Common security vulnerabilities for Web application security

Source: Internet
Author: User

The three core elements of information security are confidentiality, integrity and availability; the list below also adds controllability and non-repudiation.

(1) Confidentiality
Information is made available only to authorized parties and is not disclosed to unauthorized ones.
(2) Integrity
Information passing from the genuine sender to the genuine recipient is not added to, deleted from, or replaced by unauthorized users during transfer.
(3) Availability
Information and information systems are ready to provide service to authorized users, and legitimate users' access to information and resources is not unreasonably denied.
(4) Controllability
In the interests of the state and institutions and the needs of social management, managers are able to exercise the necessary control over information, in order to combat crime and foreign aggression.
(5) Non-repudiation
People are held responsible for the information they send, and evidence is available for notarization and arbitration, so that society can be governed according to law.
Vulnerabilities: security flaws in hardware, software, protocols and other information system components, introduced at any stage of the life cycle (design, implementation, operation, etc.). These defects affect the security of the system (confidentiality, integrity, availability), for example by allowing data to be tampered with or the system to be taken under control.
Penetration test
Black box test: with authorization, simulate an attacker's methods and way of thinking in order to evaluate the security risk of a computer network system.
White box test: in contrast to black box testing, white box testing is started from the inside and consists mainly of code audit.
SQL injection
Because the program does not strictly check user input, a user can submit database query code and, from the results the program returns, obtain data he wants to know. This is called SQL injection.
SQL injection repair method
Bind variables: use precompiled statements (parameterized queries); SQL Server, MySQL and Oracle all support parameterized queries.
In special cases, data type checking can be used: integer inputs are cast to integers, and string inputs have illegal characters filtered out, for example ' " = and space (in PHP, mysql_real_escape_string can be used).
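The two repair approaches above side by side, as an added example that is not part of the original page: a query built by string concatenation, the same query with a bound variable, and the integer type check. The table, rows and inputs are constructed here; sqlite3 stands in for the database.

```python
import sqlite3


def make_db():
    # Constructed in-memory sample table (not from the original page).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users (name, secret) VALUES (?, ?)",
                     [("alice", "s1"), ("bob", "s2")])
    return conn


def lookup_concat(conn, name):
    # Vulnerable: the user's input is spliced straight into the SQL text,
    # so quotes in the input change the structure of the query.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    # Repaired: bound variable. The statement text is fixed and the value is
    # passed separately, so the input is only ever compared as data.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def lookup_by_id(conn, raw_id):
    # Type check for integer inputs: cast first and reject anything that is
    # not a plain integer, then still bind the value.
    try:
        uid = int(raw_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (uid,))
    return [row[0] for row in rows]


def strip_illegal_chars(value):
    # Filtering for string inputs as the page describes (' " = and space).
    # This is the fallback approach; parameterized queries are preferred.
    return "".join(ch for ch in value if ch not in "'\"= ")


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"           # constructed test input
    print(lookup_concat(db, probe))  # both rows: the condition was rewritten
    print(lookup_param(db, probe))   # []: no user is literally named that
    print(lookup_by_id(db, "2"))     # ['bob']
```

Escaping helpers such as PHP's mysql_real_escape_string belong to the old mysql_ extension, which was removed in PHP 7; current PHP code uses PDO or mysqli prepared statements, which are the bound-variable approach shown in lookup_param.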
XSS
A malicious user injects code into a web page, and other users are affected when they view the page (for example, phishing or cookie theft). Such attacks typically contain HTML and client-side script.


