Shulou(Shulou.com)06/03 Report--

Common security problems in Web projects

1.XSS (CrossSite Script) cross-site script

XSS (CrossSite Script) cross-site scripting. It refers to the malicious insertion of malicious html code into the Web page, when the user browses the page, the html code embedded in the Web will be executed, thus achieving the special purpose of the malicious user.

Test method: in the data input interface, add record input: if the dialog box pops up successfully, it indicates that there is a XSS vulnerability here. Or change the parameter in the url request to, if a dialog box pops up on the page, it indicates that there is a XSS vulnerability here.

Modification suggestion: filter out dangerous characters in user input. Client-side and program-level validation of input data (such as through regular expressions, etc.). Eg: whether the places and variables entered by the user are long and whether the characters such as ","'"are filtered.

2.CSRF and cross-site scripting (XSS)

CSRF and cross-site scripting (XSS) are requests that force a logged-in browser to send a request to a vulnerable Web application, and then take the chosen action for the benefit of the victim.

Test method: the same browser opens two pages, one page permission expires, whether the other page can be operated successfully, use the tool to send the request, do not add the referer field in the http request header, check the response of the returned message, and should be relocated to the error interface or login interface.

Modification suggestion: send the same request twice in different sessions and receive the same response. This shows that no parameters are dynamic (session identity is sent only in cookie), so the application is vulnerable to this problem. Therefore, the solution is:

(1) Cookie Hashing (all forms contain the same pseudo-random value):

(2) Verification code

(3) One-Time Tokens (different forms contain a different pseudo-random value) client protection measures, the application of tools or plug-ins to prevent CSRF.

3. Injection test

SQL injection is to deceive the server into executing malicious SQL commands by inserting SQL commands into the Web form to submit or enter the query string of the domain name or page request.

Test method: on the page that needs to be queried, enter simple sql statements such as the correct query condition and 1 query 1, and view the response result. If the result is consistent with entering the correct query condition, it indicates that the application has not filtered the user input, and it can be preliminarily judged that there is a SQL injection vulnerability here.

Modification suggestions: check the user's input, you can use regular expressions, or limit the length; convert the following keywords, etc.

| | alert | and | exec | execute | select | delete | update | update | count | chr | mid | master | truncate | declare | sitename | netuser | xp_cmdshell | or | + |, like' | and | exec | execute | insert | drop | table | from | grant | group_concat | column_name | information_schema.columns | table_schema | union | where | select | delete | update | order |-| + |, | update | / / |

Instead of using dynamic assembly sql, you can use parameterized sql or directly use stored procedures for data query and access

Do not use database connections with administrator privileges, use separate database connections with limited permissions for each application

The applied exception information should give as few hints as possible, and it is best to wrap the original error message with custom error messages.

4. Login authentication test

4.1 brute force cracking

Brute force cracking is the most direct and effective way at present, especially for financial business, in many cases, passwords are 6-digit pure numbers, which is easy to be used. This test item is to check the protection of the authentication system against cracking.

Test method:

Start the package capture tool, and at the same time open the browser to enter the user login page, enter the user name, password and verification code to log in. If there is a clear user name and password in the grab package, it means there is a weakness.

Modification suggestion: change the request mode from HTTP mode to HTTPS mode or encrypt the user name and password entered, and verify the password on the server side.

4.2 Code comments

The comments contained in the development version of the Web program were not removed in the release version, which led to the disclosure of some sensitive information. We need to look at the source code of the page that the client can see and find such security risks.

Test method: open the landing page (or the page to be tested), click on the browser email, view the source code, and check whether the source code notes have any sensitive information leaked. The sensitive information includes the following: field text description, intranet IP address, SQL statement and physical path, and so on.

Modification suggestion: do not leave any important information (such as file name or file path) in the HTML comments.

Remove tracking information for previous (or future) site links from production site comments. Avoid placing sensitive information in HTML comments. Make sure that the HTML comments do not include source code fragments.

4.3 user name cracking

In order to perform brute force cracking, the user needs to know the user name that already exists, and then carry out the user name.

Test method: enter a user name and any password that does not exist in the login interface, if you prompt that the user name does not exist, it means that there is a loophole; log in with the correct user name and the wrong password, and if the password or password is wrong, it means there is a loophole.

Modification suggestion: the server will respond uniformly to all the causes of login errors and will not prompt accurate error messages.

4.4 default account name settings

General systems are equipped with default login users, as well as super administrator accounts, if the login account is too simple, it will be easy to crack, resulting in super rights disclosure.

Modification suggestion: the online system clears the Super Admin users, or increases the complexity of the Super Admin login name, and do not set it to admin, superadmin and other names that are easy to guess.

4.5 incorrect page information

Errors or warning messages such as 404, 500, etc., may disclose sensitive information.

Modification suggestion: catch an exception and jump to the unified error page to avoid revealing detailed error information.

5. Session management test not updated

5.1 session Identification Test

Check to see if the session identity changes after a successful login. If there is no change, then the person can determine a session ID for the victim by some means (such as constructing URL). When the victim logs in successfully, the person can also use this session ID to access the system pretending to be the victim.

Test method: start the package grab tool or the browser comes with developer mode to open the login page, enter the correct user name, password and verification code, log in, and carry out any business operation after logging in. If there is no change in the SessionId logged in and the SessionId in which the business is conducted, a vulnerability exists.

Modification suggestion: get a token from the last request for each request, and the server validates each interaction.

Check to see if there is a mechanism to log back in after the browser window is idle and timed out

5.2 session cleanup Test

The session information needs to be cleared after the user logs out, otherwise it will cause the user to continue to access the page that can only be accessed before the logout after clicking the logout button.

Test method: enter the login page, enter the correct user name and password, after the login is successful, do some business operations, click the logout button, enter the address in the browser, enter the address for business operations above, and if you can return to the business page normally, it means there is a loophole.

Modification suggestion: after the user logs out, the user's Session information and cache information must be emptied.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.