[Notes] NetEase Micro-Professional Web Security Engineer - 02. Web Security Foundations

Source: Internet
Author: User
Tags: cgi, web, system log, upload, php

Course Overview:

How tall a building can be depends mainly on how well its foundation is laid. Learning any subject is the same: a solid foundation is the key. In this lesson you will learn about some common web vulnerabilities, the principles behind them and the harm they cause, laying the groundwork for the more advanced material that follows.

Course Outline:

Chapter 1. Ubiquitous security issues

Section 1. Common security events

Chapter 2. Common web vulnerabilities explained

Section 1. XSS

Section 2. CSRF

Section 3. Clickjacking

Section 4. URL jump (redirect)

Section 5. SQL injection

Section 6. Command injection

Section 7. File operation vulnerabilities

Notes: 1. Ubiquitous security issues

"Phishing": using various means to counterfeit the URL and page content of a real site, or exploiting the real site's server programs to insert dangerous HTML code into some of its pages, in order to defraud users of bank or credit card account numbers, passwords and other private information.

"Defaced" web pages: a Google search for intitle:hacked by turns up sites that have been defaced at some point; other search engine operators include intext: and site:.

"Hidden links" (dark chain): one case is links you deliberately hide on other people's websites, perhaps a site you are building, or one whose back end you control, where you can add links to improve SEO; the other case is that someone copies your template, which contains many of your absolute URLs, so their site ends up carrying hidden links back to yours.

"Webshell": a command execution environment in the form of an ASP, PHP, JSP or CGI web file; it can also be called a web backdoor. After breaking into a website, an intruder usually mixes the ASP or PHP backdoor file in with the normal page files in the web server's web directory, then accesses the backdoor through a browser to obtain a command execution environment and thereby control the web server. A webshell passes through the server's firewall without being blocked, because its traffic travels over port 80 (or whatever port the compromised server serves) together with legitimate requests. Using a webshell generally leaves no record in the system log, only some data submission records in the website's web log, so an inexperienced administrator finds it very hard to spot the traces of the intrusion.


2. Common web vulnerabilities explained

The concepts are introduced briefly here; the specific principles, cases and defenses will be described in detail in later lessons.

2.1 XSS

Cross Site Script: cross-site scripting attack

An attacker enters (passes in) malicious HTML code to a website with an XSS vulnerability; when other users browse the site, that HTML code executes automatically and achieves the attacker's goal, for example stealing users' cookies, destroying the page structure, or redirecting to other websites. In theory, anywhere input data is not sanitized there may be an XSS vulnerability.

                  Stored XSS                          Reflected XSS                      DOM XSS
Trigger process   1. attacker constructs the XSS;     user accesses a link carrying      user accesses a URL
                  2. user accesses the page           the XSS
Data storage      database                            URL                                URL
Who outputs it    back-end web                        back-end web                       front-end JS
Output position   HTTP response                       HTTP response                      dynamically constructed DOM nodes


Stored XSS: persistent; the code is saved on the server. For example, an attacker submits a blog post containing a malicious script; if filtering is lax it is stored on the server, and whenever other users view it the script fires and performs the malicious action. The range of victims is wide.

Reflected XSS: non-persistent; the user must be tricked into clicking a link to trigger the XSS code. For example, user U of website W accidentally clicks a link and his cookie is silently sent to a site built by the attacker. The victims are a small number of users.

DOM XSS: depends on the output location, not on the output environment. DOM XSS arises from the browser's parsing mechanism and the server does not take part, whereas both stored and reflected XSS require the server's response to take part.


2.2 CSRF

Cross Site Request Forgery: cross-site request forgery

Forging a request from a trusted user to exploit a trusted website, or exploiting the user's logged-in identity (cookie) to disguise the attacker's action as the user's own.

For example: user A is operating on bank XX's website and suddenly receives a tempting picture link; A clicks it and does indeed see a tempting Japanese actress, but a moment later receives an SMS saying 1000 yuan has been transferred to B's account. What happened? One possible method: B builds a zero-width, hidden page; when A clicks the image link, the page loads and triggers the form submission action (transfer 1000). Because A's current cookie is still valid, the submission succeeds.


2.3 Clickjacking

A means of visual deception. There are roughly two approaches: the attacker covers a web page with a transparent IFRAME and induces the user to act on that page, so that the user unknowingly clicks on the transparent IFRAME page; or the attacker uses a picture to cover the web page and obscure the meaning of the original position on the page.

Tip: many small games use these methods, inducing the user to click a certain area while playing and thereby submit information.


2.4 URL jump (redirect) vulnerability

Using a website the user trusts to jump to a malicious website.

For example, a malicious link is appended after a seemingly ordinary URL:

Http://mail.qq.com/......&url=http://black.com

Nowadays many malicious links are further disguised as short links such as t.cn/black, which is even more confusing.

Check the page source code to find the jump link, e.g. url.php?url= ...

Several ways to jump:

Header: header("Location: " . $target);

JS: <script>window.location.href="$target"</script>

META tag: <meta http-equiv="refresh" content="5; url=...">
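Whichever of the three jump mechanisms above is used, the defense is the same: the url parameter must be checked against an allowlist before it is handed to the header, script or meta tag. The following is an added example, not code from the course; the allowed hosts and the url.php?url= handling are assumptions, and it deliberately covers the disguises an open redirect check is usually tripped up by (scheme-relative //host, userinfo before @, look-alike subdomains, non-http schemes):

```python
from urllib.parse import urlparse

# Hosts this site may redirect to (constructed for the example, not from the course).
ALLOWED_HOSTS = {"mail.qq.com", "www.qq.com"}


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """True only if target is a same-site absolute path or an http(s) URL
    whose real host is on the allowlist; everything else is rejected."""
    if not target:
        return False
    parsed = urlparse(target)
    if parsed.scheme == "" and parsed.netloc == "":
        # A plain path such as /inbox stays on this site. Reject //host
        # (scheme-relative, it leaves the site) and backslashes, which some
        # browsers normalise into forward slashes.
        return (target.startswith("/")
                and not target.startswith("//")
                and "\\" not in target)
    if parsed.scheme not in ("http", "https"):
        # javascript:, data: and other schemes never qualify
        return False
    # .hostname drops userinfo and port and lowercases, so
    # http://mail.qq.com@black.com is judged by its real host, black.com.
    return parsed.hostname in allowed_hosts


def redirect_target(requested, fallback="/"):
    """Where url.php?url=<requested> should actually send the user (assumed handler)."""
    return requested if is_safe_redirect(requested) else fallback
```

Note that the check is on the real host of the final URL, not on whether the string merely contains a trusted domain, which is exactly what the mail.qq.com/...&url=http://black.com pattern relies on.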


2.5 SQL Injection

Essence: data and code are not separated, that is, data is executed as code.

How to understand this? For example, when we forget the password of a website we may try the "universal password" admin'-- and perhaps log in without a password. Why? Because the server may execute the following statement when validating the user:

SELECT * FROM users WHERE user_name = '$NAME' AND password = '$PWD';

which becomes:

SELECT * FROM users WHERE user_name = 'admin'-- ' AND password = '$PWD';

SQL injection requires two conditions: the attacker can control the input data, and the server splices that data into SQL and executes it.
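The two conditions can be seen directly by running the course's SELECT both ways. This is an added example, not code from the course: it uses an in-memory SQLite users table (constructed here) and the same admin'-- input, and shows that the spliced query logs in while the parameterized one treats the input as plain data:

```python
import sqlite3


def make_db():
    # Constructed in-memory users table for the demo (not from the course).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return conn


def login_spliced(conn, name, pwd):
    # Vulnerable: the statement is built by string splicing, as in the
    # course's SELECT, so whatever the user types becomes part of the SQL.
    # With name = "admin'--" the closing quote and password check are
    # commented out and the admin row is returned.
    sql = ("SELECT * FROM users WHERE user_name = '%s' AND password = '%s'"
           % (name, pwd))
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, name, pwd):
    # Fixed: the driver sends the values separately from the statement, so a
    # quote or -- inside name is just characters to compare, never SQL code.
    sql = "SELECT * FROM users WHERE user_name = ? AND password = ?"
    return conn.execute(sql, (name, pwd)).fetchone() is not None


def demo():
    conn = make_db()
    return {
        "spliced_universal": login_spliced(conn, "admin'--", "wrong"),
        "param_universal": login_parameterized(conn, "admin'--", "wrong"),
        "param_real": login_parameterized(conn, "admin", "s3cret"),
    }
```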


2.6 Command Injection

Windows (DOS/cmd) and Linux (Bash) have many system commands that can be abused,

such as ipconfig, net user, dir, find, etc.

Execution process:

A. The web application calls a function that executes system commands, such as system/exec/eval in PHP;

B. The function or its parameters can be controlled by the user;

C. The injected command is spliced in.

For example: on the common "enter a URL to view its IP" page, if the input is www.baidu.com && net user, then because of how && works the page may return system user information.
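Conditions B and C are what a defense has to break: the user's value must not be able to carry shell operators, and it should not reach a shell at all. The following is an added example, not code from the course (the course's functions are PHP; this is the same "look up a host's IP" page written in Python, with nslookup as an assumed lookup command): the hostname is validated against a strict pattern and then passed as a single argument list, so www.baidu.com && net user is rejected and, even if it were not, there is no shell to interpret the &&:

```python
import re
import subprocess

# A hostname is labels of letters, digits and hyphens joined by dots. Spaces,
# &&, |, ;, backticks and $() never match, so they are rejected before any
# command is built. A label may not start with "-", which also stops the value
# from being read as a command-line option.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}\Z)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\Z"
)


def is_valid_hostname(value):
    # fullmatch, so a trailing newline or anything after the name fails too
    return HOSTNAME_RE.fullmatch(value) is not None


def build_lookup_argv(host):
    """Return the argument list for the IP lookup, or None if host is rejected.
    The command is a list, never a spliced shell string, so the host can only
    ever be one argument of nslookup."""
    if not is_valid_hostname(host):
        return None
    return ["nslookup", host]


def lookup_ip(host):
    argv = build_lookup_argv(host)
    if argv is None:
        raise ValueError("rejected input: %r" % host)
    # shell=False (the default): no shell parses the arguments
    done = subprocess.run(argv, capture_output=True, text=True, timeout=10)
    return done.stdout
```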


2.7 File operation vulnerabilities

Many websites let users upload avatars, attachments and other files, and also offer downloads of apps, EXE files and so on; attackers can use these operations to upload webshells and trojans, or to download arbitrary files and code from the site.

File upload: upload a PHP file, then enter its address in the browser to execute it;

File download: analyze the download request address, modify it and execute the request;

File inclusion: when a file is included through a PHP function and the incoming filename is not properly verified, unintended files can be operated on, which can lead to accidental file leaks and even malicious code injection. The operations involved include include/require/fopen and the allow_url_include setting.
