
What are the common security vulnerabilities in Web

2025-02-23 Update From: SLTechnology News&Howtos


This article looks at the common security vulnerabilities in Web applications. The methods introduced here are simple, fast and practical.

1. What is SQL injection?

SQL injection deceives the server into executing malicious SQL commands by inserting SQL commands into a Web form submission or into the query string of a page request. Specifically, it exploits an existing application's ability to pass (malicious) SQL commands to the back-end database engine for execution: by entering (malicious) SQL statements in a Web form, an attacker can obtain data from the database of a vulnerable site, instead of the SQL statements executing as the designer intended.

2. How to inject it?

Example: http://test.com/info?id=1

This URL returns one row of data from a table in the database. The program might be written as follows, where id is an incoming variable:

"select * from user where id='" + id + "'"

With the URL above, the query statement will be

select * from user where id='1'

If id is changed to 1' or '1, then the query statement will be

select * from user where id='1' or '1'

3. Reasons for SQL injection

① The submitted data is not filtered

② SQL statements are assembled dynamically

③ Improper type handling

4. SQL injection defense

(1) string length verification

Only variable values within the specified length range are accepted. A SQL injection script is bound to greatly increase the length of the input variable. For example, if the user name must be between 8 and 20 characters long, any input outside that range is judged invalid.

(2) Escape single quotation marks and SQL special symbols such as the comment marker (double "-"), underscore, percent sign, etc.

(3) Do not assemble SQL dynamically; use parameterized SQL for data query and access

Code example:

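// conn is an open java.sql.Connection; id is the int value taken from the request
String sql = "select id, no from user where id=?";
PreparedStatement ps = conn.prepareStatement(sql);
ps.setInt(1, id); // bound as a typed parameter, not spliced into the SQL text
ps.executeQuery();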

(4) Framework defense: mybatis

① The # symbol treats the incoming data as a string, automatically adding double quotation marks around the data passed in.

For example: where user_id=#{id}

If the value passed in is 111, then the SQL after parsing is where user_id="111"

If the value passed in is 1'=or'1', the SQL after parsing is where user_id="1'=or'1'"

② The $ symbol places the incoming data directly into the generated SQL.

For example: where user_id='${id}'

If the value passed in is 111, then the SQL after parsing is where user_id='111'

If the value passed in is 1'=or'1, then the SQL after parsing is where user_id='1'or'1'

Conclusion: the # symbol can prevent SQL injection, the $ symbol cannot prevent SQL injection, and the $ symbol is generally used to pass in database objects, such as table names.
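The queries above, run against an in-memory SQLite database as an added example (not code from the original article): Python's sqlite3 stands in for the JDBC and MyBatis code, the sample rows and the name column are constructed, and the ALLOWED_TABLES allowlist is a hypothetical way to handle the table-name case, which a bound parameter cannot cover.

```python
import sqlite3

def make_db():
    # Constructed sample data; the table name follows the article's queries.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user (id integer, name text)")
    conn.executemany("insert into user (id, name) values (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn

def find_concatenated(conn, user_id):
    # Vulnerable pattern from the article: input is spliced into the SQL text.
    sql = "select * from user where id='" + user_id + "'"
    return conn.execute(sql).fetchall()

def find_parameterized(conn, user_id):
    # The value is bound as data; quotes inside it never reach the SQL parser.
    return conn.execute("select * from user where id=?", (user_id,)).fetchall()

ALLOWED_TABLES = {"user"}  # hypothetical allowlist for this example

def count_rows(conn, table):
    # Identifiers such as table names cannot be bound as parameters, so the
    # name is checked against a fixed allowlist before it is placed in the SQL.
    if table not in ALLOWED_TABLES:
        raise ValueError("table not allowed: %r" % (table,))
    return conn.execute("select count(*) from " + table).fetchone()[0]

if __name__ == "__main__":
    conn = make_db()
    payload = "1' or '1"  # the input used in the article
    print("concatenated, id=1:     ", find_concatenated(conn, "1"))
    print("concatenated, payload:  ", find_concatenated(conn, payload))
    print("parameterized, payload: ", find_parameterized(conn, payload))
    print("rows in user:           ", count_rows(conn, "user"))
```

With the concatenated query the payload turns the WHERE clause into a condition that is always true and every row comes back; with the bound parameter the same input is compared as a single value and matches nothing.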

XSS

1. What is XSS?

Malicious HTML code is inserted into a Web page. When a user browses the page, the HTML code embedded in it is executed, which achieves the attacker's purpose of maliciously attacking the user.

2. XSS classification

(1) Persistent XSS (stored on the server side; the attack persists as long as the attack data exists)

(2) Non-persistent XSS (one-time; only affects the current page visit)

Example: a parameter is passed to the page and written to the output

Parameter description: index?value=alert([xss_clean])

The page's JS is written as follows: $('#xss').html(value)

3. XSS harm

Arbitrary JS code can be executed. The most common use is to obtain cookie authentication information; others include redirecting to malicious URLs, or combining with CSRF vulnerabilities to create forms, submit them, and force actions by the current user, such as posting, deleting posts, and even transferring money.

4. XSS protection

(1) Filter the content entered by the user; the characters commonly filtered are ', <, >

(2) When the user submits data, encode the data.

(3) When outputting the page, encode the data.
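Output encoding (point 3) depends on where in the page the value lands. The following added example, not part of the original article, encodes one untrusted value for two contexts in Python; render_page and its template are hypothetical, and the input string is a constructed test value.

```python
import html
import json

def encode_for_html(value):
    # HTML element or quoted-attribute context: & < > " ' become entities.
    return html.escape(value, quote=True)

def encode_for_script(value):
    # JavaScript string context inside an inline <script> block: JSON-encode
    # the value, then escape the characters that could close the script
    # element or open an HTML comment.
    encoded = json.dumps(value)
    return (encoded.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))

def render_page(value):
    # Hypothetical template: the same untrusted value is written into an
    # HTML element and into a script variable, each with its own encoder.
    return ('<div id="xss">%s</div>\n<script>var value = %s;</script>'
            % (encode_for_html(value), encode_for_script(value)))

if __name__ == "__main__":
    sample = "<script>alert(1)</script>"  # constructed test input
    print(render_page(sample))
```

On the client side, the equivalent of encode_for_html for the jQuery sink shown earlier is to write the value with .text() instead of .html().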

CSRF

1. What is CSRF?

A forged request impersonates a normal operation by the user on the site.

2. The principle of CSRF attack

[Figure: the principle of a CSRF attack (image not included)]

3. CSRF harm

Attackers steal the user's identity and can use this identity to send e-mails, send messages, purchase goods, make bank transfers, and perform other actions that the user can perform.

4. How to protect against CSRF

(1) Verify the HTTP Referer field

This method is a basic defense. At present, the Referer can be rewritten and forged, so it is not absolutely secure.

(2) Add custom parameter verification to HTTP requests

The server generates a token and stores one copy in the session; another copy is placed in a hidden field on the front end and submitted with the request header. B, which does not visit the front end of website A, cannot get the token, so its request cannot pass verification, which achieves the defense.
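The token check described in (2), as an added Python example that is not part of the original article. The session is modelled as a plain dict, and the csrf_token field name and the /transfer form action are hypothetical.

```python
import hmac
import secrets

def issue_csrf_token(session):
    # One random token per session; the server keeps its copy in the session.
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def render_form(session):
    # The second copy goes into a hidden field of the page served by site A.
    # token_urlsafe() only emits URL-safe characters, so no HTML escaping is
    # needed for this value.
    token = issue_csrf_token(session)
    return ('<form method="post" action="/transfer">'
            '<input type="hidden" name="csrf_token" value="%s">'
            '</form>' % token)

def is_request_allowed(session, form):
    # A request forged from another site carries the victim's cookies but not
    # the token, so it fails here.
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not submitted:
        return False
    # Compare as bytes in constant time; str inputs with non-ASCII characters
    # would make compare_digest raise TypeError.
    return hmac.compare_digest(expected.encode("utf-8"),
                               submitted.encode("utf-8"))

if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    print("same-site request:", is_request_allowed(session, {"csrf_token": token}))
    print("forged request:   ", is_request_allowed(session, {"amount": "100"}))
```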

URL Jump vulnerability

1. What is the URL Jump vulnerability?

Programs often redirect pages. In a login system, the program redirects according to a parameter in the URL, so that the user can return to the previous page after logging in.

2. URL example

For example: http://www.aa.com/account/login?from=http://download.aa.com

There is no check on whether the page being jumped to belongs to the current site or is an allowed address. When a malicious attacker changes the address to:

http://www.aa.com/account/login?from=http://www.bb.com/

then the user will jump to www.bb.com after logging in, and if it is a malicious URL, the user becomes a victim.

3. Harm when combined with passing the session in the URL

On the page being jumped to, it is easy to get the session value carried in the URL from the HTTP request header. If the authentication information in the session is not bound to the user's client information, the attacker can use it directly to take on the identity of the previous user.

4. URL jump vulnerability protection

(1) URLs that can be determined in advance: configure a corresponding index file, look up the URL through the index, and then jump

(2) URLs that cannot be determined in advance: add a rule check; jump only after the check passes
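Both protections as an added Python example, not part of the original article. The host names are the ones used in the example URLs above; REDIRECT_INDEX, ALLOWED_HOSTS and DEFAULT_TARGET are hypothetical configuration values.

```python
from urllib.parse import urlsplit

# (1) Known targets: the request carries only a key, the URL comes from the index.
REDIRECT_INDEX = {
    "download": "http://download.aa.com",
    "home": "http://www.aa.com/",
}
# (2) Undetermined targets: rule check against hosts the site controls.
ALLOWED_HOSTS = {"www.aa.com", "download.aa.com"}
DEFAULT_TARGET = "http://www.aa.com/"

def target_from_index(key):
    # Unknown keys fall back to the default page instead of failing open.
    return REDIRECT_INDEX.get(key, DEFAULT_TARGET)

def checked_target(url):
    # Backslashes, whitespace and control characters are read differently by
    # browsers and by URL libraries, so such values are rejected outright.
    if not url or "\\" in url or any(ord(c) < 0x21 for c in url):
        return DEFAULT_TARGET
    try:
        parts = urlsplit(url)
        host = parts.hostname
        has_userinfo = parts.username is not None
    except ValueError:
        return DEFAULT_TARGET
    # Only absolute http/https URLs; this also rejects "//host" and other schemes.
    if parts.scheme not in ("http", "https"):
        return DEFAULT_TARGET
    # Exact host match: no suffix matching, and no "user@host" forms.
    if has_userinfo or host not in ALLOWED_HOSTS:
        return DEFAULT_TARGET
    return url

if __name__ == "__main__":
    for candidate in ("http://download.aa.com", "http://www.bb.com/"):
        print(candidate, "->", checked_target(candidate))
```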
