Common Security Vulnerabilities in Website Construction

With the development of the Internet, network security issues are getting more and more attention. How can the security of a website be ensured? What we can do is prevent problems before they occur. The following are some common security vulnerabilities in website construction:

  1. Clear-text transmission

  Description of the problem: User passwords are insufficiently protected; an attacker can use network sniffing tools to capture legitimate users' password information from the network.

  Modification suggestion: Passwords must be encrypted in transit.

  Note: All passwords must be encrypted, and the encryption must be strong. Do not use base64 (which is only an encoding, not encryption) or MD5 (a fast hash that offers no protection).

  2. SQL injection

  Description of the problem: An attacker can use a SQL injection vulnerability to obtain all kinds of information from the database, such as the password of the administration back end, and go on to dump the contents of the database.

  Modification suggestions: Filter and validate input parameters. Use blacklists and whitelists.

  Note: Filtering and validation must cover every parameter in the system.
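As an added example (not code from the original post), the following Python snippet shows the two halves of the advice above: the query value is bound as a parameter instead of being concatenated into the statement, and a parameter that cannot be bound (a sort column name) is checked against a whitelist. The in-memory SQLite table and its rows are constructed for the demonstration.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed sample table; not data from any real site.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("admin", "hash-of-admin-pw"), ("alice", "hash-of-alice-pw")],
    )
    return conn

def lookup_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable: the user-controlled value becomes part of the SQL text,
    # so a quote in the input changes the structure of the query.
    sql = "SELECT name, password FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Safe: the value is passed as a bound parameter; the driver never
    # interprets it as SQL, whatever characters it contains.
    return conn.execute(
        "SELECT name, password FROM users WHERE name = ?", (name,)
    ).fetchall()

# Identifiers (column names, table names) cannot be bound parameters,
# so they must be validated against a whitelist before use.
ALLOWED_SORT_COLUMNS = {"id", "name"}

def list_users_sorted(conn: sqlite3.Connection, sort_by: str) -> list:
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("sort column not allowed: " + sort_by)
    return [row[0] for row in conn.execute(f"SELECT name FROM users ORDER BY {sort_by}")]

if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"   # textbook test value; matches no real user name
    print(lookup_user_vulnerable(conn, probe))  # every row, including the admin hash
    print(lookup_user_safe(conn, probe))        # [] : no user is literally named that
    print(list_users_sorted(conn, "name"))
```

The same bound-parameter pattern applies to every parameter the application reads, which is what the note above means by covering all arguments; a single concatenated query anywhere is enough to expose the whole database.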

  3. Cross-site scripting (XSS)

  Description of the problem: Input is not validated, so an attacker can inject malicious script code into the web page by clever means. This code is usually JavaScript, but in practice it can also include Java, VBScript, ActiveX, Flash, or plain HTML. After a successful attack, the attacker can obtain higher privileges.

  Modification suggestions: Filter and validate user input. HTML-entity-encode the output.

  Note: Filtering, validation, and HTML entity encoding must cover all parameters.
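The following Python example is added here and is not part of the original post. It shows both controls named above: a whitelist validator for a field with a known format, and HTML entity encoding applied at output time for free text, in element content and in an attribute value. Function names and the greeting template are assumptions for the demonstration.

```python
import html
import re

# Whitelist validation for a field whose format is known in advance.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")

def validate_username(value: str) -> str:
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username")
    return value

def render_greeting_vulnerable(name: str) -> str:
    # Vulnerable: user input is inserted into HTML as-is, so any markup
    # or script it contains becomes part of the page.
    return "<p>Welcome, " + name + "</p>"

def render_greeting_safe(name: str) -> str:
    # Safe: entity-encode at the point of output. The browser shows the
    # text literally; it is never parsed as tags or script.
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"

def render_search_box_safe(previous_query: str) -> str:
    # Attribute context: quote=True also encodes " and ' so the value
    # cannot break out of the attribute and add new attributes.
    return '<input type="text" name="q" value="' + html.escape(previous_query, quote=True) + '">'

if __name__ == "__main__":
    print(render_greeting_vulnerable("<b>bold</b>"))   # markup is rendered
    print(render_greeting_safe("<b>bold</b>"))         # markup is shown as text
    print(render_search_box_safe('" autofocus onfocus="x'))
```

Validation and encoding are complementary rather than alternatives: a field such as a comment body cannot be restricted to a safe whitelist, so its safety depends entirely on encoding every time it is written into a page.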

  4. File upload vulnerability

  Description of the problem: Uploaded files are not restricted, so executable files or script files can be uploaded, which can further lead to the compromise of the server.

  Modification suggestions: Strictly validate uploaded files to prevent the upload of dangerous script files such as asp, aspx, asa, php, and jsp. It is also recommended to add file header verification to prevent users from uploading illegal files.
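As an added example, not code from the original post, the following Python function applies the checks described above to an image upload: an extension whitelist (which also rejects double extensions such as name.php.jpg), file header (magic number) verification against the claimed type, a size limit, and a random server-side file name so the client never chooses the path on disk. The allowed types, size limit and sample bytes are constructed for the demonstration.

```python
import os
import secrets

ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}   # whitelist; script extensions never appear here
MAGIC = {                                            # expected file headers per extension
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}
MAX_SIZE = 5 * 1024 * 1024                           # constructed limit: 5 MiB

class UploadRejected(ValueError):
    pass

def validate_upload(filename: str, data: bytes) -> str:
    """Return the server-side name to store the file under, or raise UploadRejected."""
    if len(data) > MAX_SIZE:
        raise UploadRejected("file too large")
    base = os.path.basename(filename)      # drop any directory part the client sent
    parts = base.lower().split(".")
    if len(parts) < 2 or "" in parts:
        raise UploadRejected("missing or empty extension")
    # Every extension component must be on the whitelist, so 'shell.php.jpg'
    # is rejected even though its last extension looks harmless.
    for ext in parts[1:]:
        if ext not in ALLOWED_EXTENSIONS:
            raise UploadRejected("extension not allowed: " + ext)
    ext = parts[-1]
    # File header verification: the bytes must match the type the name claims.
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        raise UploadRejected("file header does not match extension")
    # Random name: the stored path is chosen by the server, not by the client.
    return secrets.token_hex(16) + "." + ext

if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32       # constructed PNG header plus padding
    print(validate_upload("photo.PNG", png))
    for name, body in [("shell.php", b"<?php"), ("shell.php.jpg", b"\xff\xd8\xff"), ("fake.png", b"<?php")]:
        try:
            validate_upload(name, body)
        except UploadRejected as e:
            print(name, "->", e)
```

Storing uploads outside the web root, or on a host that serves them only as static content, adds a second layer: even a file that passes these checks is then never handed to a script interpreter.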

  5. Leakage of sensitive information

  Description of the problem: The system exposes internal information, such as the absolute path of the website, web page source code, SQL statements, the version of the middleware, and program exceptions.

  Modification suggestion: Filter abnormal characters in user input. Suppress error echoes, for example with custom 404, 403, and 500 pages.
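The Python example below is added here and is not from the original post. It shows the custom error page pattern the suggestion refers to: the full exception (stack trace, file paths, SQL text) is written to the server log under a reference id, and the client receives only a generic page carrying that id. The debug branch is the weak setting to contrast against; the page names, logger name and view function are assumptions.

```python
import html
import logging
import traceback
import uuid
from typing import Callable, Optional, Tuple

logger = logging.getLogger("app.errors")

# Generic pages: no paths, versions, SQL or exception text ever appear here.
GENERIC_PAGES = {
    403: "<h1>403 Forbidden</h1>",
    404: "<h1>404 Not Found</h1>",
    500: "<h1>500 Internal Server Error</h1><p>Reference: {ref}</p>",
}

def _format_exception(exc: BaseException) -> str:
    return "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))

def safe_error_response(status: int, exc: Optional[BaseException] = None) -> Tuple[int, str]:
    """Return (status, body) for the client; details go only to the server-side log."""
    ref = uuid.uuid4().hex[:12]
    if exc is not None:
        # Operators find the full trace by searching the log for the reference id.
        logger.error("ref=%s %s", ref, _format_exception(exc))
    body = GENERIC_PAGES.get(status, GENERIC_PAGES[500]).format(ref=ref)
    return status, body

def run_view(view: Callable[[], str], debug: bool = False) -> Tuple[int, str]:
    try:
        return 200, view()
    except Exception as exc:
        if debug:
            # Weak setting: echoes the trace (absolute paths, query text) to the browser.
            # Acceptable only on a developer workstation, never in production.
            return 500, "<pre>" + html.escape(_format_exception(exc)) + "</pre>"
        return safe_error_response(500, exc)

def failing_view() -> str:
    # Constructed view whose error message contains the kind of detail that must not leak.
    raise RuntimeError("SELECT * FROM users failed in /var/www/app/db.py")

if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(run_view(failing_view))
    print(run_view(failing_view, debug=True)[1][:80], "...")
```

The same idea applies to the other items in the description: server banners and middleware version headers are removed in the web server configuration, and 404 and 403 responses use the generic pages rather than the framework defaults.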

  6. Command execution vulnerability

  Description of the problem: The script code calls PHP functions such as system, exec, and shell_exec with insufficiently restricted input.

  Suggestion for modification: Apply patches, and strictly restrict the commands that the system is allowed to execute.
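The page's example is PHP; the following Python equivalent is an added example, not code from the original post, showing what "strictly restrict the commands" looks like in practice: a whitelist of programs, a whitelist pattern for each argument, and execution through an argument list with no shell in between, so metacharacters in the input are never interpreted. The vulnerable shape it replaces is the string concatenation `os.system("ping " + host)` (or `shell_exec("ping " . $host)` in PHP). The command table and argument pattern are assumptions for the demonstration.

```python
import re
import shlex
import shutil
import subprocess

# Whitelist of the only programs this application may ever start, by absolute path.
# 'echo' is used here because it is harmless and present on any POSIX system.
ALLOWED_COMMANDS = {
    "echo": [shutil.which("echo") or "/bin/echo"],
}
# Whitelist pattern for arguments: no spaces, quotes, semicolons, pipes or backticks.
SAFE_ARG_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

def build_command(name: str, *args: str) -> list:
    """Return the argv list for an allowed command, or raise."""
    if name not in ALLOWED_COMMANDS:
        raise PermissionError("command not allowed: " + name)
    for arg in args:
        if not SAFE_ARG_RE.fullmatch(arg):
            raise ValueError("argument rejected: " + shlex.quote(arg))
    return ALLOWED_COMMANDS[name] + list(args)

def run_command(name: str, *args: str) -> str:
    argv = build_command(name, *args)
    # shell=False: argv is passed to the program directly; no shell parses it,
    # so even a rejected character that slipped through could not chain commands.
    result = subprocess.run(argv, shell=False, capture_output=True, text=True,
                            timeout=10, check=True)
    return result.stdout

if __name__ == "__main__":
    print(run_command("echo", "hello").strip())
    for name, arg in [("echo", "hello; id"), ("cat", "/etc/hosts")]:
        try:
            run_command(name, arg)
        except (PermissionError, ValueError) as e:
            print("rejected:", e)
```

Where a feature genuinely needs an external program, the whitelist stays as short as that feature requires, and the web server's user account is given no more file system or network access than that program needs.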

  7. CSRF (Cross Site Request Forgery)

  Description of the problem: Users who are already logged in are made to perform the attacker's actions without knowing it.

  Modification suggestion: Add token verification, a timestamp, or an image verification code (CAPTCHA).
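As an added example (not from the original post), this Python code implements the token-plus-timestamp suggestion: each form carries a token that is bound to the user's session with an HMAC and that expires after a fixed lifetime, and the server verifies it in constant time before acting on a state-changing request. The secret key, lifetime and field names are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

SECRET_KEY = secrets.token_bytes(32)   # in a real deployment this comes from server configuration
TOKEN_TTL = 3600                       # seconds a token stays valid (constructed value)

def _sign(session_id: str, issued: int, nonce: str) -> str:
    # Binding to the session id means a token captured from one user's page
    # is useless in a request carrying another user's cookie.
    msg = f"{session_id}|{issued}|{nonce}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

def issue_csrf_token(session_id: str, now: Optional[int] = None) -> str:
    """Token embedded in the form as a hidden field; the 'now' argument exists for tests."""
    issued = int(time.time()) if now is None else now
    nonce = secrets.token_hex(8)
    return f"{issued}.{nonce}.{_sign(session_id, issued, nonce)}"

def verify_csrf_token(token: str, session_id: str, now: Optional[int] = None) -> bool:
    try:
        issued_s, nonce, sig = token.split(".")
        issued = int(issued_s)
    except ValueError:
        return False                      # malformed token
    current = int(time.time()) if now is None else now
    if current - issued > TOKEN_TTL or issued > current + 60:
        return False                      # expired, or timestamp from the future
    expected = _sign(session_id, issued, nonce)
    return hmac.compare_digest(expected, sig)   # constant-time comparison

def handle_change_email(form: dict, session_id: str, now: Optional[int] = None) -> str:
    """State-changing handler: the token check happens before anything else."""
    if not verify_csrf_token(form.get("csrf_token", ""), session_id, now):
        return "403 request rejected"
    return "200 email changed to " + form.get("email", "")

if __name__ == "__main__":
    sid = "session-of-alice"             # constructed session identifier
    tok = issue_csrf_token(sid)
    print(handle_change_email({"csrf_token": tok, "email": "a@example.com"}, sid))
    print(handle_change_email({"email": "a@example.com"}, sid))          # no token
    print(handle_change_email({"csrf_token": tok, "email": "x"}, "session-of-bob"))
```

The token must be sent in the request body or a custom header, never only in a cookie: a cookie is exactly what the browser attaches automatically to the forged request, which is the whole problem CSRF exploits.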

  8. SSRF vulnerability

  Problem description: Server-side request forgery, in which the attacker makes the server issue requests on their behalf.

  Modification suggestions: Apply patches, or uninstall unneeded packages.
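Beyond the patching advice above, the check a practitioner adds in the application itself is validation of any user-supplied URL the server is asked to fetch. The following Python example is added here and is not from the original post: it restricts the scheme and port, refuses embedded credentials, resolves the host, and rejects destinations on loopback, private, link-local or reserved ranges. The resolver is injectable so the demonstration runs offline; the constructed resolver answers and its address mappings are assumptions.

```python
import ipaddress
import socket
from typing import Callable, List
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

class UnsafeURL(ValueError):
    pass

def _is_public(ip) -> bool:
    # Anything that is not a routable public address is refused; this covers
    # 127/8, 10/8, 172.16/12, 192.168/16, 169.254/16, ::1, fc00::/7 and the like.
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def default_resolver(host: str) -> List[ipaddress._BaseAddress]:
    return [ipaddress.ip_address(info[4][0]) for info in socket.getaddrinfo(host, None)]

def check_outbound_url(url: str, resolver: Callable[[str], list] = default_resolver) -> str:
    """Return the validated host name, or raise UnsafeURL."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL("scheme not allowed: " + parts.scheme)
    if not parts.hostname:
        raise UnsafeURL("missing host")
    if parts.username or parts.password:
        raise UnsafeURL("credentials in URL")
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        raise UnsafeURL("malformed port")
    if port not in ALLOWED_PORTS:
        raise UnsafeURL("port not allowed: %d" % port)
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]   # literal IP in the URL
    except ValueError:
        addrs = resolver(parts.hostname)                # host name: look it up
    if not addrs or not all(_is_public(a) for a in addrs):
        raise UnsafeURL("host resolves to a non-public address")
    return parts.hostname

# Constructed resolver for offline use; the addresses are illustrative, not real DNS data.
FAKE_DNS = {
    "partner.example": [ipaddress.ip_address("93.184.216.34")],
    "intranet.corp": [ipaddress.ip_address("192.168.10.20")],
}

def fake_resolver(host: str) -> list:
    return FAKE_DNS.get(host, [])

if __name__ == "__main__":
    for url in ["https://partner.example/feed", "http://intranet.corp/", "http://127.0.0.1/",
                "http://[::1]/", "file:///etc/hosts", "http://partner.example:8080/"]:
        try:
            print("allowed:", check_outbound_url(url, fake_resolver))
        except UnsafeURL as e:
            print("rejected:", url, "->", e)
```

Two caveats matter when this is put into production: the HTTP client must connect to the address that was validated (otherwise a DNS answer that changes between the check and the fetch bypasses it), and redirects must be disabled or each redirect target validated again.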

  9. Default password, weak password

  Description of the problem: Default passwords and weak passwords are easy to guess.

  Suggested modification: Enforce password strength; do not use weak passwords.

  Note: Do not use common words in passwords, such as root123456, admin1234, qwer1234, pssw0rd, etc.
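The following Python example is added here and is not from the original post. It serves both this item and the note under item 1: a strength check that rejects the weak passwords listed above (length, character classes, a common-password blocklist, and the user name inside the password), and password storage with a salted, iterated key derivation function in place of MD5 or base64. The blocklist, minimum length and iteration count are constructed values for the demonstration.

```python
import hashlib
import hmac
import os
import re
from typing import List

# Constructed blocklist; a real deployment loads a large list of leaked passwords.
COMMON_PASSWORDS = {"root123456", "admin1234", "qwer1234", "pssw0rd", "password", "123456", "admin"}
MIN_LENGTH = 12
PBKDF2_ITERATIONS = 200_000

def check_password_strength(password: str, username: str = "") -> List[str]:
    """Return a list of problems; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("use at least three of: lower case, upper case, digits, symbols")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("password is on the common-password list")
    if username and username.lower() in password.lower():
        problems.append("password contains the user name")
    return problems

def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    # Salted and slow on purpose: MD5 is unsalted and fast, so a stolen MD5
    # table falls to a dictionary in seconds; base64 is reversible outright.
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())

def verify_password(password: str, stored: str) -> bool:
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    for candidate in ["admin1234", "Admin2024!", "correct-Horse-battery-7"]:
        print(candidate, "->", check_password_strength(candidate, username="admin") or "ok")
    record = hash_password("correct-Horse-battery-7")
    print(record[:40], "...")
    print(verify_password("correct-Horse-battery-7", record), verify_password("admin1234", record))
```

The strength check runs when a password is set or changed; the stored record is what the transport encryption from item 1 protects on the wire and the hashing protects at rest, and neither substitutes for the other.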

Origin blog.csdn.net/qq_51588894/article/details/129772341