Shulou(Shulou.com)06/01 Report--

We have been engaged in penetration testing service for more than ten years. Many loopholes have been found in the vulnerability detection and security penetration of customer websites, especially in the login function of website users. I would like to summarize the hidden dangers of website security in the login function of the website in the process of penetration testing. Below, we would like to invite Lao Chen, an engineer of SINE security, to sum up for you so that we all have a better understanding of the website. In the process of developing their own website, especially the user login function to do a good job of website security protection to prevent the website from being attacked.

Website login has security authentication and validation, and other code functions can be divided from the branch, including user registration, forgetting password, user login box, modifying password, verification code (picture and SMS verification code, mailbox verification code, etc.). User login information security prompt, password error or incorrect account, and account frequent login security mechanism function Large and small functions make up the login function of the website. So what are the fatal loopholes found in the login function of our SINE security when we conduct penetration testing services on customer websites? Let's give a detailed example:

First of all, from the simplest user login box, many customer websites do not safely filter the parameter values entered by the user at the front end, resulting in malicious parameter values can be inserted into account names and passwords, resulting in SQL injection vulnerabilities. Another is to log in with an omnipotent password, which can bypass the database and log in directly. How does SINE security help users fix this SQL injection vulnerability? The fix for SQL injection is to precompile the parameter values of the password field of the user's login account, disallow the input and transmission of special characters, write the security interception of get,post,cookies submission in the code, find that malicious characters include,\, /, select,update,@, etc., and return an error prompt to precompile specific sql statements in the code. Extra parameters are prohibited from being inserted into the account and password fields.

Users'ID and passwords are violently cracked, and many customer websites do not judge the security of the login of the website. As a result, attackers can attempt to log in with arbitrary accounts and passwords at will, and some even have password dictionaries, which can constantly guess users'ID and passwords, resulting in malicious login of website users, malicious tampering of data and so on. The SINE security fix for the loopholes found in this penetration is to add the CAPTCHA function (picture CAPTCHA, or SMS CAPTCHA), each login must enter the correct CAPTCHA, if the CAPTCHA is not correct, then login is not allowed, you can also limit the CAPTCHA time to 30 seconds to re-obtain. Another incorrectly typed prompt for the user's ID can confuse the attacker's line of sight, indicating that the password is incorrect. Directly lock the login of the account after the user has logged in more than 6 times.

XSS cross-site attack vulnerabilities also occur in the user login box. It is more common that in the parameter values of the user name, some customer websites do not perform security validation on the XSS malicious code, resulting in the ability to enter the wrong account to log in. When logging in wrongly, there may be incorrect user login records in the background, including XSS attack codes inserted by the website source in the post packet. Causes the administrator to trigger the XSS vulnerability when viewing the log of user login errors. The XSS cross-site vulnerability can obtain the cookies value of the user and the address of the backend of the website, and can open the browser to the background to take screenshots and other functions. How to fix the XSS cross-site vulnerability? The submission method of get,post,cookies is securely filtered and intercepted, img, "", and other characters.

Arbitrary user registration vulnerabilities can also occur in the website login function, which can be used to guess whether the user name has been registered on the site and to carry out batch violent enumerations. Bypass the verification code used for registration, and use the correct SMS verification code to submit registration to bypass the registration. The verification code of mobile phones and mailboxes is too short, resulting in violent cracking. For such website vulnerabilities, our SINE security repair proposal is to synchronize the verification code and registration information, verify whether the verification code is correct, and then determine whether the registration information is integrated with the verification code.

There are also many loopholes in the penetration testing process of many website functions. What is summarized here is the previous part, and the next part we will reveal to you in the next article. I also hope that the sharing of these penetration tests can give you an understanding of the security of the website. only when you really understand your own website, can you do a good job in security and know each other and know yourself without defeat. After the launch of the website and the occurrence of security problems, we must do penetration testing services to detect loopholes in the website in advance, as well as simulate the methods of attackers to find the root causes of loopholes and take precautions. Domestic professional website penetration testing companies recommend Sinesafe, Green Alliance, Qiming Star and other professional security companies are quite good.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.