Ten common web vulnerabilities (repost)

Original: https://www.cnblogs.com/yzloo/p/10391078.html

Ten common web vulnerabilities

1. SQL injection vulnerabilities

SQL injection (often just called injection) is widely used to gain unauthorised control over a website. It is a security flaw at the database layer of an application: when the design fails to check whether an input string carries SQL commands, the database treats the injected text as a normal SQL statement and executes it. The consequences range from data theft, modification and deletion to malicious code being embedded in the site and backdoors being planted.
Typical SQL injection entry points include:
(1) submitted forms, mainly POST requests, but also GET requests;
(2) parameters submitted in the URL, mainly GET request parameters;
(3) parameters submitted in cookies;
(4) HTTP request header values that the client can modify, such as Referer and User-Agent;
(5) less obvious input points, such as the metadata of uploaded files (for example the tag information of .mp3 files).
Common prevention methods
(1) Perform all queries through the parameterized query interface provided by the database: parameterized statements bind user input as parameters instead of embedding it in the SQL text. Almost all current database systems offer such an interface, and it is very effective against SQL injection.
(2) Escape or encode special characters (' " < > & * ; and the like) before they reach the database.
(3) Confirm the type of every data item; for example, numeric data must be a number, and the corresponding database column must be an integer type.
(4) Enforce strict length limits on data, which to some extent prevents an over-long injected SQL statement from executing.
(5) Use one encoding uniformly at every data layer of the site; UTF-8 is recommended. Inconsistent encodings between layers can let some filtering be bypassed.
(6) Strictly limit the privileges of the account the site uses to operate on its database: grant only what the work requires, so that the damage an injection attack can do to the database is minimised.
(7) Avoid showing SQL error details on the site (error type, field mismatches and so on), which an attacker could use to draw conclusions.
(8) Before the site goes live, test it with professional SQL injection detection tools and fix the vulnerabilities found in a timely manner.
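The difference between method (1) and string splicing, shown in Python with the standard sqlite3 module; this is an added example, not code from the original post, and the users table and its rows are constructed for the demo:

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed in-memory table with sample rows (not data from the post).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable: the user-controlled string is spliced into the SQL text, so a
    # quote character in `name` ends the literal and the rest is parsed as SQL.
    sql = f"SELECT name FROM users WHERE name = '{name}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    # Prevention method (1): the value is bound as a parameter and never becomes
    # part of the statement text, so it is compared literally, quotes and all.
    rows = conn.execute("SELECT name FROM users WHERE name = ? ORDER BY id", (name,))
    return [row[0] for row in rows]

def is_valid_id(value) -> bool:
    # Prevention method (3): a numeric field must actually be an integer.
    try:
        int(str(value).strip())
        return True
    except (TypeError, ValueError):
        return False

def lookup_by_id(conn: sqlite3.Connection, user_id) -> list:
    # Type check first, then a bound parameter; both layers must hold.
    if not is_valid_id(user_id):
        raise ValueError("user id must be an integer")
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (int(str(user_id).strip()),))
    return [row[0] for row in rows]
```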

2. Cross-site scripting vulnerability

XSS (cross-site scripting) takes place on the client side and can be used to steal private data, for phishing, to steal passwords and to spread malicious code.
The techniques used in XSS attacks are mainly HTML and JavaScript, but VBScript and ActionScript are also involved. Although XSS does no direct harm to the web server, it spreads through the website and attacks the site's users; stolen user accounts in turn cause the site itself serious harm.
XSS types include:
(1) Non-persistent (reflected) XSS: the most common type. The cross-site code is usually carried in a link; when that link is requested, the server reflects the code back. The code is not stored on the server (for example in a database). The case cited above belongs to this type.
(2) Persistent (stored) XSS: the most directly harmful type; the cross-site code is stored on the server (for example in a database). A common scenario is a forum post: if the forum does not filter JavaScript out of user-submitted data, the browser of every other user who views the post executes the embedded JavaScript.
(3) DOM XSS: a cross-site vulnerability located in the client-side DOM (Document Object Model), caused largely by insecure processing logic in client-side scripts.
Commonly used XSS defences include:
(1) As with SQL injection protection, assume all input is suspect and strictly check every input for script, iframe and similar content. Here "input" means not only what the user types into the interface but also Cookie variables and other HTTP request header variables.
(2) Verify not only the type of the data but also its format, length, range and content.
(3) Do not rely on client-side validation and filtering alone; the key filtering must happen on the server.
(4) Check data at output as well: many sites output values read from the database, and even when the input was encoded, every output point should still be checked for safety.
(5) Test the application against all known threats before release.
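Defences (1) to (4) in one place, as an added Python example (not from the original post): a server-side allow-list check on input and HTML entity encoding at the output point, shown beside the vulnerable rendering. html.escape is the standard-library encoder; the template and field names are assumptions:

```python
import html
import re

MAX_COMMENT_LEN = 500
# Allow-list for a display name: letters, digits, space and underscore, 1-32 chars.
NAME_RE = re.compile(r"^[A-Za-z0-9_ ]{1,32}$")

def validate_input(name: str, comment: str) -> None:
    # Server-side checks of type, format and length (defences 1-3); raises on failure.
    if not isinstance(name, str) or not isinstance(comment, str):
        raise ValueError("inputs must be strings")
    if not NAME_RE.match(name):
        raise ValueError("display name contains characters outside the allow-list")
    if len(comment) > MAX_COMMENT_LEN:
        raise ValueError("comment too long")

def is_valid_input(name, comment) -> bool:
    try:
        validate_input(name, comment)
        return True
    except ValueError:
        return False

def render_vulnerable(name: str, comment: str) -> str:
    # Vulnerable: values read back from the database are written straight into
    # the HTML, so a stored <script> in `comment` runs in every reader's browser.
    return f'<div class="post" data-author="{name}"><p>{comment}</p></div>'

def render_safe(name: str, comment: str) -> str:
    # Defence (4): encode at the output point, in both the attribute context and
    # the text context. html.escape(quote=True) turns & < > " ' into entities.
    return '<div class="post" data-author="{}"><p>{}</p></div>'.format(
        html.escape(name, quote=True), html.escape(comment, quote=True))
```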

3. Weak password vulnerability

A weak password has no strict, precise definition; generally, a password that someone else (who may know a lot about you) could easily guess, or that a cracking tool could easily break, is weak. Passwords should generally follow these principles:
(1) Do not use an empty password or the system's default password; default passwords are all typical weak passwords.
(2) The password should be at least 8 characters long.
(3) The password should not consist of consecutive identical characters (for example AAAAAAAA) or of a repeated group of characters (for example tzf.tzf.).
(4) The password should combine all four character classes: uppercase letters (A-Z), lowercase letters (a-z), digits (0-9) and special characters, with at least one character from each class. If a class is represented by only one character, that character should not be the first or last character.
(5) The password should not contain your own name or the names and birth dates of parents, children or spouse, anniversaries, the login name, e-mail address and so on, nor dictionary words.
(6) The password should not be a word with some of its letters replaced by digits or symbols.
(7) The password should be easy to remember and quick to type, so that someone standing behind you cannot easily see what you enter.
(8) Change the password at least every 90 days, or use one-time passwords, so that an intruder cannot keep using it undetected.
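A checker for principles (1) to (6), written as an added Python example (not from the original post). The default-password list, the dictionary and the leet-speak map are small constructed samples; a real deployment would load full lists:

```python
import re

# Constructed sample lists for the demo; a real deployment would load the
# product's real default credentials and a large word list.
DEFAULT_PASSWORDS = {"", "admin", "password", "123456", "root"}
DICTIONARY = {"password", "welcome", "dragon", "letmein", "summer"}
# Common letter-for-symbol substitutions, undone before the dictionary check (rule 6).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

def has_repeating_group(pw: str) -> bool:
    # Rule 3: "AAAAAAAA" (period 1) and "tzf.tzf." (period 4) are both rejected.
    for period in range(1, len(pw) // 2 + 1):
        if len(pw) % period == 0 and pw == pw[:period] * (len(pw) // period):
            return True
    return False

def check_password(pw: str, personal: dict) -> list:
    """Return the rules the password violates (empty list means it passes).
    `personal` maps labels to strings the password must not contain: login
    name, e-mail, family names, and dates in every format you want checked."""
    problems = []
    if pw in DEFAULT_PASSWORDS:                                   # rule 1
        problems.append("empty or default password")
    if len(pw) < 8:                                               # rule 2
        problems.append("shorter than 8 characters")
    if pw and has_repeating_group(pw):                            # rule 3
        problems.append("consecutive or repeating characters")
    for cls, rx in CLASSES.items():                               # rule 4
        hits = [m.start() for m in rx.finditer(pw)]
        if not hits:
            problems.append(f"missing {cls} character")
        elif len(hits) == 1 and hits[0] in (0, len(pw) - 1):
            problems.append(f"only {cls} character is first or last")
    low = pw.lower()
    for value in personal.values():                               # rule 5
        token = str(value).lower()
        if len(token) >= 3 and token in low:
            problems.append(f"contains personal information '{token}'")
    # Rules 5/6: dictionary words, plain or with letters swapped for digits/symbols.
    deleeted = "".join(ch for ch in low.translate(LEET) if ch.isalpha())
    for word in sorted(DICTIONARY):
        if word in low or word in deleeted:
            problems.append(f"based on dictionary word '{word}'")
    return problems
```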

4. HTTP header tracing vulnerability

The HTTP/1.1 specification (RFC 2616) defines the HTTP TRACE method, which is mainly used by a client to submit a TRACE request to the web server for testing or to obtain diagnostic information. When TRACE is enabled on the web server, the submitted request headers are returned in full in the body of the server's response, and those headers are likely to include session tokens, cookies or other authentication information. An attacker can exploit this to impersonate legitimate users and obtain their private information. The vulnerability is usually combined with other attack techniques: because HTTP TRACE requests can be initiated by client-side browser scripts (such as XMLHttpRequest) and the result read through DOM interfaces, it is easy for attackers to exploit.
The usual defence against the HTTP header tracing vulnerability is to disable the HTTP TRACE method.
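A defender-side check, as an added Python example not from the original post: given the raw response to a TRACE request, it reports whether the server echoed the request and which sensitive request headers came back in the body. The two responses are constructed samples:

```python
SENSITIVE = (b"cookie", b"authorization", b"x-auth-token")

def parse_response(raw: bytes):
    """Split a raw HTTP response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def trace_enabled(raw: bytes) -> bool:
    # TRACE was honoured when the server answers 200 with a message/http body
    # (RFC 2616 section 9.8) or the body starts with the echoed request line.
    status, headers, body = parse_response(raw)
    if status != 200:
        return False
    ctype = headers.get(b"content-type", b"").lower()
    return ctype.startswith(b"message/http") or body.startswith(b"TRACE ")

def reflected_sensitive_headers(raw: bytes) -> list:
    # Names of the sensitive request headers that came back inside the body;
    # a non-empty list is exactly the exposure the section above describes.
    if not trace_enabled(raw):
        return []
    body = parse_response(raw)[2]
    found = []
    for line in body.split(b"\r\n")[1:]:          # skip the echoed request line
        name = line.partition(b":")[0].strip().lower()
        if name in SENSITIVE:
            found.append(name.decode())
    return found

# Constructed sample responses (not captured from any real server).
ENABLED = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
           b"TRACE / HTTP/1.1\r\nHost: www.example.test\r\n"
           b"Cookie: session=abc123\r\n\r\n")
DISABLED = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n\r\n"
```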

5. Struts2 remote command execution vulnerability

Apache Struts is an open-source framework for building Java web applications. Apache Struts has an input filtering error: if a conversion error is encountered, the flaw can be used to inject and execute arbitrary Java code.
Most websites with remote code execution vulnerabilities of this kind have them because the site uses Apache Struts XWork as its web application framework, and that software contains a high-risk remote code execution vulnerability, which exposes the site to security risk. CNVD has handled many such vulnerabilities, for example: the remote command execution vulnerability in a "GPS vehicle satellite positioning system" website (CNVD-2012-13934), and the remote code execution vulnerability in the Aspcms message board (CNVD-2012-11590).
To fix this vulnerability, upgrade Apache Struts to the latest version from the official Apache Struts website: http://struts.apache.org

6. File upload vulnerability

A file upload vulnerability usually arises because the page code filters the file upload path variable too loosely. If the code implementing the upload function does not strictly restrict the extensions and types of the files users may upload, an attacker can upload arbitrary files into a directory reachable over the web, including website backdoor files (webshells), and then remotely control the web server.
Therefore, when developing the site and its applications, uploaded files must be strictly restricted and checked, and uploading files containing malicious code must be prohibited. At the same time, restrict the execute permission on the relevant directories to prevent webshell attacks.
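Added Python example (not from the original post) of the restrictions described above: an allow-list of extensions checked against the file's leading bytes, every part of the name after the first dot inspected, and a server-chosen storage name. UPLOAD_DIR is an assumed path outside the web root:

```python
import os
import secrets

# Permitted extension -> the bytes a genuine file of that type starts with.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
UPLOAD_DIR = "/srv/uploads"   # assumed: outside the web root, with no execute permission

def check_upload(filename: str, data: bytes) -> str:
    """Return the normalised extension if the upload is acceptable; raise otherwise.
    Every dotted part of the name is checked, so 'shell.php.jpg' is rejected just
    like 'shell.php', and names with no base part such as '.htaccess' are refused."""
    base = os.path.basename(filename.replace("\\", "/"))   # drop any client-supplied path
    parts = base.lower().split(".")
    if len(parts) < 2 or parts[0] == "":
        raise ValueError("missing or hidden extension")
    exts = ["." + p for p in parts[1:]]
    if any(e not in ALLOWED for e in exts):
        raise ValueError("extension not in allow-list")
    ext = exts[-1]
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        raise ValueError("content does not match the declared type")
    return ext

def is_acceptable(filename: str, data: bytes) -> bool:
    try:
        check_upload(filename, data)
        return True
    except ValueError:
        return False

def stored_name(filename: str, data: bytes) -> str:
    # The server chooses the stored name: a random token plus the validated
    # extension, so the client's file name never influences the final path.
    return os.path.join(UPLOAD_DIR, secrets.token_hex(16) + check_upload(filename, data))
```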

7. Private IP address disclosure vulnerability

An IP address is an important identifier of an Internet user and is something an attacker needs to know before attacking. There are many ways to obtain it, and the attacker chooses an approach according to the network situation: for example, using the Ping command on a LAN, pinging the other party's machine name to obtain its IP; or using a version of QQ that displays IP addresses directly on the Internet. The most effective method is to intercept and analyse the other party's network packets: the attacker can directly find and parse the IP header information of intercepted packets with software, and then target that specific IP on the basis of that information.
Against the most effective method, "packet analysis", software can be installed that automatically removes the IP header information from outgoing packets. However, such software has some drawbacks, for example: access to some forums or websites is affected; it consumes considerable resources and reduces computer performance, so it is unsuitable for Internet cafe users; and so on. Today the most popular way for individual users to hide their IP is to use a proxy: because the proxy server's "URL forwarding" modifies the packets that are sent out, the "packet analysis" method fails. Some network software that easily leaks the user's IP (QQ, MSN, IE and so on) supports connecting to the Internet through a proxy; in particular, when QQ connects through proxy software such as "ezProxy", the IP-displaying version of QQ cannot show the IP address. Although a proxy can effectively hide a user's IP, an attacker can still bypass the proxy and find the other party's true IP address; which method a user should use to hide their IP depends on the circumstances.

8. Unencrypted login request

Because of insecure web configuration, for example when a login request transmits the user name, password and other sensitive fields unencrypted, an attacker can eavesdrop on the network and capture the sensitive information. It is recommended to encrypt such data before transmission, for example with SSH.

9. Sensitive information disclosure vulnerability

SQL injection, XSS, directory traversal, weak passwords and other vulnerabilities can all lead to leaks of sensitive information, which the attacker obtains through the vulnerability. Different causes call for different defences.

10. CSRF

http://www.cnblogs.com/hyddd/archive/2009/04/09/1432744.html

"Web application" is the collective name for applications that use the B/S (browser/server) structure and serve the HTTP/HTTPS protocol. With the widespread use of the Internet, web applications have become part of every aspect of daily life: online shopping, online banking, securities trading, government administrative approval and so on. Most of this web access is not static browsing but dynamic processing on the server side. If programmers working in Java, PHP, ASP and other languages lack security awareness and do not strictly check the program's input parameters, web application security problems abound.

Based on the current security situation of web applications, this article lists the common attacks on web applications and the principles behind their harm, and gives recommendations on how to avoid web attacks.

Principles of web application vulnerabilities
A web application vulnerability is exploited when an attacker uses a browser or attack tool to send a specially crafted request to the web server through the URL or another input area (such as a form), discovers a flaw in the web application, and uses it to further manipulate and control the website and to view or modify information without authorisation.

1.1 Classification of web application vulnerabilities

1. Information disclosure vulnerability

An information disclosure vulnerability arises when a web server or application does not correctly handle certain special requests and thereby discloses sensitive information about the web server, such as user names, passwords, source code, server information, configuration information and so on.

Information leakage has mainly the following three causes:

- web server configuration problems that expose some system files or configuration files to the Internet;

- vulnerabilities in the web server itself, where entering special characters in the browser gives unauthorised access to files or to the source code of dynamic scripts;

- programming problems in the website, where user requests are not properly filtered and user-submitted data is used directly.

2. Directory traversal vulnerability

In a directory traversal vulnerability, an attacker sends a request to the web server with "../" (or a disguised variant of it, such as a bare "..", a doubled separator, or an encoded form), which has a special meaning in directory paths, appended to the URL, so that the attacker can access unauthorised directories and execute commands outside the web server's root directory.
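Added Python example (not from the original post) of resolving a requested path safely: it strips layered percent-encoding, rejects NUL and backslash, then normalises the path and refuses anything that resolves outside the web root. WEB_ROOT is an assumed path:

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"   # assumed document root

def safe_path(requested: str, root: str = WEB_ROOT) -> str:
    """Map a URL path onto a file under `root`, or raise ValueError.
    Catches plain '../', percent-encoded '%2e%2e%2f' and double-encoded forms
    by decoding repeatedly and then checking where the path really resolves."""
    decoded = requested
    for _ in range(3):                      # undo up to three layers of encoding
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded or "\\" in decoded:
        raise ValueError("forbidden character in path")
    # Join, then normalise: any '..' segments are resolved here, so a path that
    # climbs above the root no longer has the root as its prefix.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        raise ValueError("path escapes the web root")
    # In production also compare os.path.realpath() results so symlinks cannot
    # lead outside the root; omitted here so the example runs without a filesystem.
    return candidate

def is_safe(requested: str) -> bool:
    try:
        safe_path(requested)
        return True
    except ValueError:
        return False
```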

3. Command execution vulnerability

A command execution vulnerability is exploited through a URL request to execute unauthorised commands on the web server, obtain system information, tamper with the system configuration, take control of the whole system or bring it down.

Command execution vulnerabilities occur mainly in two contexts:

- through a directory traversal vulnerability, reaching system folders and executing a chosen system command;

- the attacker submits special characters or commands which the web program fails to detect, or which bypass its filtering, so that the web application parses the user's request as a command and executes arbitrary commands.
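Added Python example (not from the original post) of the second context: a request parameter that ends up in an operating-system command. The vulnerable form splices it into a shell command line; the fixed form validates it against an allow-list and passes an argument vector with no shell. The ping command is an assumed action, chosen only for illustration:

```python
import re
import subprocess

# Allow-list: host names and dotted IPv4 literals only (RFC 1123 label rules).
# The first character must be alphanumeric, so option-like values such as "-f"
# and any shell metacharacters never pass.
HOST_RE = re.compile(r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
                     r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")

def build_vulnerable(host: str) -> str:
    # Vulnerable pattern: the request parameter is spliced into a command line
    # that will be handed to a shell, so any shell syntax in `host` is executed.
    return "ping -c 1 " + host

def is_valid_host(host) -> bool:
    return isinstance(host, str) and HOST_RE.match(host) is not None

def build_safe(host: str) -> list:
    # Fixed: validate first, then return an argument vector. With a list and
    # shell=False (the default) no shell ever interprets the value.
    if not is_valid_host(host):
        raise ValueError("invalid host name")
    return ["ping", "-c", "1", host]

def run_safe(host: str) -> subprocess.CompletedProcess:
    # The list goes straight to the OS exec call; the host is a single argument.
    return subprocess.run(build_safe(host), capture_output=True, text=True, timeout=10)
```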

4. File inclusion vulnerability

A file inclusion vulnerability is exploited by an attacker sending a request to the web server with illegitimate URL parameters added; because the web server program filters its variables too loosely, the illegitimate file name is processed as a parameter. The file name can refer to a local file on the server or to a remote malicious file. Because this vulnerability results from lax filtering of PHP variables, only web applications developed in PHP can have file inclusion vulnerabilities.

5. SQL injection vulnerability

A SQL injection vulnerability arises because the web application does not check the legitimacy of user input data. The attacker inserts special characters and commands, in the form of carefully constructed SQL statements, through an input area of the web page (such as the URL or a form) and, by interacting with the database, obtains private information or tampers with the database contents. SQL injection is very popular among web attacks: an attacker can use a SQL injection vulnerability to gain administrative privileges, plant trojans and other malicious programs on web pages, and steal sensitive corporate information from users.

6. Cross-site scripting vulnerability

A cross-site scripting vulnerability arises because the web application does not filter or restrict the statements and variables submitted by users. The attacker submits malicious code through an input area of the web page so that it lands in the database or in an HTML page; when a user opens a link to, or a page containing, that malicious code, the browser executes it automatically and the attack succeeds. Cross-site scripting vulnerabilities are very harmful, especially now that online banking is widely used: through a cross-site scripting vulnerability an attacker can impersonate the victim to access important accounts and steal business-critical information.

According to surveys by various vulnerability research institutions, SQL injection and cross-site scripting vulnerabilities rank as the two most prevalent, and the harm they cause is also the greatest.

1.2 Principle of SQL injection attacks

A SQL injection attack combines cleverly constructed SQL statements with submission through the web page. Commonly used techniques include comment symbols, tautologies (for example 1=1), UNION queries, INSERT or UPDATE statements to insert or modify data, and second-order attacks using the database's built-in functions.

An attack on a website through a SQL injection vulnerability generally proceeds as follows:

Step 1: detect whether the website contains a SQL injection vulnerability.

Step 2: detect the type of the back-end database.

Step 3: based on the database type, detect its system table information.

Step 4: detect which tables exist.

Step 5: detect which columns exist in a table.

Step 6: detect the data in the table.

1.3 Cross-site scripting attacks

The purpose of a cross-site scripting attack is to steal sensitive client-side information and, posing as the victim, access important accounts. Cross-site scripting attacks mainly take the following three forms:

1. Local cross-site scripting attacks

B sends A a maliciously constructed web URL; A clicks it and saves the page to the local hard disk (or the page constructed by B has such a feature). When A runs the page locally, the malicious script embedded in it executes on A's computer with all the privileges A holds.

2. Reflected cross-site scripting attacks

A frequently visits a website owned by B. A has a user name and password for B's site, and B's site stores A's sensitive information (such as bank account details). C discovers that B's site contains a reflected XSS vulnerability and, using that vulnerability, constructs a URL whose domain name is B's site with a malicious script embedded after it (for example one that reads A's cookie file), then tricks A into visiting the malicious URL by e-mail or social engineering. When A uses the URL supplied by C to visit B's site, the reflected cross-site scripting vulnerability causes the web server to return the script embedded in the URL to A, where it executes in A's browser and sends A's sensitive information to C without A's knowledge.

3. Persistent cross-site scripting attacks

B has a website that allows users to post and browse messages. C notices that B's site has a persistent cross-site scripting vulnerability and posts a hot message to attract users to read it. Once A browses the message, A's session cookies or other information are stolen by C. Persistent cross-site scripting attacks generally appear in forums, guestbooks and similar pages: the attacker writes the attack data into the server's database through a message, and the browser of any user who reads that message leaks the information.

Implementing defences against web application vulnerabilities
For the common web application vulnerabilities above, defence can start from the following aspects:

1) Web application developers

Most common web application vulnerabilities are created during web application development because developers do not test user input parameters, or do not test them strictly enough. Web application developers should therefore establish strong security awareness and write secure code: user-submitted URLs, query keywords, HTTP headers and POST data must be rigorously checked and restricted, accepting only data of a specified length, in the appropriate form and character encoding, and blocking, filtering or ignoring everything else. Writing secure web application code eliminates the vast majority of web application security problems.

2) Website administrators

As the people responsible for day-to-day management and maintenance of the website, web administrators should promptly track and install the latest security patches for all the software the website runs, to ensure that an attacker cannot attack the site through software vulnerabilities.

Beyond vulnerabilities in the software itself, improper configuration of the web server, database and so on can also lead to web application security problems. Website administrators should carefully monitor the configuration of all site software to reduce the possible security problems.

In addition, web administrators should regularly audit web server logs to detect abnormal access and catch potential security problems early.

3) Using a network attack prevention device

The first two approaches are preventive and somewhat idealised. In reality, web application vulnerabilities are unavoidable: some websites have large numbers of security vulnerabilities that their developers and administrators are unaware of or have not found. Because web applications use the HTTP protocol, ordinary firewalls cannot defend against web attacks, so an IPS (intrusion prevention system) device can be used to provide security.

H3C IPS web attack defence

H3C IPS intrusion prevention devices have a comprehensive web attack defence framework that promptly discovers both known and potential web attacks. The figure below shows the overall defence framework for web attacks.

Figure 1: web attack prevention framework, see: http://blog.csdn.net/moshenglv/article/details/53439579

H3C IPS identifies and blocks a variety of attacks by signature matching. The IPS device has a complete signature library, which is upgraded periodically both manually and automatically. When network traffic enters the IPS, the IPS pre-processes the packets and checks whether each packet is correct, that is, whether it meets the protocol definition and contains no erroneous fields; if the message is correct, it enters the deep detection engine. This engine is the core module of IPS detection: it analyses the web traffic passing through the IPS device in depth and matches it against the IPS attack signature library to detect abnormal web traffic. If traffic matching an attack signature is found, the IPS blocks it and reports a log; otherwise the traffic is passed.

This web attack prevention framework has the following characteristics:

1) A complete web attack detection model that accurately identifies a variety of web attacks

Based on the characteristics of web attacks, and taking their principles and forms into account, a universal, hierarchical web attack detection model was developed, with models and features for different vulnerabilities integrated into the library. These models abstract the general form of web attacks and can accurately identify the mainstream attacks, which makes the model universal.

2) Flexible detection that accurately identifies modified web attacks

In real attacks, attackers often modify web attacks to evade detection devices, for example using URL encoding or changing parameters. H3C has extended its attack signatures according to the principles of web application vulnerabilities, attack methods and attack targets. Even if the attacker changes the content, parameters, format or wording of the attack, any variant that exploits the same vulnerability principle can be blocked just as effectively. This widens the IPS's scope of defence, significantly increases its flexibility and greatly reduces false negatives.

3) Tracking the latest vulnerabilities and techniques to effectively prevent the latest attacks

Web attacks are appearing more and more frequently and the harm they cause is growing. This places higher demands on the depth and breadth of IPS defence: it must defend not only against existing web attacks but also against newly emerging, unpublished ones. H3C has established a complete offensive and defensive test environment that can discover potential web security vulnerabilities, and at the same time continuously tracks the latest web attack techniques and tools, updates the web attack signature database, and releases countermeasures for the latest web vulnerabilities as soon as possible, to keep users' networks safe from attack.

4) Ensuring efficient operation of normal business

The detection engine is the key to running the whole IPS device. It uses efficient and accurate detection algorithms to analyse the traffic passing through the device in depth and detects abnormal traffic by matching against attack signatures. Traffic that matches no attack signature is allowed through without interfering with normal network traffic, so accurate defence and efficient operation of normal business are ensured at the same time.

Conclusion

The wide use of the Internet and web technology makes the security challenges facing web applications increasingly serious, and web systems are threatened by various attacks at all times. In this situation a complete web attack defence solution is needed that combines secure web applications, web server software and web anti-attack devices to ensure the security of the whole site. Any simple flaw or oversight can bring the whole site under attack and cause huge losses. Web attack defence is also long-term work: as web technology develops and is updated, web attacks keep evolving, and web security policies must be adjusted in time to counter the latest threats, so that proactive web attack defence provides a secure environment for the website's business and customers.


Origin: www.cnblogs.com/mg007/p/12119006.html