Technical field
The present invention relates to the technical field of computer network security, and in particular to a website-structure mimicry method for protecting the security of web applications.
Background art
With the emergence of a series of new Internet products such as Web 2.0, social networks and microblogs (Weibo), Internet applications based on the Web environment have become ever more widespread, and in the course of enterprise informatization all kinds of applications are deployed on Web platforms. The rapid growth of Web business has also drawn strong attention from hackers, and Web security threats have become prominent in its wake: hackers exploit vulnerabilities in the website's operating system and SQL injection vulnerabilities in the Web service program to gain control of the Web server, at the least tampering with page content, at worst stealing important internal data, and more seriously still planting malicious code in web pages so that visitors to the site are harmed. The common means of protecting web application security today are firewalls, IDS, pattern recognition, URL filtering and similar technologies, but all of these are passive: protective measures against a given kind of intrusion are taken only after that kind of intrusion has occurred, so a new attack method is often hard to defend against.
Summary of the invention
The object of the present invention is to address the shortcomings of existing network security technology by proposing a website-structure mimicry method for protecting web application security; the method turns passive defense into active defense and is simple to implement.
The object of the present invention is achieved by the following technical solution: a website-structure mimicry method for protecting web application security, characterized in that it comprises the following steps:
Step 1: when a client initiates an access request to the website on the back-end server, a URL is inserted into the page that the back-end server returns to the client; this URL is invisible in the browser;
Step 2: analyze the request the client sends to the back-end server; this step comprises the following sub-steps:
(2.1) take the IP address of the client that initiated the request and determine whether that IP address is marked;
(2.2) if the IP address is marked, go to step (2.4);
(2.3) determine whether the requested URL is the URL we inserted into the page: if not, forward the request to the back-end server; otherwise, go to step (2.4);
(2.4) mark the IP and update the time at which this IP accessed the back-end web application; forward the request to a virtual web application;
Step 3: the virtual web application processes the request and constructs a blog post to return to the client; this step comprises the following sub-steps:
(3.1) after receiving the request, the virtual web application first retrieves a list of URLs from the database that stores URLs;
(3.2) for each URL in the URL list, randomly excerpt a passage of text from a text file and construct a hyperlink: <a href="URL">excerpted passage of text</a>;
(3.3) generate an HTML page, insert all hyperlinks constructed in step 3.2 into that page so as to form a blog post, and return the constructed blog post to the client;
Step 4: if no further access request from that IP is received within the set time, the mark on that IP is removed.
The beneficial effects of the present invention are as follows: the present invention proposes a method for proactively protecting the security of web applications. Because the method actively hides the real structure of the back-end web application, a hacker who crawls the website structure with a crawler tool obtains a fabricated, untrue website structure. The information of the web application is thereby effectively protected, passive defense is turned into active defense, and new types of attack can be defended against.
Description of the drawings
Fig. 1 is a schematic diagram of the network architecture;
Fig. 2 is a flow chart of the website-structure mimicry defense method.
Detailed description of the embodiments
The present invention is described in detail below with reference to the accompanying drawings; its object and effects will become more apparent from this description.
The website-structure mimicry method for protecting web application security of the present invention comprises the following steps:
Step 1: insert into every page a URL that is invisible in the browser.
Step 2: analyze the request the client sends to the back-end server.
(2.1) Take the IP address of the client that initiated the request and determine whether that IP address is marked.
(2.2) If the IP address is marked, go to step (2.4).
(2.3) Determine whether the requested URL is the URL we inserted into the page. If not, forward the request to the real web server in the back end. Otherwise, go to step (2.4).
(2.4) Mark the IP and update the time at which this IP accessed the back-end web application. Forward the request to the companion virtual web application that is deployed alongside ours.
Step 3: the virtual web application processes the request and constructs a page to return.
(3.1) After receiving the request, and in order to make the returned page look normal, the virtual web application first retrieves a list of URLs from the database that stores URLs.
(3.2) For each URL in the URL list, randomly excerpt a short passage of text from a text file holding the novel "Jane Eyre", and construct a hyperlink similar to the following:
<a href="URL">excerpted short passage of text</a>.
(3.3) Generate an HTML page and insert all previously constructed hyperlinks into it to form an article resembling a blog post; return the constructed blog post to the client.
Step 4: if no access request from that IP has been received within two hours, remove the mark on that IP.
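One way to implement the four steps above (the summary and the detailed embodiment describe the same procedure) as a single gateway component, added here as illustrative Python and not the patent's own code. The trap URL, the URL list, the excerpt standing in for the novel's text file, and the class and function names are all assumptions; the two-hour expiry is the value the embodiment gives.

```python
# Added example: a minimal gateway implementing steps 1-4 of the mimicry method.
# Illustrative code, not the patent's implementation.  TRAP_URL, DECOY_URLS and
# NOVEL_TEXT are constructed placeholders.
import html
import random
import re
import time

TRAP_URL = "/assets/.m-9c1e"          # assumed: the invisible URL injected into every page
MARK_TTL_SECONDS = 2 * 60 * 60        # step 4: unmark an IP after two hours without requests

# Step 3.1: constructed stand-in for the database of URLs used to build decoy pages
DECOY_URLS = ["/posts/2015/06/24/notes", "/about", "/archive?page=3", "/tags/travel"]
# Step 3.2: constructed excerpt standing in for the text file holding the novel
NOVEL_TEXT = ("There was no possibility of taking a walk that day. We had been "
              "wandering, indeed, in the leafless shrubbery an hour in the morning; "
              "but since dinner the cold winter wind had brought with it clouds so "
              "sombre, and a rain so penetrating, that further out-door exercise "
              "was now out of the question.")


class MimicryGateway:
    """Sits in front of the real web application and decides, per request,
    whether to forward it to the backend or to the virtual (decoy) application."""

    def __init__(self, trap_url=TRAP_URL, ttl=MARK_TTL_SECONDS, rng=None):
        self.trap_url = trap_url
        self.ttl = ttl
        self.marked = {}               # client IP -> time of its last request while marked
        self.rng = rng or random.Random()

    # Step 1: add the trap link to a page coming back from the backend.  It is hidden
    # with CSS, so a browser never renders it and a person never clicks it, while a
    # crawler that follows every <a href> will request it.
    def insert_trap(self, page_html):
        tag = '<a href="%s" style="display:none"></a>' % html.escape(self.trap_url, quote=True)
        if "</body>" in page_html:
            return page_html.replace("</body>", tag + "</body>", 1)
        return page_html + tag

    # Step 4: forget marks whose last request is older than the TTL.
    def expire_marks(self, now):
        for ip, last_seen in list(self.marked.items()):
            if now - last_seen > self.ttl:
                del self.marked[ip]

    # Step 2: route one request.  Returns "backend" or "virtual".
    def route(self, client_ip, path, now=None):
        now = time.time() if now is None else now
        self.expire_marks(now)
        if client_ip in self.marked:           # (2.1)/(2.2): already marked
            self.marked[client_ip] = now       # (2.4): refresh the access time
            return "virtual"
        if path != self.trap_url:              # (2.3): ordinary request
            return "backend"
        self.marked[client_ip] = now           # (2.4): trap touched, mark the IP
        return "virtual"

    # Step 3: build the decoy "blog post": one link per URL from the URL list, each
    # labelled with a random run of words taken from the novel text.
    def decoy_page(self, urls=DECOY_URLS, text=NOVEL_TEXT):
        words = text.split()
        paragraphs = []
        for url in urls:
            n = self.rng.randint(3, 8)                          # (3.2): excerpt length
            start = self.rng.randrange(0, max(1, len(words) - n))
            snippet = " ".join(words[start:start + n])
            paragraphs.append('<p><a href="%s">%s</a></p>'
                              % (html.escape(url, quote=True), html.escape(snippet)))
        return ("<html><body><article>\n%s\n</article></body></html>"
                % "\n".join(paragraphs))                        # (3.3)


def decoy_links(page_html):
    """Inspection helper: return the (href, label) pairs found in a decoy page."""
    return [(html.unescape(h), html.unescape(t))
            for h, t in re.findall(r'<a href="([^"]*)">([^<]*)</a>', page_html)]


if __name__ == "__main__":
    gw = MimicryGateway(rng=random.Random(7))
    print(gw.route("203.0.113.9", "/index.html", now=0.0))   # backend
    print(gw.route("203.0.113.9", TRAP_URL, now=1.0))        # virtual: trap touched
    print(gw.route("203.0.113.9", "/index.html", now=2.0))   # virtual: still marked
    print(gw.route("203.0.113.9", "/index.html", now=2.0 + MARK_TTL_SECONDS + 1))  # backend
    print(gw.decoy_page())
```

Two properties of the procedure are visible in the code. Because step (2.4) refreshes the access time on every request from a marked client, the two-hour window of step 4 runs from the client's last request, not its first, so a crawler that keeps following the decoy links stays in the virtual application for as long as it keeps crawling. And because the mark is keyed on the client IP alone, every client behind a shared address (a NAT gateway or a forward proxy) is redirected together once any one of them has touched the trap URL; a deployment would want to weigh that against the two-hour value.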
The present invention applies a transformation to the website's tree-structured resource layout and thereby hides the real website structure. When a hacker tries to find an easily attacked attack surface by analyzing the website structure, what he finds is a false attack surface, which greatly hinders the hacker's intrusion into the website. In this way, even if our back-end web application contains certain vulnerabilities, hackers can be prevented from discovering them, which greatly protects the security of our web application.
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510355582.XA (granted as CN104951711B) | 2015-06-24 | 2015-06-24 | A website structure mimicry method for protecting web application security |
| Publication Number | Publication Date |
|---|---|
| CN104951711A | 2015-09-30 |
| CN104951711B | 2017-11-07 |
| Country | Link |
|---|---|
| CN (1) | CN104951711B (en) |
| Code | Title |
|---|---|
| C06 | Publication |
| PB01 | Publication |
| C10 | Entry into substantive examination |
| SE01 | Entry into force of request for substantive examination |
| GR01 | Patent grant |