20145237 "Network attack and Defense" Web Security Foundation Practice

Basic questions answer the principle of SQL injection attack, how to defend:

Some programmers in the writing code, the user does not judge the legality of input data, hackers use this bug in the data input area maliciously fill in the script, when the data is sent back to the background, the hacker fills in the script statement is run, so that the hacker can do the background cooked to operate;
When writing code, programmers must remember to judge the legality of user input data. Place the database with sensitive information inside the firewall;

The principle of XSS attack, how to defend:

The full name of XSS is: Cross-site scripting, which is called XSS in order to differentiate it from CSS cascading style sheets. is a Web application security vulnerability attack, is a code injection. It allows malicious users to inject code into a Web page, and other users will be affected when they view the page. Such attacks typically include HTML and client-side scripting languages. The main purpose of XSS attack is to find a way to obtain the target Attack website Cookie, because the cookie is equivalent to have seesion, with this information can be in any PC can access the Internet access to the website, and other people's health landing, do some damage;
Programmers should prevent the interface from displaying HTML tags and escaping symbols such as </>.

CSRF attack principle, how to defend:

Cross site Repuest forgery, which is a branch of XSS. Cross-site request forgery is a means of attacking a victim to load a picture containing a webpage. As shown in the following code: When the victim's browser tries to open the page, it uses the specified parameters to send the request to the Www.mybank.com transferfunds.do page. The browser thinks it will get a picture, but it is actually a money transfer function.

Practice Process

• (1) First open the Kali, enter the command systemctl start apache2 , open Apache. Then enter the nestat -aptn view port number, where I did not change the port number to my school number, with 80 port. If you want to modify the port to your own number, you can enter vi /etc/apache2/ports.conf the listening port number to change the apache2.
  

• (2) Enter 127.0.0.1:80 in the browser to see if Apache is functioning properly:
  

• (3) Enter cd /var/www/html into the Apache working directory, create a new .html file, I was named after my own school number.
  

• (4) A not found error occurs when we try to enter a username password
  

• (5) So we also need to create a new PHP file
  

• (6) Open the browser to access the localhost:80/file name. html, then enter the username password click Submit. Successfully jump to the page you just wrote:
  
  

• (7) We can then complete a web front-end JavaScript based on the previous success

• (8) Testing the results of the changes
  

Web back end: MySQL Basics

• (1) Input /etc/init.d/mysql start enable MySQL; input mysql -u root -p into MySQL; default password is:[email protected]
  

• (2) Enter CREATE SCHEMA TestLogin; Create a database Testlogin, and then enter the following command to create the database and the new table:
  1.use Fhn;
  2.create table FHN (username varchar), password varchar (+), telephone 3.VARCHAR (11));
  

• (3) then enter the following command to populate the data in the table
  Insert INTO table name
  VALUES (' value 1 ', ' Value 2 ', ' Value 3 ' ...);
  Use the SELECT * from table name; Query the data in the table:
  

• (4) next to the adaptation of PHP:
  

• (5) Use the front end to open the input password, because my previous password is 123, this modification has a length limit

• (6) Successful after modifying the compliant password

• （）

• （）

• （）

• （）

• （）

• （）

• （）

20145237 "Network attack and Defense" Web Security Foundation Practice