Common security vulnerabilities for Web application security

Three key elements of information security: confidentiality, integrity, usability

(1) Confidentiality (confidentiality)
The information is guaranteed to be enjoyed by the authorized person without leaking to the unauthorized person.
(2) integrity (Integrity)
That is to ensure that the information from the real sender to the real recipient of the hands of the transfer process has not been illegal users to add, delete, replace and so on.
(3) Availability (availability)
That is to ensure that information and information systems are ready to provide services to the authorized persons, and that the use of information and resources by legitimate users will not be unreasonably rejected.
(4) controllability (controllability)
That is, the interests of the State and institutions and the needs of social management, to ensure that managers can implement the necessary control of information management, to combat social crime and foreign aggression.
(5) non-repudiation (non-repudiation)
That is, people should be responsible for their own information, and provide evidence of notarization and arbitration information to ensure the administration of the society according to law.

Vulnerabilities: Hardware, software, protocols, and other information system components in the lifecycle of the various stages (design, implementation, operation, etc.) in the security flaws, these defects will be the security of the system (confidentiality, integrity, availability) impact. such as: Tampering with the data, control and so on.

Penetration test

Black box test: In the case of authorization, simulate hacker's attack method and thinking mode, to evaluate the security risk of computer network system.

White box test: Relatively black box testing, white box testing is basically initiated from the inside, mainly the code audit

SQL injection

Because the user input in the program is not strict, users can submit a database query code, according to the results returned by the program to obtain some of the data he wants to know, this is called SQL injection

SQL Injection Repair method

Binding variables Use precompiled statements (parameterized queries), and SQL Server, MySQL, and Oracle support parameterized queries.

Special cases can use data type checking, shaping is cast, character type is filtering illegal characters, for example, "' = Space, etc. (PHP can use mysql_real_escape_string)

Xss

A malicious user injects code into a Web page, and other users are affected when they view the page (such as fishing, stealing cookies). Such attacks typically contain HTML and client-side scripting languages.

Hardware, software, protocols and other information system components in the life cycle of the various stages (design, implementation, operation, etc.) in the security flaws, these defects will be the security of the system (confidentiality, integrity, availability) has an impact. such as, to tamper with the data, control and so on.

Hardware, software, protocols and other information system components in the life cycle of the various stages (design, implementation, operation, etc.) in the security flaws, these defects will be the security of the system (confidentiality, integrity, availability) has an impact. such as, to tamper with the data, control and so on.

Hardware, software, protocols and other information system components in the life cycle of the various stages (design, implementation, operation, etc.) in the security flaws, these defects will be the security of the system (confidentiality, integrity, availability) has an impact. such as, to tamper with the data, control and so on.