OpenResty from entry to proficiency 22-[Video] Starting from a security vulnerability, exploring the balance between API performance and security

22 | [Video] Starting from a security vulnerability, exploring the balance between API performance and security

Hello, I am Wen Ming.

Today's content is again delivered as a video. As usual, before you start watching, I want to ask you a few questions:

  • When you use OpenResty, have you noticed the security risks hidden in its APIs?
  • How do you balance security against performance?

These questions are the core of today's video lesson. I hope you will think them over on your own first, and then watch the video with those questions in mind.

I also provide a matching text introduction so that you can summarize and review the material right after watching the video. Below is the introductory text for today's lesson.

Today's core content

Security is an eternal topic. Whether you are writing business code or designing the underlying architecture, you cannot avoid security considerations.

CVE-2018-9230 is a security vulnerability related to OpenResty, but it is not a vulnerability in OpenResty itself. Does that sound like a mouthful? It doesn't matter; let's take a closer look at how an attacker constructs the request.

The ngx.req.get_uri_args, ngx.req.get_post_args and ngx.req.get_headers interfaces in OpenResty only return the first 100 parameters by default. If a WAF developer does not pay attention to this detail, the WAF can be attacked by parameter overflow: the attacker fills in 100 useless parameters and puts the payload in the 101st, which the WAF never sees, thereby bypassing its detection.

So, how should this CVE be handled?

Obviously, the maintainers of OpenResty need to consider several factors such as backward compatibility, not introducing more security risks and not affecting performance, and make a balanced choice among them.

In the end, the OpenResty maintainers chose to add an err return value to solve this problem. If the input parameters exceed 100, err carries the message "truncated". In this way, callers of these APIs must handle the error themselves and decide whether to reject or allow the request.
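As an added example (not code from the course slides or from OpenResty itself), here is a WAF-style input collector in Lua that checks the err value the fix introduced instead of ignoring it. The module name, the rule list and the access handler are assumptions; the optional count argument (0 meaning no limit) and the "truncated" string follow lua-nginx-module's documented behaviour.

```lua
-- Added example: collect request inputs without silently accepting a partial view.
local _M = {}

-- Assumed rule list for illustration; a real WAF would load its own rules.
local BLOCK_PATTERNS = { "<script", "union%s+select" }

-- Fetch all three argument sources with the default limit (100 entries each).
-- Returns a table of sources, or nil plus a reason when any source was truncated.
-- Passing 0 (e.g. ngx.req.get_uri_args(0)) lifts the limit at a CPU/memory cost,
-- which is the performance side of the trade-off discussed above.
function _M.collect_inputs()
    local uri_args, err = ngx.req.get_uri_args()
    if err == "truncated" then
        return nil, "uri args exceed limit"
    end

    ngx.req.read_body() -- required before get_post_args can parse the body
    local post_args, perr = ngx.req.get_post_args()
    if perr == "truncated" then
        return nil, "post args exceed limit"
    end

    local headers, herr = ngx.req.get_headers()
    if herr == "truncated" then
        return nil, "headers exceed limit"
    end

    return { uri = uri_args, post = post_args, headers = headers }
end

-- Scan every value (including multi-valued tables) against the rule list.
-- Returns the name of the first matching key, or nil if nothing matched.
function _M.scan(inputs)
    for _, source in pairs(inputs) do
        for key, value in pairs(source) do
            local values = type(value) == "table" and value or { value }
            for _, v in ipairs(values) do
                for _, pat in ipairs(BLOCK_PATTERNS) do
                    if type(v) == "string" and v:lower():find(pat) then
                        return key
                    end
                end
            end
        end
    end
    return nil
end

-- Intended for access_by_lua_block: reject truncated or matching requests.
function _M.access()
    local inputs, reason = _M.collect_inputs()
    local hit = inputs and _M.scan(inputs)
    if not inputs or hit then
        ngx.log(ngx.WARN, "rejecting request: ", reason or ("rule hit on " .. hit))
        return ngx.exit(ngx.HTTP_BAD_REQUEST)
    end
end

return _M
```

Rejecting on "truncated" is the conservative choice; a WAF that must accept such requests should instead re-fetch with an explicit larger count so that every parameter is actually inspected.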

In the final analysis, security is a kind of balance. Whether you choose a rule-based blacklist, an identity-based whitelist, or a combination of the two depends on your actual business scenario.

Courseware Reference

Today's courseware has been uploaded to my GitHub; you can download it and study on your own.

The link is as follows: https://github.com/iresty/geektime-slides

If anything is unclear, you can ask questions in the comment area, and you can also share your learning experience there. I look forward to the discussion, and you are welcome to share this article with your colleagues and friends. Let's communicate and make progress together.

Origin blog.csdn.net/fegus/article/details/130740432