognise the prevalent types of malicious-script injection (挂马, "trojan hanging") and the injected code found in the wild, and effectively identify sensitive or vulgar content and hidden links ("black links") in the website's pages, and so on.
  • with such a tool the security check of a website is completed conveniently and automatically, and the final report shows at a glance whether the website carries security risks.
  • only the webmaster or administrator of the website is generally permitted to view the detailed security report; ordinary users can only see the website's security score.
  • a webmaster or administrator who wants to view the security information of their own website must register with a dedicated web scanning site and can only see the detailed scan result after logging in there, which is cumbersome. Summary of the invention
  • a website security verification method including: determining the login information of a user in a web scanning site; generating a class account according to the login information in the web scanning site and sending the class account back to the management control center of an enterprise-edition security product; and, when the management control center of the enterprise-edition security product receives a request to perform security verification on a specified website, using the class account to log in to the web scanning site and obtain the corresponding security verification result.
  • a website security verification system including: a login information determining unit, configured to determine the login information of a user in a web scanning site; a return unit, configured to generate a class account according to the login information in the web scanning site and send the class account back to the management control center of the enterprise-edition security product; and a single sign-on unit, configured to use the class account to log in to the web scanning site and obtain the corresponding security verification result when the management control center of the enterprise-edition security product receives a request to perform security verification on a specified website.
  • a computer program comprising computer-readable code which, when run on a server, causes the server to perform the website security verification method of any one of claims 1-6.
  • a computer-readable medium storing the computer program according to claim 14.
  • the beneficial effects of the present invention are: according to the website security verification method and system of the present invention, the web scanning function can be combined with the management control center of the enterprise-edition security product; a class account is generated from the user's login information in the web scanning site and sent back to the management control center, so that logging in to the management control center is equivalent to logging in to the web scanning site, and the security verification result of a specified website can then be viewed directly. The process of security verification of a web page can therefore be simplified.
  • FIG. 1 shows a flow chart of a method in accordance with one embodiment of the present invention
  • FIG. 2 shows a schematic diagram of a system in accordance with one embodiment of the present invention
  • Figure 3 schematically shows a block diagram of a server for performing the method according to the invention
  • Fig. 4 schematically shows a memory unit for holding or carrying a program code implementing a method according to the invention.
  • S101 determining login information of the user in the web scanning site
  • the site security verification function can be combined with the enterprise security product.
  • for ease of understanding, the enterprise security product is briefly introduced first.
  • the enterprise security product usually consists of two parts: the management control center and the security product client.
  • the management control center is deployed on the machines of IT personnel such as the network administrator.
  • the client is installed on each employee's PC terminal.
  • the management control center provides an all-round platform for centralised management of the enterprise's intranet computers, meeting the urgent need of enterprises for centralised anti-virus, health checks and patching on a unified platform.
  • the management control center of the enterprise security product and the site security scanning product have one thing in common: both are used by IT personnel such as the enterprise network administrator, and generally only such personnel have the permission or the need to use them. In other words, within an enterprise, the personnel who perform centralised management operations such as centralised anti-virus on all of the enterprise's computers are the same personnel who need to query the detailed security report of the enterprise portal. It is on the basis of this characteristic that, in the embodiment of the present invention,
  • the site security scanning function can be combined with the enterprise security product to facilitate the IT staff of the enterprise network management to query the security report of the enterprise portal.
  • site security scanning can be used as a functional module of the enterprise security product.
  • after the network administrator logs in to the management control center of the enterprise security product, the operation entry for "enterprise portal security" can be seen in the interface.
  • the aforementioned "Enterprise Portal Security" function module itself is actually a web scanning site.
  • the network management of the enterprise is also required to log in at the web scanning site.
  • a class account may be generated according to the login information of the user in the web scanning site.
  • a class account is a credential similar to an account, usually composed of multiple factors (e.g., username, password, etc.).
  • one way may be to provide the user with an entry for registering in the web scanning site (including inputting a username, a password, etc.); after the user's registration request is received through the web scanning site's registration entry, registration in the web scanning site can be completed, and the user's login information in the web scanning site can then be obtained from this registration information.
  • the above method of obtaining the user's login information through registration is equivalent to creating a brand-new credential for the user; alternatively, an account-binding method can be used, that is, an existing credential is reused and new permissions are added on top of it.
  • normally a user should register separate login information on different websites or systems. However, if the user does not want to remember too much account login information, the account information previously registered in another system can be bound directly to the current system,
  • so that the account information registered in the other system can be used directly to log in to the current system.
  • for example, the user can log in to a forum directly with the login information of an instant messaging system, and so on. Therefore, in this implementation, the user may be provided with an entry for binding account information; the user's binding request is received through the web scanning site's binding entry, the existing account information carried in the binding request is bound to the web scanning site, and the user's login information in the web scanning site can then be obtained according to the binding result.
  • S102 Generate a class account according to the login information in the web scanning site, and return the class account to the management control center of the enterprise security product;
  • after the login information in the web scanning site is obtained, a class account can be generated and returned to the management control center of the enterprise security product for single sign-on.
  • the request for security verification of a specified website can then be initiated directly from the management control center interface of the enterprise security product; when the management control center of the enterprise security product receives the request,
  • the user can be logged in to the web scanning site automatically with the previously generated class account, and the security verification report of the website specified by the user is obtained. Once obtained, the report can be presented to the user, or returned to the requester when a query request is received from another program, and so on.
  • after the request to query the website's security verification result is received, the administrator identity of the requester can also be verified first; if the verification passes, the class account is used to log in to the web scanning site to obtain the corresponding security verification result.
  • there are several ways to verify administrator identity. For example, in one mode, the user may be notified to add a specified piece of code to a specified page of the website to be verified; if the page element corresponding to the specified code (such as a picture or text) appears in the specified page, the verification passes.
  • in another mode, the user may be notified to download a special file and upload it to the website to be verified; if the special file appears on the website to be verified, the verification passes. As with the first method, generally only the management or maintenance personnel of a website have the authority to add a file to it, so completing the file-addition operation according to the displayed information shows that the executor of the operation (i.e., the party requesting the query) has the right to query the detailed security verification result of the website.
  • the first verification method described above is equivalent to the way of code verification
  • the second verification method is equivalent to the file verification method.
  • it can also be implemented by means of customer service verification.
  • for example, the user is prompted to post their own login ID in an instant messaging (IM) system on a page of the website to be verified, and to use that ID to send specified information (such as the verification URL, login mailbox, etc.) to a specified ID.
  • alternatively, if the website to be verified holds an official certification on a Weibo (microblog) site, the user may be authenticated by having the officially certified Weibo account follow a specified Weibo account and send information such as the website to be verified to that specified account;
  • if the operation succeeds, it proves that the current operator has administrator status and has the right to obtain the detailed security verification result.
  • the web scanning function can be combined with the management control center of the enterprise security product: a class account is generated from the user's login information in the web scanning site and returned to the management control center of the enterprise security product,
  • so that logging in to the management control center of the enterprise security product is equivalent to logging in to the web scanning site, and the security verification result of the specified website can then be viewed directly. The process of security verification of the web page can therefore be simplified.
  • the embodiment of the present invention further provides a website security verification system.
  • the system may include:
  • the login information determining unit 201 is configured to determine login information of the user in the web scanning site
  • the return unit 202 is configured to generate a class account according to the login information in the web scanning site, and return the class account to the management control center of the enterprise security product; the single sign-on unit 203 is configured to use the class account to log in to the web scanning site and obtain the corresponding security verification result when the management control center of the enterprise security product receives a request to perform security verification on a specified website.
  • the login information determining unit 201 may include:
  • a registration subunit configured to receive a registration request of the user through the web scan site registration portal, and complete registration in the web scan site;
  • the first determining subunit is configured to determine, according to the registration information, the login information of the user in the web scanning site.
  • the login information determining unit 201 may include: a binding subunit, configured to receive a binding request of the user through the web scanning site's binding entry, and bind the existing account information carried in the binding request to the web scanning site; the user's login information in the web scanning site is then determined according to the binding result.
  • the system may further include:
  • an identity verification unit, configured to verify the user's viewing right when the management control center of the enterprise security product receives the request to perform security verification on the specified website; and
  • a triggering unit configured to trigger, when the verification is passed, the step of logging in to the web scanning site by using the account to acquire a corresponding security verification result.
  • the identity verification unit includes:
  • a first notification subunit configured to notify the user to add the specified code to the specified page of the website to be verified
  • a first verification subunit configured to pass the verification if the page element corresponding to the specified code appears in the specified page.
  • the identity verification unit may also include:
  • a second notification sub-unit configured to notify the user to download a special file to the specified website, and upload the special file to the website to be queried;
  • a second verification subunit configured to pass the verification if the special file appears in the website to be verified.
  • the web scanning function can be combined with the management control center of the enterprise security product: a class account is generated from the user's login information in the web scanning site and sent back to the management control center of the enterprise-edition security product,
  • so that logging in to the management control center of the enterprise security product is equivalent to logging in to the web scanning site, and the security verification result of the specified website can then be viewed directly. The process of security verification of the web page can therefore be simplified.
  • the various component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof.
  • for example, a digital signal processor (DSP) may be used.
  • the invention may also be embodied as a device or apparatus program (e.g., a computer program and a computer program product) for performing some or all of the methods described herein.
  • such a program implementing the invention may be stored on a computer-readable medium or may be in the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
  • the server of FIG. 3 may be a device such as an application server.
  • the server conventionally includes a processor 310 and a computer program product or computer readable medium in the form of a memory 320.
  • Memory 320 can be an electronic memory such as flash memory, EEPROM (Electrically Erasable Programmable Read Only Memory), EPROM, hard disk, or ROM.
  • the memory 320 has a memory space 330 for program code 331 for performing any of the method steps described above.
  • storage space 330 for program code may include various program code 331 for implementing various steps in the above methods, respectively.
  • the program code can be read from or written to one or more computer program products.
  • These computer program products include program code carriers such as hard disks, compact disks (CDs), memory cards or floppy disks.
  • Such computer program products are typically portable or fixed storage units as described with reference to FIG.
  • the storage unit may have a storage section, a storage space, and the like arranged similarly to the storage 320 in the server of FIG.
  • the program code can be compressed, for example, in an appropriate form.
  • the storage unit includes computer readable code 33, i.e., code that can be read by a processor, such as 310, which, when executed by a server, causes the server to perform various steps in the methods described above.
  • an embodiment or “one or more embodiments” as used herein means that the particular features, structures, or characteristics described in connection with the embodiments are included in at least one embodiment of the invention.
  • the phrase “in one embodiment” herein does not necessarily refer to the same embodiment.
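As an added example (not code from the patent or its assignee), the following Python models the two mechanisms the list above describes: the class account sent back to the management control center and used for single sign-on to the web scanning site, and the code- or file-based administrator check run before a detailed report is released. The class names, the token shape, the `<meta name="site-verification">` convention and the in-memory scan site are all assumptions.

```python
import hmac
import secrets
import time
from html.parser import HTMLParser

META_NAME = "site-verification"   # assumed <meta name=...> carrying the "specified code"

class WebScanSite:
    """In-memory stand-in for the web scanning site (constructed)."""

    def __init__(self, reports):
        self._reports = reports    # site -> detailed report
        self._tokens = {}          # class-account token -> (user, expiry)

    def register(self, user, password, ttl=3600):
        """Registration (or binding) establishes the login information; the class
        account issued from it is an opaque, expiring token, never the password."""
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user, time.time() + ttl)
        return token

    def fetch_report(self, token, site):
        """Single sign-on entry point: a valid, unexpired class account suffices."""
        entry = self._tokens.get(token)
        if entry is None or entry[1] < time.time():
            return None
        return self._reports.get(site)

class _MetaScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.values = []           # content of every <meta name=META_NAME>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("name") == META_NAME and a.get("content"):
            self.values.append(a["content"])

class OwnershipVerifier:
    """Issues one random challenge per site and checks it by either method."""

    def __init__(self):
        self._challenges = {}      # site -> challenge string

    def issue(self, site):
        self._challenges[site] = secrets.token_hex(16)
        return self._challenges[site]

    def _matches(self, site, value):
        expected = self._challenges.get(site)
        if expected is None or value is None:
            return False
        # Constant-time compare so the check leaks nothing about the challenge.
        return hmac.compare_digest(value.strip().encode(), expected.encode())

    def verify_code(self, site, page_html):
        """Code verification: the element for the specified code is in the page."""
        if not page_html:
            return False
        scanner = _MetaScanner()
        scanner.feed(page_html)
        return any(self._matches(site, v) for v in scanner.values)

    def verify_file(self, site, file_body):
        """File verification: the special file (body = challenge) is on the site."""
        return self._matches(site, file_body)

class ManagementControlCenter:
    """Holds the returned class accounts and serves verification requests."""

    def __init__(self, scan_site, verifier, class_accounts):
        self._scan_site, self._verifier = scan_site, verifier
        self._class_accounts = class_accounts   # control-center login -> token

    def request_verification(self, admin, site, fetch_page, fetch_file):
        """fetch_page(site) / fetch_file(site) are injected so this runs offline."""
        token = self._class_accounts.get(admin)
        if token is None:
            return None
        # Administrator identity check before the detailed report is released.
        if not (self._verifier.verify_code(site, fetch_page(site))
                or self._verifier.verify_file(site, fetch_file(site))):
            return None
        # The class account, not the user, logs in to the scan site.
        return self._scan_site.fetch_report(token, site)

def demo():
    """Constructed walk-through: (report for a verified site, None for one that fails)."""
    scan = WebScanSite({"portal.example": "2 medium findings, 0 hidden links (constructed)"})
    verifier = OwnershipVerifier()
    mcc = ManagementControlCenter(scan, verifier,
                                  {"netadmin": scan.register("netadmin", "pw-not-kept")})
    challenge = verifier.issue("portal.example")
    pages = {"portal.example": f'<meta name="{META_NAME}" content="{challenge}">'}
    verifier.issue("other.example")   # challenge issued but never placed on that site
    granted = mcc.request_verification("netadmin", "portal.example", pages.get, {}.get)
    denied = mcc.request_verification("netadmin", "other.example", pages.get, {}.get)
    return granted, denied
```

Holding the class account as a scoped, expiring token rather than the user's scan-site password limits what a compromised control center can do with it.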

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

Disclosed are a method and a system for verifying website security. The method may comprise: determining login information of a user in a web scanning site; generating a class account according to the login information in the web scanning site and sending the class account back to a management control center of an enterprise-edition security product; when the management control center of the enterprise-edition security product receives a request for performing security verification on a specified website, using the class account to log in to the web scanning site to obtain a corresponding security verification result. Through the present invention, a security verification process for a web page can be simplified.

Description

Website security verification method and system

Technical field

The present invention relates to the field of computer technology, and in particular to a website security verification method and system.

Background

As websites become more diversified, their content and information are updated irregularly, and every newly added page or link may introduce new vulnerabilities. Checking a website's security is therefore mandatory both before it goes online and at every update. Manual website checking, however, is a heavy burden for the user: with websites now commonly running to hundreds or thousands of pages, performing a thorough security check on every page by hand is close to impossible, and so tools for checking website security have emerged. Such a tool can comprehensively detect the security vulnerabilities present in a website, recognise the prevalent types of malicious-script injection (挂马, "trojan hanging") and the injected code found in the wild, and effectively identify sensitive or vulgar content and hidden links ("black links") in the website's pages, and so on. With such a tool the security check of a website is completed conveniently and automatically, and the final report shows at a glance whether the website carries security risks. Of course, only the webmaster or administrator of the website is generally permitted to view the detailed security report; ordinary users can only see the website's security score.

In the prior art, however, a webmaster or administrator who wants to view the security information of their own website must register with a dedicated web scanning site and can only see the detailed scan result after logging in there, which is a cumbersome process.

Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a website security verification method, and a corresponding website security verification system, that overcome the above problems or at least partially solve or alleviate them.

According to one aspect of the present invention, a website security verification method is provided, including: determining the login information of a user in a web scanning site; generating a class account according to the login information in the web scanning site, and sending the class account back to the management control center of an enterprise-edition security product; and, when the management control center of the enterprise-edition security product receives a request to perform security verification on a specified website, using the class account to log in to the web scanning site and obtain the corresponding security verification result.

According to another aspect of the present invention, a website security verification system is provided, including: a login information determining unit, configured to determine the login information of a user in a web scanning site; a return unit, configured to generate a class account according to the login information in the web scanning site and send the class account back to the management control center of an enterprise-edition security product; and a single sign-on unit, configured to use the class account to log in to the web scanning site and obtain the corresponding security verification result when the management control center of the enterprise-edition security product receives a request to perform security verification on a specified website.
According to yet another aspect of the present invention, a computer program is provided, comprising computer-readable code which, when run on a server, causes the server to perform the website security verification method of any one of claims 1-6.

According to a further aspect of the present invention, a computer-readable medium is provided in which the computer program according to claim 14 is stored.

The beneficial effects of the present invention are as follows. According to the website security verification method and system of the present invention, the web scanning function can be combined with the management control center of the enterprise-edition security product: a class account is generated from the user's login information in the web scanning site and sent back to the management control center of the enterprise-edition security product, so that logging in to the management control center is equivalent to logging in to the web scanning site, and the security verification result of a specified website can then be viewed directly. The process of security verification of a web page can therefore be simplified.

The above description is only an overview of the technical solution of the present invention. So that the technical means of the present invention can be understood more clearly and implemented according to the contents of the specification, and so that the above and other objects, features and advantages of the present invention become more apparent and comprehensible, specific embodiments of the present invention are set forth below.

Description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the detailed description of the preferred embodiments below. The drawings serve only to illustrate the preferred embodiments and are not to be regarded as limiting the present invention. Throughout the drawings, the same reference symbols denote the same components. In the drawings:

FIG. 1 shows a flow chart of a method according to one embodiment of the present invention;
FIG. 2 shows a schematic diagram of a system according to one embodiment of the present invention;
FIG. 3 schematically shows a block diagram of a server for performing the method according to the present invention; and
FIG. 4 schematically shows a storage unit for holding or carrying program code implementing the method according to the present invention.

Specific embodiments

The present invention is further described below in conjunction with the drawings and specific embodiments.
S101 : 确定用户在 web扫描站点中的登录信息; S101: determining login information of the user in the web scanning site;
首先需要说明的是, 为了便于对站点进行安全验证, 在本发明实施 例中, 可以将站点安全验证的功能与企业版安全产品相结合。 为了便于 理解, 首先对企业版安全产品进行简单的介绍。  First of all, in order to facilitate the security verification of the site, in the embodiment of the present invention, the site security verification function can be combined with the enterprise security product. For ease of understanding, a brief introduction to the enterprise security product is provided.
传统的企业网络环境中, 企业终端电脑上堆积着各类不同的安全桌 面产品, 如反病毒软件等, 这些软件产品通常来自不同厂商, 无法统一 管理, 并且占用大量的系统资源, 大大影响企业的工作效率。 为解决该 安全问题, 企业版安全产品也就应运而生了。 企业版安全产品通常由管 理控制中心及安全产品客户端两部分组成, 其中, 管理控制中心部署在 网管等 IT人员的机器上, 客户端安装在各个员工的 PC终端机上, 管理 控制中心为企业集中管理内网电脑搭建了一个全能平台, 在统一的平台 上满足了广大企业对于集中杀毒、 体检、 打补丁等迫切需求。  In the traditional enterprise network environment, various security desktop products, such as anti-virus software, are accumulated on the enterprise terminal computers. These software products usually come from different vendors, cannot be managed uniformly, and occupy a large amount of system resources, which greatly affects the enterprise. Work efficiency. To solve this security problem, enterprise security products have emerged. The enterprise security product usually consists of two parts: the management control center and the security product client. The management control center is deployed on the machine of the IT staff such as the network management system. The client is installed on the PC terminal of each employee, and the management control center is the enterprise centralized. The management intranet computer has built an all-round platform, which satisfies the urgent needs of enterprises for centralized anti-virus, physical examination and patching on a unified platform.
可见, 企业版安全产品的管理控制中心与站点安全扫描产品具有一 点相同之处: 都是由企业的网管等 IT人员使用, 并且, 一般也都是企业 的网管等 IT人员才有使用的权限或需求。 也就是说, 在一个企业中, 对 企业内部所有电脑进行集中杀毒等管理操作的人员, 与需要查询该企业 门户网站详细安全报告的人员是相同的。 因此, 正是基于上述特点, 在 本发明实施例中。 可以将站点安全扫描的功能与企业版安全产品相结合, 以期方便企业的网管的 IT人员, 查询企业门户网站的安全报告。 It can be seen that the management and control center of the enterprise security product has the same thing as the site security scanning product: It is used by IT personnel such as enterprise network management, and is generally used by IT personnel such as enterprise network management. demand. In other words, in a business, The personnel who perform centralized management operations such as centralized anti-virus on all computers in the enterprise are the same as those who need to inquire about the detailed security report of the enterprise portal. Therefore, based on the above features, it is in the embodiment of the present invention. The site security scanning function can be combined with the enterprise security product to facilitate the IT staff of the enterprise network management to query the security report of the enterprise portal.
In practical applications, site security scanning can be provided as a functional module of the enterprise-edition security product: after the network administrator logs in to the management control center of the enterprise-edition security product, an "enterprise portal website security" entry is visible in the interface.
In a specific implementation, the aforementioned "enterprise portal website security" functional module is itself in fact a web scanning site, and in order to query the security report of an enterprise portal website, the enterprise's network administrator likewise needs to log in to that web scanning site. In the embodiments of the present invention, to make it easier for users to query the security report of their own enterprise portal website without logging in to the web scanning site anew for every query, a class account can be generated from the user's login information in the web scanning site. A class account is a credential resembling an account, generally composed of multiple factors (for example, a username, a password and so on). By passing the class account back to the management control center of the enterprise-edition security product, an effect similar to single sign-on is achieved: once the user has logged in to the management control center of the enterprise-edition security product, this is equivalent to having logged in to the web scanning site, and the security report of the user's own enterprise portal website can be obtained directly, without the user having to manually perform a login to the web scanning site.
There are several ways to determine the user's login information in the web scanning site. One way is to provide the user with an entry for registering in the web scanning site (including entries for inputting a username, a password and so on); after the user's registration request is received through the web scanning site's registration entry, the registration in the web scanning site is completed, and the user's login information in the web scanning site can then be obtained from this registration information.
Obtaining the user's login information by registration as described above amounts to creating a brand-new credential for the user. Another way is to bind an existing account, that is, to take some existing credential and grant new permissions on top of it. It should be noted that, in general, a user should register separate login information for each different website or system; however, a user who does not want to remember too much account login information can bind account information already registered in another system to the current system, and can then log in to the current system directly with the account information registered in the other system. For example, if a user binds their login information in an instant messaging system to a forum, the user can log in to that forum directly with their instant messaging login information, and so on. Therefore, in this embodiment, the user can be provided with an entry for binding account information: the user's binding request is received through the web scanning site's binding entry, the existing account information carried in the binding request is bound to the web scanning site, and the user's login information in the web scanning site is then obtained from the binding result.
S102: generate a class account from the login information in the web scanning site, and pass the class account back to the management control center of the enterprise-edition security product.
After the login information in the web scanning site has been obtained, a class account can be generated from it and passed back to the management control center of the enterprise-edition security product in order to achieve single sign-on.
S103: when the management control center of the enterprise-edition security product receives a request to perform security verification on a specified website, it logs in to the web scanning site with the class account to obtain the corresponding security verification result.
Once the account has been registered or bound as above, the user can initiate a request for security verification of a specified website directly from the interface of the management control center of the enterprise-edition security product. After receiving the request, the management control center can automatically log in to the web scanning site with the previously generated class account and obtain the security verification report for the website specified by the user. Once obtained, the report can be presented to the user, or returned to the requesting party when a query request is received from another program, and so on.
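Steps S102 and S103 as an added example (not code from the patent or its assignee): the class account is realized here as an HMAC-signed, expiring token that names the scan-site user and the portal sites that user may query, so the management control center never holds the scan-site password itself; the shared key, the `sites` scope and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed key shared by the web scanning site and the management control
# center (assumption: provisioned out of band; a demo value, not a real secret).
SHARED_KEY = b"constructed-demo-key-replace-in-deployment"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _tag(body: str) -> str:
    return _b64(hmac.new(SHARED_KEY, body.encode("ascii"), hashlib.sha256).digest())


def make_class_account(login_info: dict, ttl: int = 3600, now: Optional[int] = None) -> str:
    """S102: derive the class account from the user's scan-site login information.

    Assumed realization: the scan site issues a signed, expiring token naming the
    scan-site user and the portal sites that user may query. The password is never
    handed to the management control center.
    """
    now = int(time.time()) if now is None else now
    payload = {
        "sub": login_info["username"],
        "sites": sorted(login_info["sites"]),  # assumption: scope fixed at registration/binding
        "iat": now,
        "exp": now + ttl,
        "nonce": secrets.token_hex(8),  # makes every issued token distinct
    }
    body = _b64(json.dumps(payload, sort_keys=True).encode("utf-8"))
    return f"{body}.{_tag(body)}"


def scan_site_login(class_account: str, site: str, now: Optional[int] = None) -> Optional[dict]:
    """S103, scan-site side: accept the class account in place of an interactive login.

    Returns the authenticated principal, or None when the token is malformed,
    tampered with, expired, or does not cover the requested site.
    """
    now = int(time.time()) if now is None else now
    parts = class_account.split(".")
    if len(parts) != 2:
        return None
    body, tag = parts
    # Constant-time comparison of the MAC before anything in the body is trusted.
    if not hmac.compare_digest(tag.encode("utf-8"), _tag(body).encode("ascii")):
        return None
    try:
        payload = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None
    if payload.get("exp", 0) <= now or site not in payload.get("sites", []):
        return None
    return {"user": payload["sub"], "site": site}


def management_center_query(class_account: str, site: str, reports: dict,
                            now: Optional[int] = None) -> Optional[str]:
    """S103, management-center side: log in to the scan site with the stored class
    account and fetch the security report for `site` (`reports` is a constructed store)."""
    principal = scan_site_login(class_account, site, now)
    if principal is None:
        return None
    return reports.get(site)


if __name__ == "__main__":
    # Constructed sample: the network administrator registered on the scan site as
    # "netadmin" and may query the corporate portal only.
    login = {"username": "netadmin", "sites": ["portal.example.com"]}
    ca = make_class_account(login, now=1_700_000_000)
    store = {"portal.example.com": "0 high, 2 medium findings (constructed)"}
    print(management_center_query(ca, "portal.example.com", store, now=1_700_000_100))
    print(management_center_query(ca, "other.example.com", store, now=1_700_000_100))  # None
```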
Of course, in practical applications only the network administrator of an enterprise or the administrator of its portal website generally has permission to query the detailed security verification result of that portal. Therefore, in the embodiments of the present invention, after a request to query the security verification result of a website is received, the requester's administrator identity can first be verified, and only if verification passes is the class account used to log in to the web scanning site to obtain the corresponding security verification result. There are several ways to verify administrator identity. In one of them, the user is notified to add a specified code to a specified page of the website to be verified; if the page element corresponding to that code (for example an image or text) appears on the specified page, verification passes. That is, as a rule only the website's administrators or maintainers are able to add code to the website, so if the addition succeeds in the specified manner, it proves that the current requester is an administrator or maintainer of the website and has permission to view the detailed security verification result.
Alternatively, the user is notified to download a special file from a specified website and upload it to the website to be queried; if the special file appears on the website to be verified, verification passes. As with the first way, only the website's administrators or maintainers generally have permission to add a file to the website, so if the operation of adding the file to the website is completed according to the given instructions, it proves that the party performing the operation (that is, the party requesting the query) has permission to query the detailed security verification result of that website.
The first verification way described above amounts to code verification and the second to file verification. In addition, verification can also be carried out through a customer-service process. For example, the user is prompted to publish their login ID in an instant messaging (IM) system on a page of the website to be verified, and to use that ID to send certain specified information (for example the URL to be verified, the login e-mail address and so on) to a specified ID. Or the user can be notified that, if the website to be verified holds an official certification from a microblog website, the user can use the officially certified microblog account to follow a specified microblog account and send information such as the URL to be verified to that specified account; if the operation succeeds, it proves that the current operator has administrator status and is entitled to obtain the detailed security verification result.
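The code verification and file verification ways as an added example (not code from the patent or its assignee), generalized so that the published value is bound to both the requesting user and the site, which stops a proof placed on one site from vouching for another; the meta-tag name, file path pattern, key and sample site contents are constructed assumptions.

```python
import hashlib
import hmac
import re
from typing import Callable, Dict, Optional, Tuple

# Constructed server-side key used to derive the per-user, per-site challenge
# (assumption; a demo value, not a real secret).
CHALLENGE_KEY = b"constructed-challenge-key-replace-in-deployment"

# Page element the scan site asks the administrator to add (code verification) and
# the path of the special file it asks them to upload (file verification). Names assumed.
META_NAME = "site-verification"
FILE_PREFIX = "/site-verification-"
META_RE = re.compile(r'<meta\s+name="' + META_NAME + r'"\s+content="([0-9a-f]{32})"', re.I)

Fetcher = Callable[[str, str], Optional[str]]  # (site, path) -> page/file body, or None


def issue_challenge(user: str, site: str) -> Dict[str, str]:
    """Derive the value the administrator must publish. Binding it to (user, site)
    means a proof placed on one site cannot be reused for another site or user."""
    token = hmac.new(CHALLENGE_KEY, f"{user}|{site}".encode("utf-8"), hashlib.sha256).hexdigest()[:32]
    return {
        "token": token,
        "code": f'<meta name="{META_NAME}" content="{token}">',
        "file": f"{FILE_PREFIX}{token}.txt",
    }


def verify_by_code(user: str, site: str, fetch: Fetcher) -> bool:
    """First way: the specified code must appear as a page element on the
    specified page (the site's home page in this example)."""
    expected = issue_challenge(user, site)["token"].encode("ascii")
    html = fetch(site, "/") or ""
    return any(hmac.compare_digest(m.lower().encode("ascii"), expected)
               for m in META_RE.findall(html))


def verify_by_file(user: str, site: str, fetch: Fetcher) -> bool:
    """Second way: the special file must exist on the site with the expected content."""
    challenge = issue_challenge(user, site)
    body = fetch(site, challenge["file"])
    if body is None:
        return False
    return hmac.compare_digest(body.strip().encode("utf-8"), challenge["token"].encode("ascii"))


def verify_admin(user: str, site: str, fetch: Fetcher) -> bool:
    """Gate from S103: only a requester who passes one of the checks receives the detailed report."""
    return verify_by_code(user, site, fetch) or verify_by_file(user, site, fetch)


# Constructed web content standing in for real HTTP fetches (offline sample).
_ALICE = issue_challenge("alice", "portal.example.com")
_BOB = issue_challenge("bob", "intranet.example.com")
CONSTRUCTED_SITES: Dict[Tuple[str, str], str] = {
    ("portal.example.com", "/"): f"<html><head>{_ALICE['code']}</head><body>Portal</body></html>",
    ("intranet.example.com", "/"): "<html><body>No tag here</body></html>",
    ("intranet.example.com", _BOB["file"]): _BOB["token"] + "\n",
    # Alice's proof copied onto a different site: it is bound to portal.example.com
    # and therefore proves nothing about other.example.com.
    ("other.example.com", "/"): f"<html><head>{_ALICE['code']}</head></html>",
}


def constructed_fetch(site: str, path: str) -> Optional[str]:
    return CONSTRUCTED_SITES.get((site, path))


if __name__ == "__main__":
    print(verify_admin("alice", "portal.example.com", constructed_fetch))    # True  (code way)
    print(verify_admin("bob", "intranet.example.com", constructed_fetch))    # True  (file way)
    print(verify_admin("alice", "other.example.com", constructed_fetch))     # False (bound to another site)
    print(verify_admin("mallory", "portal.example.com", constructed_fetch))  # False (another user's proof)
```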
In summary, the embodiments of the present invention combine the web scanning function with the management control center of the enterprise-edition security product: the user's login information in the web scanning site is turned into a class account that is passed back to the management control center of the enterprise-edition security product, so that logging in to the management control center of the enterprise-edition security product is equivalent to logging in to the web scanning site, and the security verification result of a specified website can then be viewed directly. The process of security verification of a web page is thereby simplified.
Corresponding to the website security verification method provided by the embodiments of the present invention, the embodiments of the present invention further provide a website security verification system. Referring to FIG. 2, the system may include:
a login information determining unit 201, configured to determine the user's login information in a web scanning site;
a pass-back unit 202, configured to generate a class account from the login information in the web scanning site and pass the class account back to the management control center of the enterprise-edition security product; and
a single sign-on unit 203, configured, when the management control center of the enterprise-edition security product receives a request to perform security verification on a specified website, to log in to the web scanning site with the class account to obtain the corresponding security verification result.
In a specific implementation, the login information determining unit 201 may include:
a registration sub-unit, configured to receive the user's registration request through the web scanning site's registration entry and complete the registration in the web scanning site; and
a first determining sub-unit, configured to determine the user's login information in the web scanning site from the registration information.
Alternatively, in another implementation, the login information determining unit 201 may include:
a binding sub-unit, configured to receive the user's binding request through the web scanning site's binding entry and bind the existing account information carried in the binding request to the web scanning site; and
a second determining sub-unit, configured to determine the user's login information in the web scanning site from the binding result.
In practical applications, the system may further include:
an identity verification unit, configured to verify the user's viewing permission after the management control center of the enterprise-edition security product receives a request to perform security verification on a specified website; and
a triggering unit, configured to trigger, if the verification passes, the step of logging in to the web scanning site with the class account to obtain the corresponding security verification result.
The identity verification unit includes:
a first notification sub-unit, configured to notify the user to add a specified code to a specified page of the website to be verified; and
a first verification sub-unit, configured to pass the verification if the page element corresponding to the specified code appears on the specified page.
Alternatively, the identity verification unit may include:
a second notification sub-unit, configured to notify the user to download a special file from a specified website and upload the special file to the website to be queried; and
a second verification sub-unit, configured to pass the verification if the special file appears on the website to be verified.
In summary, in the above system provided by the embodiments of the present invention, the web scanning function is combined with the management control center of the enterprise-edition security product: the user's login information in the web scanning site is turned into a class account that is passed back to the management control center of the enterprise-edition security product, so that logging in to the management control center of the enterprise-edition security product is equivalent to logging in to the web scanning site, and the security verification result of a specified website can then be viewed directly. The process of security verification of a web page is thereby simplified.
The various component embodiments of the present invention may be implemented in hardware, as software modules running on one or more processors, or as a combination of these. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions. The invention may also be implemented as a device or apparatus program (for example, a computer program or computer program product) for carrying out part or all of the methods described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
... server, for example an application server. Such a server conventionally includes a processor 310 and a computer program product or computer-readable medium in the form of a memory 320. The memory 320 may be an electronic memory such as flash memory, EEPROM (electrically erasable programmable read-only memory), EPROM, a hard disk or ROM. The memory 320 has a storage space 330 for program code 331 for executing any of the steps of the above methods. For example, the storage space 330 for program code may include individual program codes 331 for implementing the various steps of the above methods respectively. This program code may be read from or written into one or more computer program products. Such computer program products include program code carriers such as hard disks, compact discs (CDs), memory cards or floppy disks. Such a computer program product is typically a portable or fixed storage unit as described with reference to FIG. 4. The storage unit may have storage segments, storage space and the like arranged similarly to the memory 320 in the server of FIG. 4. The program code may, for example, be compressed in an appropriate form. Typically, the storage unit includes computer-readable code 331', that is, code that can be read by a processor such as 310 and that, when run by the server, causes the server to perform the various steps of the methods described above.
Reference herein to "one embodiment", "an embodiment" or "one or more embodiments" means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Furthermore, note that instances of the phrase "in one embodiment" herein do not necessarily all refer to the same embodiment.
Numerous specific details are set forth in the description provided herein. It will be understood, however, that well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
It should be noted that the above embodiments illustrate rather than limit the present invention, and those skilled in the art can devise alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order; these words may be interpreted as names.
It should further be noted that the language used in this specification has been chosen primarily for readability and instructional purposes, not to delineate or circumscribe the subject matter of the present invention. Accordingly, many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the appended claims. With respect to the scope of the present invention, the disclosure made herein is illustrative and not restrictive, and the scope of the invention is defined by the appended claims.

Claims

1. A website security verification method, comprising: determining a user's login information in a web scanning site; generating a class account from the login information in the web scanning site, and passing the class account back to the management control center of the enterprise-edition security product; and, when the management control center of the enterprise-edition security product receives a request to perform security verification on a specified website, logging in to the web scanning site with the class account to obtain the corresponding security verification result.
2. The method according to claim 1, wherein determining the user's login information in the web scanning site comprises the steps of: receiving the user's registration request through the web scanning site's registration entry and completing the registration in the web scanning site; and determining the user's login information in the web scanning site from the registration information.
3. The method according to claim 1, wherein determining the user's login information in the web scanning site comprises the steps of: receiving the user's binding request through the web scanning site's binding entry and binding the existing account information carried in the binding request to the web scanning site; and determining the user's login information in the web scanning site from the binding result.
4. The method according to any one of claims 1 to 3, further comprising, after the management control center of the enterprise-edition security product receives the request to perform security verification on the specified website, the steps of: verifying the user's viewing permission; and if the verification passes, triggering the step of logging in to the web scanning site with the class account to obtain the corresponding security verification result.
5. The method according to claim 4, wherein verifying the user's viewing permission comprises the steps of: notifying the user to add a specified code to a specified page of the website to be verified; and if the page element corresponding to the specified code appears on the specified page, passing the verification.
6. The method according to claim 4, wherein verifying the user's viewing permission comprises the steps of: notifying the user to download a special file from a specified website and upload the special file to the website to be queried; and if the special file appears on the website to be verified, passing the verification.
7. A website security verification system, comprising: a login information determining unit, configured to determine a user's login information in a web scanning site; a pass-back unit, configured to generate a class account from the login information in the web scanning site and pass the class account back to the management control center of the enterprise-edition security product; and a single sign-on unit, configured, when the management control center of the enterprise-edition security product receives a request to perform security verification on a specified website, to log in to the web scanning site with the class account to obtain the corresponding security verification result.
8. The system according to claim 7, wherein the login information determining unit comprises: a registration sub-unit, configured to receive the user's registration request through the web scanning site's registration entry and complete the registration in the web scanning site; and a first determining sub-unit, configured to determine the user's login information in the web scanning site from the registration information.
9. The system according to claim 7, wherein the login information determining unit comprises: a binding sub-unit, configured to receive the user's binding request through the web scanning site's binding entry and bind the existing account information carried in the binding request to the web scanning site; and a second determining sub-unit, configured to determine the user's login information in the web scanning site from the binding result.
10. The system according to any one of claims 7 to 9, further comprising: an identity verification unit, configured to verify the user's viewing permission after the management control center of the enterprise-edition security product receives the request to perform security verification on the specified website; and a triggering unit, configured to trigger, if the verification passes, the step of logging in to the web scanning site with the class account to obtain the corresponding security verification result.
11. The system according to claim 10, wherein the identity verification unit comprises: a first notification sub-unit, configured to notify the user to add a specified code to a specified page of the website to be verified; and a first verification sub-unit, configured to pass the verification if the page element corresponding to the specified code appears on the specified page.
12. The system according to claim 10, wherein the identity verification unit comprises: a second notification sub-unit, configured to notify the user to download a special file from a specified website and upload the special file to the website to be queried; and a second verification sub-unit, configured to pass the verification if the special file appears on the website to be verified.
13. A computer program comprising computer-readable code which, when run on a server, causes the server to perform the website security verification method according to any one of claims 1 to 6.
14. A computer-readable medium storing the computer program according to claim 13.
PCT/CN2013/081632 2012-09-26 2013-08-16 Method and system for verifying website security WO2014048186A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201210364630.8A CN102957690B (en) 2012-09-26 2012-09-26 Website security verification method and system
CN201210364630.8 2012-09-26

Publications (1)

Publication Number Publication Date
WO2014048186A1 true WO2014048186A1 (en) 2014-04-03

Family

ID=47765916

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2013/081632 WO2014048186A1 (en) 2012-09-26 2013-08-16 Method and system for verifying website security

Country Status (2)

Country Link
CN (1) CN102957690B (en)
WO (1) WO2014048186A1 (en)

Also Published As

Publication number Publication date
CN102957690B (en) 2016-06-29
CN102957690A (en) 2013-03-06

Similar Documents

Publication Publication Date Title
JP6556943B2 (en) Single sign-on method for appliance secure shell
US10719455B2 (en) Storage device authentication
US8327434B2 (en) System and method for implementing a proxy authentication server to provide authentication for resources not located behind the proxy authentication server
JP6064636B2 (en) Information processing system, information processing apparatus, authentication method, and program
US9553732B2 (en) Certificate evaluation for certificate authority reputation advising
CN105871838B (en) A kind of log-in control method and customer center platform of third party's account
WO2014048186A1 (en) Method and system for verifying website security
CN105472052B (en) Cross-domain server login method and system
US10326758B2 (en) Service provision system, information processing system, information processing apparatus, and service provision method
US10362019B2 (en) Managing security credentials
KR20170094276A (en) Short-duration digital certificate issuance based on long-duration digital certificate validation
CN104901970B (en) A kind of Quick Response Code login method, server and system
JP6785808B2 (en) Policy forced delay
US10135810B2 (en) Selective authentication system
JP2005317022A (en) Account creation via mobile device
JP2017033339A (en) Service provision system, information processing device, program and service use information creation method
EP3069464A2 (en) Identity pool bridging for managed directory services
CN105743905B (en) A kind of method that realizing secure log, unit and system
Sharma et al. Identity and access management-a comprehensive study
CN107835160A (en) Third party's user authentication method based on Quick Response Code
US20220303269A1 (en) Information processing apparatus and computer readable medium
US20180115555A1 (en) Authenticating data transfer
JP2019016834A5 (en)
CN103647652B (en) A kind of method for realizing data transfer, device and server
CN112966253A (en) Third-party application integrated login method, login device and platform

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 13841803; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
Ref country code: DE
122 Ep: pct application non-entry in european phase
Ref document number: 13841803; Country of ref document: EP; Kind code of ref document: A1