Interface privacy and security (reprint)


As back-end programmers we should treat the interfaces we write as our own children: once you have brought one into the world you are responsible for the rest of its life.
As the business grows it needs more and more interfaces to support it, and the number of users becomes large. Attackers are watching for any entry point in the business where they can profit at others' expense, so we have to give security more consideration and take precautions in advance.


Scenario

Server-side programmers develop interfaces according to the needs of the business, to satisfy the functional requirements of the interaction between users and the server, and hand them to the front end or to clients (PC client software, mobile apps) to use. When developing an interface most programmers only think about how to implement the business logic, and rarely consider the security of the interface itself. Interfaces are generally served over HTTP/HTTPS, so with a packet-capture tool such as Fiddler, Wireshark or Charles anyone can capture the requests, analyze them, replay them, send them concurrently, attack the interface or tamper with the information in the request.


Examples:

Problem 1. The interface exposes users' private information, leaving it naked in broad daylight for anyone who looks

Description: Programmers writing business interfaces often have no awareness of protecting user privacy and expose the user's private information. Once someone makes use of it, it causes trouble for the users, and when it is discovered it reduces trust in the platform.

Defense:

  1. Encrypt or mask (with asterisks) user privacy data in the JSON response, such as the user's mobile phone number, e-mail address, payment account, mailing address and other private data;
  2. Encrypt the privacy-sensitive parameters of user requests. For example, in the login interface the user's password should be reversibly encrypted, so that a malicious proxy capturing the request does not obtain the plaintext password. (This supplements HTTPS; it does not replace it, since a client that can encrypt can also be reverse-engineered.)
  3. Do not put the user ID or the user's login token in plaintext in URLs that get shared.

Problem 2. The interface exposes sensitive business information, like a key left in the lock: anyone can open the door and walk in

Description: The JSON data returned about users participating in an activity must not contain data that is decisive for the business logic. For example, in an auction-style bidding activity where the lowest unique bid wins the prize, the interface that returns bid price statistics exposes the results of all the bids.

Defense:

  1. Mask part of the string of sensitive fields, or of fields that play a decisive role in the business, with *; and do not return to ordinary users fields the client never needs to display.
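The following is an added example (not code from the original post) of the masking defense for Problem 1 and Problem 2 applied at the point where the server serializes its JSON response. The field names (phone, email, pay_account, address, bid_price, login_token) and the sample response are constructed for this example; a real service would key the rules on its own field names. Fields such as login_token that the client never needs to display are dropped instead of masked.

```python
import json

# Masking rules keyed by JSON field name (field names are assumptions for this example).
# Each rule keeps a few characters visible so the client can still render a hint such as
# "138****5678" without the full value ever leaving the server.
def mask_phone(v: str) -> str:
    if len(v) < 7:
        return "*" * len(v)
    return v[:3] + "*" * (len(v) - 7) + v[-4:]

def mask_email(v: str) -> str:
    local, sep, domain = v.partition("@")
    if not sep:
        return "*" * len(v)
    return local[:1] + "*" * max(len(local) - 1, 1) + "@" + domain

def mask_account(v: str) -> str:
    # payment account / card number: keep only the last four digits
    return "*" * max(len(v) - 4, 0) + v[-4:]

def mask_address(v: str) -> str:
    # keep the part before the first comma (city/district level), hide the street detail
    head, sep, tail = v.partition(",")
    if not sep:
        return "*" * len(v)
    return head + sep + " " + "*" * len(tail.strip())

def mask_bid(v: str) -> str:
    # Problem 2: the bid amount is the decisive field of the "lowest unique bid" game,
    # so only the first digit is left as a hint
    return v[:1] + "*" * (len(v) - 1)

RULES = {
    "phone": mask_phone,
    "email": mask_email,
    "pay_account": mask_account,
    "address": mask_address,
    "bid_price": mask_bid,
    "login_token": None,   # None = drop the field from the response entirely
}

def sanitize(obj, rules=RULES):
    """Recursively walk decoded JSON, masking or dropping every field named in rules."""
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            if key in rules:
                fn = rules[key]
                if fn is None:
                    continue                      # drop it
                if isinstance(value, (dict, list)):
                    out[key] = sanitize(value, rules)
                else:
                    out[key] = fn(str(value))
            else:
                out[key] = sanitize(value, rules)
        return out
    if isinstance(obj, list):
        return [sanitize(item, rules) for item in obj]
    return obj

# Constructed sample response; not real user data.
SAMPLE_RESPONSE = {
    "user": {
        "id": 123,
        "phone": "13812345678",
        "email": "alice@example.com",
        "pay_account": "6222021234567890",
        "address": "Beijing Chaoyang District, 12 Jianguo Rd",
        "login_token": "tok_abc123",
    },
    "bids": [{"userid": 123, "bid_price": "12.50"}, {"userid": 456, "bid_price": "9.99"}],
}

def sanitized_sample() -> dict:
    """What the interface should hand to json.dumps instead of SAMPLE_RESPONSE."""
    return sanitize(SAMPLE_RESPONSE)

if __name__ == "__main__":
    print(json.dumps(sanitized_sample(), ensure_ascii=False, indent=2))
```

The sanitizer runs on the decoded object rather than on the JSON text, so nested objects and arrays (the bid list here) are covered without writing a rule per endpoint.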

Problem 3. The data is easily scraped (mainly the JSON data of business interfaces, such as the home page product list)

Description: The JSON data from the interface is taken by others to build their own related functionality, which costs our server extra resources.

Defense:

  1. Limit the request volume per IP: limit the number of requests within a time window, and apply restriction rules to other IPs.
     For example, keep statistical records (recorded in MongoDB), monitor them regularly, and block any IP found to exceed the request limit;
  2. Check the request headers: for example, whether the User-Agent is the one our own app sends, whether the Referer is missing, and whether the referring domain is our own domain name (this can only be one threshold among several, since headers are easy to forge).
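The following is an added example (not code from the original post) of the two Problem 3 defenses combined: a per-IP sliding-window limit with a temporary block, followed by the User-Agent and Referer checks. The post records the hit statistics in MongoDB and blocks offenders from a periodic job; here the same logic is kept in memory so that it runs stand-alone. The thresholds, the domain names and the app's User-Agent prefix are assumptions, and the traffic in demo() is constructed.

```python
import time
from collections import defaultdict, deque
from urllib.parse import urlsplit

# All thresholds and names below are assumptions for this example.
WINDOW_SECONDS = 60
MAX_REQUESTS = 100          # allowed per IP per window
BLOCK_SECONDS = 600         # how long an offender stays blocked
OWN_DOMAINS = ("www.test.com", "m.test.com")
APP_UA_PREFIX = "TestApp/"  # the prefix our own client puts in User-Agent

class IpLimiter:
    """Sliding-window counter per IP; in production the state would live in a shared store."""

    def __init__(self, now=time.time):
        self.now = now
        self.hits = defaultdict(deque)   # ip -> request timestamps inside the window
        self.blocked_until = {}          # ip -> time at which the block expires

    def allow(self, ip: str) -> bool:
        t = self.now()
        if self.blocked_until.get(ip, 0) > t:
            return False
        q = self.hits[ip]
        q.append(t)
        while q and q[0] <= t - WINDOW_SECONDS:   # drop hits that fell out of the window
            q.popleft()
        if len(q) > MAX_REQUESTS:
            self.blocked_until[ip] = t + BLOCK_SECONDS
            q.clear()
            return False
        return True

def header_problems(headers: dict) -> list:
    """Names of the header checks that failed (empty list = passes).
    Headers are spoofable, so this is one hurdle among several, not authentication."""
    h = {k.lower(): v for k, v in headers.items()}
    problems = []
    if not h.get("user-agent", "").startswith(APP_UA_PREFIX):
        problems.append("user-agent")
    referer = h.get("referer", "")
    if not referer:
        problems.append("no-referer")
    elif urlsplit(referer).hostname not in OWN_DOMAINS:
        problems.append("foreign-referer")
    return problems

def check_request(limiter: IpLimiter, ip: str, headers: dict) -> tuple:
    """Both defenses in order: returns (allowed, reason)."""
    problems = header_problems(headers)
    if problems:
        return False, "bad-headers:" + ",".join(problems)
    if not limiter.allow(ip):
        return False, "rate-limited"
    return True, "ok"

def demo() -> dict:
    # Constructed traffic driven by a fake clock so the run is deterministic.
    clock = [1000.0]
    limiter = IpLimiter(now=lambda: clock[0])
    good = {"User-Agent": "TestApp/2.1 (Android)", "Referer": "https://www.test.com/home"}
    results = {}
    # a scraper using curl is rejected on headers alone, before it costs a DB query
    results["curl"] = check_request(limiter, "203.0.113.9", {"User-Agent": "curl/8.0"})
    # our own app, within limits
    results["app_ok"] = check_request(limiter, "198.51.100.7", good)
    for _ in range(MAX_REQUESTS - 1):
        check_request(limiter, "198.51.100.7", good)
    # the 101st request inside one minute trips the block
    results["app_101st"] = check_request(limiter, "198.51.100.7", good)
    # once the block expires the IP is served again
    clock[0] += BLOCK_SECONDS + 1
    results["app_after_block"] = check_request(limiter, "198.51.100.7", good)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Apply the header check first: it is cheap and rejects the crudest scrapers before they consume a counter slot, while the limiter catches the ones that bother to copy the app's headers.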

Problem 4. Tampering: malicious modification of the request (parameters, cookies, request headers)

Description: sending requests with modified parameters, for example changing the username and password sent to the login interface to carry out credential stuffing.

Tips:
Modifying request parameters can cause many security problems, such as SQL injection and XSS (cross-site scripting); see the portal [Programmers in the crossfire: WEB security] for an introduction and solutions.
The schemes below are meant for clients such as PC software and apps. Doing the encryption in JS on the web side is not really recommended, because the JS code is exposed; if you have to do it in JS, obfuscate the JS code.

Defense:

  1. Add a signature parameter: sort the parameter names, concatenate them by a fixed rule together with the secret key, and take the MD5. On receiving the request the server computes the signature with the same logic and compares it with the one sent; if the parameters have been modified the two differ and the request is rejected as illegal. For example, for the interface http://www.test.com/go/?actid=1&userid=123 we add sign = MD5("actid=1&userid=123&secret"), where secret is a key we define ourselves. The server recomputes the ciphertext with the same logic and compares it with the sign that was sent; if they differ it rejects the request as illegal. (An HMAC such as HMAC-SHA256 is preferable to a bare MD5 over the concatenation, and the comparison should be constant-time. A secret embedded in a client can be extracted, so the signature raises the cost of tampering rather than proving who sent the request.)

  2. Reversibly encrypt the entire parameter payload.
  3. Limit the range of parameters. For example, for paging interfaces many people add a pagesize parameter (records per page) for convenience. If there is no limit on the maximum page size and the table is large, an attacker can set pagesize to several million, the database collapses, and the related business goes down with it.

Problem 5. Cloning the request: replaying a captured request and sending concurrent requests

Description: after capturing a request with a packet-capture tool, replay it, for example replaying the daily check-in request, or sending the daily check-in request many times concurrently.
Tip: how to guarantee data integrity and consistency under concurrent requests is a problem developers usually need to watch out for; see the portal [Programmers in the crossfire: high concurrency] for an introduction and solutions.

Defense:

  1. For replayed and concurrent requests, the per-IP restriction solution above.
  2. Include the time in the request (reversibly encrypted); the server reads the time and, if it falls outside a defined window, returns a request timeout (so that a captured request is not valid forever).
  3. Put a time limit on the user token and on other important data identifying the user. When saving them in cookies set an expiration time, whether the value is stored in plaintext or encrypted, and have the server enforce the same limit, so that even if someone steals the cookie the replayed request fails once the time has passed.
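The following is an added example (not code from the original post) covering Problem 4 defenses 1 and 3 and Problem 5 defense 2 with one signing routine: the client sorts the parameters, adds a timestamp and a nonce and signs the canonical string; the server recomputes the signature in constant time, rejects timestamps outside a window, rejects a nonce it has already seen, and clamps pagesize. HMAC-SHA256 is swapped in for the post's MD5(query + secret), and the nonce replay check is an addition to the post's timestamp check; the secret, the window and the page-size cap are assumptions, and the requests in demo() are constructed.

```python
import hashlib
import hmac
import secrets
import time

# Assumptions for this example.
SECRET = b"change-me-per-app-build"   # shared key baked into the client
MAX_SKEW_SECONDS = 300                # a signed request is valid for five minutes
MAX_PAGESIZE = 100                    # Problem 4, Defense 3

def canonical(params: dict) -> str:
    """Sort parameter names and join as k=v&k=v; sign itself is never part of the input."""
    items = sorted((k, str(v)) for k, v in params.items() if k != "sign")
    return "&".join(f"{k}={v}" for k, v in items)

def sign(params: dict, secret: bytes = SECRET) -> str:
    # HMAC-SHA256 over the canonical string instead of the post's MD5(string + secret)
    return hmac.new(secret, canonical(params).encode(), hashlib.sha256).hexdigest()

def client_request(params: dict, now=None) -> dict:
    """What the app does: add ts (Problem 5) and a random nonce, then sign everything."""
    p = {k: str(v) for k, v in params.items()}
    p["ts"] = str(int(time.time() if now is None else now))
    p["nonce"] = secrets.token_hex(8)
    p["sign"] = sign(p)
    return p

class Verifier:
    """Server side. In production the nonce cache would be a shared store such as Redis."""

    def __init__(self, secret: bytes = SECRET, now=time.time):
        self.secret = secret
        self.now = now
        self.seen = {}   # nonce -> time after which it can be forgotten

    def verify(self, params: dict) -> tuple:
        """Return (ok, reason); every check fails closed."""
        sent = params.get("sign", "")
        expected = sign(params, self.secret)
        if not hmac.compare_digest(sent.encode(), expected.encode()):
            return False, "illegal request"      # any modified parameter lands here
        try:
            ts = int(params.get("ts", ""))
        except ValueError:
            return False, "illegal request"
        t = int(self.now())
        if abs(t - ts) > MAX_SKEW_SECONDS:
            return False, "request timeout"      # Problem 5, Defense 2
        # a nonce must be remembered for as long as its ts could still pass the window
        self.seen = {n: exp for n, exp in self.seen.items() if exp > t}
        nonce = params.get("nonce", "")
        if not nonce or nonce in self.seen:
            return False, "replayed request"
        self.seen[nonce] = t + 2 * MAX_SKEW_SECONDS
        return True, "ok"

def clamp_pagesize(params: dict, default: int = 20, maximum: int = MAX_PAGESIZE) -> int:
    """Problem 4, Defense 3: the client never gets to pick an unbounded page size."""
    try:
        n = int(params.get("pagesize", default))
    except ValueError:
        n = default
    return max(1, min(n, maximum))

def demo() -> dict:
    clock = [1_700_000_000]
    server = Verifier(now=lambda: clock[0])
    req = client_request({"actid": 1, "userid": 123, "pagesize": 5000}, now=clock[0])
    results = {"genuine": server.verify(req)}
    results["tampered"] = server.verify(dict(req, userid="456"))   # attacker swaps the user
    results["replay"] = server.verify(req)                        # same capture sent again
    stale = client_request({"actid": 1, "userid": 123}, now=clock[0] - MAX_SKEW_SECONDS - 1)
    results["stale"] = server.verify(stale)                       # captured long ago
    results["pagesize"] = clamp_pagesize(req)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The timestamp bounds how long a capture stays useful and the nonce stops it being sent twice inside that window, which is exactly the daily check-in replay the post describes; neither helps if the attacker extracts SECRET from the client, which is why the post also keeps the IP limits and short-lived tokens.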

Summary

We need to raise our own security awareness and take precautions in advance, looking at our own interfaces more from the attacker's point of view (when you start to feel paranoid you are one step closer to mental illness). Don't be a robot that just implements the requirements; we are developers who think and create.


Supplement: my personal development process

  1. When assessing the requirements, raise the business-logic problems and offer a choice of solutions;
  2. Once confirmed, untangle the whole business logic, drawing a flowchart if it is complex;
  3. Design the implementation: consider performance issues (database load, server load) and security issues, and record your design in a document (down to the level of how the code will be written);
  4. List the functional points of the requirement, estimate the time for each, and add them up to get the total effort;
  5. Start development and get going.

Source: www.cnblogs.com/871735097-/p/12070869.html