CN110210231B - Security protection method, system, equipment and computer readable storage medium - Google Patents

Publication number
CN110210231B
Authority
CN
China
Prior art keywords
url
spliced
abnormal
white list
preset
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910482080.1A
Other languages
Chinese (zh)
Other versions
CN110210231A (en)
Inventor
位凯志
胡文广
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sangfor Technologies Co Ltd filed Critical Sangfor Technologies Co Ltd
Priority to CN201910482080.1A priority Critical patent/CN110210231B/en
Publication of CN110210231A publication Critical patent/CN110210231A/en
Application granted granted Critical
Publication of CN110210231B publication Critical patent/CN110210231B/en

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90Details of database functions independent of the retrieved data types
    • G06F16/95Retrieval from the web
    • G06F16/955Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
    • G06F16/9566URL specific, e.g. using aliases, detecting broken or misspelled links
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application discloses a security protection method, system, device and computer readable storage medium applied to a WAF. The method comprises: obtaining a downlink service URL; obtaining an abnormal URL in the service URL based on a preset rule; judging whether the abnormal URL belongs to a preset white list, where the preset white list comprises a preset safe URL type; if the abnormal URL does not belong to the preset white list, intercepting the abnormal URL; and if the abnormal URL belongs to the preset white list, releasing the abnormal URL. With this method, the WAF uses the preset white list to avoid judging a safe URL to be an abnormal URL, which reduces the false alarm rate of identifying and intercepting traversal attacks. The application also provides a security protection system, device and computer readable storage medium, which solve the corresponding technical problems.

Description

Security protection method, system, equipment and computer readable storage medium
Technical Field
The present disclosure relates to the field of information transmission technologies, and in particular, to a security protection method, system, device, and computer readable storage medium.
Background
The current way for a WAF (Web Application Firewall, a website application-level intrusion prevention system) to handle traversal attacks such as directory traversal and SQL (Structured Query Language) injection vulnerabilities is to identify and intercept them using low-order or high-order rules.
However, in the existing method, the URLs identified and intercepted by the low-order or high-order rules include URLs that are not traversal attacks. That is, the false alarm rate of the existing method is high, and once this part of the traffic is filtered out, the promotion of the customer's business in search engines is greatly affected.
In summary, how to reduce the false alarm rate of identifying and intercepting traversal attacks is a problem to be solved by those skilled in the art.
Disclosure of Invention
The purpose of the application is to provide a safety protection method, which can solve the technical problem of how to reduce the false alarm rate of identifying and intercepting traversal attacks to a certain extent. The application also provides a safety protection system, equipment and a computer readable storage medium.
In order to achieve the above object, the present application provides the following technical solutions:
a method of security protection for a WAF, comprising:
acquiring a downlink service URL;
based on a preset rule, acquiring an abnormal URL in the service URL;
judging whether the abnormal URL belongs to a preset white list or not, wherein the preset white list comprises a preset safety URL type;
if the abnormal URL does not belong to the preset white list, intercepting the abnormal URL; and if the abnormal URL belongs to the preset white list, releasing the abnormal URL.
Preferably, the determining whether the abnormal URL belongs to a preset whitelist includes:
judging whether the type of the abnormal URL is directory traversal or SQL injection vulnerability;
and if the type of the abnormal URL is directory traversal or SQL injection vulnerability, executing the step of judging whether the abnormal URL belongs to a preset white list.
Preferably, before determining whether the abnormal URL belongs to the preset whitelist, the method further includes:
performing tag analysis on the HTML in the HTTP response to obtain an analysis result;
filtering the obtained downlink URL according to the analysis result to obtain a filtered URL;
intercepting the request URL to obtain an intercepted URL;
splicing the intercepted URL and the filtered URL to obtain a spliced URL;
and judging whether the spliced URL contains target words, if so, adding the spliced URL into the preset white list, wherein the target words comprise words for judging the spliced URL as a safe spliced URL.
Preferably, the intercepting the request URL to obtain an intercepted URL includes:
when a question mark exists in the request URL, determining a first question mark in the request URL;
determining the position of the last slash before the first question mark as a recording position;
intercepting the content from the beginning of the request URL to the recording position as the intercepted URL.
Preferably, the intercepting the request URL to obtain an intercepted URL includes:
when no question mark exists in the request URL, determining the position of the last slash in the request URL as a recording position;
intercepting the content from the beginning of the request URL to the recording position as the intercepted URL.
Preferably, the determining whether the spliced URL includes a target word includes:
replacing each backslash in the spliced URL with a forward slash to obtain a first spliced URL;
judging whether the first spliced URL is provided with parameters or not;
if the first spliced URL has parameters, backtracking the content before the first question mark in the first spliced URL to obtain a second spliced URL, and judging whether the second spliced URL contains a target word or not;
if the first spliced URL does not have parameters, backtracking the whole content of the first spliced URL to obtain a third spliced URL, and judging whether the third spliced URL contains a target word or not;
the backtracking processing comprises deleting the first symbol together with its adjacent upper-level directory, replacing double slashes with single slashes, and deleting the second symbol; the first symbol comprises two dots and a slash; the second symbol comprises one dot and a slash.
Preferably, the target words comprise directory traversal keywords and SQL injection keywords;
the directory traversal keywords comprise a percent sign and a third symbol, wherein the third symbol comprises two dots;
the SQL injection keywords comprise from and select.
A security system for use with a WAF, comprising:
the first acquisition module is used for acquiring a downlink service URL;
the first analysis module is used for acquiring abnormal URLs in the service URLs based on preset rules;
the first judging module is used for judging whether the abnormal URL belongs to a preset white list or not, wherein the preset white list comprises a preset safety URL type;
the first execution module is used for intercepting the abnormal URL when the abnormal URL does not belong to the preset white list; and when the abnormal URL belongs to the preset white list, releasing the abnormal URL.
A safety shield apparatus, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the security method as described in any one of the above when executing the computer program.
A computer readable storage medium having stored therein a computer program which when executed by a processor implements the steps of the security method as claimed in any one of the preceding claims.
The security protection method provided by the application is applied to a WAF: a downlink service URL is acquired; an abnormal URL conforming to a preset rule is obtained from the service URL by analysis; whether the abnormal URL belongs to a preset white list is judged, where the preset white list comprises a preset safe URL type; if the abnormal URL does not belong to the preset white list, the abnormal URL is intercepted; and if it belongs to the preset white list, the abnormal URL is released. Because the preset rule comprises a rule for judging that a service URL is an abnormal URL, the URL obtained by analysis is the abnormal URL in the service URL. Because the preset white list comprises the preset safe URL type, a released abnormal URL is a safe URL, and an intercepted abnormal URL is an unsafe abnormal URL or possibly a misjudged safe URL. By means of the preset white list, the WAF avoids judging a safe URL to be an abnormal URL, which reduces the false alarm rate of identifying and intercepting traversal attacks. The application also provides a security protection system, device and computer readable storage medium, which solve the corresponding technical problems.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present application, and that other drawings may be obtained according to the provided drawings without inventive effort to a person skilled in the art.
FIG. 1 is a first flowchart of a method for protecting security according to an embodiment of the present application;
FIG. 2 is a schematic diagram of a preset white list configuration in an embodiment of the present application;
FIG. 3 is a schematic structural diagram of a safety protection system according to an embodiment of the present application;
FIG. 4 is a schematic structural diagram of a safety protection device according to an embodiment of the present application;
FIG. 5 is another schematic structural diagram of a safety protection device according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
Referring to fig. 1, fig. 1 is a first flowchart of a security protection method according to an embodiment of the present application.
The safety protection method provided by the embodiment of the application is applied to WAF, and can comprise the following steps:
Step S101: acquiring a downlink service URL (uniform resource locator).
In practical application, the WAF may first obtain a downlink service URL, where the downlink service URL refers to a service URL obtained after the WAF receives and responds to a web page request; correspondingly, the URL in the web page request is an uplink URL.
Step S102: acquiring an abnormal URL in the service URL based on a preset rule.
In practical application, after the service URL is obtained, the abnormal URL in the service URL may be obtained based on a preset rule. Because the preset rule comprises a rule for judging that a service URL is an abnormal URL, the abnormal URLs conforming to the preset rule can be obtained from the service URLs by analysis. In a specific application scenario, the preset rule may be a low-order rule or a high-order rule, for example a snort rule.
Step S103: judging whether the abnormal URL belongs to a preset white list, where the preset white list comprises a preset safe URL type; if the abnormal URL does not belong to the preset white list, executing step S104, and if the abnormal URL belongs to the preset white list, executing step S105.
In practical application, after the abnormal URL is obtained by analysis, the preset white list can be used to judge whether it is a safe URL. An abnormal URL conforming to the preset rule may be either an unsafe abnormal URL or a misjudged safe URL; because the preset white list comprises the preset safe URL type, an abnormal URL that matches the preset white list is a safe URL misjudged by the preset rule.
Step S104: the abnormal URL is intercepted.
Step S105: the abnormal URL is released.
The security protection method provided by the application is applied to a WAF: a downlink service URL is acquired; an abnormal URL in the service URL is acquired based on a preset rule; whether the abnormal URL belongs to a preset white list is judged, where the preset white list comprises a preset safe URL type; if the abnormal URL does not belong to the preset white list, the abnormal URL is intercepted; and if it belongs to the preset white list, the abnormal URL is released. Because the preset white list comprises the preset safe URL type, a released abnormal URL is a safe URL, and an intercepted abnormal URL is an unsafe abnormal URL or possibly a misjudged safe URL. By means of the preset white list, the WAF avoids judging a safe URL to be an abnormal URL, which reduces the false alarm rate of identifying and intercepting traversal attacks.
In practical application, traversal attacks are diverse. Executing the above steps for every type of traversal attack would take more judgment time without improving accuracy. To keep the judgment time as short as possible while maintaining accuracy, the above processing may be performed only for the directory traversal type and the SQL injection vulnerability type, which have higher misjudgment rates. The process of judging whether the abnormal URL belongs to the preset white list may then specifically be: judging whether the type of the abnormal URL is directory traversal or SQL injection vulnerability; and if so, executing the step of judging whether the abnormal URL belongs to the preset white list.
Referring to fig. 2, fig. 2 is a schematic diagram illustrating a configuration of a preset whitelist in an embodiment of the present application.
In practical application, the preset white list can be constructed in various ways. In this application, in order to construct the white list quickly and ensure its accuracy, the preset white list may be constructed according to the following steps before judging whether the abnormal URL belongs to it:
Step S201: performing tag analysis on the HTML (hypertext markup language) in the HTTP (Hyper Text Transfer Protocol) response to obtain an analysis result.
In practical application, tag analysis may first be performed on the HTML in the HTTP response; for a description of the analysis result obtained, refer to Table 1.
Table 1: HTML tag analysis results [table image]
Step S202: filtering the obtained downlink URL according to the analysis result to obtain a filtered URL.
In practical application, the obtained downlink URLs that contain relative-directory URLs can be filtered according to the analysis result to obtain the filtered URLs. For example, the downlink URLs can be filtered according to the domain name information in the analysis result to obtain filtered URLs that meet the requirements of the corresponding domain name; the downlink URLs are URLs belonging to the HTTP response. Of course, other filtering methods are possible, and the application is not specifically limited here.
Step S203: intercepting the request URL to obtain an intercepted URL.
In practical application, the request URL refers to a URL with a request function received by the WAF. The way the request URL is intercepted (that is, truncated to a prefix) may be determined according to the specific application scenario. It should be noted that the request URL referred to in the present application may be a URL input to the WAF by a user, and the downlink URL refers to a URL obtained by the WAF after performing processing, such as a corresponding search, on the received request URL. In addition, the relation between the downlink URL and the service URL can be flexibly determined according to actual needs; for example, the downlink URL can be completely consistent with the service URL, or the downlink URL can contain the service URL together with other URLs.
In a specific application scenario, when a question mark exists in the request URL, the first question mark in the request URL is determined, and the position of the last slash before the first question mark is determined as the recording position; the content from the beginning of the request URL to the recording position is taken as the intercepted URL. Assuming that the request URL is /product/price/index.
In a specific application scenario, when no question mark exists in the request URL, the position of the last slash in the request URL can be determined as the recording position; the content from the beginning of the request URL to the recording position is taken as the intercepted URL. Assuming that the request URL is /product/price/it-yun.html, the intercepted URL is /product/price/.
Step S204: splicing the intercepted URL and the filtered URL to obtain the spliced URL.
In practical application, after the filtered URL and the intercepted URL are obtained, the intercepted URL and the filtered URL can be spliced to obtain the spliced URL. In a specific application scenario, they should be spliced with the intercepted URL in front and the filtered URL behind.
Step S205: judging whether the spliced URL contains a target word, and if so, executing step S206.
Step S206: adding the spliced URL into the preset white list, wherein the target words comprise words for judging the spliced URL as a safe spliced URL.
In practical application, the target words comprise words by which the spliced URL is judged to be a safe spliced URL, where a safe spliced URL is a spliced URL whose type is safe; that is, if the spliced URL contains a target word, the spliced URL is judged to be a safe spliced URL.
In a specific application scenario, the process of judging whether the spliced URL contains a target word may specifically be: replacing each backslash in the spliced URL with a forward slash to obtain a first spliced URL; judging whether the first spliced URL has parameters; if the first spliced URL has parameters, performing backtracking processing on the content before the first question mark in the first spliced URL to obtain a second spliced URL, and judging whether the second spliced URL contains a target word; if the first spliced URL has no parameters, performing backtracking processing on the whole content of the first spliced URL to obtain a third spliced URL, and judging whether the third spliced URL contains a target word. The backtracking processing comprises deleting the first symbol together with its adjacent upper-level directory, replacing double slashes with single slashes, and deleting the second symbol; the first symbol comprises two dots and a slash; the second symbol comprises one dot and a slash. Taking the first spliced URL with parameters as /a/b/index.htmlvid=/var/ac/cja.js, the corresponding second spliced URL is /a/index.htmlvid=/var/ac/cja.js; taking the first spliced URL without parameters as /product/price/nice/ab/ac/ad/index.html, the corresponding third spliced URL is: product/price/nice/ac/index.
In practical application, the target words may include directory traversal keywords and SQL injection keywords; the directory traversal keywords may include a percent sign and a third symbol, the third symbol comprising two dots; the SQL injection keywords may include from and select.
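The white list construction of steps S203 to S206, with the backtracking and target-word check described above and the S103 to S105 decision, as an added Python example that is not code from the patent. Steps S201 and S202 are taken as done (the filtered URLs are a constructed input); the function names, the handling of a ".." with no directory left to remove, the case-insensitive keyword match and the stored white list form are assumptions.

```python
"""White list construction (steps S203-S206) and the S103-S105 decision.

Added illustration; function names and sample URLs are constructed.
"""

# Target words listed in the description: '%' and '..' for directory
# traversal, 'from' and 'select' for SQL injection.
TARGET_WORDS = ("%", "..", "from", "select")


def truncate_request_url(request_url):
    """S203: keep the request URL up to and including the last slash that
    precedes the first question mark (or the last slash if there is none)."""
    q = request_url.find("?")
    head = request_url if q == -1 else request_url[:q]
    return head[: head.rfind("/") + 1]  # no slash at all -> "" (assumption)


def backtrack(path):
    """Backtracking: drop 'dir/../' pairs, collapse '//' and drop './'."""
    stack = []
    for segment in path.split("/"):
        if segment in ("", "."):          # '//' and './' contribute nothing
            continue
        if segment == ".." and stack and stack[-1] != "..":
            stack.pop()                   # remove the adjacent upper directory
        else:
            # Assumption: a '..' with no directory left to remove is kept,
            # so it is still visible to the target-word check.
            stack.append(segment)
    result = "/".join(stack)
    if path.startswith("/"):
        result = "/" + result
    if path.endswith("/") and stack:
        result += "/"
    return result


def normalise_spliced(spliced_url):
    """Return the second (with parameters) or third (without) spliced URL."""
    first = spliced_url.replace("\\", "/")        # first spliced URL
    q = first.find("?")
    if q == -1:
        return backtrack(first)                   # third spliced URL
    return backtrack(first[:q]) + first[q:]       # second spliced URL


def contains_target_word(url):
    lowered = url.lower()  # assumption: keywords are matched case-insensitively
    return any(word in lowered for word in TARGET_WORDS)


def build_white_list(request_url, filtered_urls):
    """S203-S206 for one request/response pair."""
    prefix = truncate_request_url(request_url)
    white_list = set()
    for filtered in filtered_urls:
        candidate = normalise_spliced(prefix + filtered)   # S204 + backtracking
        if contains_target_word(candidate):                # S205
            # Assumption: the backtracked form is what gets stored.
            white_list.add(candidate)                      # S206
    return white_list


def decide(abnormal_url, white_list):
    """S103-S105: release an abnormal URL only if it is on the white list."""
    if normalise_spliced(abnormal_url) in white_list:
        return "release"
    return "intercept"


# Constructed sample: one request and the relative URLs found in its response.
REQUEST_URL = "/shop/list/index.html?page=2"
FILTERED_URLS = [
    "../detail/item.html?sort=select_all",
    "img\\logo.png",
    "./promo/50%25off.html",
]

if __name__ == "__main__":
    wl = build_white_list(REQUEST_URL, FILTERED_URLS)
    for url in sorted(wl):
        print("white-listed:", url)
    for url in ("/shop/detail/item.html?sort=select_all",
                "/shop/list/../../../conf/app.ini"):
        print(decide(url, wl), url)
```

The site's own link that still carries "select" after backtracking is released, while a path that climbs above the site root keeps its ".." and is intercepted because it never appeared in a response.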
The application also provides a safety protection system, which has the corresponding effect of the safety protection method provided by the embodiment of the application. Referring to fig. 3, fig. 3 is a schematic structural diagram of a safety protection system according to an embodiment of the present application.
The embodiment of the application provides a safety protection system, which is applied to a WAF and can include:
a first obtaining module 101, configured to obtain a downlink service URL;
a first analysis module 102, configured to obtain an abnormal URL in the service URL based on a preset rule;
a first judging module 103, configured to judge whether the abnormal URL belongs to a preset whitelist, where the preset whitelist includes a preset security URL type;
the first execution module 104 is configured to intercept the abnormal URL when the abnormal URL does not belong to the preset whitelist; and when the abnormal URL belongs to a preset white list, releasing the abnormal URL.
The embodiment of the application provides a safety protection system, which is applied to WAF, and the first judging module may include:
the first judging unit is used for judging whether the type of the abnormal URL is directory traversal or SQL injection vulnerability; if the type of the abnormal URL is directory traversal or SQL injection vulnerability, prompting the first judging module to execute the step of judging whether the abnormal URL belongs to a preset white list.
The embodiment of the application provides a safety protection system, which is applied to a WAF and can further include:
the first analysis module is used for carrying out label analysis on the HTML in the HTTP response before the first judgment module judges whether the abnormal URL belongs to the preset white list, so as to obtain an analysis result;
the first filtering module is used for filtering the obtained downlink URL according to the analysis result to obtain a filtered URL;
the first intercepting module is used for intercepting the request URL to obtain an intercepted URL;
the first splicing module is used for splicing the intercepted URL and the filtered URL to obtain a spliced URL;
and the second judging module is used for judging whether the spliced URL contains target words, if so, the spliced URL is added to a preset white list, and the target words comprise words for judging the spliced URL as safe spliced URLs.
The embodiment of the application provides a security protection system, which is applied to WAF, and the first intercepting module may include:
a first determining unit, configured to determine, when a question mark exists in the request URL, a first question mark in the request URL;
a second determining unit configured to determine a position of a last slash before the first question mark as a recording position;
and the first interception unit is used for intercepting the content from the beginning to the recording position in the request URL as an interception URL.
The embodiment of the application provides a security protection system, which is applied to WAF, and the first intercepting module may include:
a third determining unit configured to determine, when there is no question mark in the request URL, a position of a last slash in the request URL as a recording position;
and the second interception unit is used for intercepting the content from the beginning to the recording position in the request URL as an intercepted URL.
The embodiment of the application provides a safety protection system, which is applied to WAF, and the second judging module may include:
the first replacing unit is used for replacing each backslash in the spliced URL with a forward slash to obtain a first spliced URL;
the second judging unit is used for judging whether the first spliced URL is provided with parameters or not;
the first execution unit is used for carrying out backtracking processing on the content before the first question mark in the first spliced URL when the first spliced URL has parameters to obtain a second spliced URL, and judging whether the second spliced URL contains a target word or not;
the second execution unit is used for carrying out backtracking processing on the whole content of the first spliced URL when the first spliced URL does not have parameters, obtaining a third spliced URL, and judging whether the third spliced URL contains target words or not;
the backtracking processing comprises deleting the first symbol together with its adjacent upper-level directory, replacing double slashes with single slashes, and deleting the second symbol; the first symbol comprises two dots and a slash; the second symbol comprises one dot and a slash.
The safety protection system is applied to a WAF, and the target words comprise directory traversal keywords and SQL injection keywords; the directory traversal keywords comprise a percent sign and a third symbol, wherein the third symbol comprises two dots; the SQL injection keywords include from and select.
The application also provides safety protection equipment and a computer readable storage medium, which have the corresponding effects of the safety protection method provided by the embodiment of the application. Referring to fig. 4, fig. 4 is a schematic structural diagram of a safety protection device according to an embodiment of the present application.
The safety protection device provided in the embodiment of the present application includes a memory 201 and a processor 202, where a computer program is stored in the memory, and when the processor executes the computer program stored in the memory, the following steps are implemented:
acquiring a downlink service URL;
acquiring an abnormal URL in the service URL based on a preset rule;
judging whether the abnormal URL belongs to a preset white list or not, wherein the preset white list comprises a preset safety URL type;
if the abnormal URL does not belong to the preset white list, intercepting the abnormal URL; and if the abnormal URL belongs to the preset white list, releasing the abnormal URL.
The embodiment of the application provides safety protection equipment, which comprises a memory and a processor, wherein a computer subprogram is stored in the memory, and the processor specifically realizes the following steps when executing the computer subprogram stored in the memory: judging whether the type of the abnormal URL is directory traversal or SQL injection vulnerability; if the type of the abnormal URL is directory traversal or SQL injection vulnerability, executing the step of judging whether the abnormal URL belongs to a preset white list.
The embodiment of the application provides safety protection equipment, which comprises a memory and a processor, wherein a computer subprogram is stored in the memory, and the processor specifically realizes the following steps when executing the computer subprogram stored in the memory: before judging whether the abnormal URL belongs to a preset white list, carrying out label analysis on the HTML in the HTTP response to obtain an analysis result; filtering the obtained downlink URL according to the analysis result to obtain a filtered URL; intercepting the request URL to obtain an intercepted URL; splicing the intercepted URL and the filtered URL to obtain a spliced URL; and judging whether the spliced URL contains target words, if so, adding the spliced URL into a preset white list, wherein the target words comprise words for judging the spliced URL as a safe spliced URL.
The embodiment of the application provides safety protection equipment, which comprises a memory and a processor, wherein a computer subprogram is stored in the memory, and the processor specifically realizes the following steps when executing the computer subprogram stored in the memory: when a question mark exists in the request URL, determining a first question mark in the request URL; determining the position of the last slash before the first question mark as a recording position; the content from the beginning to the recording position in the interception request URL is the interception URL.
The embodiment of the application provides safety protection equipment, which comprises a memory and a processor, wherein a computer subprogram is stored in the memory, and the processor specifically realizes the following steps when executing the computer subprogram stored in the memory: when no question mark exists in the request URL, determining the position of the last slash in the request URL as a recording position; the content from the beginning to the recording position in the interception request URL is the interception URL.
The embodiment of the application provides safety protection equipment, which comprises a memory and a processor, wherein a computer subprogram is stored in the memory, and the processor specifically realizes the following steps when executing the computer subprogram stored in the memory: replacing the reverse slash in the spliced URL with the forward slash to obtain a first spliced URL; judging whether the first spliced URL is provided with parameters or not; if the first spliced URL has parameters, backtracking the content before the first question mark in the first spliced URL to obtain a second spliced URL, and judging whether the second spliced URL contains a target word or not; if the first spliced URL does not have parameters, backtracking the whole content of the first spliced URL to obtain a third spliced URL, and judging whether the third spliced URL contains target words or not; the backtracking processing comprises deleting the adjacent upper-level catalogue and the first symbol, replacing the double-slash with the single-slash and deleting the second symbol; the first symbol comprises two dot symbols and a slash; the second symbol includes a dot symbol and a slash.
In the safety protection device provided by the embodiment of the application, the target word comprises a target traversal keyword and an SQL injection keyword; the target traversal keyword comprises a percentage symbol and a third symbol, wherein the third symbol comprises two point symbols; SQL injection keywords include from, select.
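The white-list learning steps described in the embodiments above (tag analysis, filtering, intercepting the request URL, splicing, backtracking and the target-word check), as an added Python sketch that is not code from the patent or from any product. All function names are hypothetical, and the sketch assumes that request URLs are path-only, that the slash at the recording position is kept, that filtering keeps relative links only, and that the query string is re-attached unchanged after backtracking.

```python
import re
from html.parser import HTMLParser

TARGET_WORDS = ("%", "..", "from", "select")  # keywords named in the text

def intercept_request_url(request_url):
    """Return the request URL from its start up to the recording position."""
    q = request_url.find("?")
    head = request_url if q == -1 else request_url[:q]
    # Recording position: last slash before the first '?', or last slash.
    return request_url[:head.rfind("/") + 1]  # assumption: slash is kept

def backtrack(path):
    """Collapse '//', drop './' and cancel 'dir/../' pairs until stable."""
    prev = None
    while prev != path:
        prev = path
        path = path.replace("//", "/")
        path = re.sub(r"(?<![^/])\./", "", path)  # './' at a segment start
        # one 'dir/../' pair per pass; a leading '../' has no parent to delete
        path = re.sub(r"(?<![^/])(?!\.\./)[^/]+/\.\./", "", path, count=1)
    return path

def normalise(spliced):
    first = spliced.replace("\\", "/")        # first spliced URL
    path, sep, query = first.partition("?")   # split at the first '?'
    # assumption: the query string is re-attached unchanged
    return backtrack(path) + sep + query      # second / third spliced URL

def contains_target_word(spliced):
    lowered = normalise(spliced).lower()
    return any(word in lowered for word in TARGET_WORDS)

class LinkCollector(HTMLParser):
    """Tag analysis: collect URL-bearing attributes from the response HTML."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        self.links += [v for k, v in attrs if k in ("href", "src", "action") and v]

def learn_whitelist(request_url, html):
    collector = LinkCollector()
    collector.feed(html)
    base = intercept_request_url(request_url)
    whitelist = set()
    for link in collector.links:
        # assumption: filtering keeps relative links only
        if re.match(r"[A-Za-z][A-Za-z0-9+.-]*:|/|#", link):
            continue
        spliced = base + link
        if contains_target_word(spliced):
            whitelist.add(spliced)
    return whitelist

# Constructed sample response body for a request to /shop/item/view.php?id=3
SAMPLE_HTML = """<html><body>
<a href="report.php?sql=select%20id%20from%20orders">report</a>
<a href="..\\..\\..\\static\\help.html">help</a>
<a href="../docs/manual.pdf">manual</a>
<img src="https://cdn.example/logo.png">
</body></html>"""
```

In the sample, the `../docs/manual.pdf` link is not white-listed because its `..` is fully resolved by backtracking, while the backslash link still climbs above the root after backtracking and therefore keeps a `..` target word.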
Referring to Fig. 5, another security protection device provided in an embodiment of the present application may further include: an input port 203 connected to the processor 202, for transmitting externally input commands to the processor 202; a display unit 204 connected to the processor 202, for displaying the processing results of the processor 202; and a communication module 205 connected to the processor 202, for communication between the security protection device and the outside. The display unit 204 may be a display panel, a laser scanning display, or the like; the communication means employed by the communication module 205 include, but are not limited to, Mobile High-Definition Link (MHL), Universal Serial Bus (USB), High-Definition Multimedia Interface (HDMI), and wireless connections: wireless fidelity (WiFi), Bluetooth communication, Bluetooth Low Energy communication, and IEEE 802.11s-based communication.
An embodiment of the application provides a computer readable storage medium in which a computer program is stored; when the computer program is executed by a processor, the steps of the security protection method described in any of the above embodiments are implemented.
The computer readable storage medium referred to in this application includes Random Access Memory (RAM), memory, Read-Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
For the description of the relevant parts of the security protection system, the device and the computer readable storage medium provided in the embodiments of the present application, refer to the detailed description of the corresponding parts of the security protection method provided in the embodiments of the present application; it is not repeated here. In addition, those parts of the above technical solutions whose implementation principles are consistent with the corresponding technical solutions in the prior art are not described in detail, to avoid redundant description.
It is further noted that relational terms such as first and second are used solely to distinguish one entity or action from another entity or action, without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (8)

1. A method of security protection applied to a WAF, comprising:
acquiring a downlink service URL;
based on a preset rule, acquiring an abnormal URL in the service URL;
judging whether the abnormal URL belongs to a preset white list, wherein the preset white list comprises preset safe URL types;
if the abnormal URL does not belong to the preset white list, intercepting the abnormal URL; if the abnormal URL belongs to the preset white list, releasing the abnormal URL;
before judging whether the abnormal URL belongs to the preset white list, the method further comprises: performing tag analysis on the HTML in the HTTP response to obtain an analysis result; filtering the obtained downlink URL according to the analysis result to obtain a filtered URL; intercepting the request URL to obtain an intercepted URL; splicing the intercepted URL and the filtered URL to obtain a spliced URL; judging whether the spliced URL contains a target word and, if so, adding the spliced URL to the preset white list, wherein the target words comprise words for judging the spliced URL to be a safe spliced URL;
wherein the judging whether the spliced URL contains a target word comprises: replacing each backslash in the spliced URL with a forward slash to obtain a first spliced URL; judging whether the first spliced URL has parameters; if the first spliced URL has parameters, performing backtracking processing on the content before the first question mark in the first spliced URL to obtain a second spliced URL, and judging whether the second spliced URL contains a target word; if the first spliced URL has no parameters, performing backtracking processing on the whole content of the first spliced URL to obtain a third spliced URL, and judging whether the third spliced URL contains a target word; the backtracking processing comprises deleting the adjacent upper-level directory together with the first symbol, replacing double slashes with a single slash, and deleting the second symbol; the first symbol comprises two dot symbols and a slash; the second symbol comprises a dot symbol and a slash.
2. The method of claim 1, wherein the determining whether the abnormal URL belongs to a preset whitelist comprises:
judging whether the type of the abnormal URL is a directory traversal or SQL injection vulnerability;
and if the type of the abnormal URL is a directory traversal or SQL injection vulnerability, executing the step of judging whether the abnormal URL belongs to the preset white list.
3. The method of claim 1, wherein intercepting the request URL to obtain an intercepted URL comprises:
when a question mark exists in the request URL, determining a first question mark in the request URL;
determining the position of the last slash before the first question mark as a recording position;
taking the content of the request URL from its beginning up to the recording position as the intercepted URL.
4. The method of claim 1, wherein intercepting the request URL to obtain an intercepted URL comprises:
when no question mark exists in the request URL, determining the position of the last slash in the request URL as a recording position;
taking the content of the request URL from its beginning up to the recording position as the intercepted URL.
5. The method of claim 1, wherein the target words comprise directory traversal keywords and SQL injection keywords;
the directory traversal keywords comprise the percent sign and a third symbol, wherein the third symbol comprises two dot symbols;
the SQL injection keywords comprise from and select.
6. A security system for use with a WAF, comprising:
the first acquisition module is used for acquiring a downlink service URL;
the first analysis module is used for acquiring abnormal URLs in the service URLs based on preset rules;
the first judging module is used for judging whether the abnormal URL belongs to a preset white list, wherein the preset white list comprises preset safe URL types;
the first execution module is used for intercepting the abnormal URL when the abnormal URL does not belong to the preset white list; when the abnormal URL belongs to the preset white list, releasing the abnormal URL;
wherein the system further comprises:
the first analysis module is used for performing tag analysis on the HTML in the HTTP response, before the first judging module judges whether the abnormal URL belongs to the preset white list, to obtain an analysis result;
the first filtering module is used for filtering the obtained downlink URL according to the analysis result to obtain a filtered URL;
the first intercepting module is used for intercepting the request URL to obtain an intercepted URL;
the first splicing module is used for splicing the intercepted URL and the filtered URL to obtain a spliced URL;
the second judging module is used for judging whether the spliced URL contains a target word, if so, the spliced URL is added into the preset white list, and the target word comprises a word for judging the spliced URL as a safe spliced URL;
wherein, the second judging module includes:
the first replacing unit is used for replacing each backslash in the spliced URL with a forward slash to obtain a first spliced URL;
the second judging unit is used for judging whether the first spliced URL has parameters;
the first execution unit is used for performing backtracking processing on the content before the first question mark in the first spliced URL when the first spliced URL has parameters, to obtain a second spliced URL, and judging whether the second spliced URL contains a target word;
the second execution unit is used for performing backtracking processing on the whole content of the first spliced URL when the first spliced URL has no parameters, to obtain a third spliced URL, and judging whether the third spliced URL contains a target word; the backtracking processing comprises deleting the adjacent upper-level directory together with the first symbol, replacing double slashes with a single slash, and deleting the second symbol; the first symbol comprises two dot symbols and a slash; the second symbol comprises a dot symbol and a slash.
7. A security protection device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the security protection method according to any one of claims 1 to 5 when executing said computer program.
8. A computer readable storage medium, characterized in that the computer readable storage medium has stored therein a computer program which, when executed by a processor, implements the steps of the security protection method according to any one of claims 1 to 5.
CN201910482080.1A 2019-06-04 2019-06-04 Security protection method, system, equipment and computer readable storage medium Active CN110210231B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910482080.1A CN110210231B (en) 2019-06-04 2019-06-04 Security protection method, system, equipment and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910482080.1A CN110210231B (en) 2019-06-04 2019-06-04 Security protection method, system, equipment and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN110210231A CN110210231A (en) 2019-09-06
CN110210231B true CN110210231B (en) 2023-07-14

Family

ID=67790682

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910482080.1A Active CN110210231B (en) 2019-06-04 2019-06-04 Security protection method, system, equipment and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN110210231B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information

Inventor after: Wei Kaizhi

Inventor after: Hu Wenguang

Inventor before: Wei Kaizhi

GR01 Patent grant