0x00 Preface

In a complete system, both desktop and web programs store data on the client side, such as cookies and db files. To keep that data from being read or tampered with from outside, the program encrypts it: QQ passwords, chat records, user information in web programs, and so on. For open-source programs the algorithm is public, so the protection of the encrypted data rests entirely on the key. Once that data becomes controllable by an attacker, security problems follow. This article discusses the security of the code that handles private data in open-source web applications.

0x01 Keys

When an encryption key can be calculated or cracked, the private data is fully controllable, and depending on the actual environment this leads to attacks such as SQL injection, XSS and unauthorized access. Examples:

espcms brute-force injection: http://www.bkjia.com/Article/201304/199559.html
dedecms cookie injection: http://www.wooyun.org/bugs/wooyun-2010-018567
PHPCMS V9 sys_auth() design defects cause multiple SQL injection vulnerabilities: http://www.bkjia.com/Article/201109/104004.html

0x02 Key unknown

For consistency between data and code, the encryption and decryption key for data within one system is generally shared by the whole system. So even without the key, we can use some function of the program that itself produces encrypted data, and through it control the program's private data and launch attacks. Similar cases:

phpcms SQL injection: http://www.wooyun.org/bugs/wooyun-2010-024984
espcms second-order injection: http://www.bkjia.com/Article/201308/235764.html

0x03 Summary

When variables can be controlled, everything is dangerous. Besides strictly filtering input and output data, the program also has to treat its own internal private data as untrusted: data that comes back out of a decrypt routine must be validated and used in parameterized queries just like any other user input, because "encrypted" does not mean "trusted".
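As an added example that is not from the original article or from any of the CMSes cited above, the following Python sketch models both situations (0x01 and 0x02) on a toy reversible cookie cipher. The cipher, the cookie layout (the cookie holds a username), the "install date" key derivation and the remember_me() feature are assumptions for the illustration, not the real sys_auth() or any real CMS code; sqlite3 stands in for the site database.

```python
"""Added illustration: reversible cookie encryption and attacker-controlled plaintext.

Two ways the plaintext reaching an SQL query becomes attacker-controlled:
  1. the key is derivable (here: a short date-based key, brute-forced from the
     attacker's own valid cookie, a known plaintext/ciphertext pair);
  2. the key is unknown, but the application itself encrypts user-supplied
     input with the same key (an encryption oracle), so a cookie carrying an
     injection payload can simply be minted through that feature.
The cipher, cookie layout and query below are assumptions for this demo.
"""
import base64
import hashlib
import hmac
import os
import sqlite3


def keystream(key: bytes, n: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode (not a real CMS cipher)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def sys_encrypt(data: str, key: bytes) -> str:
    """Reversible, unauthenticated encryption of the kind older PHP CMSes use for cookies."""
    raw = data.encode()
    xored = bytes(a ^ b for a, b in zip(raw, keystream(key, len(raw))))
    return base64.urlsafe_b64encode(xored).decode()


def sys_decrypt(token: str, key: bytes) -> str:
    raw = base64.urlsafe_b64decode(token)
    return bytes(a ^ b for a, b in zip(raw, keystream(key, len(raw)))).decode(errors="replace")


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the site database."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE users(id INTEGER, username TEXT, secret TEXT);"
        "INSERT INTO users VALUES (1, 'admin', 'admin-secret');"
        "INSERT INTO users VALUES (2, 'guest', 'guest-secret');"
    )
    return db


def vulnerable_lookup(db, cookie: str, key: bytes) -> list:
    """The vulnerable pattern: whatever decrypts is trusted and concatenated into SQL."""
    username = sys_decrypt(cookie, key)
    sql = f"SELECT secret FROM users WHERE username = '{username}'"
    return [row[0] for row in db.execute(sql)]


def safe_lookup(db, cookie: str, key: bytes) -> list:
    """Decrypted data treated as untrusted input: parameterized query."""
    username = sys_decrypt(cookie, key)
    return [row[0] for row in db.execute("SELECT secret FROM users WHERE username = ?", (username,))]


def crack_weak_key(known_cookie: str, known_plain: str, candidates):
    """0x01: recover a key from a small key space using the attacker's own cookie."""
    for cand in candidates:
        if sys_decrypt(known_cookie, cand) == known_plain:
            return cand
    return None


PAYLOAD = "' OR '1'='1"  # closes the quoted username and makes the WHERE clause always true


def demo_known_key():
    """Key derived from something guessable (assumed: install date as YYYYMMDD)."""
    db = make_db()
    site_key = b"20130401"
    my_cookie = sys_encrypt("guest", site_key)          # attacker's own legitimate cookie
    dates = (str(d).encode() for d in range(20130101, 20131232))
    cracked = crack_weak_key(my_cookie, "guest", dates)
    forged = sys_encrypt(PAYLOAD, cracked)              # now any cookie can be minted
    return cracked, vulnerable_lookup(db, forged, site_key), safe_lookup(db, forged, site_key)


def demo_oracle():
    """Key is strong and unknown, but the app encrypts attacker input with it."""
    db = make_db()
    site_key = os.urandom(32)

    def remember_me(name: str) -> str:
        # assumed feature: stores a user-supplied value encrypted with the site-wide key
        return sys_encrypt(name, site_key)

    cookie = remember_me(PAYLOAD)                       # the app mints the malicious cookie for us
    return vulnerable_lookup(db, cookie, site_key), safe_lookup(db, cookie, site_key)


if __name__ == "__main__":
    print("0x01 cracked key, leaked, safe:", demo_known_key())
    print("0x02 oracle leaked, safe:", demo_oracle())
```

In both scenarios vulnerable_lookup() returns every user's secret while safe_lookup() returns nothing, which is the point of 0x03: a stronger key or an authenticated cipher closes the 0x01 path, but as long as the application encrypts user-supplied values with the same key (0x02), the only reliable defence is to treat decrypted values as untrusted input.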