Does the security detection tool scan project programs for security vulnerabilities?

Source: Internet
Author: User

The customer company evaluated our project with their evaluation software and found several security vulnerabilities: SQL injection and XSS attacks. I read the server program code that has the security vulnerabilities and found that the vulnerability occurs where the page sends GET or POST data to the server. The backend receives data using the Input class provided by the CI framework, which can filter user input, and the CSRF configuration item is also enabled.

Test tool:

Vulnerability overview:

There are several headaches:

  1. Previously, the code receiving GET and POST data was written like this: $this->input->get('section_id'). It is the same in other parts of the project, and it is said that filtering and security measures have been implemented, so why do such vulnerabilities still occur?

  2. If there is a problem with the way the server receives GET/POST data, then every place in the project that uses this method should have the vulnerability. Why does the vulnerability exist in only a few places?

  3. The customer only looks at the detection data. How can I explain this and communicate with them?

Please advise ~

Reply content:

1. The test software is not necessarily accurate. Generally, it only determines whether injection exists by checking whether the character lengths of the results returned by different split statements are the same.
2. Do not trust any framework. You must perform global filtering for security.
3. The XSS detected here is not stored, and the risk is not that high. Most of these are used as springboards.
4. The customer only needs to be reassured by a report showing that there are no vulnerabilities.
5. If you just want him to scan for vulnerabilities, write log files at the program entry point, record all requests and parameters, and analyze how the scanning software decides that a vulnerability exists.
6. Fix the vulnerabilities reported by the scanning software. In my personal experience, this is probably because the parameter you passed was not run through intval.
7. Disable the MySQL error prompt to prevent error-based injection.

Prevention
1. Add global SQL keyword filtering to the program.
2. Enable PHP single-quote escaping (magic_quotes_gpc in php.ini).
3. Enable Apache/nginx/IIS service logs, MySQL slow query logs, and request logs recorded at the program entry point.
4. Install web application security software such as "dongle" (安全狗) on the server.
5. Use UTF-8 for the database connection to prevent GBK double-byte injection.
6. Increase the complexity of MySQL passwords, disable MySQL external connections, and change the default port number.
7. Lower the privileges of the program's MySQL account: grant only the ordinary insert, select, update, and delete permissions, and prohibit file operation permissions.

XSS cross-site attack solution
1. Use htmlspecialchars to escape text when writing it out.
2. Use SSL to block external JS references.
3. Set httponly to prevent cookie retrieval.
4. Ensure there is no injection (if injection exists, hexadecimal encoding can be used to bypass htmlspecialchars and achieve the XSS effect).
5. It is best to use two programs with different routing rules for the backend and the front end. A second-level password should be set for key operations in the backend (such as backing up the database), and the complexity of request parameters should be increased to prevent CSRF.

PHP Security
1. Add suffix filtering where files are uploaded. When filtering, do not use negative ("logical NOT") judgments.
2. Do not allow uploads with the suffix php or htaccess. Do not use data submitted by the client to obtain the file name suffix; the program should add the suffix and a random file name itself.
3. Use unified routing to restrict unauthorized access. The webroot directory should contain only one index.php (the entry file); all other directories and all resource (upload) files go elsewhere. Add the anti-hotlinking function in nginx.
4. PHP privilege lowering: restrict the creation of folders and files in the web directory (except for the folders the program requires; there is usually a cache directory that needs write permission).
5. Filter for IIS/nginx file parsing vulnerabilities.
6. Use a mobile phone verification code for password retrieval, and use a separate server for mailbox-based retrieval (to prevent the real IP address from being exposed through the password retrieval function). The password reset link sent to the user's mailbox needs a complex encrypted parameter.
7. A single-session login should be enforced for each user: if the user is already logged on, a prompt should be shown when someone else logs on again.

Security knowledge
1. The web application uses site/database separation, and the default path of the environment's web directory is changed.
2. When using an integrated environment, delete the PHP probe, phpMyAdmin, and phpinfo after installation is complete (the probe can reveal your web path, and phpMyAdmin can be cracked).
3. User passwords should preferably be stored as the MD5 value of the salted password.
4. Add a verification code to the user login page, and limit the number of errors to prevent brute force cracking.
5. Hide the real IP address with CDN acceleration.
6. When a user logs on, do not transmit the account password in plaintext, to prevent someone sniffing on the client side via ARP spoofing from obtaining users' and administrators' plaintext passwords.
7. Disable the PHP system command functions exec and system.
8. Install "dongle" and other security protection software on the server.
9. Do not keep .rar or .zip files in the web directory.

As far as I understand RSAS and BVS, they will keep scanning out this issue until you fix it. The most fundamental solution is to fix these problems and discover the vulnerabilities yourself. What the customer worries about may not be someone else attacking him, but insiders using the vulnerability as a backdoor. With some customers there is little room for explanation.
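The reply's points about intval on parameters, escaping with htmlspecialchars, HttpOnly cookies, and whitelist suffix checks on uploads can be collected into one small request handler. The following is an added example written for this page, not code from the question or the reply, and not CodeIgniter's own API: it uses plain PHP with PDO and an in-memory SQLite table named sections (a constructed sample; the table and its rows are assumptions) so it runs outside any framework. Where the reply suggests magic_quotes_gpc, the example uses prepared statements with bound parameters instead, which is what current PHP provides for this purpose.

```php
<?php
// Added example for this page (not the reply's code). Plain PHP + PDO + SQLite
// so it runs stand-alone; the `sections` table below is constructed sample data.
declare(strict_types=1);

// Vulnerable pattern: the raw GET value is concatenated into the SQL string.
// A scanner probes this with inputs that change the size of the result set,
// which is the "different split statements" heuristic the reply describes.
function find_section_unsafe(PDO $db, array $get): array
{
    $id = $get['section_id'] ?? '';
    $stmt = $db->query("SELECT id, title FROM sections WHERE id = " . $id);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern (reply's point 6): an id is an integer, so validate it as
// one before use, and bind it as a typed parameter instead of concatenating.
function find_section_safe(PDO $db, array $get): array
{
    $id = filter_var($get['section_id'] ?? '', FILTER_VALIDATE_INT);
    if ($id === false || $id < 1) {
        return []; // reject malformed ids rather than trying to "clean" them
    }
    $stmt = $db->prepare('SELECT id, title FROM sections WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output escaping (reply's XSS item 1): escape at the point of output, with an
// explicit UTF-8 charset so multi-byte encodings cannot slip past the escaper.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Upload naming (reply's PHP Security items 1 and 2): a whitelist of allowed
// suffixes rather than a "logical NOT" blacklist, and a server-generated name
// that never reuses the client-supplied file name.
function safe_upload_name(string $client_name): ?string
{
    $allowed = ['jpg' => 'jpg', 'jpeg' => 'jpg', 'png' => 'png', 'pdf' => 'pdf'];
    $ext = strtolower(pathinfo($client_name, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null; // "shell.php", ".htaccess", "x.phtml" all end up here
    }
    return bin2hex(random_bytes(16)) . '.' . $allowed[$ext];
}

// Session cookie flags (reply's XSS item 3): HttpOnly keeps document.cookie
// from reading the session id; Secure and SameSite are set alongside it.
function configure_session_cookie(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Demo against constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sections (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO sections VALUES (1, 'News'), (2, 'About <b>us</b>')");

configure_session_cookie();

// A normal request: the hardened handler returns the single matching row.
$rows = find_section_safe($db, ['section_id' => '2']);
echo 'normal request rows: ', count($rows), ' title: ', h($rows[0]['title']), PHP_EOL;

// A probe-shaped request: the hardened handler returns nothing, whereas the
// unsafe handler would have run "WHERE id = 1 OR 1=1" and returned every row.
$rows = find_section_safe($db, ['section_id' => '1 OR 1=1']);
echo 'probe request rows: ', count($rows), PHP_EOL;

// Upload names: only whitelisted suffixes get a generated name.
var_dump(safe_upload_name('photo.JPG') !== null);
var_dump(safe_upload_name('shell.php'));
```

Run it with the PHP CLI (php example.php) with the pdo_sqlite extension enabled. The contrast with find_section_unsafe is the point of the reply's item 2 in the question: the CI Input class returns the raw string, and whether that string is dangerous depends on what each call site does with it afterwards, which is why a scanner flags only some pages even though every page fetches parameters the same way.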
