You have probably heard of the many kinds of Web application security vulnerabilities: cross-site scripting (XSS), SQL injection, file upload vulnerabilities, and so on. The list is long and varied.
I am not rejecting these names and classifications here, nor commenting on whether they are well chosen. My point is that behind the many named vulnerabilities there are only a few underlying security problems. I personally reduce the security of a Web application to the following three parts:
1. Input/output validation
2. Role authentication (verification)
3. Ownership verification
At this point readers will want to know how these three categories relate to the familiar security issues. I will give a rough answer for each in turn.
Input/output validation
The input and output here are at the user-interface level. For example, when you submit a registration form on a site you often receive prompts such as "invalid user name" or "name cannot use English"; each of these is an instance of input validation. What is output? After you successfully submit the registration form, the system returns a confirmation page (Registration Confirmation) that usually displays some or all of the information you entered; the information displayed there is an instance of output. So what validation does the output need?
Suppose you enter the following in the Address field when submitting the form:
<Script> alert ("iwebsecurity"); </script>
What happens when you arrive at the registration confirmation page? If the confirmation page performs no output validation (encoding), the value is written into the page verbatim and a JavaScript alert box pops up as soon as the page loads. This is a small instance of a cross-site scripting attack. One could write a small book on input/output validation alone; I will try to explain it in later articles.
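To make the two halves concrete, here is an added example (mine, not code from the original article) of a registration handler that validates the Address field on input with an allow-list and HTML-encodes it on output. The sample submissions, the allow-list pattern and the function names are my own assumptions, not anything taken from a real site.

```python
import html
import re

# Constructed sample submissions for the Address field (not data from the article).
# The second one is the payload shown above; the third breaks out of an attribute.
SAMPLE_ADDRESSES = [
    "12 Main Street, Springfield",
    '<Script> alert ("iwebsecurity"); </script>',
    '" onmouseover="alert(1)',
]

# Input validation: an allow-list of what an address may contain (assumed policy).
ADDRESS_PATTERN = re.compile(r"^[\w ,.\-#/]{1,120}$")


def validate_address(value: str) -> bool:
    """Return True only if the submitted address matches the allow-list."""
    return bool(ADDRESS_PATTERN.match(value))


def render_confirmation_unsafe(address: str) -> str:
    """Vulnerable rendering: the submitted value is echoed into HTML verbatim."""
    return f"<p>Address: {address}</p>"


def render_confirmation_safe(address: str) -> str:
    """Output validation (encoding): escape HTML metacharacters, quotes included,
    so the value is shown as text and can never become markup."""
    return f"<p>Address: {html.escape(address, quote=True)}</p>"


def contains_script_tag(markup: str) -> bool:
    """Crude check used here to show whether a rendered page still carries a script tag."""
    return bool(re.search(r"<\s*script", markup, re.IGNORECASE))


def handle_registration(address: str) -> str:
    """Full flow: reject bad input first, then encode on output (defence in depth).
    Output encoding is kept even for validated input, because the allow-list may
    be loosened later while the rendering code stays the same."""
    if not validate_address(address):
        return "<p>Error: invalid address</p>"
    return render_confirmation_safe(address)


if __name__ == "__main__":
    for sample in SAMPLE_ADDRESSES:
        print(repr(sample))
        print("  unsafe page:", render_confirmation_unsafe(sample))
        print("  handled    :", handle_registration(sample))
```

Input validation alone is not enough: the allow-list above would reject the script payload, but any field that legitimately accepts `<` or quotes (a comment box, a company name such as "A&B") still needs the output encoding, which is why `handle_registration` applies both.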
Role verification or authentication
Let's take CSDN as an example. Its users have several roles: a visitor who is not logged in, and a free user who has registered. As CSDN's business develops it may add paying registered users as well. Those are only the user roles; inside the company there is also an administrator role, and administrators may in turn be divided into different roles by section. So how many roles does CSDN deal with every day? The next question is permissions. Why have roles at all? To control permissions. Each role has permissions specific to it and permissions shared with others, and the logical relationships among them can become quite complex. If a Web application does not design its roles carefully and sensibly, it will bring developers endless pain. Now a few questions: can you ensure that each role can only do what belongs to it? How do you ensure it? Is the method reliable? Does it have holes? This is what I mean by role verification or authentication. Why "verification or authentication"? A role exists in two stages. One is entering the role: when you log in to the console, for instance, you take on a specific role. The other is maintaining the role: how do you ensure that every subsequent request is really being made as that logged-in user? The former is authentication, the latter verification.
A hypothetical case of role authentication/verification: an online movie service gives you a free trial role. If that trial role is not properly verified on each request, a trial user may escalate their privileges and become, as far as the application is concerned, a legitimate paying user, without the provider ever being paid.
Ownership verification
This problem is also built on roles, but it concerns permissions between users at the same level. Take CSDN again: I am a free CSDN user, and so are you.
Now the question is: can I act on your behalf? Can I post an article as you? Can I modify your personal settings? If not, how does CSDN prevent it? Although we are both ordinary users, you have your private data and I have mine, so strict ownership verification is critical. This is what I call ownership verification.
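The role section above and this ownership section describe the same two checks from different angles, so one added example (mine, not code from the original article or from CSDN) covers both: the role is taken from a server-side session on every request rather than from a field the client sends, and editing an article additionally requires that the caller owns it. The users, articles, role names and permission table are constructed sample data and assumptions of mine.

```python
import secrets
from dataclasses import dataclass


@dataclass
class User:
    user_id: int
    role: str  # one of the keys of ROLE_PERMISSIONS


@dataclass
class Article:
    article_id: int
    owner_id: int
    body: str


# Constructed sample data (assumed, not from the article): two free users and one admin.
USERS = {1: User(1, "free"), 2: User(2, "free"), 3: User(3, "admin")}
ARTICLES = {100: Article(100, owner_id=1, body="user 1's post")}

# Session store held server-side: token -> user_id. The client only ever sees the token.
SESSIONS = {}

# Assumed permission table: a role may do exactly what is listed for it.
ROLE_PERMISSIONS = {
    "visitor": {"read"},
    "trial": {"read"},                              # the movie site's free trial role
    "free": {"read", "post", "edit_own"},
    "paid": {"read", "post", "edit_own", "watch_full"},
    "admin": {"read", "post", "edit_own", "edit_any"},
}


def login(user_id: int) -> str:
    """Authentication (entering the role): issue an unguessable server-side session token."""
    token = secrets.token_hex(16)
    SESSIONS[token] = user_id
    return token


def current_user(token: str) -> User:
    """Verification (maintaining the role): the role is looked up from the session on
    every request. An unknown or missing token is treated as an anonymous visitor."""
    user_id = SESSIONS.get(token)
    return USERS[user_id] if user_id is not None else User(0, "visitor")


def watch_full_unsafe(claimed_role: str) -> bool:
    """Vulnerable: trusts a role the client supplied (hidden form field, cookie, query
    parameter). A trial user who simply sends claimed_role='paid' escalates for free."""
    return "watch_full" in ROLE_PERMISSIONS.get(claimed_role, set())


def watch_full_safe(token: str) -> bool:
    """Role verification: the decision uses only the server-side session's role."""
    return "watch_full" in ROLE_PERMISSIONS[current_user(token).role]


def edit_article(token: str, article_id: int, new_body: str) -> bool:
    """Ownership verification: two free users hold the same role, yet each may edit
    only the articles they own. Admins, whose role grants edit_any, may edit all."""
    user = current_user(token)
    perms = ROLE_PERMISSIONS[user.role]
    article = ARTICLES.get(article_id)
    if article is None:
        return False
    is_owner = article.owner_id == user.user_id
    if "edit_any" in perms or ("edit_own" in perms and is_owner):
        article.body = new_body
        return True
    return False


if __name__ == "__main__":
    t1, t2 = login(1), login(2)
    print("trial user claiming 'paid' against the unsafe check:", watch_full_unsafe("paid"))
    print("same user against the safe check:", watch_full_safe(t1))
    print("user 1 edits own article:", edit_article(t1, 100, "edited by owner"))
    print("user 2 edits user 1's article:", edit_article(t2, 100, "edited by someone else"))
```

The two bugs this guards against are distinct: `watch_full_unsafe` fails role verification (the server believes a role it never assigned), while an `edit_article` without the `is_owner` test would pass role verification and still fail ownership verification, since every free user has `edit_own`. The article ID in a request must therefore always be resolved to its owner on the server and compared with the session's user, never trusted because the request "looks" like it came from a legitimate user.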
I can say with confidence that any Web application security problem falls within these three parts. You may not yet be able to map every kind of Web application security issue cleanly onto them, but the underlying issues really are only these few simple ones.