Common web vulnerabilities

One. XSS vulnerabilities

XSS is short for Cross Site Scripting. This page divides it into two kinds: stored XSS and reflected XSS. (A third kind, DOM-based XSS, is not covered here.)

1. Stored XSS vulnerability (Risk level: High)

Vulnerability hazard

In stored XSS the application saves the user's input into the database and later renders it on a front-end page, so the payload runs in the browser of every user who views that page. An attacker can use it to steal authentication credentials such as session cookies and to build XSS worms that spread from account to account. Stored XSS is also called "persistent XSS".

Vulnerability verification

2. Reflected XSS vulnerability (Risk level: Medium)

Vulnerability hazard

In reflected XSS the data entered by the user is "reflected" straight back into the response and executed by the browser, without being stored on the server. The attacker usually has to entice the victim into clicking a malicious link that carries the payload in a request parameter for the attack to succeed. Reflected XSS is also called "non-persistent XSS".

Vulnerability verification

Remedy

1. Set the HttpOnly flag on session cookies. HttpOnly does not stop XSS itself, but it stops injected script from reading document.cookie, which mitigates cookie theft. Note that in a complex application every Set-Cookie header must carry HttpOnly; if one place is missed, that cookie remains readable by script and the protection fails.

2. Check the input format on the server side. For example, a user name entered at registration may contain only letters and digits, and a phone number should be no longer than 16 digits. Check whether the input contains special characters such as <, >, ', " and /, and filter or encode them if found. Match the input against XSS signatures such as "script", "javascript", "prompt" and "confirm". Treat this keyword blacklist as a secondary control only: payloads built from event-handler attributes contain none of those words, and attackers vary case and encoding to get past it, so the output encoding in point 3 must remain the primary defence.

3. In general, apart from rich-text output, whenever a variable is written into an HTML page it should be encoded or escaped to defend against XSS. For HTML context use HtmlEncode; in PHP the htmlentities() and htmlspecialchars() functions both meet this requirement (pass ENT_QUOTES so that single quotes are encoded too). For JavaScript context use JavascriptEncode, which, unlike HtmlEncode, escapes special characters with a backslash "\". Variables output inside script must also be wrapped in quotes, otherwise the escaping does not help. Besides HtmlEncode and JavascriptEncode there are encoding functions for other contexts, such as XMLEncode and JSONEncode; use the one that matches the context the variable lands in.
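The following Python example is added here to make the three remedies concrete; it is not code from the original page. It shows the vulnerable concatenation beside context-aware output encoding (HTML body, HTML attribute, JavaScript string), and the server-side format checks and keyword blacklist from point 2, including a payload that slips past the blacklist. The sample payloads and the regular expressions are constructed for illustration.

```python
import html
import json
import re

# Constructed sample payloads (not from the original page).
STORED_PAYLOAD = "<script>alert(document.cookie)</script>"   # stored as a "username"
ATTR_PAYLOAD = '" onmouseover="alert(1)'                      # breaks out of an attribute
SCRIPT_PAYLOAD = "</script><script>alert(1)</script>"        # breaks out of a <script> block


def render_vulnerable(username: str) -> str:
    """The stored value is concatenated straight into the page: stored XSS."""
    return "<p>Welcome, " + username + "</p>"


def html_encode(value: str) -> str:
    """HtmlEncode for element content and quoted attributes.
    html.escape with quote=True turns & < > " ' into entities, the same set
    PHP's htmlspecialchars($s, ENT_QUOTES) encodes."""
    return html.escape(value, quote=True)


def render_html_body(username: str) -> str:
    return "<p>Welcome, " + html_encode(username) + "</p>"


def render_html_attribute(value: str) -> str:
    """Attribute context: encode AND keep the value inside double quotes."""
    return '<input type="text" value="' + html_encode(value) + '">'


def javascript_encode(value: str) -> str:
    """JavascriptEncode: emit the value as a quoted JavaScript string literal.
    json.dumps backslash-escapes quotes, backslashes and control characters
    and, with ensure_ascii, every non-ASCII character (including the JS line
    terminators U+2028/U+2029).  We additionally escape < > & and /, so that
    a "</script>" inside the data can never close the surrounding script block."""
    literal = json.dumps(value, ensure_ascii=True)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"), ("/", "\\/")):
        literal = literal.replace(ch, esc)
    return literal


def javascript_roundtrip_ok(value: str) -> bool:
    """The escaped literal still decodes to the original data (nothing lost)."""
    return json.loads(javascript_encode(value)) == value


def render_script(value: str) -> str:
    """The encoded value always sits inside quotes, as the remedy requires."""
    return "<script>var name = " + javascript_encode(value) + ";</script>"


# Server-side format checks from remedy 2 (constructed rules).
USERNAME_RE = re.compile(r"[A-Za-z0-9]{3,32}")
PHONE_RE = re.compile(r"[0-9]{1,16}")
XSS_KEYWORDS = ("script", "javascript", "prompt", "confirm")


def validate_username(value: str) -> bool:
    """Letters and digits only."""
    return USERNAME_RE.fullmatch(value) is not None


def validate_phone(value: str) -> bool:
    """Digits only, at most 16."""
    return PHONE_RE.fullmatch(value) is not None


def contains_xss_keyword(value: str) -> bool:
    """Case-insensitive keyword blacklist.  Kept separate from the
    special-character check so its weakness is visible: an event-handler
    payload contains none of these words."""
    low = value.lower()
    return any(k in low for k in XSS_KEYWORDS)


def contains_special_chars(value: str) -> bool:
    return any(c in value for c in "<>'\"/")


if __name__ == "__main__":
    print(render_vulnerable(STORED_PAYLOAD))
    print(render_html_body(STORED_PAYLOAD))
    print(render_html_attribute(ATTR_PAYLOAD))
    print(render_script(SCRIPT_PAYLOAD))
    print("keyword filter catches <img onerror=...>:",
          contains_xss_keyword("<img src=x onerror=alert(1)>"))
```

The encoder to use is decided by where the variable lands, not by what the data looks like: the same user name needs html_encode in a paragraph and javascript_encode inside a script block, and encoding for the wrong context leaves the page exploitable.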

Two. SQL injection vulnerability (Risk level: High)

Vulnerability hazard

SQL injection is widely used to break into servers and take control of web applications; it is a flaw at the application layer. The usual design mistake is that data entered by the user is not properly filtered or parameterised before it is placed in a query, so a malicious user can construct SQL fragments that the server then executes. The result is that data in the database is stolen or tampered with, and in the worst case the database is deleted or the server itself is compromised.

Vulnerability verification

A normal user enters the user name "admin" and the password "password".

The SQL statement finally executed is:

select count(*) from admin where username = 'admin' and password = 'password'

A malicious user instead enters the user name ' or 1=1-- and leaves the password empty.

The SQL statement finally executed is:

select count(*) from admin where username = '' or 1=1--' and password = ''

The -- starts a comment, so the password check is discarded and 1=1 is always true; the count is non-zero and the login succeeds without any valid credential.

Remedy

All parameters must be strictly filtered and checked before they enter a database call. To eliminate SQL injection vulnerabilities, the following measures are recommended:

1. Make the parameter types explicit. If a parameter is a number, check that the input really is numeric; if the check fails, go to error handling and never reach the database call.

2. Escape special characters in incoming parameters, such as the single quote, and filter database keywords such as "select", "update", "insert" and "and". The matching strategy must be strict so that an attacker cannot bypass it with case changes, alternative encodings and similar tricks. Keyword filtering on its own is a weak control that also breaks legitimate input; treat it as defence in depth behind measure 6.

3. Perform the parameter checks on the server side; checks done in the client can be bypassed.

4. Handle exceptions so that error messages do not expose sensitive information such as table names or the SQL text.

5. Assign database user permissions sensibly, following the principle of least privilege: the account the application uses should not be able to drop tables or read data it does not need.

6. Use parameterised queries or prepared (precompiled) statements for all database access; this is the measure that actually removes the vulnerability, because the input is sent as data and can never change the statement's structure.
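The following Python example is added to show the verification above and remedies 1, 4 and 6 running against a real database engine; it is not code from the original page. It uses an in-memory SQLite database constructed for the example, with the page's admin/password row, and demonstrates that the ' or 1=1-- user name bypasses the concatenated query but is treated as a literal string by the parameterised one.

```python
import re
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory sample database (not from the original page).
    The password is stored in clear only to match the page's example; a real
    application stores a password hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table admin (id integer primary key, username text, password text)")
    conn.execute("insert into admin (username, password) values ('admin', 'password')")
    conn.commit()
    return conn


def build_vulnerable_sql(username: str, password: str) -> str:
    """String concatenation: the user's input becomes part of the SQL syntax."""
    return ("select count(*) from admin where username = '" + username
            + "' and password = '" + password + "'")


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    return conn.execute(build_vulnerable_sql(username, password)).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Remedy 6: placeholders.  The driver sends the values as data, so a quote
    or a -- in the input can never change the statement's structure."""
    sql = "select count(*) from admin where username = ? and password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def get_admin_by_id(conn: sqlite3.Connection, raw_id: str):
    """Remedy 1: a numeric parameter is proven numeric before any query runs."""
    if re.fullmatch(r"[0-9]{1,10}", raw_id) is None:
        raise ValueError("id must be numeric")
    row = conn.execute("select username from admin where id = ?", (int(raw_id),)).fetchone()
    return row[0] if row else None


def lookup_safely(conn: sqlite3.Connection, raw_id: str) -> str:
    """Remedy 4: the client sees a generic message, never the driver's error text."""
    try:
        name = get_admin_by_id(conn, raw_id)
    except (ValueError, sqlite3.Error):
        return "error: invalid request"
    return "not found" if name is None else name


if __name__ == "__main__":
    db = setup_db()
    print(build_vulnerable_sql("' or 1=1--", ""))
    print("vulnerable login with ' or 1=1-- :", login_vulnerable(db, "' or 1=1--", ""))
    print("parameterized login with ' or 1=1-- :", login_parameterized(db, "' or 1=1--", ""))
    print(lookup_safely(db, "1 or 1=1"))
```

Remedy 5 is not visible in this snippet because SQLite has no user accounts; on a server database the application account would be granted only the select/insert/update rights its queries need, so that even a successful injection cannot drop tables.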

Three. CSRF (Cross-Site Request Forgery) vulnerability (Risk level: High)

Vulnerability hazard

The attacker lures the victim into visiting a third-party website, and that website sends a cross-site request to the targeted site. Because the browser automatically attaches the victim's stored credentials (cookies) for the targeted site, the request passes the site's user authentication in the background, and the attacker performs an action on the targeted site in the victim's name.

Vulnerability verification

A typical CSRF attack proceeds as follows:

* The victim logs in to a.com and the browser retains the login credential (a cookie).

* The attacker lures the victim into visiting b.com.

* b.com sends a request to a.com, for example a.com/act=xx; by default the browser attaches the a.com cookie to that request.

* a.com receives the request, verifies it, finds the victim's credential valid, and mistakes it for a request the victim sent deliberately.

* a.com executes act=xx on behalf of the victim.

* The attack is complete: without the victim's knowledge, the attacker has impersonated the victim and had a.com perform an action of the attacker's choosing.

Remedy

CSRF can be defended against at three levels: on the server side, on the client side, and with security appliances.

1. Add an unpredictable token to each state-changing HTTP request and make sure the token is unique per user session. The best way is to put the token in a hidden form field rather than in the URL, where it would be exposed in logs and Referer headers. The server compares the submitted token with the one it stored for the session and rejects the request if they differ; b.com cannot read the token out of a.com's page, so it cannot forge a request that carries it.

2. Keep the trusted session lifetime short, so that a login the victim has forgotten about cannot be abused for long.
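The following Python example is added to show both remedies in working form; it is not code from the original page. It models a.com's server side with a constructed in-memory session store: a per-session token issued at login, a hidden field in the rendered form, constant-time verification on the act=xx endpoint, and a session lifetime limit (the 15-minute value is an assumption). A simulate() function walks through the attack sequence above, once as b.com's forged request and once as the victim's own form submission.

```python
import hmac
import secrets
import time
from html import escape

SESSION_MAX_AGE = 15 * 60   # remedy 2: trusted session lifetime in seconds (assumed value)

# Constructed in-memory session store standing in for a.com's server state.
SESSIONS = {}


def create_session(user: str, now=None) -> str:
    """Called after a successful login; the returned id goes into the cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {
        "user": user,
        "csrf_token": secrets.token_urlsafe(32),   # unpredictable, unique per session
        "created": time.time() if now is None else now,
    }
    return sid


def session_for(cookies: dict, now=None):
    """Return the live session for the request's cookie, or None."""
    sess = SESSIONS.get(cookies.get("session"))
    if sess is None:
        return None
    current = time.time() if now is None else now
    if current - sess["created"] > SESSION_MAX_AGE:
        del SESSIONS[cookies["session"]]   # expired: the user must log in again
        return None
    return sess


def csrf_token_for(cookies: dict, now=None) -> str:
    return session_for(cookies, now)["csrf_token"]


def render_form(cookies: dict, now=None) -> str:
    """Remedy 1: the token travels in a hidden field, not in the URL."""
    sess = session_for(cookies, now)
    if sess is None:
        return '<a href="/login">log in</a>'
    token = escape(sess["csrf_token"], quote=True)
    return ('<form method="post" action="/act">'
            '<input type="hidden" name="csrf_token" value="' + token + '">'
            '<input type="submit" value="act=xx"></form>')


def handle_post(cookies: dict, form: dict, now=None) -> str:
    """The state-changing endpoint a.com/act=xx."""
    sess = session_for(cookies, now)
    if sess is None:
        return "401 not logged in"
    supplied = form.get("csrf_token", "")
    # compare_digest: constant-time, so timing does not leak the token
    if not hmac.compare_digest(sess["csrf_token"].encode(), supplied.encode()):
        return "403 csrf token missing or invalid"
    return "200 act=xx performed for " + sess["user"]


def simulate() -> tuple:
    """Step through the page's attack sequence against the protected endpoint."""
    victim_cookies = {"session": create_session("victim")}
    # b.com's forged request: the browser adds the a.com cookie, but b.com
    # cannot read the token out of a.com's page, so the field is absent.
    forged = handle_post(victim_cookies, {})
    # The victim's own submission of the rendered form carries the token.
    legit = handle_post(victim_cookies, {"csrf_token": csrf_token_for(victim_cookies)})
    return forged, legit


if __name__ == "__main__":
    forged, legit = simulate()
    print("forged request from b.com:", forged)
    print("victim's own form submit :", legit)
```

The token check only protects endpoints that require it; a GET endpoint that changes state, like the a.com/act=xx in the walkthrough, must be moved to POST and covered by the same check, or the defence is bypassed by a plain image tag.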


Source: www.cnblogs.com/qiguaideta/p/11512154.html