Command injection vulnerability
Common exploits
Closing the surrounding context (e.g. terminating the quoted argument) and appending a new command via:
- Multi-statement separator `;`
- Conditional execution `&&` and `||`
- Pipe symbol `|`
SQL injection
Common vulnerabilities:
- In a WHERE condition: `OR 1=1`
- `UNION`, and `-- -`, which comments out the remainder of the statement
Prevention: use parameterized queries so that data is never mixed into the statement text
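As an added example (not from the original notes), the two approaches side by side using Python's `sqlite3` on a constructed in-memory table: with string concatenation the `OR 1=1` plus comment input from the list above rewrites the statement, while the parameterized query passes the same input to the driver as a plain value and the statement stays fixed.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny users table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Data is concatenated into the SQL text, so input becomes part of the statement.

    A password value such as  ' OR 1=1 --  turns the WHERE clause into
    (name = 'alice' AND password = '') OR 1=1, and the comment marker discards
    the rest, so every row matches.
    """
    sql = (
        f"SELECT name FROM users WHERE name = '{name}' "
        f"AND password = '{password}' ORDER BY name"
    )
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Placeholders keep the statement text constant; values travel separately.

    The same ' OR 1=1 -- input is compared literally against the password
    column and simply does not match any stored value.
    """
    sql = "SELECT name FROM users WHERE name = ? AND password = ? ORDER BY name"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR 1=1 -- "
    print("concatenated :", login_vulnerable(db, "alice", crafted))   # ['alice', 'bob']
    print("parameterized:", login_parameterized(db, "alice", crafted))  # []
```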
XSS (Cross Site Scripting) Vulnerability
Introduction:
A security vulnerability in web applications and a form of code injection;
it lets a malicious user inject code into a web page, which then affects other users who view that page;
attacks usually involve HTML and client-side scripting languages (JavaScript), but can also include Java, VBScript, ActiveX and Flash;
a successful attack may yield elevated privileges, private page content, sessions, cookies, etc.
Prevention: input and output filtering, use of browser security mechanisms, etc.
Detection: automated discovery
CSRF (Cross Site Request Forgery)
Introduction:
Uses technical means to trick the user's browser into performing actions on a website the user has already authenticated to (such as sending email or messages, transferring money, or buying goods);
simple authentication only guarantees that a request came from a certain user's browser, not that the user actually issued it.
Common vectors: URLs, image requests, forged forms
Prevention: add token verification, check the Referer header
https://mp.weixin.qq.com/s/Rf4dag7Z1rFNl4LxbAjyqw