Web security product analysis-webpage tamper-proofing Product

If Enterprise Web pages are tampered with, the consequences are unpredictable. This not only affects normal access, but may also lead to loss of customer credibility. It is difficult to defend against unknown attacks, but it is relatively easy to look at my own web pages. Therefore, the first thing people think of is the anti-tampering technology to keep their web pages intact, at least not causing great harm to society. Web page tampered products appeared in the early days of the Web. After several storms, the technologies of various manufacturers were gradually unified.

Deploy anti-tampering products on webpages: create a separate management server (the number of Web servers is small, which can be omitted), and then install an Agent program on each Web server, the Administrator is responsible for the "website file monitoring" of the server. The management server manages these Agent monitoring policies.

A) first-generation technology

Back up the files in the home directory of the Web server, and use a scheduled cyclic process to compare the backup files with the files used by the Service one by one. Otherwise, the backup files are overwritten. When a website is updated and published, the home directory and backup are also updated. In this way, when the website is large, the number of webpages is huge, the scanning time is too long, and the performance of the Web server is also crowded.

B) second-generation technology

The Hash algorithm is used to Hash each file in the main directory to generate the "fingerprint" of the file. The regular cycle process directly calculates the Hash fingerprint of the file used for the service, and then checks the fingerprint, the fingerprint is usually relatively small and convenient. the fingerprint is irreversible and is not afraid of imitation.

C) Third-Generation Technology

Since there are too many pages on the website and the access volume of pages below Level 3 is usually exponentially degraded, and no one visits will of course be tampered with, it is not cost-effective to scan these pages repeatedly. Change your mind: there should be no danger in reading files, and the danger is the rewriting of files. If the check is performed only when the file is changed, the occupation of server resources can be greatly reduced. The specific method is to enable a guard process to monitor the deletion and modification of the main directory file of the Web server, this operation is found to determine whether there is a legal identity and whether it is an authorized maintenance operation. Otherwise, the operation is blocked and the file is not rewritten, thus preventing web page tampering. This technology is also known as Event-triggered tamper-proofing.

This technology requires a test of familiarity with server operating systems, but hackers are also a master. Your monitoring process is user-level. Hackers can gain high-level permissions to bypass your "message hook ", monitoring becomes a decoration.

D) fourth-generation technology

Since the process has higher permissions than the operating system, it should be the most appropriate to let the operating system do this job. It is impossible for hackers to "work" over the operating system ". Therefore, in Windows, the system-level directory file modification and care process (System Call) is provided, which can be called directly by tamper-resistant products, or the file security protection function of the operating system is used, lock the main directory file (Windows also protects important files in the system against tampering to avoid virus intrusion), and only allows the website to publish the system (update the webpage) files can be modified. Other system processes cannot be deleted.

This method should be completely thorough, but we can see that the tamper-proofing technology will become a "patent" for the operating system in the future, and the security manufacturers are reluctant to see it. Fortunately, Linux does not support it yet.

The webpage tamper-proofing system can be used on Web servers or middleware servers to ensure the integrity of webpage files.

Anti-tampering of webpages has a good effect on Protecting Static pages, but there is no way to protect dynamic pages, because pages are generated when users access them and the content is related to the database. Many SQL injections exploit this vulnerability to continue to intrude into Web servers.

So far, many anti-tampering products have provided an IPS software module to prevent SQL injection and XML injection attacks against Web services. For example, WebGuard, iGuard, InforGuard and other products from domestic manufacturers.