Original link: http://www.cnblogs.com/zhengyun_ustc/p/rule1.html
Web development engineers, please read the front-end development guidelines below. This first part highlights the web access security fundamentals that, as we have noticed over the last few years, web engineers have to deal with. Engineers who moved from traditional software development to Internet development in particular should read carefully and not neglect these basic points; neglecting them creates one vulnerability or incident after another.
Basic Principles of Web Development, Note 55: Web Access Security
Created by Zheng in February 2013
Last updated by Zheng on October 14, 2013
Outline: web access security; cache policy; storage media; connection pools; service degradation; concurrent request handling
Keywords: session hijacking, XSS (cross-site scripting), SQLi (SQL injection), CSRF (cross-site request forgery), formhash, rate limits, parallel permission (horizontal authorization)

Part One: Web Access Security

1.1. Use formhash against CSRF and automated form submission
A formhash is a hidden INPUT element placed inside a form, such as:
    <input type="hidden" name="formhash" id="formhash" value="{FORMHASH}"/>
It is hard for a third party to forge the value of this input, which prevents arbitrary construction of form submissions against the site, that is, it resists CSRF. Suitable business scenarios include registration, login, ordering, flash sales ("second kill"), sweepstakes, redeeming points for vouchers, and so on.
1.1.1. Kang Sheng's approach
Kang Sheng products such as Discuz! compute the formhash value as follows in order to block automated (machine) posting. The calculation function is formhash():
    function formhash($specialadd = '') {
        global $_G;
        // Extra fixed salt when the form lives in the admin control panel
        $hashadd = defined('IN_ADMINCP') ? 'Only For Discuz! Admin Control Panel' : '';
        // Drop the last 7 digits of the timestamp, append the user's name, uid and the
        // site authkey plus any caller-supplied salt, md5 it, and keep 8 characters
        return substr(md5(substr($_G['timestamp'], 0, -7)
            . $_G['username'] . $_G['uid'] . $_G['authkey']
            . $hashadd . $specialadd), 8, 8);
    }
First, substr($_G['timestamp'], 0, -7) keeps only the first 3 digits of the 10-digit timestamp. Note that this is how Kang Sheng lets the formhash stay valid and unchanged for a period of time: since only the first 3 digits are kept, the validity window is 115 days.
Then it concatenates the user name, the user's uid, the authkey, a custom key and so on. The authkey here is the md5 of the authkey from the server-side configuration file concatenated with the saltkey cookie on the client, so it is not necessarily a fixed value; it depends on how the saltkey cookie is issued to the client (Kang Sheng chose an 8-character random value).
Finally the whole string is md5'd and 8 characters are taken from it.
When the server side verifies with the submitcheck function, it recomputes the formhash and compares it with what the client submitted: $_POST['formhash'] == formhash().
Kang Sheng's formhash leaves little room for outright forgery, but it is not necessarily "a different random value for each form", so one can log in to a Kang Sheng product page, obtain a formhash string together with the saltkey value from the cookie, then construct the form and the HTTP request and submit it; the submission stays valid within 115 days.
It can only be said that Kang Sheng's practice is simple and somewhat effective, suitable as a starting Plan A to hold out for a while.
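As an added example (Python, not Discuz code), the two properties the critique above says formhash lacks, a value bound to one form and a short lifetime, come from an HMAC over the session id, the form name and the issue time; SERVER_KEY, the 15-minute lifetime and the session and form names are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed for the demo: one per-deployment secret. Discuz derives its secret from
# the site authkey plus the client's saltkey cookie; a single server-side key suffices here.
SERVER_KEY = os.urandom(32)
# formhash's truncated timestamp changes only every 10**7 s (about 115 days); use minutes.
TOKEN_TTL = 15 * 60


def _mac(session_id: str, form_name: str, issued: int) -> str:
    msg = f"{session_id}|{form_name}|{issued}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def make_token(session_id: str, form_name: str, now: Optional[int] = None) -> str:
    """Token bound to one session AND one form, formatted as 'issued:hexmac'."""
    issued = int(time.time()) if now is None else now
    return f"{issued}:{_mac(session_id, form_name, issued)}"


def check_token(token: str, session_id: str, form_name: str, now: Optional[int] = None) -> bool:
    """Recompute the MAC for this session and form; reject expired or malformed tokens."""
    current = int(time.time()) if now is None else now
    try:
        issued_str, mac = token.split(":", 1)
        issued = int(issued_str)
    except ValueError:
        return False
    if not 0 <= current - issued <= TOKEN_TTL:
        return False  # expired, or claims to have been issued in the future
    # Constant-time compare: a plain == on the hex string leaks the matching prefix length
    return hmac.compare_digest(_mac(session_id, form_name, issued), mac)
```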
1.2. Detect or filter XSS/SQLi/shell injection with a global filter
From the WooYun (乌云) vulnerability list we can see that XSS injection [Note 1] and SQL injection are everywhere, and the major vendors make these mistakes wave after wave. If the framework itself does not intercept or detect them effectively, and we rely only on the awareness of individual engineers in teams where engineers come and go, I am afraid the situation is precarious.
A common misconception is that XSS is no big deal, precisely because XSS vulnerabilities are so common.
One weak vulnerability alone may be harmless, but attackers tend to be persistent. If they find a series of weak vulnerabilities and combine them with social engineering (see the 2013 cases of capturing admin back ends via social engineering), the dike collapses at the ant nest. For example, a front-end stored XSS vulnerability combined with session hijacking of an admin back-end login account lets an attacker walk straight into the management back end.
Zheng recommends reading the following security cases to deepen your understanding (with pictures as proof):
2013, Douban: a stored XSS vulnerability exposing user cookies; and, Douban: inserting XSS code when creating a same-city activity, waiting for the administrator to review it, and capturing the administrator's cookies;
2013, Tianya CSRF series IV: using stored XSS plus pseudo-CSRF for a worm attack: "since we cannot trigger the CSRF through external links, we can use stored XSS to trigger it. Under this domain the source domain is Tianya, so naturally it will not be intercepted. As it happens, an instance of stored XSS was found at the bottom of the Tianya blog page, so we combine this instance to carry out a worm attack";
2010, Youku sub-site SQL injection vulnerability; 2013, sqlmap capture of a Youku sub-site;
2013, Discuz! back end: a third-party plug-in allowing upload of files with arbitrary suffixes to take the shell.
So, first of all, it is better to add a global filter at the framework level that string-filters $_GET/$_POST/$_COOKIE in the HTTP request, as a mandatory filter. (To avoid CSRF (cross-site request forgery) [Note 4], engineers should try not to use $_REQUEST.)
For PHP you can also introduce Laruence's PHP extension for detecting XSS/SQL/shell injection into the development environment: phptaint [Note 2].
Second, eliminate hand-written (bare) SQL.
Ensure that every SQL parameter goes through a precompiled (prepared) statement that validates its parameters, for example java.sql.PreparedStatement.
1.2.1. The overriding principle: do not trust data submitted by the client
To understand the principle of XSS deeply: the attack code is not necessarily (and often is not) inside <script></script>.
Therefore, when dealing with XSS injection, it is not enough to escape or remove special HTML tags and symbols such as angle brackets <>, script, or iframe; you also need to filter the many attributes that bind JavaScript events, as shown in the following table:
Attribute   | The event fires when
onabort     | image loading is aborted
onblur      | an element loses focus
onchange    | the user changes the contents of a field
onclick     | the mouse clicks an object
ondblclick  | the mouse double-clicks an object
onerror     | an error occurs while loading a document or image
onfocus     | an element gains focus
onkeydown   | a keyboard key is pressed
onkeypress  | a keyboard key is pressed or held down
onkeyup     | a keyboard key is released
onload      | a page or image finishes loading
onmousedown | a mouse button is pressed
onmousemove | the mouse is moved
onmouseout  | the mouse moves away from an element
onmouseover | the mouse moves over an element
onmouseup   | a mouse button is released
onreset     | the reset button is clicked
onresize    | the window or frame is resized
onselect    | text is selected
onsubmit    | the submit button is clicked
onunload    | the user leaves the page
Table 1: JavaScript event attributes
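As an added example (Python, not from the original post), here is an allowlist sanitizer for user-submitted HTML that drops every on* attribute from Table 1 and every non-http URL scheme, so that an img tag with an onerror handler and no script tag at all is still caught; the tag and attribute allowlists are assumptions chosen for the demo.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist (assumed for the demo): anything not listed is dropped. html.parser lowercases
# tag and attribute names before we see them, so onError and ONERROR are caught too.
ALLOWED_TAGS = {"p", "b", "i", "a", "img", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}


def safe_url(value: str) -> bool:
    # http(s) or a same-site absolute path; rejects javascript:, data:, vbscript: and //host
    v = value.strip().lower()
    return v.startswith(("http://", "https://")) or (v.startswith("/") and not v.startswith("//"))


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []      # (tag, attr) pairs removed; log these as an injection-attempt signal
        self.skipping = False  # inside <script>/<style>: discard their text as well

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append((tag, None))
            self.skipping = tag in ("script", "style")
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            # Any on* attribute is an event handler (the whole of Table 1): never allowed.
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append((tag, name))
            elif name in ("href", "src") and not safe_url(value):
                self.dropped.append((tag, name))
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skipping = False
        elif tag in ALLOWED_TAGS and tag not in ("img", "br"):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data))  # text is always re-escaped


def sanitize(fragment: str):
    """Return (clean_html, dropped) for one user-submitted fragment."""
    s = Sanitizer()
    s.feed(fragment)
    s.close()
    return "".join(s.out), s.dropped
```

html.parser is not an HTML5-conformant parser, so in production this allowlist logic belongs inside a maintained sanitizer library; the dropped list is the part worth keeping as a detection signal.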
Otherwise, two kinds of XSS vulnerability remain possible: