Basic Web Development Guidelines

Original link: http://www.cnblogs.com/zhengyun_ustc/p/rule1.html

Web Development Engineers read the guidelines for front-end development below, which is the first part, highlighting the Web Access security infrastructure that we have noticed in the last few years that Web engineers have to deal with. In particular, some engineers from traditional software development to the Internet development, please read carefully, do not neglect these basic points to create one after another loophole or unexpected events.

Basic principles of Web development-55 record-web access security

Zheng was created in February 2013

Zheng last updated on October 14, 2013

Outline: Web Access security Cache policy storage media Connection pool Service demotion concurrent request processing

Keywords:

Session HIJACKING,XSS (Cross Site Scripting), SQLi (SQL injection), CSRF (Cross-site Request forgery), Formhash,rate Limits , parallel permission One, Web Access security 1.1. Use Formhash anti-CSRF and form auto-submit

Formhash refers to the construction of a hidden INPUT element in a form form, such as:

<input type= "hidden" name= "Formhash" id= "Formhash" value= "{Formhash}"/>

It is difficult for a third party to forge the value of this input, thereby preventing the site from arbitrarily constructing form submissions, that is, anti-csrf. Suitable business scenarios include registration, login, order, second Kill, sweepstakes, points redemption vouchers and so on.

1.1.1. Hong Sing's approach

Hong Sing products such as Discuz in order to prevent the machine post, formhash value is so calculated:

Its calculation function is Formhash ():

function Formhash ($specialadd = ") {

Global $_g;

$hashadd = defined (' IN_ADMINCP ')? ' Only for discuz! Admin Control Panel ': ';

Return substr (MD5 (substr ($_g[' timestamp '), 0,-7)

. $_g[' username '].$_g[' uid '].$_g[' Authkey ']

. $hashadd. $specialadd), 8, 8);

}

First, substr ($_sglobal[' timestamp '), 0,-7), intercept the first 3 bits of the timestamp (note that this practice of Hong Sing allows the Formhash to take effect and remain unchanged for a certain period of time, since the first 3 bits of the timestamp are intercepted, then the validity range is 115 days).

Then connect with the user name, user uid, Authke y, custom key, and so on. The Authkey here is based on the server-side configuration file in the Authkey and client cookies in the Saltkey key value of the connection, MD5, so it is not necessarily a fixed value, depending on how you grow to the client Saltkey cookies (Hong Sing selected is a kind of A random value of 8).

Finally do another MD5, intercept the string 8 bits.

When the server side uses the Submitcheck function to verify, it will calculate again formhash to be compared with the client submission: $_post[' formhash '] = = Formhash ().

Hong Sing's Formhash imitation is very small, but it is not necessarily "different form different random values", so you can log in from the Kang Sheng product page to get a formhash string, and the Saltkey key value in the cookie, and then construct the form and construct HttpRequest , can be submitted, valid within 115 days.

It can only be said that Hong Sing's practice is simple and has some effect, suitable as you start Plan A to withstand a while.

1.2. Detecting or filtering Xss/sqli/shell injection via global filter

Through the Cloud Network Vulnerability list, we can find that XSS injection [injection 1]/sql injection everywhere, the major manufacturers wave upon wave to make mistakes. If the framework itself is not effectively intercepted or detected, only by virtue of the Iron battalion of the Soldiers of the engineers own consciousness, I am afraid of precarious.

The common misconception is that XSS is no big deal, because XSS vulnerabilities are common.

A weak vulnerability may be fine, but attackers tend to be persistent, if they find a series of weak loopholes, coupled with social engineering means (see 2013, using social workers to capture the security cases in the background), dikes will be destroyed in the nest. For example, a front-end storage-type XSS vulnerability, with management background login account Session hijacking, you can easily rush into the management of the background.

Zheng recommends that you read the following security cases to enhance your understanding (there is a picture of the Truth): 2013, Douban Storage-type XSS vulnerability to user cookies, and, Douban initiate the same city activities insert XSS code waiting for administrator to audit the administrator cookies; 2013 Tianya CSRF Series IV: Using Storage xss+ pseudo-csrf for worm attacks, "since we cannot trigger csrf through external links, we can use stored XSS to trigger this csrf." In this domain under the contract, the source domain is Tianya, naturally will not intercept. Just in the end of the Tianya blog page found an instance of storing XSS, then we will combine this instance to do a worm attack. "; 2010, Youku Sub-station SQL injection vulnerability; 2013, the Sqlmap capture of the Youku sub-station; 2013, discuz! Background third-party plugin upload any suffix file take the shell.

So, first of all, it is better to add a global filter at the framework level and string filter the $_get/$_post/$_cookie in the HTTP Request, which is a mandatory filter. (for the avoidance of CSRF (Cross-site request forgery, cross-site solicitation forgery) considerations [Note 4], engineers try not to use $_request. ）

For PHP, it is also possible to introduce Laruence's Xss/sql/shell injected PHP extension module into the development environment: phptaint[NOTE 2].

Second, eliminate the bare write SQL.

Ensure that all of the SQL parameters are compiled with pre-compilation links for verifying parameters, such as using Java.sql.PreparedStatement.

1.2.1. The big principle is: do not trust the data submitted by the client

To deeply understand the principle of XSS, the attack code is not necessarily (not) in <script></script>.

Therefore, when dealing with XSS injections, not only to escape or remove special HTML tags and symbols, such as angle brackets <>, such as script, such as IFRAME, you also need to filter the many attributes involved in JavaScript events, as shown in the following table:

Property	This event occurs when the following conditions occur
Onabort	Image load is interrupted
Onblur	Element loses focus
OnChange	User changes the contents of a domain
OnClick	Mouse click on an object
OnDblClick	Mouse double-click an object
OnError	An error occurred while loading a document or image
onfocus	Element gets focus
OnKeyDown	The key of a keyboard is pressed
onkeypress	Key of a keyboard is pressed or pressed
OnKeyUp	The key of a keyboard is loosened
OnLoad	A page or image is finished loading
OnMouseDown	A mouse button is pressed
OnMouseMove	Mouse is moved
onmouseout	The mouse moves away from an element
onmouseover	The mouse is moved above an element
OnMouseUp	A mouse button is released
OnReset	Reset button is clicked
OnResize	The window or frame is resized
Onselect	Text is selected
OnSubmit	Submit button is clicked
OnUnload	User Exit Page

Table 1 JavaScript event property sheet

Otherwise, there are two possible instances of XSS vulnerabilities: