Design and detection of Software Website Security and Solutions

Source: Internet
Author: User

Security Testing mainly involves the following aspects:

1. SQL injection

See the article "Preventing SQL Injection Solutions".

2. Cross-site scripting (XSS)

See "XSS Cross-Site Scripting Solution".

3. Cross-site request forgery (CSRF)
4. Email header injection
5. Directory traversal
6. Exposed error messages

7. Discoverability of the management portal

8. Authentication bypass

A. When sensitive data is viewed, check that the user has permission to see it.

B. When a change to sensitive data is submitted, confirm the permission again, including that the data belongs to the submitting user.

C. Activation links must be single-use and have a validity period. The string carried in the link is encrypted with 3DES; no plaintext string is allowed.

D. Require the current password to be entered for verification when the password is changed.

9. File upload vulnerabilities

10. Program architecture security

A. Use a client/server (C/S) architecture whenever possible.

B. The public front end of the website has to be a web application, but the back-end management can be built as a client/server application.

C. Use .NET or Java as the programming language.

11. Security of configuration files

Database passwords are usually stored in the configuration file in plaintext, where they are easy to read and misuse. The solution is to store them as ciphertext encrypted with 3DES; the key is written directly into the code and must not be placed in a plaintext file.

12. Is HTTPS used?

13. Cookie security

See "Improving Cookie Security-Related Solutions"; the main measure is to encrypt the cookie with 3DES: cookie = 3DES("value, time, IP stamp").

14. Price tampering in e-commerce forms

Verify the submitted fields with an MD5 signature.
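As an added example that is not part of the original article, here is the signed-form check described above in Python: the server signs the order fields it renders into the form and re-verifies them on submission, so a client-side edit of the price is detected. The article's bare MD5 scheme is included for comparison only; the check itself uses HMAC-SHA256, which is the construction a message authentication code should use. The secret and the field values are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample: a server-side secret and the fields the shop renders into
# the order form. Both values are made up for this example.
SERVER_SECRET = b"replace-with-a-long-random-secret-kept-on-the-server"
ORDER_FIELDS = {"item_id": "SKU-1001", "price": "19.99", "currency": "USD", "qty": "2"}


def canonical(fields):
    """Serialize the protected fields in a fixed order so both sides hash the same bytes."""
    return "&".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()


def md5_signature(fields, secret):
    """The scheme the article names: an MD5 digest over a secret plus the fields.
    Kept for comparison only; plain MD5(secret || data) is not a sound MAC."""
    return hashlib.md5(secret + canonical(fields)).hexdigest()


def hmac_signature(fields, secret):
    """HMAC-SHA256 over the canonical fields: the construction to actually use."""
    return hmac.new(secret, canonical(fields), hashlib.sha256).hexdigest()


def render_form(fields, secret):
    """What the server sends with the form: the fields plus their signature (a hidden field)."""
    return dict(fields, sig=hmac_signature(fields, secret))


def verify_order(fields, presented_sig, secret):
    """Server-side check on submission: recompute the signature and compare in constant time.
    Any change to a protected field (price, qty, ...) yields a different digest."""
    expected = hmac_signature(fields, secret)
    return hmac.compare_digest(expected, presented_sig)


def handle_submission(submitted, secret):
    """Split the signature off the submitted form and verify the remaining fields."""
    submitted = dict(submitted)
    sig = submitted.pop("sig", "")
    return verify_order(submitted, sig, secret)


if __name__ == "__main__":
    form = render_form(ORDER_FIELDS, SERVER_SECRET)
    print("untampered form accepted:", handle_submission(form, SERVER_SECRET))
    tampered = dict(form, price="0.01")  # price edited in the browser
    print("tampered price accepted:", handle_submission(tampered, SERVER_SECRET))
```

The price, quantity and currency are still resolved from the server's own catalogue in a real shop; the signature only makes sure the values echoed back by the client are the ones the server issued.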

15. Session security

Permissions must not be decided from an empty session value; an explicit value must be set.

16. Server-side validation

Validation cannot rely on the client alone.
