
What are the common security vulnerabilities in web applications

2025-02-26 Update. From: SLTechnology News&Howtos, Development section.

Shulou(Shulou.com)06/02 Report--

This article introduces the common security vulnerabilities in web applications. Many people run into these problems in real projects, so the sections below explain each vulnerability, where it comes from, and how to deal with it.

1. SQL injection

SQL injection tricks the server into executing attacker-controlled SQL commands by passing specially crafted characters into the web API.

SQL injection is a backend vulnerability, although the front end can add input validation to improve the user experience.

Reason: when external, untrusted data is used as a parameter for inserting, deleting, updating or querying the database, and that data is not filtered, the application has a SQL injection vulnerability.

2. XSS attack

XSS stands for cross-site scripting (Cross-Site Scripting). Simply put, an attacker injects malicious scripts into the target website and gets them to run, in order to obtain users' sensitive information such as the Cookie or SessionID, which compromises the security of the website and of user data.

XSS mostly concerns the front end, but the back end must also sanitize the data securely before it stores it.

Reason: an attacker injects malicious code into the browser page by some means, and the browser executes that code.
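As an added example (not from the original article), the functions below render a user comment into HTML the unsafe way and the safe way. The fix is context-aware output encoding: every untrusted value is escaped for the place it lands in (element text or attribute value). The markup, field names and sample inputs are constructed for the demonstration.

```python
import html


def render_comment_unsafe(author: str, body: str) -> str:
    """VULNERABLE: user-supplied text is inserted into HTML verbatim, so any
    markup inside it becomes part of the page and scripts in it run in the browser."""
    return f'<div class="comment"><b>{author}</b>: {body}</div>'


def render_comment_safe(author: str, body: str) -> str:
    """SAFE for element text: &, <, > (and quotes) are turned into entities,
    so the browser shows the characters instead of interpreting them as tags."""
    return (
        f'<div class="comment"><b>{html.escape(author, quote=True)}</b>: '
        f'{html.escape(body, quote=True)}</div>'
    )


def render_profile_link(display_name: str) -> str:
    """SAFE for attribute context: html.escape() with the default quote=True
    also escapes " and ', so the value cannot close the attribute and add new
    ones (e.g. an event handler)."""
    escaped = html.escape(display_name)
    return f'<a title="{escaped}">{escaped}</a>'


if __name__ == "__main__":
    # Constructed sample input: the classic harmless probe string.
    body = "<script>alert(1)</script>"
    print(render_comment_unsafe("eve", body))  # script tag survives intact
    print(render_comment_safe("eve", body))    # shown as text, not executed
    print(render_profile_link('a" onmouseover="x'))
```

Escaping on output is what protects the browser; sanitizing on the back end before saving (as the article says) is a second layer, since stored data may be rendered by more than one consumer.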

3. CSRF attack

CSRF stands for cross-site request forgery (Cross-site Request Forgery). Simply put, an attacker borrows your identity and sends a malicious request in your name.

Solution: CSRF has to be prevented on the server side. The basic idea is to reliably determine whether the request was really initiated by the user.

4. DDoS attack

DoS stands for denial of service (Denial of Service); simply put, it makes a public website unreachable. DDoS (distributed denial of service, Distributed Denial of Service) is the upgraded version of DoS. This is entirely a back-end concern.

Reason: an attacker keeps sending service requests so that legitimate users' requests cannot be processed in time; this is a DoS attack.

When the attacker uses many computers or a cluster of computers to mount the DoS attack, it is a DDoS attack.

5. XXE vulnerability

XXE stands for XML external entity (XML External Entity). When an application parses XML input without disabling the loading of external entities, malicious external files and code can be loaded, which leads to arbitrary file reads, command execution, intranet port scanning, attacks on intranet websites and other attacks.

This occurs only on interfaces that accept parameters in XML format.
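Added example (not part of the original article): a small wrapper for an XML-accepting interface that refuses any document carrying a DTD before handing it to the parser. Entity declarations, including external `SYSTEM` entities, can only appear inside a `DOCTYPE`, so rejecting the DTD up front removes the whole class of XXE and entity-expansion problems. The `<order>` element, the `<id>` child and the sample documents are constructed for the demonstration; the file path in the rejected sample is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

# A DTD (<!DOCTYPE ...>) is the only place entities can be declared, so its
# presence alone is enough to refuse the document on an untrusted interface.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
_ENTITY_RE = re.compile(rb"<!ENTITY", re.IGNORECASE)


class UnsafeXMLError(ValueError):
    """Raised when an untrusted document tries to declare a DTD or entities."""


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted client, refusing DTDs and entity declarations."""
    if _DOCTYPE_RE.search(data) or _ENTITY_RE.search(data):
        raise UnsafeXMLError("DTD / entity declarations are not accepted on this interface")
    return ET.fromstring(data)


def is_accepted(data: bytes) -> bool:
    """Convenience check: True if the document passes the DTD filter and parses."""
    try:
        parse_untrusted_xml(data)
        return True
    except (UnsafeXMLError, ET.ParseError):
        return False


def extract_order_id(data: bytes) -> str:
    """Example business use: read <order><id>...</id></order> from a request body."""
    root = parse_untrusted_xml(data)
    node = root.find("id")
    if node is None or not node.text:
        raise ValueError("missing <id> element")
    return node.text.strip()


# Constructed sample inputs (not taken from the article).
BENIGN_ORDER = b"<order><id>42</id></order>"
DTD_ORDER = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/path">]>'
    b"<order><id>&ext;</id></order>"
)

if __name__ == "__main__":
    print("benign order id:", extract_order_id(BENIGN_ORDER))
    print("document with DTD accepted?", is_accepted(DTD_ORDER))  # False
```

This is the same strategy the `defusedxml` package applies by default (forbidding DTDs and entity expansion); if the interface genuinely needs a DTD, the parser must be configured to never resolve external entities instead.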

6. JSON hijacking

JSON hijacking (JSON Hijacking) is a technique for obtaining sensitive data; it falls into the category of CSRF attacks.

Reason: some web applications return sensitive data to the front end as JSON. If the server relies only on the Cookie to decide whether a request is legitimate, then CSRF-like techniques can be used to send requests to the target server and obtain that sensitive data.
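The server-side checks that both the CSRF section and the JSON hijacking section call for ("reliably determine whether the request was really initiated by the user", "do not rely only on the Cookie") are shown together in this added example, which is not code from the original article. It implements a per-session synchronizer token for state-changing requests, an Origin plus custom-header check for JSON data endpoints, and a response prefix that makes the JSON unusable if another site loads it as a script. The origin `https://app.example`, the session dictionary and the header names are assumptions for the demonstration.

```python
import hmac
import secrets
from typing import Dict, Optional

ALLOWED_ORIGIN = "https://app.example"  # assumed origin of our own site (constructed)
JSON_PREFIX = ")]}',\n"                 # defensive prefix stripped by our own JS


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Generate a random per-session token and store it server-side.
    The page served to the user embeds it in forms / request headers."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def check_csrf_token(session: Dict[str, str], submitted: Optional[str]) -> bool:
    """A forged cross-site request carries the Cookie automatically, but cannot
    know this token, so its absence or mismatch means 'not initiated by the user'."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)  # constant-time comparison


def is_legitimate_json_request(headers: Dict[str, str]) -> bool:
    """For endpoints that return sensitive JSON, require more than the Cookie:
    a custom header that a cross-site <script> or <form> cannot add, and an
    Origin (falling back to Referer) that belongs to our own site."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("x-requested-with") != "XMLHttpRequest":
        return False
    origin = h.get("origin") or h.get("referer", "")
    return origin == ALLOWED_ORIGIN or origin.startswith(ALLOWED_ORIGIN + "/")


def wrap_json_response(body: str) -> str:
    """Prefix the JSON so that, even if it were pulled in via a <script> tag,
    it is a syntax error rather than a readable value; our client strips it."""
    return JSON_PREFIX + body


def unwrap_json_response(text: str) -> str:
    """What the site's own JavaScript does before JSON.parse (shown for symmetry)."""
    return text[len(JSON_PREFIX):] if text.startswith(JSON_PREFIX) else text


if __name__ == "__main__":
    session: Dict[str, str] = {}
    token = issue_csrf_token(session)
    print("token valid:", check_csrf_token(session, token))
    print("forged request valid:", check_csrf_token(session, None))
    # Constructed headers: a same-origin XHR and a plain cross-site request.
    print(is_legitimate_json_request({"X-Requested-With": "XMLHttpRequest",
                                      "Origin": ALLOWED_ORIGIN}))
    print(is_legitimate_json_request({"Cookie": "session=abc"}))
```

Because the browser attaches the Cookie to any request aimed at the site, the Cookie alone can never prove who initiated the request; each check above adds something only a page served by the site itself can supply.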

7. Brute force cracking

This usually targets passwords. Weak passwords (Weak Password) are easy for others to guess (people who know you well, for example) or to crack by brute force with cracking tools.
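The two throttling problems on this page, a single source flooding the service (section 4) and repeated password guesses against one account (section 7), share the same building block: a sliding-window counter per key. This added example (not from the original article) implements that limiter once and uses it both as a per-client request throttle and as a per-account failed-login lockout, alongside a weak-password check. The limits, the banned-password list and the demo credentials are constructed; a real system stores salted password hashes rather than the clear-text strings used here.

```python
import hmac
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key
    (client IP, account name, ...). `clock` is injectable for testing."""

    def __init__(self, limit: int, window: float,
                 clock: Callable[[], float] = time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._events: Dict[str, Deque[float]] = defaultdict(deque)

    def _prune(self, key: str, now: float) -> Deque[float]:
        q = self._events[key]
        while q and now - q[0] >= self.window:  # forget timestamps outside the window
            q.popleft()
        return q

    def hit(self, key: str) -> bool:
        """Record one event; return True if the key is still within its limit."""
        now = self.clock()
        q = self._prune(key, now)
        q.append(now)
        return len(q) <= self.limit

    def is_blocked(self, key: str) -> bool:
        """True once the key has used up its allowance for the current window."""
        return len(self._prune(key, self.clock())) >= self.limit


def handle_request(limiter: SlidingWindowLimiter, client_ip: str) -> int:
    """Per-source throttle (section 4): answer 429 when one client floods us.
    Distributed floods need upstream/network defences as well; this only
    protects the back end from a single abusive source."""
    return 200 if limiter.hit(client_ip) else 429


# Constructed sample of a banned-password list; real deployments use a large
# breached-password corpus.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "111111", "abc123", "letmein"}


def is_weak_password(pw: str) -> bool:
    """Reject short, common, or low-variety passwords before they are stored (section 7)."""
    if len(pw) < 12 or pw.lower() in COMMON_PASSWORDS:
        return True
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])
    return classes < 3


class LoginGuard:
    """Per-account lockout: after 5 failed attempts within 5 minutes the account
    is refused without even checking the password, which caps the guess rate
    no matter how many source addresses the guesses come from."""

    def __init__(self, credentials: Dict[str, str],
                 clock: Callable[[], float] = time.monotonic):
        self.credentials = credentials  # demo only: clear-text passwords
        self.failed = SlidingWindowLimiter(limit=5, window=300.0, clock=clock)

    def attempt(self, username: str, password: str) -> str:
        if self.failed.is_blocked(username):
            return "locked"
        stored = self.credentials.get(username)
        if stored is not None and hmac.compare_digest(stored, password):
            return "ok"
        self.failed.hit(username)  # only failures count toward the lockout
        return "denied"


if __name__ == "__main__":
    lim = SlidingWindowLimiter(limit=3, window=60.0)
    print([handle_request(lim, "10.0.0.1") for _ in range(4)])  # [200, 200, 200, 429]
    guard = LoginGuard({"alice": "Correct-Horse-Battery-9"})
    print([guard.attempt("alice", "wrong") for _ in range(6)])  # 5 denied, then locked
    print(is_weak_password("password"), is_weak_password("Correct-Horse-Battery-9"))
```

The request throttle keys on the client address and counts every request; the login guard keys on the account and counts only failures, so a legitimate user who types the right password is never slowed down, while guessing is capped regardless of where the attempts originate.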

That concludes "what are the common security vulnerabilities in web applications". Thank you for reading. If you want to learn more about the industry, you can follow this website, where the editor will keep publishing practical articles.


© 2024 shulou.com SLNews company. All rights reserved.
