I. SQL injection prevention
Risk
Database data is stolen or deleted; if there is no backup, the company's business may be ruined.
Principle
SQL injection means inserting SQL commands into a Web form submission, a domain name, or a page request query string so that the submitted text reaches the backend database and is executed as part of a query. By manipulating the backend DB query in this way, the attacker can bypass the authentication mechanism, obtain data that the user is not supposed to see, and even delete data on the server.
Example
statement = "SELECT * from Users WHERE id=" + variable + ";";
The above statement is a very common piece of SQL that looks up user information by ID. If the attacker enters the following as the variable: '007'; DROP table table_name, the SQL statement becomes
SELECT * from Users WHERE id='007'; DROP table table_name
which causes the table to be deleted. (This is just one example; proper DBA control of privileges can of course prevent it from happening.)
Prevention
Preventing SQL injection in Java is relatively simple; the following points need to be done:
1. Use an ORM framework such as Hibernate or MyBatis and pass in the parameters through it.
2. Use PreparedStatement, i.e. precompiled SQL statements.
3. Do not splice SQL strings directly (when using native SQL, let Hibernate assemble the parameters, or pass MyBatis parameters with #{}).
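The spliced statement and the precompiled (PreparedStatement-style) version side by side, as an added Python example that is not the page's own Java code. The in-memory Users table and the executescript() call, which stands in for a driver that accepts several statements per call, are assumptions made so the example runs offline.

```python
import sqlite3

# Constructed in-memory database standing in for the application's Users table
# (an assumption for this example).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id TEXT PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO Users VALUES ('001', 'alice')")
    conn.commit()
    return conn

def users_table_exists(conn):
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name='Users'"
    ).fetchone()
    return row is not None

def find_user_unsafe(conn, variable):
    # Direct string splicing, exactly as in the page's example statement.
    # executescript() mimics a driver that runs several statements per call,
    # which is what lets the appended DROP TABLE execute.
    sql = "SELECT * FROM Users WHERE id=" + variable + ";"
    conn.executescript(sql)
    return sql

def find_user_safe(conn, variable):
    # Precompiled statement with a bound parameter (PreparedStatement in Java).
    # The value travels separately from the SQL text, so it can never become code.
    return conn.execute("SELECT * FROM Users WHERE id=?", (variable,)).fetchall()

# The page's attacker input: closes the string literal, then appends a statement.
PAYLOAD = "'007'; DROP TABLE Users"

if __name__ == "__main__":
    db = make_db()
    print(find_user_unsafe(db, PAYLOAD))   # the Users table is gone afterwards
    print(users_table_exists(db))          # False
    db = make_db()
    print(find_user_safe(db, PAYLOAD))     # [] and the table survives
    print(users_table_exists(db))          # True
```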
II. Cross-site scripting (XSS) prevention
Risk
Server compromised (pages modified), user accounts stolen
Principle
A reflected cross-site scripting attack means the attacker sends the address of a vulnerable page to the user; when the user opens it, the JavaScript chosen by the attacker is executed and the user's cookie is stolen. A technically advanced attacker can control the user's browser directly.
A stored cross-site scripting attack means the attacker saves JavaScript content into the database through an application function (for example, storing a résumé). When users browse the site, the application displays this malicious JavaScript, the user's cookie is stolen, and again a technically advanced attacker can control the user's browser directly.
Example
<tr><td><spring:message code="Lable.field.user.company"/></td><td>${username}</td><td></td></tr>
Suppose the username variable holds user-supplied data such as <script src=xxx></script>; the malicious script will then be executed in the page.
Prevention
1. Filter text (HTML escape) on input or on output. Strictly controlling either input or output achieves the goal, but the strategy must be consistent across the whole site.
2. Set the HttpOnly flag on the cookie that identifies the user's login, so that scripts in the page cannot read it.
Guard Code
private static final char[] QUOTE_ENCODE = "&quot;".toCharArray();
private static final char[] AMP_ENCODE = "&amp;".toCharArray();
private static final char[] LT_ENCODE = "&lt;".toCharArray();

// Escapes '<', '&' and '"' so that user text cannot start a tag or break out of a
// double-quoted attribute. Note that '>' and the single quote are left as they are,
// so the result is only safe in element text and double-quoted attribute values.
public static final String escapeForHtml(String string) {
    if (string == null) {
        return null;
    }
    char ch;
    int i = 0;
    int last = 0;
    char[] input = string.toCharArray();
    int len = input.length;
    StringBuffer out = new StringBuffer((int) (len * 1.3));
    for (; i < len; i++) {
        ch = input[i];
        if (ch > '>') {
            // Every character that needs escaping sorts below '>', skip the rest quickly
            continue;
        } else if (ch == '<') {
            if (i > last) {
                out.append(input, last, i - last);
            }
            last = i + 1;
            out.append(LT_ENCODE);
        } else if (ch == '&') {
            if (i > last) {
                out.append(input, last, i - last);
            }
            last = i + 1;
            out.append(AMP_ENCODE);
        } else if (ch == '"') {
            if (i > last) {
                out.append(input, last, i - last);
            }
            last = i + 1;
            out.append(QUOTE_ENCODE);
        }
    }
    if (last == 0) {
        // Nothing needed escaping, return the original string untouched
        return string;
    }
    if (i > last) {
        out.append(input, last, i - last);
    }
    return out.toString();
}
III. Cross-site request forgery (CSRF) prevention
Risk
The user's profile is modified, and the attacker performs arbitrary actions as the user.
Principle
CSRF attacks are mainly caused by an attacker embedding malicious code or links in a Web page. When the victim's browser executes the malicious code, or the victim clicks the link, the attacker's request reaches the Web application with the victim's authenticated session. If the victim uses a multi-window browser, the attacker can control the Web application in any window of that browser as the victim.
Example
- I logged in to my own Web-based mailbox account.
- I decided to take a look around the Internet before an important message arrived, so I opened a new window in the multi-window browser.
- The site I visited contained hidden code. My browsing activated the hidden code, which sent an HTTP request to my e-mail Web server. The content of this request might be to delete all messages in my inbox. It's done.
Prevention
- Build a CSRF validation framework: when the user logs in, generate a random token and give it to the user in a cookie. When the user visits a form page, a hidden csrfToken field is added to the form automatically and is submitted to the action together with the form. Before the action runs its business logic, it verifies that the token in the cookie matches the token submitted in the form.
- In the form, the developer adds $csrfToken.HiddenField to generate the hidden csrfToken field.
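The token flow just described (random token in a cookie at login, the same token in a hidden form field, compared by the action before any business logic) as an added Python example; it is not the page's framework code. The cookie and field names and the dict-based request objects are assumptions.

```python
import hmac
import secrets

TOKEN_COOKIE = "csrfToken"   # cookie name (assumption)
TOKEN_FIELD = "csrfToken"    # hidden field name rendered by $csrfToken.HiddenField (assumption)

def issue_token():
    """At login: the random token that is handed to the user in a cookie."""
    return secrets.token_urlsafe(32)

def hidden_field(token):
    """What the hidden-field macro renders into the form page.
    token_urlsafe output contains only [A-Za-z0-9_-], so no HTML escaping is needed."""
    return '<input type="hidden" name="%s" value="%s"/>' % (TOKEN_FIELD, token)

def csrf_check(cookies, form):
    """Run by the action before its business logic. cookies and form are dicts
    standing in for the request's cookie jar and POST body."""
    expected = cookies.get(TOKEN_COOKIE)
    submitted = form.get(TOKEN_FIELD)
    if not expected or not submitted:
        return False
    # Constant-time comparison; a plain == would leak timing information.
    return hmac.compare_digest(expected, submitted)

def delete_all_mail(cookies, form):
    """Example action: returns True only when the request passed the CSRF check."""
    if not csrf_check(cookies, form):
        return False
    # ... business logic would run here ...
    return True

if __name__ == "__main__":
    token = issue_token()
    # Legitimate submission: the browser sends the cookie and the form carries the field.
    print(delete_all_mail({TOKEN_COOKIE: token}, {TOKEN_FIELD: token}))    # True
    # Forged request from another site: the cookie is sent automatically, but the
    # attacker's page cannot read it, so the form field is missing or a wrong guess.
    print(delete_all_mail({TOKEN_COOKIE: token}, {}))                      # False
    print(delete_all_mail({TOKEN_COOKIE: token}, {TOKEN_FIELD: "guess"}))  # False
```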
IV. Cross-site URL redirection (also known as Open Redirect) prevention
Risk
The user is phished and the account password is stolen.
Principle
The attacker takes a URL of your site that performs a redirect, puts the URL of a harmful site into the redirect parameter, and sends the result to the victim. The victim sees a URL on a domain that looks trustworthy, follows it, and lands on the harmful site, where the victim may be infected with a virus or forced into other actions.
Example
response.sendRedirect(request.getParameter("Done"));
Prevention
The application framework intercepts all 302 redirects and checks whether the redirect target is a whitelisted (the site's own) website. Whitelisted targets are redirected without prompting; for any other target, the user is shown a prompt and chooses whether to continue.
Guard Code
import java.net.URLEncoder;
import java.util.regex.Pattern;

// res is the HttpServletResponse of the current request; StringUtil.isEmpty is the
// project's own null-or-empty helper.
public boolean sendRedirect(String url) {
    if (!StringUtil.isEmpty(url)) {
        try {
            url = url.trim();
            if (!WHITE_DOMAIN_PATTERN.matcher(url).matches()) {
                // Not one of our own domains: send the user to the prompt page instead,
                // carrying the original target so they can choose whether to continue
                url = "http://www.dxy.cn/redirect?url=" + URLEncoder.encode(url, "UTF-8");
            }
            res.sendRedirect(url);
            return true;
        } catch (Throwable ex) {
        }
    }
    return false;
}

private static Pattern WHITE_DOMAIN_PATTERN = null;

static {
    StringBuilder buff = new StringBuilder();
    for (String domain : new String[] {"abc\\.(cn|com|net)", "aaa\\.cn", "bbb\\.(cn|com)", "ccc\\.cn"}) {
        if (buff.length() > 0) {
            buff.append("|");
        }
        // http(s)://<sub-domain>.<whitelisted domain> followed by an optional path
        buff.append("(^http[s]?://[\\w-]+\\.");
        buff.append(domain);
        buff.append("(\\/.*)?$)");
    }
    // Anything that does not start with "http" is treated as a relative URL and allowed
    buff.append("|(^(?!http).+$)");
    WHITE_DOMAIN_PATTERN = Pattern.compile(buff.toString(), Pattern.CASE_INSENSITIVE);
}
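The same whitelist check rebuilt in Python as an added example (not the page's Java code), with two changes a reviewer would ask for: the sub-domain is optional, so the bare whitelisted domain also passes, and the relative-URL rule requires exactly one leading slash, because the page's "anything not starting with http" rule also admits protocol-relative targets such as //host/path, which browsers resolve to another site. The domain list and the prompt page URL are constructed assumptions.

```python
import re
from urllib.parse import quote

# Constructed whitelist standing in for the page's own domain list (assumption).
WHITE_DOMAINS = [r"abc\.(cn|com|net)", r"aaa\.cn"]
# Hypothetical prompt page that shows the target and asks the user to confirm.
PROMPT_PAGE = "http://www.example.com/redirect?url="

def build_white_pattern(domains):
    parts = []
    for domain in domains:
        # scheme, optional sub-domain, the whitelisted domain, then end of string or a
        # path. Matching the whole string keeps "abc.cn.evil.example" and
        # "www.abc.cn@evil.example" out, since neither ends right after the domain.
        parts.append(r"(https?://([\w-]+\.)?" + domain + r"(/.*)?)")
    # Site-relative paths are allowed, but "//host" and "/\host" are not.
    parts.append(r"(/(?![/\\]).*)")
    return re.compile("|".join(parts), re.IGNORECASE)

WHITE_DOMAIN_PATTERN = build_white_pattern(WHITE_DOMAINS)

def redirect_target(url):
    """Return the Location to send: the URL itself when whitelisted, otherwise the
    prompt page carrying the URL so the user can decide whether to continue."""
    url = (url or "").strip()
    if not url:
        return None
    if WHITE_DOMAIN_PATTERN.fullmatch(url):
        return url
    return PROMPT_PAGE + quote(url, safe="")

if __name__ == "__main__":
    for target in ["http://www.abc.cn/user/home", "/inbox?page=2",
                   "http://evil.example/", "//evil.example/",
                   "http://abc.cn.evil.example/"]:
        print(target, "->", redirect_target(target))
```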
V. File upload prevention
Risk
The server falls under the attacker's control.
Principle
An attacker can take control of the server by uploading an executable script through a vulnerable attachment upload function.
Prevention
- Verify the file extension and only allow upload of file types on a whitelist (checked on both the front end and the back end).
- Use a different domain name for downloading uploaded files than for the main site.
- Generate the upload file path randomly so that the attacker cannot guess the file's location.
- Compress (re-encode) uploaded images so that the original file is not stored as received.
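The first and third measures (back-end extension whitelist, random storage name) as an added Python example, not the page's own code. The extension whitelist and the storage-name layout are assumptions; the original file name is never used for the path on disk.

```python
import os
import secrets

# Constructed whitelist of extensions the upload function accepts (assumption).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

def allowed_extension(filename):
    """Back-end whitelist check, independent of any check done in the browser.
    Returns the normalised extension, or None when the file must be rejected."""
    # Drop any client-supplied directory part (both slash styles) before looking
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base:
        return None                     # no extension at all: reject
    ext = base.rsplit(".", 1)[1].lower().strip()
    # "shell.php." normalises to an empty extension; anything not whitelisted is out
    if not ext or ext not in ALLOWED_EXTENSIONS:
        return None
    return ext

def stored_name(filename):
    """Random name for the file on disk, so the attacker cannot guess where it
    landed. Only the whitelisted extension is carried over from the upload."""
    ext = allowed_extension(filename)
    if ext is None:
        raise ValueError("file type not allowed: %r" % filename)
    return "%s.%s" % (secrets.token_hex(16), ext)

if __name__ == "__main__":
    for name in ["photo.JPG", "../../etc/shell.php", "report", "cv.pdf"]:
        try:
            print(name, "->", stored_name(name))
        except ValueError as err:
            print(name, "->", err)
```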
Everyone should know something about cyber security.