
How to find a website security company to solve the problem of website security being compromised

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Earlier articles on web security protection covered some of the professional background. This one again goes through the website security measures around login: password transmission, re-authentication for sensitive operations, strong client authentication, verification error messages, preventing brute-force password cracking, and system logging and monitoring.

I. Login password transmission

The login page and every page that requires authentication at the back end must be served over SSL, TLS or another secure transport. The login page itself must be served over SSL/TLS; otherwise an attacker can alter the action attribute of the login form and capture the account credentials. If the authenticated pages after login are not served over SSL/TLS, an attacker can steal the unencrypted session ID and then take over the customer's current session. For the same reason, the login password should, where possible, also be encrypted a second time before it is transmitted.

II. Re-authentication for sensitive operations

To reduce the impact of vulnerabilities such as CSRF and session hijacking, the account credentials must be verified again before sensitive account information (such as the customer's login password, e-mail address or detailed address) is changed. Without this countermeasure, an attacker can perform sensitive operations through CSRF or XSS attacks without knowing the customer's current credentials. An attacker who briefly gets hold of the customer's machine can also open the browser and steal the session ID to interact with the current session.
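As an added example (not from the original article), a guard for a sensitive account change that requires both a valid CSRF token and a recent password re-check; the session layout, the 5-minute re-authentication window and the `verify_password` callback are assumptions:

```python
import hmac
import secrets
import time

# Added example, not from the article: a sensitive account change is allowed
# only with a valid per-session CSRF token and a recent password re-check.
REAUTH_WINDOW_SECONDS = 300  # assumed policy: password re-verified within 5 minutes


def new_session():
    """Create a server-side session record carrying a fresh CSRF token."""
    return {"csrf_token": secrets.token_urlsafe(32), "reauth_at": None}


def reauthenticate(session, supplied_password, verify_password, now=None):
    """Re-check the user's current password and stamp the session if it matches.

    verify_password is an assumed callback into the real credential store.
    """
    if not verify_password(supplied_password):
        return False
    session["reauth_at"] = now if now is not None else time.time()
    return True


def change_email(session, form_csrf_token, new_email, now=None):
    """Apply the change only with a matching CSRF token and a fresh re-auth."""
    now = now if now is not None else time.time()
    # Constant-time comparison so the token check leaks nothing through timing.
    if not hmac.compare_digest(session["csrf_token"], form_csrf_token):
        return "rejected: missing or invalid CSRF token"
    if session["reauth_at"] is None or now - session["reauth_at"] > REAUTH_WINDOW_SECONDS:
        return "rejected: re-enter your password to confirm this change"
    session["email"] = new_email
    return "ok"
```

A forged cross-site request never carries the session's token, and a hijacked session that has not re-entered the password is still stopped at the second check.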

III. Strong client authentication

An application can use a second factor to check whether a customer is allowed to perform more sensitive operations. A typical example is SSL/TLS client authentication, also called SSL/TLS mutual authentication, in which both the client and the server present certificates during the SSL/TLS handshake. Just as the server's certificate is checked against its issuing certificate authority (CA) to confirm that the server is genuine and valid, the server can use a third-party CA or its own CA to check that the client certificate is genuine and valid. The server must therefore issue the generated certificate to the client and associate a value with that certificate, so that this value can later be used to identify the client whose certificate matches.

IV. Verification error messages

If the error returned after a failed login is not handled properly, it can be used to enumerate which customer IDs and login passwords are valid. The application should respond in a uniform way: whether the login name or the password is wrong, the response must not reveal which customers exist. Incorrect responses: "Login failed, invalid password"; "Login failed, invalid customer"; "Login failed, incorrect login name"; "Login failed, incorrect password". Appropriate response: "Login failed, invalid login name or password". Some applications return the same error text but a different status code; that also leaks basic information about the account.

V. Preventing brute-force password cracking

Brute-force password cracking against a web application is easy. If the application does not lock the account after several failed verifications, the attacker still has the opportunity to keep guessing the login password and continue the brute-force attack until the account is taken over. Widely used countermeasures include multi-factor authentication, SMS verification codes and behavioural checks (Alibaba Cloud, Geetest and others all offer such services).

VI. System logging and monitoring

Recording and monitoring authentication events makes it easy to detect attacks and common faults. Make sure the following three things are recorded:

1. All failed login attempts

2. All wrong-password attempts

3. All login attempts against locked accounts

These are all ways to prevent the website from being attacked. If a vulnerability cannot be fixed, consult a professional website security company to deal with it. SINE Security, Eagle Shield Security, Netstone Technology, Qiming Star and other professional security companies are recommended for the solution.
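As an added example covering sections IV, V and VI together (not the article's own code), a login check in Python that returns one generic message and one status code for every failure, locks the account after repeated wrong passwords, and logs failed logins, wrong passwords and attempts on locked accounts; the user store, the lockout policy and the PBKDF2 parameters are assumptions:

```python
import hashlib
import hmac
import logging
import os
import time

# Added example, not from the article: one login check that returns the same
# message and status code for every failure, locks the account after repeated
# wrong passwords, and logs each of the three event types listed above.
log = logging.getLogger("auth")
GENERIC_FAILURE = (401, "Login failed: invalid login name or password")
MAX_FAILURES = 5     # assumed policy values, not from the article
LOCK_SECONDS = 900


def hash_password(password, salt=None):
    """PBKDF2 hash; the same work is done for known and unknown users."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store (sample data, not real accounts).
_salt, _digest = hash_password("correct horse")
USERS = {"alice": {"salt": _salt, "digest": _digest, "failures": 0, "locked_until": 0}}
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("dummy")


def login(username, password, now=None):
    """Return (status_code, message); every failure looks the same to the caller."""
    now = now if now is not None else time.time()
    user = USERS.get(username)
    if user is None:
        hash_password(password, _DUMMY_SALT)  # keep timing equal for unknown names
        log.warning("login failure user=%r reason=unknown_user", username)
        return GENERIC_FAILURE
    if user["locked_until"] > now:
        log.warning("login failure user=%r reason=account_locked", username)
        return GENERIC_FAILURE
    _, digest = hash_password(password, user["salt"])
    if not hmac.compare_digest(digest, user["digest"]):
        user["failures"] += 1
        log.warning("login failure user=%r reason=wrong_password n=%d", username, user["failures"])
        if user["failures"] >= MAX_FAILURES:
            user["locked_until"] = now + LOCK_SECONDS
            log.warning("account locked user=%r until=%s", username, user["locked_until"])
        return GENERIC_FAILURE
    user["failures"] = 0
    log.info("login success user=%r", username)
    return (200, "ok")
```

The reason is recorded only in the server-side log, never in the response, so the monitoring in section VI sees the detail while a caller cannot tell an unknown name from a wrong password or a locked account.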

© 2024 shulou.com SLNews company. All rights reserved.