Shulou(Shulou.com)06/02 Report--

This article mainly shows you "what are the common security loopholes in website construction". The content is simple and clear, and I hope it can help you solve your doubts. Let the editor lead you to study and learn the article "what are the common security loopholes in website construction?"

1. Plaintext transmission

Problem description: insufficient protection of system user passwords, * users can use * tools to steal legitimate user password data from the network.

Modification suggestion: the transmitted password must be encrypted.

Note: all passwords should be encrypted. Complex encryption. Do not use base64 or md5.

2. Sql injection

Problem description: * * users can obtain a variety of information in the database by taking advantage of the sql injection vulnerability, such as managing the password of the backend, thus removing the contents of the database (de-database).

Modification suggestion: filter and verify the input parameters. Use the black and white list method.

Note: filtering and checking should cover all the parameters in the system.

3. Cross-site scripting *

Problem description: without checking the input information, the user can inject malicious instruction code into the web page in an ingenious way. This code is usually JavaScript, but in fact, it can also include Java, VBScript, ActiveX, Flash, or plain HTML. After the * is successful, the * can get higher permissions.

Modification suggestion: filter and verify the user input. The output is encoded with HTML entities.

Note: filtering, checking, HTML entity coding. Override all parameters.

4. File upload loophole

Problem description: there are no restrictions on file upload, and executable files or script files may be uploaded. Further lead to the fall of the server.

Modification suggestion: strictly verify uploaded files to prevent uploading dangerous scripts such as asp, aspx, asa, php, jsp, etc. Colleagues had better add header verification to prevent users from uploading illegal files.

5. Disclosure of sensitive information

Problem description: the system exposes internal information, such as: absolute path of the website, web page source code, SQL statement, middleware version, program exception and so on.

Modification suggestion: filter the abnormal characters entered by the user. Block some error echoes, such as custom 404, 403, 500, etc.

6. Command execution loophole

Problem description: script calls such as php's system, exec, shell_exec, etc.

Modification suggestion: patch and strictly limit the commands that need to be executed in the system.

7. CSRF (cross-site request forgery)

Problem description: use a user who has logged in to perform an action without knowing it.

Modification suggestion: add token authentication. Time stamp or this picture verification code.

8. × × F loophole

Problem description: the server requests forgery.

Modification suggestion: patch or uninstall useless packages

9. Default password, weak password

Problem description: because the default password, weak password is easy to guess.

Modification suggestion: strengthening password strength does not apply weak password

Note: passwords do not appear in common words. Such as: root123456, admin1234, qwer1234, pssw0rd and so on.

Of course, these are not all possible loopholes, the enterprise website must be often tested and maintained in the process of operation, it is best to have a special person in charge of regular inspection and maintenance of the enterprise website to ensure the safety of the website.

The above is all the contents of the article "what are the common security loopholes in website construction?" Thank you for reading! I believe we all have a certain understanding, hope to share the content to help you, if you want to learn more knowledge, welcome to follow the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.