Home > Developer > Web Develop

20145235 Li Tao "cyber Confrontation" EXP9 Web Security Foundation Practice

Source: Internet
Author: User
Tags sql injection attack csrf attack
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

Basic questions
  • SQL injection attack principle, how to defend?
    • A SQL injection attack is the goal of tricking a server into executing a malicious SQL command by inserting a SQL command into a Web form to submit or entering a query string for a domain name or page request.
    • For the prevention of SQL injection attacks, I think the main point is to start with the code:
      • With precompiled statement set PreparedStatement, it has the ability to handle SQL injection, as long as it uses its Setxxx method to pass values. Its principle is that SQL injection only to the SQL statement Preparation (compilation) process has a destructive effect, and PreparedStatement is ready, the execution phase just take the input string as data processing, and no longer parse the SQL statement preparation, so also avoids the SQL injection problem ; Use regular expressions to filter incoming parameters, filter for some keywords that contain SQL injections, use string filtering methods, call this function in JSP to check for illegal characters, and prevent SQL from being injected from the URL.
  • What is the principle of XSS attack and how to defend it?
      • XSS is a code injection that allows a malicious user to inject code into a Web page and be successfully executed by the browser, and other users will be affected when they view the page. Such attacks typically include HTML and client-side scripting languages. The main purpose of XSS attack is to find a way to obtain the cookie of the target attack website, because the cookie is equivalent to the seesion, and with this information can log on to the website in any PC that can connect to the Internet, and do some damage in the identity of others. The defense of XSS can be done in two ways: one is to filter the required parameters before the form commits or the URL parameters are passed, and to check the contents of the user input for illegal content, such as angle brackets, quotation marks, etc., to strictly control the output.
  • CSRF attack principle, how to defend?
    • We know that XSS is a cross-site scripting attack that executes an attacker's script in the user's browser to obtain information such as its cookie. Instead, CSRF is borrowing the user's identity to send a request to Web server because the request is not intended by the user, so it is called "cross-site request forgery".
    • For the defense of CSRF can also start from the following aspects: through the Referer, token or verification code to detect user submissions; Try not to expose the user's privacy information in the link of the page, for the user to modify the deletion and other operations preferably use the post operation; The domain in which the cookie is set strictly.
Practice Process

20145235 Li Tao "cyber Confrontation" EXP9 Web security Fundamentals practices

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
cyber security threat vectors edr cyber security centurylink cyber security cia cyber security salary cmu cyber security cyber security agency cyber security colleges

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More