Chapter 2: Core Defense Mechanisms

1. Why is an application's mechanism for handling user access only as strong as its weakest component?

  A typical application uses three interrelated mechanisms (authentication, session management and access control) to handle user access. These components are highly interdependent, so a flaw in any one of them undermines the effectiveness of the entire access-handling mechanism. For example, an attacker could exploit a vulnerability in the authentication mechanism to log in as any user and thereby gain that user's access. If session tokens are predictable, the attacker can impersonate any logged-in user and access their data. If access control is imperfect, any user can directly use functions that should be protected.

2. What is the difference between a session and a session token?

  A session is a set of data structures stored on the server to track the state of a user's interaction with the application. A session token is a unique string that the application assigns to the session; the user must submit this string with each request during the interaction so that the application can re-identify them.

3. Why is it not always possible to use a whitelist-based approach to input validation?

  In many situations an application may be forced to accept data that does not match any list or pattern of inputs known to be "benign". For example, many users' names contain characters that can be used in a variety of attacks. If the application wants to let users register under their real names, it must accept potentially malicious input and make sure that such input is handled safely.

4. An attacker is targeting an application that has an administrative function, but he does not hold any valid credentials for using that function. Why should he still pay close attention to it?

  The attacker may be able to exploit a defect in the core access control mechanism to gain unauthorized access to the administrative function. Moreover, data submitted by the attacker as a low-privileged user may ultimately be displayed to administrative users, so the attacker can submit malicious data designed to compromise an administrator's session when the administrator views it in the user management function, and thereby carry out an attack through that function.

5. An input validation mechanism designed to prevent cross-site scripting attacks processes an input in the following order:

(1) remove any occurrence of the expression <script>;
(2) truncate the input to 50 characters;
(3) remove any quotation marks from the input;
(4) URL-decode the input;
(5) if any item was deleted, return to step (1).

Can the following data bypass the validation mechanism?

"><script>alert("foo")</script>

Yes. If step 4 were absent, this mechanism would be robust and would filter the specific items it is designed to block. However, because the input is URL-decoded after the filtering steps, the attacker only needs to URL-encode the characters in the payload that the earlier steps filter, and the filter can be bypassed:
">
If step 4 were performed first, or not performed at all, the attacker would not be able to bypass the filter.
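The following Python is an added example, not part of the original post: it models the five-step mechanism from question 5 once with URL decoding performed after the filters, exactly as the question orders it, and once with decoding performed first. The payload strings are constructed for the demonstration (the encoded one is the question's payload with only the filtered characters percent-encoded). The decode-first version also repeats decoding until the string stops changing, which goes slightly beyond the question's ordering so that doubly encoded input is handled too.

```python
from urllib.parse import unquote

# Parameters of the validation mechanism described in question 5.
SCRIPT_TAG = "<script>"   # step (1) removes this expression
MAX_LEN = 50              # step (2) truncates to this length
QUOTES = ('"', "'")       # step (3) removes quotation marks


def _filter_once(s: str):
    """Apply steps (1) to (3) once.

    Returns the filtered string and a flag saying whether step (1) or (3)
    deleted anything; step (5) uses that flag to decide whether to loop.
    """
    after_tag = s.replace(SCRIPT_TAG, "")
    truncated = after_tag[:MAX_LEN]
    after_quotes = truncated
    for q in QUOTES:
        after_quotes = after_quotes.replace(q, "")
    deleted = after_tag != s or after_quotes != truncated
    return after_quotes, deleted


def validate_decode_last(s: str) -> str:
    """The mechanism exactly as ordered in the question: filter, then
    URL-decode (step 4), then return to step (1) only if something was
    deleted. Decoding after filtering is the flaw."""
    while True:
        s, deleted = _filter_once(s)
        s = unquote(s)
        if not deleted:
            return s


def validate_decode_first(s: str) -> str:
    """Corrected ordering: canonicalise by URL-decoding first, then filter.
    Decoding is repeated until the string stops changing so that doubly
    encoded input (e.g. %2522 for a quote) cannot slip past the filters."""
    while True:
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    while True:
        s, deleted = _filter_once(s)
        if not deleted:
            return s


def contains_script_tag(s: str) -> bool:
    """Does a <script> tag survive into the validated output?"""
    return SCRIPT_TAG in s.lower()


# Constructed sample inputs. The second is the question's payload with only
# the characters the filters act on (quotes and angle brackets) percent-encoded;
# it is 47 characters long, so step (2) does not truncate it.
PLAIN_PAYLOAD = '"><script>alert("foo")</script>'
ENCODED_PAYLOAD = "%22%3e%3cscript%3ealert(%22foo%22)%3c/script%3e"


if __name__ == "__main__":
    for name, fn in (("decode last", validate_decode_last),
                     ("decode first", validate_decode_first)):
        for payload in (PLAIN_PAYLOAD, ENCODED_PAYLOAD):
            out = fn(payload)
            verdict = "BYPASSED" if contains_script_tag(out) else "blocked"
            print(f"{name:12} {payload!r:52} -> {out!r} ({verdict})")
```

Running the script shows that the decode-last ordering blocks the plain payload but lets the encoded one through intact, while the decode-first ordering reduces both to the harmless `>alert(foo)</script>`. The general lesson is to canonicalise input (decode every encoding layer) before any validation runs on it.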

Origin www.cnblogs.com/taozita/p/12151888.html