1.0 SQL injection
SQL injection principle: by inserting SQL commands into a Web form submission, or into the query string of a domain name or page request, an attacker tricks the server into executing a malicious SQL command.
SQL Injection Protection:
1. Never trust user input. Validate it, for example with regular expressions, by limiting its length, or by escaping single quotation marks and double dashes ("--").
2. Never use dynamically assembled SQL; use parameterized SQL or stored procedures for data query access.
3. Never use a database connection with administrator rights; give each application its own separate, limited database connection.
4. Do not store confidential information in plaintext; encrypt or hash passwords and other sensitive information.
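An added example (not part of the original text) contrasting items 1 and 2 above: a dynamically assembled query against a constructed in-memory SQLite table, beside the parameterized form and an allowlist check on the input. The table, its rows and the function names are assumptions made for this illustration.

```python
import re
import sqlite3

# Constructed sample data (not from the page): an in-memory table with two users.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-of-alice"), ("bob", "hash-of-bob")])
    return conn

def lookup_dynamic(conn, name):
    """Dynamically assembled SQL (the anti-pattern in item 2): the raw input
    becomes part of the statement text, so a quote in the input changes the
    meaning of the statement instead of being treated as data."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, name):
    """Parameterized SQL (item 2): the statement is fixed and the value is
    passed separately, so the database never parses the input as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

# Item 1: allowlist the shape of the input before it reaches the database.
NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")

def is_valid_name(name):
    return bool(NAME_RE.match(name))

def lookup_defended(conn, name):
    """Validation plus parameterization: bad input is rejected up front and
    whatever passes is still bound as a parameter, never concatenated."""
    if not is_valid_name(name):
        return []
    return lookup_parameterized(conn, name)
```

With the tautology input `x' OR '1'='1`, the dynamic version returns every row while the parameterized version returns none, because the quote never reaches the SQL parser.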
2.0 XSS principle and precautions
XSS principle: in an XSS (cross-site scripting) attack, an attacker inserts malicious HTML tags or JavaScript code into a Web page. For example, the attacker posts a seemingly safe link in a forum and tricks users into clicking it, stealing the private information in their cookies; or the attacker adds a malicious form to the forum, so that when a user submits it the data goes to the attacker's server rather than to the trusted site the user intended.
How to prevent XSS:
First, wherever the code takes user input or variables, carefully check the length and filter characters such as "<", ">", ";" and the quotation mark; then encode any content written to the page, so that HTML tags are not emitted by accident. Doing this level well blocks more than half of XSS attacks.
Second, avoid placing user private data such as email addresses and passwords directly in a cookie. Third, reduce the damage from a cookie leak by binding cookies to the system IP address; the cookie an attacker obtains then has no real value and cannot be replayed.
If the website does not need to operate on the cookie on the browser side, add the HttpOnly attribute at the end of the Set-Cookie header to prevent JavaScript code from reading the cookie directly.
Where possible, submit forms with POST rather than GET.
3.0 CSRF (cross-site request forgery)
CSRF principle: to perform a specified action on the user's behalf, the attacker needs to know the code of the target page and the format of the request data. For a CSRF attack to succeed, the victim must complete two steps in turn:
① Log in to trusted Web site A, which generates a cookie locally.
② Visit dangerous Web site B without logging out of A.
CSRF defenses:
① Server side: there are many ways to defend against CSRF, but the general idea is the same, which is to add a pseudo-random number (a token) to the client page.
② Use a verification code (CAPTCHA).
Common Web security and protection principles