These days the school has run a information security contest, this game reminds me of years ago, inspirational to be able to black the United States CIA super hacker of the young naïve teenager, as well as the youth of the spring years, later, I have no longer fantasize about such things as the black CIA, but just comfortable life in the university campus, The message of any waves blows the edge of the world.
In the memory of my childhood, I took part in this competition and finally finished all the topics successfully. Topics include the use of XSS, SQL injection, cookie injection, blinds, upload vulnerabilities, brute force hacking, encryption and decryption, and more. These things at first glance from the small and medium-sized webmaster very far, but inside each is related to the health and safety of the site, the two days out of the need to do the problem, but also read a lot of related books and information, I found that in fact, many sites in the country, security is a big problem, small webmaster not like local tyrants station, You can roll a security team to do code review, do a daily scan (Ali's security system is said to scan Ali's 100,000 pages every 10 minutes, to ensure the health and safety of each page).
However, the security of small and medium-sized websites still have to do Ah, was attacked by the invasion of less is the search engine blocked traffic drops, many are rencailiangkong. Below I combine own experience to give some simple website protection strategy, hope can help to be affected by security problem, or want to strengthen website security construction Webmaster.
1. Password
Many of the simplest places are often the least valued place, a site administrator should have a background password, and if you are the site of the designer or builder, you should also have a database password, these two passwords must be complex, to eliminate weak passwords, and preferably not the same. Not to set the password of the website as your universal password, such as mailbox, QQ, other website account password, this is very important, people often pay attention to the technical seamless, but neglect the power of social engineering, experienced hackers for the use of information can only use the pinnacle to describe, Even if your own website has no loopholes in the program (although this is very difficult), the websites and services you have registered or used are not necessarily so difficult to break down, so never link the admin password of the website with the password used in your personal life.
2. Information hiding
Or the above point, the hacker for the use of information is very powerful, then as a protector, we should as far as possible to hide information, more sensitive information has, the site background path, personal mailbox (not the site mailbox), database structure-table and field names, webmaster personal information and so on.
Most sites will have contact us or the like page, but must note that this place to stay contact is business or customer service, rather than the developer or the first manager of the site, and mailbox and other information should also be working mailbox, rather than your usual use of personal mailbox, this can effectively prevent social workers.
and the database structure of the hidden, it is more technical, in this game, with SQL injection to guess the table took me a lot of time, and if the question to set the table name is more complicated, I am completely useless. Most sites will have the admin table, which will have the administrator's account password and other information, once the hacker found the injection vulnerability, you can easily get all the management information, but if we change the table name to, Adminhahaha, such a table is all scanning software in the dictionary does not have, Hackers will also cry over this kind of watch.
3. Use JS
Real-time Many do not know the technology webmaster, JS is also knows, JS is very convenient to use, and very powerful, most times, JS is safe, but some times, the use of JS is risky, because JS is running in the client, that all users can be arbitrarily modified, If you use JS to limit the uploading of files, it is not fun.
4. Treat uploads with care
If your site has a place to upload, be sure to treat it with caution. For example, PHP is used to determine whether the function of the picture is getimagesize, there is the famous gig89a loophole, you upload a php file, as long as the first add a gig89a, you can pretend to be a GIF file cheat PHP check, if your suffix judgment is to use JS to achieve, Then your site will be very easy to fall. In fact, there are a lot of uploaded funnel, although most (such as IIS6.0) are already very old, but there are still a lot of sites in use. In particular, the third-party editor's upload vulnerability should be more vigilant. If you provide users with rich text editor, be sure to do a good job in the protection of the editor.
5. Inject
Most of the world's Web site is still due to the injection of loopholes, including QQ, Sina, and even Baidu, its Web site will have injected loopholes, you can see a lot in the cloud, the essence of injection vulnerability is the use of database operations, ordinary injection, cookie injection, blind, methods, but the principle is the same, That is, malicious constructs the query statement to achieve the unspeakable purpose, the simple substitution may have the certain effect, but the high level hacker will constantly try to find your writing, thus to transform the ability to run the injected code. Ordinary webmaster can seek the help of third-party security plug-ins, 360 of anti-injection tools and security dogs are good choices.
6. Other (Xss,cookie)
XSS (Cross Site Script) is very easy to take advantage of the place, the specific explanation please Baidu, the defense method is to be wary of any user input place, XSS and injection is different, XSS is more constructs malicious JS, so that the user or administrator to run, and inject is to construct the query statement, Do the operation on the database. Similarly, the use of third-party security plug-ins is a good choice for webmasters with limited development capabilities.
As for cookies, administrators should be aware that their cookies do not have to be stolen, and also be cautious about the handling of cookies, and the parameters of the cookie should be treated as anti-injection 7. More Suggestions
Be sure to back up frequently.
Scan websites regularly to see if there are any anomalies.
Most of the time, the site used by the mature framework is relatively safe (Wordpress), but the inside of the plug-in is a lot of dangerous, before use to check the risk more.
6-point Security strategy for small and medium-sized websites