2025-04-03 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/02 Report
This article explains what the common security vulnerabilities in website construction are. The content is simple and clear, and I hope it helps resolve your doubts. Let the editor lead you through the article "what are the common security vulnerabilities in website construction?"
1. Plaintext transmission
Problem description: user passwords are insufficiently protected; an attacker can use packet-capture tools to steal legitimate users' password data from the network.
Modification suggestion: passwords must be encrypted in transit.
Note: all passwords should be protected with strong encryption. Do not rely on base64 or md5 (base64 is an encoding, not encryption, and md5 is not adequate protection).
2. SQL injection
Problem description: an attacker can exploit a SQL injection vulnerability to obtain all kinds of information from the database, such as the password of the management backend, and from there dump the entire contents of the database.
Modification suggestion: filter and validate the input parameters, using a combination of blacklist and whitelist methods.
Note: filtering and validation must cover every parameter in the system.
3. Cross-site scripting (XSS)
Problem description: when input is not validated, an attacker can inject malicious code into the web page in an ingenious way. This code is usually JavaScript, but it can also be Java, VBScript, ActiveX, Flash, or plain HTML. After a successful attack, the attacker can obtain higher privileges.
Modification suggestion: filter and validate user input, and HTML-entity-encode the output.
Note: filtering, validation and HTML entity encoding must cover all parameters.
4. File upload vulnerability
Problem description: file uploads are not restricted, so executable files or script files can be uploaded, which can further lead to the compromise of the server.
Modification suggestion: strictly validate uploaded files to prevent dangerous scripts such as asp, aspx, asa, php, jsp and so on from being uploaded. At the same time, it is best to add file-header verification to prevent users from uploading illegal files under a disguised name.
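As an added example (not code from the original article), the check section 4 describes in Python: a strict extension allowlist combined with file-header (magic-bytes) verification; the accepted types, their magic bytes and the function name are assumptions for illustration.

```python
"""Upload validation: extension allowlist plus file-header check (added example)."""
import os

# Assumed allowlist of types this site accepts; an allowlist is stricter than a blacklist.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# File headers (leading bytes) that each accepted type must start with.
MAGIC_BYTES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}

# Dangerous script extensions named in the article. They are rejected wherever they
# appear in the name, so a double extension such as "x.php.png" is refused too.
DANGEROUS_EXTENSIONS = {"asp", "aspx", "asa", "php", "jsp"}


def validate_upload(filename: str, content: bytes) -> tuple:
    """Return (accepted, reason) after checking name, extension and file header."""
    # Keep only the base name so "../x.png" cannot escape the upload directory.
    name = os.path.basename(filename.replace("\\", "/"))
    # Control characters (e.g. a null byte) are never part of a legitimate name.
    if not name or any(ord(c) < 32 for c in name):
        return False, "invalid file name"
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension"
    # Every dotted component is checked, not only the last one.
    if any(p in DANGEROUS_EXTENSIONS for p in parts[1:]):
        return False, "dangerous script extension"
    ext = parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension '%s' not in allowlist" % ext
    # Header verification: the bytes must match the type the extension claims.
    if not any(content.startswith(magic) for magic in MAGIC_BYTES[ext]):
        return False, "file header does not match extension"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: a real PNG header and a script disguised as a PNG.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(validate_upload("photo.png", png))             # (True, 'ok')
    print(validate_upload("photo.png", b"<?php echo 1;"))  # header mismatch
    print(validate_upload("shell.php.png", png))         # dangerous extension
```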
5. Disclosure of sensitive information
Problem description: the system exposes internal information, such as the absolute path of the website, web page source code, SQL statements, middleware version, program exceptions and so on.
Modification suggestion: filter abnormal characters in user input, and suppress detailed error output by using custom 404, 403, 500 and similar error pages.
6. Command execution vulnerability
Problem description: user-controllable input reaches script functions that execute system commands, such as PHP's system, exec, shell_exec and so on.
Modification suggestion: apply patches and strictly limit the commands the system is allowed to execute.
7. CSRF (cross-site request forgery)
Problem description: a logged-in user is made to perform an action without knowing it.
Modification suggestion: add token authentication, together with a timestamp or a CAPTCHA image verification code.
8. SSRF vulnerability
Problem description: server-side request forgery.
Modification suggestion: apply patches or uninstall unused packages.
9. Default passwords and weak passwords
Problem description: default passwords and weak passwords are easy to guess.
Modification suggestion: enforce password strength and do not allow weak passwords.
Note: passwords must not be common words or patterns, such as root123456, admin1234, qwer1234, pssw0rd and so on.
Of course, these are not all the possible vulnerabilities. An enterprise website must be tested and maintained regularly during operation, and it is best to have a dedicated person responsible for periodic inspection and maintenance to ensure the security of the website.
The above is the whole content of the article "what are the common security vulnerabilities in website construction?" Thank you for reading! I believe you now have some understanding of the topic, and I hope the content shared helps you. If you want to learn more, welcome to follow the industry information channel!
© 2024 shulou.com SLNews company. All rights reserved.