Common web vulnerabilities and their precautions

Source: Internet
Author: User
Tags: sql error sql injection prevention

Original address: http://blog.csdn.net/u013777676/article/details/52124298

I. SQL Injection Vulnerability
SQL injection (often shortened to "injection") is widely used to gain illegitimate control of a website; it is a security flaw at the application's database layer. When the program is designed without regard for SQL fragments smuggled in through input strings, the database mistakes them for legitimate SQL commands and executes them. The consequences include theft, modification and deletion of data and, further, the embedding of malicious code and the planting of backdoor programs in the site.
Typical locations where SQL injection occurs include:
(1) form submissions, mainly POST requests but also GET requests;
(2) URL parameters, mainly the parameters of GET requests;
(3) cookie values;
(4) modifiable fields of the HTTP request header, such as Referer and User-Agent;
(5) some less obvious input points, such as the metadata carried inside uploaded files (for example, the tag information in .mp3 files).
Common methods of prevention
(1) Use the parameterized query interface provided by the database for all query statements. A parameterized statement uses placeholders instead of embedding user input directly into the SQL text. Almost all database systems now offer such an interface, and it prevents SQL injection very effectively.
(2) Escape or transcode special characters (' " < > & * ;) before they enter the database.
(3) Confirm the type of every piece of data: a numeric value must actually be a number, and the corresponding column in the database must be an integer type.
(4) Strictly limit the length of data; to a certain extent this stops longer SQL injection statements from executing correctly.
(5) Use a single character encoding across every layer of the site, preferably UTF-8; inconsistent encodings between the upper and lower layers can allow some filtering models to be bypassed.
(6) Strictly restrict the database privileges of the account the application uses, granting only the rights its work requires, so that the damage an injection attack can do to the database is minimized.
(7) Do not let the website display SQL error messages such as type errors or field mismatches, so that attackers cannot use them to draw conclusions about the database.
(8) Before the website goes live, use professional SQL injection detection tools to find these vulnerabilities and fix them promptly.
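As an added example (not part of the original article), the following Python code shows points (1), (3) and (4) above with the standard-library sqlite3 module: a lookup that splices the input into the SQL text beside one that binds it as a parameter, with the type and length checks in front. The table, its rows and the test input are constructed for this example.

```python
import re
import sqlite3

MAX_USERNAME_LEN = 32
USERNAME_RE = re.compile(r"[A-Za-z0-9_]+")


def build_sample_db():
    """Constructed in-memory table standing in for the site's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_unsafe(conn, username):
    """What item (1) warns against: the input becomes part of the SQL text."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Item (1): the input is bound as a parameter and is never parsed as SQL."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def lookup_safe(conn, username):
    """Items (3) and (4) in front of item (1): type, format and length are checked first."""
    if not isinstance(username, str) or len(username) > MAX_USERNAME_LEN:
        raise ValueError("username has an invalid type or length")
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username contains disallowed characters")
    return lookup_parameterized(conn, username)


def lookup_by_id(conn, raw_id):
    """Item (3) for a numeric field: the value must really be an integer before it is bound."""
    try:
        user_id = int(raw_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer") from None
    return conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchall()


def demo():
    """Run the same constructed input through the variants and report what each does."""
    conn = build_sample_db()
    tampered = "' OR '1'='1"  # textbook input that closes the quoted literal
    result = {
        "unsafe_rows": len(lookup_unsafe(conn, tampered)),                # every row comes back
        "parameterized_rows": len(lookup_parameterized(conn, tampered)),  # no user has that literal name
        "safe_rejected": False,
        "id_rows": lookup_by_id(conn, "1"),
        "id_rejected": False,
    }
    try:
        lookup_safe(conn, tampered)
    except ValueError:
        result["safe_rejected"] = True
    try:
        lookup_by_id(conn, "1 OR 1=1")
    except ValueError:
        result["id_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The parameterized form alone already makes the tampered input harmless (zero rows instead of every row); the validation in `lookup_safe` adds item (3) and (4) defense in depth and rejects the request before it reaches the database at all.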

II. Cross-Site Scripting Vulnerability
Cross-site scripting (XSS) attacks occur on the client side and can be used to steal private data, run phishing scams, steal passwords and spread malicious code.
XSS relies mainly on HTML and JavaScript, and also on VBScript and ActionScript. Although an XSS attack does no direct harm to the web server, it spreads through the website so that the site's users are attacked; user accounts are stolen, and the site suffers far more serious harm as a result.
The types of XSS are:
(1) Non-persistent (reflected) XSS, the most common type. The injected code is usually carried in a link; when such a link is requested, the server reflects the code back to the client, and the code is not stored on the server (for example, in a database). The example given in the section above is of this kind.
(2) Persistent (stored) XSS, the most direct type: the injected code is stored on the server side (for example, in a database). A common case is a forum post: if the forum does not filter JavaScript out of user input, the browser of every other user who views that post executes the embedded JavaScript.
(3) DOM-based XSS (DOM XSS): a vulnerability that arises in the client-side DOM (Document Object Model) because of flaws in the client-side scripting logic.
Common anti-XSS techniques include:
(1) As with SQL injection prevention, assume that all input is suspect and rigorously check every input for script, iframe and similar content. Input here means not only the fields a user interacts with directly, but also the cookie variables and header fields of the HTTP request, and so on.
(2) Verify not only the type of data but also its format, length, range and content.
(3) Do not validate and filter data only on the client; the essential filtering steps must be performed on the server.
(4) Check data on output as well. On a large site a value from the database is likely to be output in many places, so even if the input was encoded or otherwise processed, every output point still needs a security check.
(5) Test against all known threats before publishing the application.
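Point (4) above, output-side checking, is best done by encoding each value for the context it lands in. The Python code below is an added example (not from the original article) that renders a constructed stored forum comment, of the kind described under persistent XSS, with a different encoder for HTML text, a quoted attribute, a URL attribute and a value embedded in a script block. The comment contents are constructed test data.

```python
import html
import json
from urllib.parse import urlparse

# Constructed stored comment, standing in for a forum post read back from the database.
STORED_COMMENT = {
    "author": 'Mallory" onmouseover="alert(1)',
    "text": "<script>alert(1)</script> hello",
    "homepage": "javascript:alert(1)",
}


def encode_html_text(value):
    """For text placed between tags: &, < and > are escaped."""
    return html.escape(value, quote=False)


def encode_html_attr(value):
    """For text inside a quoted attribute: quotes must be escaped as well."""
    return html.escape(value, quote=True)


def safe_url(value):
    """For href/src: only http(s) URLs are allowed, anything else becomes a harmless fragment."""
    if urlparse(value).scheme in ("http", "https"):
        return html.escape(value, quote=True)
    return "#"


def encode_js_value(value):
    """For data inside a <script> block: JSON-encode and hex-escape angle brackets so the
    value can never close the script element early."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_comment(comment):
    """Each field is encoded for exactly the context it is written into."""
    return (
        f'<div class="comment" data-author="{encode_html_attr(comment["author"])}">'
        f'<a href="{safe_url(comment["homepage"])}">{encode_html_text(comment["author"])}</a>'
        f'<p>{encode_html_text(comment["text"])}</p>'
        f'<script>var commentText = {encode_js_value(comment["text"])};</script>'
        f'</div>'
    )


if __name__ == "__main__":
    print(render_comment(STORED_COMMENT))
```

The point the example makes is that one escaping routine does not fit every output location: HTML text escaping is not enough inside an attribute, an attribute escaper does nothing against a `javascript:` URL, and a script block needs JSON encoding with angle brackets escaped.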

III. Weak Password Vulnerability
Weak passwords have no strict, precise definition; a password that someone else (possibly someone who knows you well) can easily guess or crack is generally considered weak. Setting a password usually follows these guidelines:
(1) Do not use an empty password or the system default password; these are known to everyone and are typical weak passwords.
(2) The password should be at least 8 characters long.
(3) The password should not consist of a repeated character (for example: AAAAAAAA) or of a repeated combination of characters (for example: Tzf.tzf.).
(4) The password should combine all four of the following character classes: uppercase letters (A-Z), lowercase letters (a-z), digits (0-9) and special characters, with at least one character from each class. If a class contributes only one character, that character should not be the first or last character of the password.
(5) The password should not include information related to you, such as the names of yourself, your parents, children or spouse, dates of birth, anniversaries, login names or e-mail addresses, nor words found in a dictionary.
(6) The password should not be a dictionary word with some letters replaced by digits or symbols.
(7) The password should be easy to remember and quick to type, so that someone standing behind you cannot easily see what you enter.
(8) Change the password at least every 90 days, so that an intruder who has obtained it cannot keep using it unnoticed.
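Guidelines (1) to (6) can be enforced mechanically when a user sets a password. The Python checker below is an added example (not from the original article) that implements them: length, repeated patterns, the four character classes with the first/last position rule, personal information supplied by the caller, and dictionary words both plain and with common digit/symbol substitutions undone. The word list and the test passwords are constructed; the sequential-run check (12345678, abcdefgh) goes slightly beyond guideline (3) as written.

```python
import string

SPECIALS = set(string.punctuation)

# Constructed mini word list; a real deployment would load a full dictionary file.
DICTIONARY = {"password", "welcome", "dragon", "monkey", "letmein", "qwerty", "admin"}

# Common letter-to-symbol substitutions, undone before the dictionary check (guideline 6).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})


def character_classes(pw):
    """Group the password's characters into the four classes of guideline (4)."""
    return {
        "uppercase": [c for c in pw if c.isupper()],
        "lowercase": [c for c in pw if c.islower()],
        "digit": [c for c in pw if c.isdigit()],
        "special": [c for c in pw if c in SPECIALS],
    }


def is_repeated_pattern(pw):
    """True for one repeated character (AAAAAAAA) or a repeated short block (Tzf.tzf.)."""
    n = len(pw)
    low = pw.lower()
    return any(n % size == 0 and low == low[:size] * (n // size)
               for size in range(1, n // 2 + 1))


def is_sequential(pw):
    """True for straight runs such as 12345678 or abcdefgh (beyond guideline 3 as written)."""
    codes = [ord(c) for c in pw]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    return len(codes) > 1 and (steps == {1} or steps == {-1})


def check_password(pw, personal_info=()):
    """Return the list of violated guidelines; an empty list means guidelines (1)-(6) pass."""
    problems = []
    if not pw:
        return ["empty password"]                                        # guideline (1)
    if len(pw) < 8:
        problems.append("shorter than 8 characters")                      # guideline (2)
    if is_repeated_pattern(pw) or is_sequential(pw):
        problems.append("repeated or sequential characters")              # guideline (3)
    classes = character_classes(pw)
    missing = [name for name, chars in classes.items() if not chars]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))  # guideline (4)
    for name, chars in classes.items():
        if len(chars) == 1 and chars[0] in (pw[0], pw[-1]):
            problems.append(f"the only {name} character is at the start or end")  # guideline (4)
    low = pw.lower()
    for item in personal_info:
        if item and item.lower() in low:
            problems.append(f"contains personal information: {item}")     # guideline (5)
    normalized = low.translate(LEET)
    for word in sorted(DICTIONARY):
        if word in low or word in normalized:
            problems.append(f"based on the dictionary word: {word}")      # guidelines (5) and (6)
    return problems


if __name__ == "__main__":
    for candidate in ("AAAAAAAA", "Tzf.tzf.", "P@ssw0rd!", "xK9#tr3Lq$"):
        print(candidate, "->", check_password(candidate, ("alice", "1990")) or "ok")
```

Guidelines (7) and (8) are not checkable from the password string itself; rotation is enforced by storing the date the password was set and comparing it at login.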

IV. HTTP Header Tracking Vulnerability
The HTTP/1.1 specification (RFC 2616) defines the HTTP TRACE method, which lets a client submit a TRACE request to the web server for testing or to obtain diagnostic information. When TRACE is enabled on a web server, the submitted request headers are returned in full in the body of the server's response, and those headers may include session tokens, cookies or other authentication information. An attacker can exploit this to impersonate legitimate users and obtain their private information. The vulnerability is usually combined with other techniques to mount an effective attack: because HTTP TRACE requests can be issued from client-side browser scripts (such as XMLHttpRequest) and the response can be read through the DOM interface, it is easy for attackers to exploit.
The usual defense against the HTTP header tracking vulnerability is to disable the HTTP TRACE method.
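On Apache httpd the directive for this is `TraceEnable off`. Where the application itself answers requests, the same effect comes from a method allowlist in front of it. The Python WSGI middleware below is an added example (not from the original article): it refuses every method outside the allowlist with 405, and is driven here against a constructed app that reflects request headers the way an enabled TRACE does, so the difference is visible offline. The cookie value is constructed test data.

```python
from wsgiref.util import setup_testing_defaults

# Methods the application actually needs; TRACE (and anything else unlisted) is refused.
ALLOWED_METHODS = frozenset({"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"})


def method_allowlist(app, allowed=ALLOWED_METHODS):
    """WSGI middleware answering 405 before a request with an unlisted method reaches the app."""
    def wrapped(environ, start_response):
        method = environ.get("REQUEST_METHOD", "").upper()
        if method not in allowed:
            body = b"Method Not Allowed\n"
            start_response("405 Method Not Allowed", [
                ("Content-Type", "text/plain"),
                ("Allow", ", ".join(sorted(allowed))),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return app(environ, start_response)
    return wrapped


def echo_headers_app(environ, start_response):
    """Constructed stand-in for a server with TRACE enabled: request headers come back in the body."""
    lines = [
        f"{name[5:].replace('_', '-').title()}: {value}"
        for name, value in environ.items()
        if name.startswith("HTTP_")
    ]
    body = ("\r\n".join(lines) + "\r\n").encode()
    start_response("200 OK", [("Content-Type", "message/http"),
                              ("Content-Length", str(len(body)))])
    return [body]


def call(app, method, headers):
    """Drive a WSGI app with a fake request and return (status, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REQUEST_METHOD"] = method
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status
        captured["headers"] = response_headers

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    cookie = {"Cookie": "session=constructed-token"}
    for label, app in (("TRACE enabled", echo_headers_app),
                       ("TRACE refused", method_allowlist(echo_headers_app))):
        status, body = call(app, "TRACE", cookie)
        print(f"{label}: {status}; cookie echoed: {b'constructed-token' in body}")
```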

V. Struts2 Remote Command Execution Vulnerability
Apache Struts is an open-source framework for building Java web applications. Apache Struts has an input filtering error that, when a conversion error is encountered, can be exploited to inject and execute arbitrary Java code.
Most remote code execution vulnerabilities on websites arise because the site uses Apache Struts XWork as its web application framework and that software has high-risk remote code execution flaws, exposing the website to risk. CNVD has handled a number of such vulnerabilities, for example a remote command execution vulnerability on a "GPS vehicle satellite positioning system" website (CNVD-2012-13934) and a remote code execution vulnerability in the ASPCMS message module (CNVD-2012-11590).
To fix this type of vulnerability, simply upgrade Apache Struts to the latest version from the official Apache website: http://struts.apache.org

VI. File Upload Vulnerability
File upload vulnerabilities are usually caused by inadequate filtering of the upload path variable in the web page code. If the code implementing the upload function does not strictly restrict the suffix and type of the files a user may upload, an attacker can upload arbitrary files to a web-accessible directory, including website backdoor files (webshells), and thereby take remote control of the web server.
Therefore, when developing the website and its applications, uploaded files must be strictly restricted and verified, and uploading files containing malicious code must be prohibited. At the same time, restrict execute permissions on the relevant directories to prevent webshell attacks.
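The restrictions described above, as an added Python example (not from the original article): the directory part of the supplied name is discarded, exactly one suffix from an allowlist is accepted, the content must carry the magic number of the declared type, a size limit applies, and the file is stored under a server-chosen random name with no execute bit. The allowlist, the magic numbers for the allowed types and the test files are constructed for this example.

```python
import os
import secrets

# Allowed suffixes and the content type each maps to (constructed allowlist for this example).
ALLOWED_EXTENSIONS = {"png": "png", "jpg": "jpg", "jpeg": "jpg", "gif": "gif", "pdf": "pdf"}

# Leading bytes ("magic numbers") each content type must start with.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

MAX_UPLOAD_BYTES = 5 * 1024 * 1024


def validate_upload(filename, data, max_bytes=MAX_UPLOAD_BYTES):
    """Check an uploaded file and return the server-chosen name to store it under."""
    # Drop any directory part so "../" sequences or Windows paths cannot leave the upload directory.
    base = os.path.basename(filename.replace("\\", "/")).strip()
    if not base or base.startswith("."):
        raise ValueError("invalid file name")
    parts = base.lower().split(".")
    # Exactly one suffix: rejects names without an extension and double extensions such as x.php.png.
    if len(parts) != 2 or not parts[0]:
        raise ValueError("file name must have exactly one extension")
    ext = parts[1]
    kind = ALLOWED_EXTENSIONS.get(ext)
    if kind is None:
        raise ValueError(f"extension .{ext} is not allowed")
    if len(data) > max_bytes:
        raise ValueError("file too large")
    # The suffix is not trusted on its own: the content must carry the matching magic number.
    if not any(data.startswith(magic) for magic in MAGIC[kind]):
        raise ValueError("file content does not match its extension")
    # The user-supplied name is never reused on disk; a random name removes any remaining risk from it.
    return f"{secrets.token_hex(16)}.{ext}"


def is_rejected(filename, data):
    """Convenience wrapper: True when validate_upload refuses the file."""
    try:
        validate_upload(filename, data)
    except ValueError:
        return True
    return False


def save_upload(upload_dir, filename, data):
    """Validate, then write with mode 0640 (no execute bit) and refuse to overwrite an existing file."""
    stored_name = validate_upload(filename, data)
    path = os.path.join(upload_dir, stored_name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return stored_name


if __name__ == "__main__":
    sample_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(validate_upload("cat.png", sample_png))
    print(is_rejected("shell.php.png", sample_png), is_rejected("photo.png", b"not an image"))
```

`upload_dir` should sit outside the web root, or be served with script execution disabled, which is the "restrict execute permissions on the relevant directories" point made above.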

VII. Private IP Address Disclosure Vulnerability
An IP address is an important identifier of a network user, and one that an attacker needs to learn before attacking. There are many ways to obtain it, and attackers choose according to the network situation: on a LAN, pinging the other party's network name and reading off the IP; on the Internet, using a version of QQ that displays IP addresses directly. The most effective method is to intercept and analyze the other party's network packets: an attacker can use software to parse the IP header of intercepted packets and learn the exact IP from that information.
Against the most effective of these, the "packet analysis method", one can install software that automatically strips the IP information from the headers of outgoing packets. Such software has drawbacks, however: it consumes many resources, reduces computer performance, affects access to some forums or websites, and is unsuitable for Internet cafe users. The most common way for personal users to hide their IP today is to use a proxy: once a proxy server is in use, its "forwarding service" modifies the outgoing packets, which defeats the "packet analysis" method. Some network software that easily leaks the user's IP (QQ, MSN, IE and so on) supports connecting through a proxy; in particular, when QQ connects through proxy software such as "ezProxy", the IP-displaying versions of QQ can no longer show the address. Although a proxy can effectively hide the user's IP, an attacker can also bypass the proxy to find the real IP address, so which method of hiding the IP a user should adopt, and when, depends on the situation.

VIII. Unencrypted Login Requests
Because of insecure web configuration, the login request transmits sensitive fields such as the username and password unencrypted, and an attacker can eavesdrop on the network to capture this sensitive information. It is recommended to encrypt such data before transmission, for example over an encrypted transport such as SSH.

IX. Sensitive Information Disclosure Vulnerability
SQL injection, XSS, directory traversal and weak passwords can all lead to the disclosure of sensitive information, which attackers obtain through these vulnerabilities. The defense differs according to the cause.

X. CSRF
Http://www.cnblogs.com/hyddd/archive/2009/04/09/1432744.html
