Basic Web Development Guidelines

Source: Internet
Author: User
Tags html tags http request md5 sql injection
Original link: http://www.cnblogs.com/zhengyun_ustc/p/rule1.html

Web Development Engineers read the guidelines for front-end development below, which is the first part, highlighting the Web Access security infrastructure that we have noticed in the last few years that Web engineers have to deal with. In particular, some engineers from traditional software development to the Internet development, please read carefully, do not neglect these basic points to create one after another loophole or unexpected events.

Basic principles of Web development-55 record-web access security

Zheng was created in February 2013

Zheng last updated on October 14, 2013

Outline: Web Access security Cache policy storage media Connection pool Service demotion concurrent request processing

Keywords:

Session HIJACKING,XSS (Cross Site Scripting), SQLi (SQL injection), CSRF (Cross-site Request forgery), Formhash,rate Limits , parallel permission One, Web Access security 1.1. Use Formhash anti-CSRF and form auto-submit

Formhash refers to the construction of a hidden INPUT element in a form form, such as:

<input type= "hidden" name= "Formhash" id= "Formhash" value= "{Formhash}"/>

It is difficult for a third party to forge the value of this input, thereby preventing the site from arbitrarily constructing form submissions, that is, anti-csrf. Suitable business scenarios include registration, login, order, second Kill, sweepstakes, points redemption vouchers and so on.

1.1.1. Hong Sing's approach

Hong Sing products such as Discuz in order to prevent the machine post, formhash value is so calculated:

Its calculation function is Formhash ():

function Formhash ($specialadd = ") {

Global $_g;

$hashadd = defined (' IN_ADMINCP ')? ' Only for discuz! Admin Control Panel ': ';

Return substr (MD5 (substr ($_g[' timestamp '), 0,-7)

. $_g[' username '].$_g[' uid '].$_g[' Authkey ']

. $hashadd. $specialadd), 8, 8);

}

First, substr ($_sglobal[' timestamp '), 0,-7), intercept the first 3 bits of the timestamp (note that this practice of Hong Sing allows the Formhash to take effect and remain unchanged for a certain period of time, since the first 3 bits of the timestamp are intercepted, then the validity range is 115 days).

Then connect with the user name, user uid, Authke y, custom key, and so on. The Authkey here is based on the server-side configuration file in the Authkey and client cookies in the Saltkey key value of the connection, MD5, so it is not necessarily a fixed value, depending on how you grow to the client Saltkey cookies (Hong Sing selected is a kind of A random value of 8).

Finally do another MD5, intercept the string 8 bits.

When the server side uses the Submitcheck function to verify, it will calculate again formhash to be compared with the client submission: $_post[' formhash '] = = Formhash ().

Hong Sing's Formhash imitation is very small, but it is not necessarily "different form different random values", so you can log in from the Kang Sheng product page to get a formhash string, and the Saltkey key value in the cookie, and then construct the form and construct HttpRequest , can be submitted, valid within 115 days.

It can only be said that Hong Sing's practice is simple and has some effect, suitable as you start Plan A to withstand a while.

1.2. Detecting or filtering Xss/sqli/shell injection via global filter

Through the Cloud Network Vulnerability list, we can find that XSS injection [injection 1]/sql injection everywhere, the major manufacturers wave upon wave to make mistakes. If the framework itself is not effectively intercepted or detected, only by virtue of the Iron battalion of the Soldiers of the engineers own consciousness, I am afraid of precarious.

The common misconception is that XSS is no big deal, because XSS vulnerabilities are common.

A weak vulnerability may be fine, but attackers tend to be persistent, if they find a series of weak loopholes, coupled with social engineering means (see 2013, using social workers to capture the security cases in the background), dikes will be destroyed in the nest. For example, a front-end storage-type XSS vulnerability, with management background login account Session hijacking, you can easily rush into the management of the background.

Zheng recommends that you read the following security cases to enhance your understanding (there is a picture of the Truth): 2013, Douban Storage-type XSS vulnerability to user cookies, and, Douban initiate the same city activities insert XSS code waiting for administrator to audit the administrator cookies; 2013 Tianya CSRF Series IV: Using Storage xss+ pseudo-csrf for worm attacks, "since we cannot trigger csrf through external links, we can use stored XSS to trigger this csrf." In this domain under the contract, the source domain is Tianya, naturally will not intercept. Just in the end of the Tianya blog page found an instance of storing XSS, then we will combine this instance to do a worm attack. "; 2010, Youku Sub-station SQL injection vulnerability; 2013, the Sqlmap capture of the Youku sub-station; 2013, discuz! Background third-party plugin upload any suffix file take the shell.

So, first of all, it is better to add a global filter at the framework level and string filter the $_get/$_post/$_cookie in the HTTP Request, which is a mandatory filter. (for the avoidance of CSRF (Cross-site request forgery, cross-site solicitation forgery) considerations [Note 4], engineers try not to use $_request. )

For PHP, it is also possible to introduce Laruence's Xss/sql/shell injected PHP extension module into the development environment: phptaint[NOTE 2].

Second, eliminate the bare write SQL.

Ensure that all of the SQL parameters are compiled with pre-compilation links for verifying parameters, such as using Java.sql.PreparedStatement.

1.2.1. The big principle is: do not trust the data submitted by the client

To deeply understand the principle of XSS, the attack code is not necessarily (not) in <script></script>.

Therefore, when dealing with XSS injections, not only to escape or remove special HTML tags and symbols, such as angle brackets <>, such as script, such as IFRAME, you also need to filter the many attributes involved in JavaScript events, as shown in the following table:

Property

This event occurs when the following conditions occur

Onabort

Image load is interrupted

Onblur

Element loses focus

OnChange

User changes the contents of a domain

OnClick

Mouse click on an object

OnDblClick

Mouse double-click an object

OnError

An error occurred while loading a document or image

onfocus

Element gets focus

OnKeyDown

The key of a keyboard is pressed

onkeypress

Key of a keyboard is pressed or pressed

OnKeyUp

The key of a keyboard is loosened

OnLoad

A page or image is finished loading

OnMouseDown

A mouse button is pressed

OnMouseMove

Mouse is moved

onmouseout

The mouse moves away from an element

onmouseover

The mouse is moved above an element

OnMouseUp

A mouse button is released

OnReset

Reset button is clicked

OnResize

The window or frame is resized

Onselect

Text is selected

OnSubmit

Submit button is clicked

OnUnload

User Exit Page

Table 1 JavaScript event property sheet

Otherwise, there are two possible instances of XSS vulnerabilities:

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.