A webpage detection method and device, electronic equipment and storage medium

By listening to the target webpage loading event and comparing the string content of the API information object, the system detects whether the webpage's native API has been maliciously tampered with, thus solving the problem of malicious attackers tampering with the API and ensuring webpage security.

CN118487859BActive Publication Date: 2026-06-09CHINA CONSTRUCTION BANK +1

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
CHINA CONSTRUCTION BANK
Filing Date
2024-06-17
Publication Date
2026-06-09

AI Technical Summary

Technical Problem

How can we detect whether a webpage's native API functionality has been tampered with by malicious attackers to ensure webpage security?

Method used

After listening for the target webpage loading completion event, iterate through the first API information list, obtain the first API information object, and search for the matching second API information object from the source webpage. By comparing their string contents, determine whether the target webpage has been maliciously attacked.

Benefits of technology

It can easily and efficiently determine whether a target webpage has been maliciously attacked, promptly detect and restore native API functions, and improve webpage security.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN118487859B_ABST
    Figure CN118487859B_ABST
Patent Text Reader

Abstract

This invention relates to the field of web page security technology, and in particular to a web page detection method, apparatus, electronic device, and storage medium. The method comprises: after listening for a target web page loading completion event, traversing a first application programming interface (API) information list to obtain a first API information object; searching a second API information list in the source web page for a second API information object that matches the identity information of the first API information object; the source web page being a web page where the first API is not proxied; comparing the string content of the first API information object with the string content of the second API information object to obtain a comparison result, and determining whether the target web page has been maliciously attacked based on the comparison result.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of web security technology, and in particular to a web detection method, apparatus, electronic device, and storage medium. Background Technology

[0002] With the rapid development and popularization of the Internet, various Internet-based application platforms have emerged, bringing great convenience to users. However, website security has become an issue that urgently needs attention.

[0003] Currently, malicious attackers utilize various attack methods to steal web page information from various application platforms. For example, they can steal and manipulate web page information by tampering with the functionality of the web page's first application programming interface (API). Specifically, when a web page's first API is tampered with and proxied by malicious attackers, they can use the proxy function to execute malicious script injections, intercept communication data, modify web page attributes, and other malicious operations, leading to serious security risks to the web page system.

[0004] Therefore, how to detect when the functionality of a webpage's native API is tampered with by malicious attackers to ensure webpage security has become an urgent problem to be solved. Summary of the Invention

[0005] This invention provides a webpage detection method, apparatus, electronic device, and storage medium, which are used to provide a solution for detecting when the native API of a webpage has been tampered with by a malicious attacker.

[0006] In a first aspect, embodiments of the present invention provide a webpage detection method, the method comprising:

[0007] After listening for the target webpage loading completion event, iterate through the first application programming interface (API) information list and obtain the first API information object;

[0008] From the second API information list in the source webpage, find the second API information object that matches the identity information of the first API information object; the source webpage is the webpage where the first API is not proxied;

[0009] The string content of the first API information object is compared with the string content of the second API information object to obtain the comparison result, and the target webpage is determined based on the comparison result to determine whether it has been maliciously attacked.

[0010] In one possible implementation, after obtaining the first API information object, the method further includes:

[0011] An iframe element object is embedded in the target webpage, and the style of the iframe element object is set to be invisible in the target webpage;

[0012] After loading the static resource file of the source webpage into the iframe element object, message communication is established between the target webpage and the source webpage to obtain the second API information list in the source webpage.

[0013] In one possible implementation, setting the style of the iframe element object to be invisible in the target webpage includes:

[0014] Set the width and height of the internal page corresponding to the iframe element object to zero.

[0015] In one possible implementation, before listening for the target webpage loading completion event, the method further includes:

[0016] Determine whether the detection time has been reached, the detection time being determined based on the periodic detection duration preset by the timer and the current time;

[0017] When the detection time is reached, webpage detection is performed on the target webpage.

[0018] In one possible implementation, comparing the string content of the first API information object with the string content of the second API information object to obtain a comparison result includes:

[0019] If the string content of the first API information object is different from the string content of the corresponding second API information object, a comparison result indicating that the target webpage has been maliciously attacked is obtained;

[0020] If the string content of the first API information object is the same as the string content of the corresponding second API information object, a comparison result indicating that the target webpage has not been maliciously attacked is obtained.

[0021] In one possible implementation, after obtaining the comparison result indicating that the target webpage has been maliciously attacked, the method further includes:

[0022] Obtain the security level information of the first API information object;

[0023] If the security level indicated by the security level information is within the preset high security level range, then the first browser closure method of the target webpage is invoked to close the target webpage;

[0024] If the security level indicated by the security level information is not within the preset high security level range, a prompt box will pop up on the target webpage to alert the user that the target webpage has been maliciously attacked.

[0025] Secondly, embodiments of the present invention provide a webpage detection device, the device comprising:

[0026] The first processing unit is used to listen for the target webpage loading completion event, traverse the first application programming interface (API) information list, and obtain the first API information object;

[0027] The search unit is used to search for a second API information object that matches the identity information of the first API information object from the second API information list in the source webpage; the source webpage is a webpage where the first API is not proxied;

[0028] The second processing unit is used to compare the string content of the first API information object with the string content of the second API information object, obtain the comparison result, and determine whether the target webpage has been maliciously attacked based on the comparison result.

[0029] In one possible implementation, the first processing unit is further configured to:

[0030] An iframe element object is embedded in the target webpage, and the style of the iframe element object is set to be invisible in the target webpage;

[0031] After loading the static resource file of the source webpage into the iframe element object, message communication is established between the target webpage and the source webpage to obtain the second API information list in the source webpage.

[0032] In one possible implementation, the first processing unit is further configured to:

[0033] Set the width and height of the internal page corresponding to the iframe element object to zero.

[0034] In one possible implementation, the first processing unit is further configured to:

[0035] Determine whether the detection time has been reached, the detection time being determined based on the periodic detection duration preset by the timer and the current time;

[0036] When the detection time is reached, webpage detection is performed on the target webpage.

[0037] In one possible implementation, the second processing unit is specifically used for:

[0038] If the string content of the first API information object is different from the string content of the corresponding second API information object, a comparison result indicating that the target webpage has been maliciously attacked is obtained;

[0039] If the string content of the first API information object is the same as the string content of the corresponding second API information object, a comparison result indicating that the target webpage has not been maliciously attacked is obtained.

[0040] In one possible implementation, the first processing unit is further configured to:

[0041] Obtain the security level information of the first API information object;

[0042] If the security level indicated by the security level information is within the preset high security level range, then the first browser closure method of the target webpage is invoked to close the target webpage;

[0043] If the security level indicated by the security level information is not within the preset high security level range, a prompt box will pop up on the target webpage to alert the user that the target webpage has been maliciously attacked.

[0044] Thirdly, embodiments of the present invention provide an electronic device, including at least one processor; and a memory communicatively connected to the at least one processor; wherein the memory stores instructions executable by the at least one processor, the instructions being executed by the at least one processor to enable the at least one processor to perform any method provided by the first aspect of the present invention.

[0045] Fourthly, embodiments of the present invention provide a computer storage medium, wherein the computer-readable storage medium stores a computer program that causes a computer to perform any of the methods provided in the first aspect of the present invention.

[0046] Fifthly, embodiments of the present invention provide a computer program product comprising: computer program code, which, when executed on a computer, causes the computer to perform any of the methods provided in the first aspect of the embodiments.

[0047] The beneficial effects of this invention are as follows:

[0048] In this embodiment of the invention, after detecting the completion of loading of the target webpage, the first application programming interface (API) information list is traversed to obtain the first API information object; from the second API information list in the source webpage, a second API information object matching the identity information of the first API information object is searched; the source webpage is the webpage where the first API is not proxied. Thus, the string content of the first API information object can be compared with the string content of the second API information object to obtain a comparison result, and based on the comparison result, it can be determined whether the target webpage has been maliciously attacked. Specifically, in the prior art, once the native API of the target webpage is tampered with by a malicious attacker, the string content of the corresponding native API information object of the target webpage will change. Therefore, the string content of the untampered second API information object can be compared with the string content of the potentially tampered first API information object to determine whether the native API of the target webpage has been tampered with by a malicious attacker. The method provided in this embodiment of the invention can simply and efficiently determine whether the target webpage has been maliciously attacked.

[0049] Other features and advantages of the invention will be set forth in the description which follows, and will be apparent in part from the description, or may be learned by practicing the invention. The objects and other advantages of the invention may be realized and obtained by means of the structures particularly pointed out in the written description, claims, and drawings. Attached Figure Description

[0050] To more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the embodiments of the present invention will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0051] Figure 1 This is a schematic diagram of an application scenario in an embodiment of the present invention;

[0052] Figure 2 This is a flowchart illustrating a webpage detection method according to an embodiment of the present invention;

[0053] Figure 3 This is a schematic diagram of the composition structure of a webpage detection device according to an embodiment of the present invention;

[0054] Figure 4 This is a schematic diagram of the hardware structure of an electronic device according to an embodiment of the present invention. Detailed Implementation

[0055] To make the objectives, technical solutions, and advantages of this invention clearer, the technical solutions of the embodiments of this invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only a part of the embodiments of this invention, and not all of them. Based on the embodiments of this invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this invention. Unless otherwise specified, the embodiments and features in the embodiments of this invention can be arbitrarily combined with each other. Furthermore, although a logical order is shown in the flowchart, in some cases, the steps shown or described may be performed in a different order than that shown here.

[0056] The term "comprising" and any variations thereof in the specification and claims of this invention are intended to cover non-exclusive protection. For example, a process, method, system, product, or apparatus that includes a series of steps or units is not limited to the steps or units listed, but may optionally include steps or units not listed, or may optionally include other steps or units inherent to such processes, methods, products, or apparatus.

[0057] In this invention, there are one or more embodiments; "multiple" refers to two or more. "And / or" describes the relationship between the associated objects, indicating that three relationships can exist. For example, A and / or B can represent: A alone, A and B simultaneously, or B alone, where A and B can be singular or plural. The character " / " generally indicates that the preceding and following associated objects are in an "or" relationship. "At least one of the following" or similar expressions refer to any combination of these items, including any combination of single or plural items. For example, at least one of a, b, or c can represent: a, b, c, ab, ac, bc, or abc, where a, b, and c can be single or multiple.

[0058] The following description, in conjunction with the accompanying drawings, illustrates exemplary embodiments of the present invention, including various details to aid understanding. These are to be considered merely exemplary. Therefore, those skilled in the art will recognize that various changes and modifications can be made to the embodiments described herein without departing from the scope of the invention. Similarly, for clarity and brevity, descriptions of well-known functions and structures are omitted in the following description. It should be noted that in the embodiments of the present invention, references may be made to existing industry solutions such as software, components, and models. These should be considered exemplary, intended only to illustrate the feasibility of implementing the technical solutions of the present invention, and do not imply that the applicant has already used or necessarily used such solutions.

[0059] In the technical solution of this invention, the collection, dissemination, and use of data all comply with the requirements of relevant national laws and regulations.

[0060] As mentioned earlier, how to detect when the functionality of a webpage's native API is tampered with by malicious attackers to ensure webpage security has become an urgent problem to be solved.

[0061] In view of this, embodiments of the present invention provide a webpage detection method. This method involves listening for a target webpage loading completion event, traversing a first application programming interface (API) information list to obtain a first API information object; searching a second API information list in the source webpage for a second API information object that matches the identity information of the first API information object; the source webpage is a webpage where the first API is not proxied. Thus, the string content of the first API information object can be compared with the string content of the second API information object to obtain a comparison result, and based on the comparison result, it can be determined whether the target webpage has been maliciously attacked. Specifically, in the prior art, once the native API of a target webpage is tampered with by a malicious attacker, the string content of the corresponding native API information object will change. Therefore, the string content of the untampered second API information object can be compared with the string content of the potentially tampered first API information object to determine whether the native API of the target webpage has been tampered with by a malicious attacker. The method provided by embodiments of the present invention can simply and efficiently determine whether a target webpage has been maliciously attacked.

[0062] After introducing the design concept of the embodiments of the present invention, the following is a brief introduction to the application scenarios to which the technical solutions of the embodiments of the present invention are applicable. It should be noted that the application scenarios described below are only for illustrating the embodiments of the present invention and are not intended to limit it. In specific implementation, the technical solutions provided by the embodiments of the present invention can be flexibly applied according to actual needs.

[0063] The solution provided in this invention can be applied to any business scenario involving webpage detection.

[0064] See Figure 1 The diagram shown is a scenario illustration provided by an embodiment of the present invention. This scenario may include multiple terminal devices 101 and electronic devices 102. Terminal devices 101-1, 101-2, ..., 101-n can be used by different users, where n is a positive integer.

[0065] In this embodiment of the invention, when a user needs to open a webpage, a webpage display request can be triggered on the application platform set on the corresponding terminal device 101. Then, the terminal device 101 can send a webpage display request to the electronic device 102. The electronic device 102 can determine the corresponding target webpage based on the webpage display request, and after listening to the target webpage loading completion event, it traverses the first application programming interface (API) information list to obtain the first API information object; from the second API information list in the source webpage, it searches for a second API information object that matches the identity information of the first API information object; the source webpage is a webpage where the first API is not proxied; the string content of the first API information object is compared with the string content of the second API information object to obtain the comparison result, and based on the comparison result, it is determined whether the target webpage has been maliciously attacked.

[0066] In this embodiment of the invention, the terminal device 101 may be, for example, a mobile phone, a tablet computer (PAD), a personal computer (PC), a smart TV, a smart vehicle device, or a wearable device, etc., and this embodiment of the invention does not limit the device.

[0067] In this embodiment of the invention, the electronic device 102 may be a cloud server that provides basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, content delivery networks (CDN), and big data and artificial intelligence platforms. It may also be a physical server or a server cluster, but is not limited to these.

[0068] In this embodiment, terminal devices 101 and electronic devices 102, as well as various terminal devices 101, can communicate directly or indirectly through one or more networks 103. The network 103 can be a wired network or a wireless network. For example, the wireless network can be a mobile cellular network or a Wireless-Fidelity (WIFI) network, or other possible networks. This embodiment of the invention does not limit the types of networks that can be used.

[0069] Of course, the method provided in the embodiments of the present invention is not limited to... Figure 1 The application scenarios shown can also be used in other possible scenarios, such as where the electronic device determines the display request and displays the target webpage based on the display request. This embodiment of the invention does not impose any limitations. Figure 1 The functions that each device in the application scenario shown can achieve will be described in subsequent method embodiments, and will not be elaborated on here.

[0070] To further illustrate the technical solutions provided by the embodiments of the present invention, a detailed description is provided below in conjunction with the accompanying drawings and specific implementation methods. Although the embodiments of the present invention provide method operation steps as shown in the following embodiments or drawings, more or fewer operation steps may be included in the method based on conventional or non-inventive methods. In steps where there is no logically necessary causal relationship, the execution order of these steps is not limited to the execution order provided by the embodiments of the present invention. In actual processing or when the device executes the method, it may be executed sequentially or in parallel according to the method shown in the embodiments or drawings.

[0071] Please see Figure 2 , Figure 2 This is a schematic flowchart of a webpage detection method according to an embodiment of the present invention. The method can be executed, for example, by an electronic device, which can be... Figure 1 The specific implementation process of this method for electronic device 102 is as follows:

[0072] Step 201: After listening to the target webpage loading completion event, traverse the first application programming interface (API) information list and obtain the first API information object.

[0073] In this embodiment of the invention, the electronic device can determine whether a detection time has been reached. The detection time is determined based on a pre-set periodic detection duration of a timer and the current time. When the detection time is reached, webpage detection is performed on the target webpage. The pre-set periodic detection duration of the timer can be set according to the actual implementation, such as 60 seconds, 30 seconds, etc., and this embodiment of the invention does not limit this. In other words, this embodiment of the invention can periodically perform webpage detection on the target webpage to ensure its security as much as possible.

[0074] In this embodiment of the invention, when the electronic device detects the completion of loading of the target webpage, such as by detecting the onload event, it can traverse the first application programming interface (API) information list to obtain the first API information object. The first API information object can be understood as an information object corresponding to the target webpage at the current moment, including various interfaces and methods indicated by the native API. It should be noted that the native API of the webpage in this embodiment refers to a set of interfaces and methods provided by the browser to implement functions such as webpage interaction with users, data processing, and page rendering. Developers can use the native API to create highly interactive and feature-rich web applications. The native API includes various functions, such as Document Object Model (DOM) operations, event handling, network requests, and local storage, allowing developers to control and manipulate various parts of the webpage using front-end programming languages ​​such as JavaScript.

[0075] In this embodiment of the invention, after obtaining the first API information object, the electronic device can further embed an iframe element object in the target webpage and set the style of the iframe element object to be invisible in the target webpage. Optionally, an iframe element object can be created, and its src attribute value can be set to the address of the source webpage's entry file to embed the iframe element object into the target webpage. Furthermore, the width and height dimensions of the display style of the internal page corresponding to the iframe element object can be set to zero. Further, the loading event of the iframe element object can be listened to. When the static resource file of the source webpage is loaded into the iframe element object, message communication between the target webpage and the source webpage is established to obtain the second API information list from the source webpage.

[0076] Specifically, the static resource files of the source webpage loaded in the iframe element object are loaded based on the entry address of the source page. In other words, the internal page corresponding to the iframe element object is dynamically added to the current page after the parent page is loaded and is invisible. Therefore, the probability of it being maliciously injected or tampered with to proxy the native API is relatively low. Thus, it can be guaranteed that the internal API of the internal page is native and can be used as a standard comparison template, i.e., the source webpage.

[0077] Step 202: From the second API information list in the source webpage, find the second API information object that matches the identity information of the first API information object; the source webpage is the webpage where the first API is not proxied.

[0078] In this embodiment of the invention, the second API information object can be understood as a native API information object that has not been maliciously injected or proxied.

[0079] Step 203: Compare the string content of the first API information object with the string content of the second API information object to obtain the comparison result, and determine whether the target webpage has been maliciously attacked based on the comparison result.

[0080] In this embodiment of the invention, if the string content of the first API information object is the same as the string content of the corresponding second API information object, a comparison result indicating that the target webpage has not been maliciously attacked is obtained.

[0081] In this embodiment of the invention, if the string content of the first API information object is different from the string content of the corresponding second API information object, a comparison result indicating that the target webpage has been maliciously attacked is obtained.

[0082] For example, if the string content of the first API information object is ""function appendChild(){[nativecode]}"" and the string content of the second API information object is ""function(){alert("I've been proxied");old();}"", then it can be determined that the string content of the first API information object is different from the string content of the corresponding second API information object, meaning that the target webpage has been maliciously attacked.

[0083] Optionally, after obtaining the comparison result indicating that the target webpage has been maliciously attacked, the security level information of the first API information object can also be obtained. If the security level indicated by the security level information is within the preset high security level range, the first browser close method of the target webpage is called to close the target webpage. If the security level indicated by the security level information is not within the preset high security level range, a prompt box is displayed on the target webpage to alert the user that the target webpage has been maliciously attacked. Furthermore, the native API can be restored based on the string content of the second API information object to ensure the normal use of the target webpage.

[0084] In one possible implementation, if the native API information objects of the system corresponding to the application platform of the target webpage have been maliciously tampered with before startup, causing the system to be unable to save a copy of the native API information objects of the target webpage and therefore unable to recover them, they can be classified and processed according to the security level of the native API information objects. For example, if the security level of the native API information objects is greater than a preset level, a prompt box will pop up to inform the user that the target webpage has been maliciously attacked, and the system corresponding to the application platform will be closed directly after the user clicks confirm. If the security level of the native API information objects is not greater than the preset security level, a prompt box will pop up to remind the user to pay attention to webpage security.

[0085] In this embodiment of the invention, the electronic device can periodically monitor whether the native API of the webpage on the application platform has been tampered with by malicious attackers, thereby preventing the native functions of the webpage from being maliciously modified. Furthermore, if the native API of the webpage is proxied, it can be detected in a timely manner and the native API of the webpage can be restored, thereby ensuring that the function of the native API of the webpage is not modified, improving webpage security, and enhancing the user experience.

[0086] Based on the same inventive concept, embodiments of the present invention also provide a webpage detection device. For example... Figure 3 As shown, this is a structural schematic diagram of the webpage detection device 300, which may include:

[0087] The first processing unit 301 is used to listen to the target webpage loading completion event, traverse the first application programming interface (API) information list, and obtain the first API information object;

[0088] The lookup unit 302 is used to look up a second API information object that matches the identity information of the first API information object from the second API information list in the source webpage; the source webpage is a webpage where the first API is not proxied.

[0089] The second processing unit 303 is used to compare the string content of the first API information object with the string content of the second API information object, obtain the comparison result, and determine whether the target webpage has been maliciously attacked based on the comparison result.

[0090] In one possible implementation, the first processing unit 301 is further configured to:

[0091] An iframe element object is embedded in the target webpage, and the style of the iframe element object is set to be invisible in the target webpage;

[0092] After loading the static resource file of the source webpage into the iframe element object, message communication is established between the target webpage and the source webpage to obtain the second API information list in the source webpage.

[0093] In one possible implementation, the first processing unit 301 is further configured to:

[0094] Set the width and height of the internal page corresponding to the iframe element object to zero.

[0095] In one possible implementation, the first processing unit 301 is further configured to:

[0096] Determine whether the detection time has been reached, the detection time being determined based on the periodic detection duration preset by the timer and the current time;

[0097] When the detection time is reached, webpage detection is performed on the target webpage.

[0098] In one possible implementation, the second processing unit 303 is specifically used for:

[0099] If the string content of the first API information object is different from the string content of the corresponding second API information object, a comparison result indicating that the target webpage has been maliciously attacked is obtained;

[0100] If the string content of the first API information object is the same as the string content of the corresponding second API information object, a comparison result indicating that the target webpage has not been maliciously attacked is obtained.

[0101] In one possible implementation, the first processing unit 303 is further configured to:

[0102] Obtain the security level information of the first API information object;

[0103] If the security level indicated by the security level information is within the preset high security level range, then the first browser closure method of the target webpage is invoked to close the target webpage;

[0104] If the security level indicated by the security level information is not within the preset high security level range, a prompt box will pop up on the target webpage to alert the user that the target webpage has been maliciously attacked.

[0105] For ease of description, the above sections are divided into modules (or units) according to their functions and described separately. Of course, in implementing this invention, the functions of each module (or unit) can be implemented in one or more software or hardware components.

[0106] After introducing the webpage detection method and apparatus according to exemplary embodiments of the present invention, the electronic device according to another exemplary embodiment of the present invention will be introduced next.

[0107] Those skilled in the art will understand that various aspects of the present invention can be implemented as systems, methods, or program products. Therefore, various aspects of the present invention can be specifically implemented in the following forms: entirely hardware implementations, entirely software implementations (including firmware, microcode, etc.), or implementations combining hardware and software aspects, collectively referred to herein as “circuits,” “modules,” or “systems.”

[0108] Based on the same inventive concept as the above method embodiments, this invention also provides an electronic device. In this embodiment, the structure of the electronic device can be as follows: Figure 4 As shown, the electronic device is, for example, the aforementioned Figure 1 Electronic devices 102, such as Figure 4 As shown, the electronic device in this embodiment of the invention includes at least one processor 401, a memory 402 connected to the at least one processor 401, and a communication interface 403. This embodiment of the invention does not limit the specific connection medium between the processor 401 and the memory 402. Figure 4 Taking the connection between processor 401 and memory 402 via system bus 400 as an example, the system bus 400 is... Figure 4The connections between other components are indicated by thick lines and are for illustrative purposes only, not as limiting information. The system bus 400 can be divided into address bus, data bus, control bus, etc., for ease of representation. Figure 4 The bus is represented by a single thick line, but this does not mean that there is only one bus or one type of bus.

[0109] In this embodiment of the invention, the memory 402 stores instructions that can be executed by at least one processor 401. By executing the instructions stored in the memory 402, at least one processor 401 can perform the steps included in the aforementioned webpage detection method.

[0110] The processor 401 is the control center of the electronic device. It can connect to various parts of the electronic device through various interfaces and lines. By running or executing instructions stored in the memory 402 and calling data stored in the memory 402, it can realize various functions of the electronic device. Optionally, the processor 401 may include one or more processing units. The processor 401 may integrate an application processor and a modem processor. The processor 401 mainly handles the operating system, client interface, and applications, while the modem processor mainly handles wireless communication. It is understood that the modem processor may not be integrated into the processor 401. In some embodiments, the processor 401 and the memory 402 may be implemented on the same chip; in some embodiments, they may also be implemented on separate chips.

[0111] Processor 401 can be a general-purpose processor, such as a central processing unit (CPU), digital signal processor, application-specific integrated circuit, field-programmable gate array or other programmable logic device, discrete gate or transistor logic device, or discrete hardware component, capable of implementing or executing the methods, steps, and logic block diagrams disclosed in the embodiments of this invention. The general-purpose processor can be a microprocessor or any conventional processor. The steps of the methods disclosed in the embodiments of this invention can be directly manifested as being executed by a hardware processor, or executed by a combination of hardware and software modules within the processor.

[0112] Memory 402, as a non-volatile computer-readable storage medium, can be used to store non-volatile software programs, non-volatile computer-executable programs, and modules. Memory 402 may include at least one type of storage medium, such as flash memory, hard disk, multimedia card, card-type memory, random access memory (RAM), static random access memory (SRAM), programmable read-only memory (PROM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), magnetic storage, magnetic disk, optical disk, etc. Memory 402 can be any other medium capable of carrying or storing desired program code in the form of instructions or data structures that can be accessed by a computer, but is not limited thereto. In embodiments of the present invention, memory 402 may also be a circuit or any other device capable of implementing storage functions for storing program instructions and / or data.

[0113] Communication interface 403 is a transmission interface that can be used for communication. Data can be received or sent through communication interface 403.

[0114] In addition, the electronic device also includes a basic input / output system (I / O system) 404 that helps transmit information between various devices within the electronic device, and a large-capacity storage device 408 for storing the operating system 405, application programs 406 and other program modules 407.

[0115] The basic input / output system 404 includes a display 409 for displaying information and an input device 410 for user input, such as a mouse or keyboard. Both the display 409 and the input device 410 are connected to the processor 401 via the basic input / output system 404 connected to the system bus 400. The basic input / output system 404 may also include an input / output controller for receiving and processing input from multiple other devices such as a keyboard, mouse, or electronic stylus. Similarly, the input / output controller also provides output to a display screen, printer, or other types of output devices.

[0116] Specifically, mass storage device 408 is connected to processor 401 via a mass storage controller (not shown) connected to system bus 400. Mass storage device 408 and its associated computer-readable media provide non-volatile storage for the server package. That is, mass storage device 408 may include computer-readable media (not shown) such as hard disks or CD-ROM drives.

[0117] According to various embodiments of the present invention, the electronic device can also be connected to a remote computer on a network such as the Internet. That is, the electronic device can be connected to the network 411 via the communication interface 403 connected to the system bus 400, or the communication interface 403 can be used to connect to other types of networks or remote computer systems (not shown).

[0118] This invention also provides a computer storage medium, wherein the computer-readable storage medium stores a computer program, the computer program being used to cause a computer to execute the technical solution of the webpage detection method described in the above embodiments.

[0119] This invention also provides a computer program product, which includes computer program code. When the computer program code is run on a computer, it enables the computer to execute the webpage detection method described in the above embodiments.

[0120] Those skilled in the art will understand that all or part of the steps of the above method embodiments can be implemented by hardware related to program instructions. The aforementioned program instructions are computer programs, which can be stored in a computer-readable storage medium. When executed, the computer program performs the steps of the above method embodiments. The readable storage medium can be, for example, but not limited to, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples of readable storage media (a non-exhaustive list) include: electrical connections with one or more wires, portable disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fibers, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination thereof.

[0121] The program product of this invention can be a portable compact disc read-only memory (CD-ROM) and include program code, and can run on a computing device. However, the program product of this invention is not limited thereto. In this document, the readable storage medium can be any tangible medium that contains or stores a program that can be used by or in conjunction with a command execution system, device, or apparatus.

[0122] A readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, carrying readable program code. This propagated data signal may take various forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination thereof. A readable signal medium may also be any readable medium other than a readable storage medium, capable of sending, propagating, or transmitting a program for use by or in conjunction with a command execution system, apparatus, or device.

[0123] The program code contained on the readable medium may be transmitted using any suitable medium, including but not limited to wireless, wired, optical fiber, RF, etc., or any suitable combination thereof.

[0124] Program code for performing the operations of this invention can be written in any combination of one or more programming languages, including object-oriented programming languages ​​such as Java and C++, and conventional procedural programming languages ​​such as C or similar languages. The program code can execute entirely on a computing device, partially on an electronic device, as a standalone software package, partially on a computing device and partially on a remote computing device, or entirely on a remote computing device or server. In cases involving remote computing devices, the remote computing device can be connected to the computing device via any type of network, including a local area network (LAN) or a wide area network (WAN), or it can be connected to an external computing device (e.g., via the Internet using an Internet service provider).

[0125] Although preferred embodiments of the invention have been described, those skilled in the art, upon learning the basic inventive concept, can make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments as well as all changes and modifications falling within the scope of the invention.

[0126] Obviously, those skilled in the art can make various modifications and variations to this invention without departing from its spirit and scope. Therefore, if these modifications and variations fall within the scope of the claims of this invention and their equivalents, this invention also intends to include these modifications and variations.

Claims

1. A method of web page detection, characterized by, The method includes: After listening to the target webpage loading completion event, iterate through the first application programming interface (API) information list to obtain the first API information object; wherein, the first API information object is the information object of various interfaces and methods indicated by the native APIs included in the target webpage at the current moment; Create an iframe element object and set the src attribute value of the iframe element object to the source webpage entry file address to embed the iframe element object into the target webpage, and set the style of the iframe element object to be invisible in the target webpage; After loading the static resource file of the source webpage into the iframe element object, message communication is established between the target webpage and the source webpage to obtain a second API information list from the source webpage; wherein, the second API information list comes from the static resource file; From the second API information list in the source webpage, find the second API information object that matches the identity information of the first API information object; the source webpage is the original webpage of the first API that has not been proxied; The string content of the first API information object is compared with the string content of the second API information object to obtain the comparison result, and the target webpage is determined based on the comparison result to determine whether it has been maliciously attacked.

2. The method as described in claim 1, characterized in that, Setting the style of the iframe element object to be invisible in the target webpage includes: Set the length and width of the internal page corresponding to the iframe element object to zero.

3. The method as described in claim 1 or 2, characterized in that, Before listening for the target webpage loading completion event, the method further includes: Determine whether the detection time has been reached, the detection time being determined based on the periodic detection duration preset by the timer and the current time; When the detection time is reached, webpage detection is performed on the target webpage.

4. The method as described in claim 1 or 2, characterized in that, The string content of the first API information object is compared with the string content of the second API information object to obtain the comparison result, including: If the string content of the first API information object is different from the string content of the corresponding second API information object, a comparison result indicating that the target webpage has been maliciously attacked is obtained; If the string content of the first API information object is the same as the string content of the corresponding second API information object, a comparison result indicating that the target webpage has not been maliciously attacked is obtained.

5. The method as described in claim 4, characterized in that, After obtaining the comparison result indicating that the target webpage has been maliciously attacked, the method further includes: Obtain the security level information of the first API information object; If the security level indicated by the security level information is within the preset high security level range, then the first browser closure method of the target webpage is invoked to close the target webpage; If the security level indicated by the security level information is not within the preset high security level range, a prompt box will pop up on the target webpage to alert the user that the target webpage has been maliciously attacked.

6. A webpage detection device, characterized in that, The device includes: The first processing unit is configured to, upon detecting the completion of loading of the target webpage, traverse the first application programming interface (API) information list and obtain the first API information object; wherein, the first API information object is an information object of various interfaces and methods indicated by the native APIs corresponding to the target webpage at the current moment; A lookup unit is used to create an iframe element object and set the src attribute value of the iframe element object to the source webpage entry file address to embed the iframe element object into the target webpage, and set the style of the iframe element object to be invisible in the target webpage; after loading the static resource file of the source webpage into the iframe element object, message communication is established between the target webpage and the source webpage to obtain a second API information list in the source webpage; wherein, the second API information list comes from the static resource file; from the second API information list in the source webpage, a second API information object matching the identity information of the first API information object is searched; the source webpage is the native webpage where the first API is not proxied; The second processing unit is used to compare the string content of the first API information object with the string content of the second API information object, obtain the comparison result, and determine whether the target webpage has been maliciously attacked based on the comparison result.

7. An electronic device, characterized in that, The method includes at least one processor; and a memory communicatively connected to the at least one processor; wherein the memory stores instructions executable by the at least one processor to implement the method as described in any one of claims 1-5.

8. A computer storage medium, characterized in that, The computer storage medium stores a computer program that enables the computer to perform the method as described in any one of claims 1-5.

9. A computer program product, characterized in that, The computer program product includes: computer program code, which, when run on a computer, causes the computer to perform the method described in any one of claims 1-5.