[Java] system vulnerabilities: Precautions for user logon operations, java User Logon

Source: Internet
Author: User

Project Background:

SpringMVC + Mybatis + MySql database (Java Web project development)

Related modules: logon, personal details modification, order details Query

Related vulnerabilities:

1. Login verification code (CAPTCHA): the verification code must be checked on the server side (in the background). If it is checked only in the browser (the foreground) and never on the server, the first vulnerability appears: an attacker can use a tool to bypass the verification code and brute-force the password;

2. Interceptor: every interface that operates on personal information must be named under /user or /admin so that the interceptor covers it. If the user is not logged on, the interceptor automatically redirects to the logon page;

3. Modifying personal details: user information such as the user id must be stored in the session. If a password-free interface is used (that is, the password is not required to modify the information), do not take the user id uploaded by the client as the unique identifier when modifying account information. Whenever the user's key information is needed, obtain the currently logged-on user from the session; this prevents a user logged on as account 3000001 from modifying the personal information of other accounts;

4. Order details interface: if the order details query takes only the order id, then even though the interface name carries /user (so a user who is not logged on is blocked), another logged-on user can still query the details of orders that are not their own. Before querying the order details, verify that the order belongs to the current login user, that is, that the id in the session matches the id of the order's creator; this prevents information leakage;

(Note: the vulnerabilities above actually occurred. I hope other newcomers will also take the initiative and discuss with more people the problems they encounter in development.)
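As an added example (not code from the original post), items 1 and 2 in a Spring MVC controller and interceptor: the CAPTCHA submitted with the login form is compared on the server against the value stored in the session when the image was rendered, and is consumed on the first attempt so one solved image cannot be replayed for many password guesses; a HandlerInterceptor registered on /user/** and /admin/** redirects any request without a logged-on user to the logon page. The class, attribute and view names (LoginController, LoginInterceptor, WebConfig, "captcha", "loginUser") are assumptions; the Spring MVC 5 and javax.servlet APIs are real.

```java
// Added example, not the project's own code. Spring MVC 5.x with javax.servlet.
// In a real project each top-level class lives in its own file; they are shown
// together here, so only the first one is declared public.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.context.annotation.Configuration;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Controller
public class LoginController {

    @PostMapping("/login")
    public String login(@RequestParam String username,
                        @RequestParam String password,
                        @RequestParam String captcha,
                        HttpSession session) {
        // The expected code was written into the session by the handler that
        // rendered the CAPTCHA image (hypothetical attribute name "captcha").
        String expected = (String) session.getAttribute("captcha");
        // Consume it before comparing: a code is valid for exactly one attempt,
        // whether or not that attempt succeeds.
        session.removeAttribute("captcha");
        if (expected == null || !constantTimeEquals(expected, captcha)) {
            return "redirect:/login?error=captcha";
        }
        // Username/password check against the database goes here (omitted).
        // On success the authenticated user object is stored server-side, e.g.
        // session.setAttribute("loginUser", user); the interceptor below keys on it.
        return "redirect:/user/home";
    }

    // MessageDigest.isEqual compares without short-circuiting on the first
    // differing byte; a null or missing parameter never matches.
    static boolean constantTimeEquals(String expected, String submitted) {
        if (submitted == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }
}

// Item 2: any request under /user/** or /admin/** without a logged-on user in
// the session is redirected to the logon page before the handler runs.
class LoginInterceptor implements HandlerInterceptor {
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
                             Object handler) throws Exception {
        // getSession(false) does not create a session for anonymous callers.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute("loginUser") == null) {
            response.sendRedirect(request.getContextPath() + "/login");
            return false; // stop the chain; the controller is never reached
        }
        return true;
    }
}

@Configuration
class WebConfig implements WebMvcConfigurer {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // Only interfaces named under these prefixes are protected, which is
        // why the post insists that personal-data interfaces use /user or /admin.
        registry.addInterceptor(new LoginInterceptor())
                .addPathPatterns("/user/**", "/admin/**");
    }
}
```

The interceptor only establishes that someone is logged on; it says nothing about which user's data a handler may touch, which is the subject of items 3 and 4.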
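Items 3 and 4 share one root cause: the handler trusts an identifier supplied by the client instead of the identity already in the session. As an added example (not code from the original post), the following MyBatis mappers and Spring MVC controller take the user id from the session for both the profile update and the order lookup, and bind it into the SQL so that an order belonging to another user returns no row. The table, column, mapper, entity and attribute names (t_user, t_order, UserMapper, OrderMapper, Order, User, "loginUser") are assumptions; the MyBatis 3 annotation and Spring MVC APIs are real.

```java
// Added example, not the project's own code. MyBatis 3 annotations plus Spring
// MVC 5.x; the mapper interfaces are assumed to be registered via @MapperScan.
// Shown in one file for reading; only the controller is declared public.
import javax.servlet.http.HttpSession;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;
import org.apache.ibatis.annotations.Update;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// Minimal entities (hypothetical); the real project would have richer ones.
class User {
    private long id;
    public long getId() { return id; }
    public void setId(long id) { this.id = id; }
}

class Order {
    private long id;
    private long userId;
    private String status;
    public long getId() { return id; }
    public long getUserId() { return userId; }
    public String getStatus() { return status; }
    public void setId(long id) { this.id = id; }
    public void setUserId(long userId) { this.userId = userId; }
    public void setStatus(String status) { this.status = status; }
}

interface UserMapper {
    // Item 3: the row is selected by the session user's id, so the statement can
    // only ever change the caller's own record.
    @Update("UPDATE t_user SET nickname = #{nickname}, phone = #{phone} WHERE id = #{userId}")
    int updateProfile(@Param("userId") long userId,
                      @Param("nickname") String nickname,
                      @Param("phone") String phone);
}

interface OrderMapper {
    // Item 4: ownership is part of the query itself. A foreign order id yields
    // no row, so there is no separate post-query check that can be forgotten.
    @Select("SELECT id, user_id AS userId, status FROM t_order "
          + "WHERE id = #{orderId} AND user_id = #{userId}")
    Order findOwnOrder(@Param("orderId") long orderId, @Param("userId") long userId);
}

@RestController
@RequestMapping("/user")   // covered by the login interceptor on /user/**
public class ProfileAndOrderController {

    @Autowired private UserMapper userMapper;
    @Autowired private OrderMapper orderMapper;

    // Vulnerable shape described in item 3, kept only as a comment for contrast:
    //   updateProfile(@RequestParam long userId, ...) { userMapper.updateProfile(userId, ...); }
    // Any logged-on user could submit someone else's userId.

    @PostMapping("/profile")
    public ResponseEntity<Void> updateProfile(@RequestParam String nickname,
                                              @RequestParam String phone,
                                              HttpSession session) {
        // The identity is whatever login stored in the session, never a request field.
        userMapper.updateProfile(currentUserId(session), nickname, phone);
        return ResponseEntity.noContent().build();
    }

    @GetMapping("/order/{orderId}")
    public ResponseEntity<Order> orderDetail(@PathVariable long orderId, HttpSession session) {
        Order order = orderMapper.findOwnOrder(orderId, currentUserId(session));
        if (order == null) {
            // One response for "no such order" and "not your order", so the
            // endpoint does not confirm which order ids exist for other users.
            return ResponseEntity.status(HttpStatus.NOT_FOUND).build();
        }
        return ResponseEntity.ok(order);
    }

    private static long currentUserId(HttpSession session) {
        // The interceptor guarantees "loginUser" is present on /user/** routes;
        // a null here means a handler was mapped outside the protected prefixes.
        User user = (User) session.getAttribute("loginUser");
        if (user == null) {
            throw new IllegalStateException("no logged-on user in session");
        }
        return user.getId();
    }
}
```

Putting the owner condition in the WHERE clause rather than comparing `order.getUserId()` after the fact also keeps the check in one place for every caller of the mapper, including batch or export code that does not go through this controller.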
