2025-01-19 Update From: SLTechnology News&Howtos (Network Security)
Shulou(Shulou.com)06/01 Report--
With the continuous upgrading of new Internet products such as the Web and social networks, applications built on the Web are becoming ever more widespread. In enterprise IT, all kinds of applications are deployed on Web platforms. The rapid growth of Web services has also attracted strong attention from attackers, and Web security threats have become prominent: attacks on Web servers take many forms.
Let's look back at some incidents from previous years caused by Internet security problems.
1. User payment information leak at Ctrip.com: the data exposed by the vulnerability included the user's name, ID card number, bank card number and the bank card's CVV code.
2. Leak of sensitive data of UC Browser users: whenever a user searched and logged in to Renren, Sina Weibo and other sites through UC Browser, the submitted user information and passwords could be intercepted by hackers.
3. Xiaomi Forum user data leak: the leak involved 8 million registered users of the Xiaomi Forum.
So what are the causes of these problems? Let me analyze them for you.
Top 10 security issues common to web apps
1. SQL injection
Concatenated SQL strings change the designer's original intent and perform operations such as disclosing data, altering data or even controlling the database server; this class includes attacks such as SQL injection and command injection.
2. Cross-site scripting attacks (XSS or CSS)
Cross-site scripting refers to malicious data being inserted into the HTML of a remote Web page. When a browser downloads the page, the embedded malicious script is interpreted and executed, causing harm to the client user. It is abbreviated CSS or XSS.
3. Unrestricted URL access
The system restricts access to URLs, but the restriction does not actually take effect: an attacker can easily forge requests to access unauthorized pages directly.
4. Unauthorized access
A user who has no permission for a module or function of the system reaches it anyway by splicing URLs or spoofing cookies.
5. Disclosure of configuration information
Server version information, physical paths revealed in program errors, SQL statements returned from failed queries, and overly detailed user-verification messages appear in the prompts or error messages returned by the server.
6. Insecure encrypted storage
Common problems are insecure key generation and storage, keys that are never rotated, and use of weak algorithms. It is also common to protect passwords with weak or unsalted hashing algorithms. This weakness is hard for external attackers to detect because of their limited access; they usually have to break something else first to obtain the access they need.
7. Insufficient transport layer protection
SSL/TLS is not used during authentication, exposing the transmitted data and session ID to interception by an attacker, or expired or incorrectly configured certificates are used.
8. Login information prompts
Login prompt messages give the attacker useful information; the developer should obfuscate the login prompt so that attackers cannot use login attempts to learn whether a user exists.
9. Repeated submission of requests
The code does not limit repeated submission of requests, so orders are placed many times and posts are re-issued. A malicious attacker may exploit this to flood the site in bulk and bring it down.
10. Web script errors
Visitors use browsers that do not fully support the scripts on the page, producing "script errors", or a script on the site fails to execute. When a "script error" occurs, a very ugly script execution error warning window usually pops up.
In the OWASP (Open Web Application Security Project) Top 10 security issues, the following account for more than 50%:
SQL injection:
Dragging the library (database dumping)
Using a website security vulnerability, an attacker obtains all or part of the data in the server database by technical means; the larger the website and the more user information it holds, the greater the impact and harm of dragging the library.
Library collision (credential stuffing)
Many users like to use the same username and password across different websites for the convenience of remembering them. Hackers take the usernames and passwords obtained by dragging the library and try them against valuable websites such as online banking, Alipay and Taobao. This is "library collision".
Blasting (brute force)
Commonly known as "brute force cracking" or "blasting": for a known username, a password dictionary is used to try passwords repeatedly; if the website does not limit the number of password retries, the probability of success is high. The "dragging the library" described here is what we usually call SQL injection: by exploiting negligence in the front end and the back end, all the data in the back-end database is dragged out.
Solution:
1. Do not trust user input; verify user input
Regular-expression checks, length limits, transcoding of special characters such as ' and --
2. Do not use dynamically concatenated SQL
Parameterized SQL, type checking
3. Do not use database connections with administrator privileges
Grant each application limited, independent permissions
4. Do not store confidential database information in plaintext; encrypt or hash it
5. Do not return exception information directly to the user
Wrap it in custom error messages
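Items 1, 2 and 5 of this list, shown side by side in an added example that is not from the original article: a concatenated query next to its parameterized form against a constructed in-memory SQLite table, a regular-expression input check, and a wrapper that never returns the driver's exception to the client. The table, the column names and the username pattern are assumptions made for the demonstration.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data: two users in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s1"), (2, "bob", "s2")])
    return conn

def lookup_concat(conn, name):
    # Vulnerable: the input becomes part of the SQL text, so quotes in the
    # input change the structure of the statement (item 2 says not to do this).
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]

def lookup_param(conn, name):
    # Parameterized: the driver sends the value separately from the statement,
    # so it is compared as data and never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

# Assumed username policy: letters, digits and underscore, 1 to 32 characters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")

def validate_username(name):
    # Item 1: a positive pattern plus a length limit; no quote or -- can pass.
    return bool(USERNAME_RE.match(name))

def lookup_for_user(conn, name):
    # Items 1, 2 and 5 together: validate, parameterize, and keep the driver's
    # error text out of the response (log it server-side instead).
    if not validate_username(name):
        return {"error": "invalid username"}
    try:
        return {"users": lookup_param(conn, name)}
    except sqlite3.Error:
        return {"error": "request failed"}
```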
Cross-site scripting
A note on naming: because the abbreviation of cross-site scripting is CSS, it is written XSS here to distinguish it from CSS (Cascading Style Sheets).
Attackers insert malicious HTML code into web pages. When a user browses the page, the embedded HTML is executed, usually with the aim of obtaining the user's cookies. The injected content is mainly JavaScript. XSS is divided into reflected and stored types, and the principle of the two is similar: reflected XSS is characterized by execution on request, while stored XSS is characterized by being stored first and executed later.
The general process can be summarized in a diagram
Solution:
Content filtering: filter keywords such as "javascript"
Transcoding: encode characters such as semicolons
Cookie attributes: Secure, HttpOnly
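The transcoding and cookie-attribute items above, as an added example that is not from the original article. Encoding every untrusted value for the HTML context it lands in is more dependable than filtering for a keyword, and the HttpOnly flag keeps the session cookie out of reach of any script that does run in the page. The comment markup and cookie name are constructed for the demonstration.

```python
import html

def encode_for_html(value):
    # Converts <, >, &, " and ' to entities. This is a complete transformation of
    # the output, not a blacklist of keywords, so there is no spelling to slip past.
    return html.escape(value, quote=True)

def render_comment(author, text):
    # Every untrusted value is encoded for the HTML context it is inserted into:
    # here a quoted attribute value and element text.
    return '<p class="comment" data-author="{a}">{t}</p>'.format(
        a=encode_for_html(author), t=encode_for_html(text))

def session_cookie_header(name, value, max_age=1800):
    # Secure: sent only over TLS. HttpOnly: not readable from page script, so an
    # injected script cannot read the session cookie. SameSite=Lax limits
    # cross-site sending. Max-Age bounds how long the cookie is kept.
    return "{}={}; Max-Age={}; Path=/; Secure; HttpOnly; SameSite=Lax".format(
        name, value, max_age)
```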
Broken authentication and session management
There are many kinds of problems in this category; here are a few representative ones.
When web applications are developed, custom authentication or session management methods may be built to meet requirements. For example, if the session ID is stored in the URL, then anyone who copies someone else's URL can directly use that person's account; if no expiration time is set on cookies holding information such as the username and password, then the next person to log in on the same client may also directly use the other person's account.
Solution:
Avoid unauthorized access to session state
Limit session lifetime
Encrypt the contents of authentication cookies
Do not send passwords in plaintext over the web
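A server-side session store that follows the points above, as an added example that is not from the original article: the client only ever holds an unguessable token (delivered in a cookie, never in a URL, so copying a link copies nothing), sessions have a fixed lifetime, and the token is rotated after login. The lifetime value and the injectable clock are assumptions made so the expiry logic can be exercised.

```python
import secrets
import time

SESSION_LIFETIME = 30 * 60  # assumed absolute lifetime in seconds

class SessionStore:
    """Sessions keyed by a random token; user data stays on the server."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock for testing
        self._sessions = {}      # token -> {"user": ..., "expires": ...}

    def create(self, user_id):
        # 256 bits from the OS CSPRNG; not derived from the username, the
        # time or a counter, so it cannot be predicted or enumerated.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user_id,
                                 "expires": self._now() + SESSION_LIFETIME}
        return token

    def user_for(self, token):
        # Returns None for unknown or expired tokens; expired entries are dropped.
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if self._now() >= entry["expires"]:
            del self._sessions[token]
            return None
        return entry["user"]

    def rotate(self, token):
        # Issue a fresh token after login or a privilege change so a token
        # observed before that point is no longer valid.
        user = self.user_for(token)
        if user is None:
            return None
        del self._sessions[token]
        return self.create(user)

    def logout(self, token):
        self._sessions.pop(token, None)
```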
What causes security problems in web applications? There are usually several reasons:
1. Complex application systems have a large amount of code and many developers, so oversights are inevitable.
2. Repeated system upgrades and frequent personnel changes lead to inconsistent code.
3. Multiple Web systems, such as legacy systems and trial systems, run together on the same server.
4. Developers are not trained in secure coding, or the company has no unified secure coding standard.
5. Testers are inexperienced, or the system is released without a professional security assessment.
6. Failure to verify user input:
1) Never trust user input; verify user input
2) Numeric inputs must be legal numbers
3) Special handling is needed for encoded symbols in string inputs
4) Verify all input points, including GET, POST, cookies and other HTTP headers
Summary:
Web security has always been a focus of our test group, alongside performance testing. During development we also need to pay attention to escaping what should be escaped, masking what should be masked, filtering what should be filtered, and so on. In the second half of the year there are bound to be many lottery and giveaway activities developed and launched; throughout that process, security issues are something each of us should be alert to, and for our testers each activity needs manual security testing combined with automated security testing.