2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
In this issue the editor looks at how to secure a website that uses JSON. The article covers the topic in some depth and analyzes it from a professional point of view; I hope you get something out of reading it.
There are more and more websites and apps, and their security problems are becoming a serious challenge. While providing security services to customer websites we found that many of them use JSON for data transmission, including JSONP calls. Here we share the security problems that arise when JSON is used in this way and how to protect a JSON-based website.
First, we need to understand what JSON is.
Put simply, JSON (JavaScript Object Notation) is a lightweight text format for data exchange whose syntax follows the object-literal rules of JavaScript. Data is stored and transmitted in one uniform structure with a clear hierarchy, which makes the interaction between client and server easy to follow. That is why so many website developers use it and why it makes a site's interaction with its users more convenient.
In actual website security deployments, we at SINE Security always talk about the same-origin policy, because a great deal of website security depends on it, and some customer websites use JSONP. The same-origin policy says that a page may only read responses from an origin with the same scheme (protocol), host name and port as its own; all three must match. Put simply, www.baidu.com shares an origin only with www.baidu.com. This policy is also the key to the difference between JSON and JSONP, which is why the two are easy to tell apart.
So what is JSONP? JSONP (JSON with Padding) is not a separate protocol but a technique built on top of JSON. Most browsers enforce the same-origin policy on script-initiated requests, so a page on 1.baidu.com cannot read a JSON response fetched from 2.baidu.com with XMLHttpRequest. A `<script>` tag, however, may load a JavaScript file from any origin without that restriction. JSONP uses exactly this: the server wraps the JSON data in a call to a callback function whose name the requester supplies, for example `callback({...})`, and the page loads that URL as a script, so the data arrives as the argument of the callback.
Now that we have explained what JSON is and how JSONP differs from it, what website security problems come with these script-based transfers? Our SINE security monitoring center and our penetration tests have found JSONP hijacking, a CSRF-style vulnerability. When financial websites and apps expose JSONP endpoints, we have been able to exploit them to obtain confidential data, including user information that should only be visible beyond the caller's own authorization or with administrator privileges. The root cause is that the endpoint authenticates the user solely from the cookie the browser attaches automatically and performs no check on the source of the request (the Referer). An attacker can therefore host a page on any website that includes the JSONP URL in a `<script>` tag; when a logged-in user visits that page, the browser sends the user's cookie to the target site, the server wraps the user's data in the attacker's callback, and the callback hands the data to the attacker. Security example: the personal user-data endpoint is yonghu.php, and the PHP file does not check the source of GET or POST requests, so a request carrying any Referer returns the user's name, mobile phone number and other private information.
So how do you protect a JSON website? First, fix the JSONP vulnerability itself by restricting the Referer URL: if the domain in the Referer is not on the allowlist, block the request and return an error. Note that browsers can send no Referer at all and an attacker's page can deliberately suppress it, so a missing Referer must be rejected as well rather than treated as trusted. In addition, use a dynamic token: issue a per-session token and compare it against the value sent with every data request, so that a page the attacker controls, which cannot read the token, cannot obtain the data. These measures are only part of website security deployment; to keep a site secure and avoid attacks you have to set up and deploy security on many fronts. If you do not know how to secure your own website, you can ask a professional website security company. Domestic companies such as SINESAFE, Qiming Star (Venustech) and Green Alliance (NSFOCUS) are all good network security companies. A secure website also brings customer recognition and reputation. Pay attention to website security, starting from the small details of your own site.
That is what the editor has to share about securing a JSON website. If you have similar doubts, refer to the analysis above. To learn more, follow the industry information channel.