"Upload vulnerability" and "login page brute force" defense

Upload vulnerability, landing page violence is more harmful, because once successful, it is equal to obtain the right to write files or change the site configuration, so as to facilitate further rights,

Here are some ways to protect against both threats:

Upload Vulnerability =========================================================================================================== ===* "File Upload vulnerability", including but not limited to-http request Header MIME spoofing,-file name or directory name%00 truncation upload,-dual file upload,-browser path parsing vulnerability,-picture one word Trojan + file contains,-unauthorized direct self-configuration form upload * File Upload Defense scheme:-1. Client detection, using JS to upload image detection, including file size, file type, etc.-2. Server-side detection, file size, file path, file extension, file type, file content detection, Renaming files-3. Other restrictions, server-side upload directory settings non-executable permissions prevent login page brute force hack ======================================================================== =======================================* Verification Code or token verification (before checking the user name, password prior to checking the verification code, the service side limit verification code is not empty, each verification will empty session verification code information). * Limit of number of login failures. The number of times the login failed in a certain period of time, even if the next guess the password also prompts the user name or password failed. *ip or proxy blacklist. * Prompt information, whether the user name is correct or not, always prompt the user name or password error.

　　

"Upload vulnerability" and "login page brute force" defense