Web security protection database policy should be taken first

Source: Internet
Author: User
Tags access database security

1. Database Security

1, ms SQL Server database security

Sa-level users are not allowed to connect to the database on the Web.

Solution:

Delete the sa user and create a new user with the sa permission. the user name and password are as complex as they are. To prevent brute-force cracking.

Create a web connection user, remove all server roles, and add the database and db_public identity to the user ing.

If you want to add additional permissions for other operations, for example, add insert/delete/select/update only ).

No one can guarantee that the code they write is free of vulnerabilities. You only need to process it at the database layer to prevent intrusion. If you have the same SQL Injection db_public identity, you can add/modify/delete permissions to the database. Therefore, you must not have the SQL injection vulnerability.

If it can defend against SQL injection and permission restrictions, it is very difficult to create a storm Library/cross-database image.

2. Access Database Security

Solution:

Anti-Riot Database: add error handling code when connecting to the database. If the database connection fails, an error message or redirection is prompted. The system itself cannot prompt an error message,

Download prevention.

Step 1: Create a new table.

Step 2: create a field in the table with a random name and an OLE object of the type. Then, use ASP code to add a record to the field and write the "<%" Code as follows: insert into tablename (fieldname) value (chrB (asc ("<") & chrB (asc ("% "))).

Step 3: Rename the database *. ASP

The safest way is to use an ODBC data source for connection.

2. web code security

1. Small vulnerabilities in file backup.

Some ASP editors will automatically back up asp files and change their names *. in this way, the vulnerability will be downloaded. Do not change the name of the asp file *. txt /. bak/, etc. Be sure to keep the extension unchanged *. asp), do not upload backup files when uploading to the site.

2. Prevents SQL injection.

SQL injection is mainly used to generate a threatening SQL statement without filtering single quotes.

Such as: http://www.livexy.com/view.asp? Id = 100 if there is SQL Injection we can write this: http://www.livexy.com/view.asp? Id = 100; delete * from tablename; select * from aaa where when running in the background; delete * from tablename

Here, we would like to remind you not to think that. net is safe and there will be no SQL injection. If the SQL injection vulnerability exists in all database operations. Both software and websites exist.

Solution:

Filter illegal characters received at the beginning of the page, such as exec/delete/insert into/update/'. Here, filtering does not mean to filter invalid characters into empty strings, it filters out similar characters. Or, if an invalid character exists, go to the error handling page. Here is an example of what will happen if exec is filtered as an empty string. If exexecec exexexexexexexec exists in the string, What is it after filtering or exec. I will not talk about it here. Everyone understands it.

If the receiving parameter is numeric, you must first determine the data type to prevent other errors. Often, the source of hacker information is the page error information.

If the parameter is character type, you must filter the single quotation marks in the string as double quotation marks or other characters.

Here is an example: Our code is usually written in this way. select * from aaa where bbb = '"+ sVal +"' "seems to be correct on the surface, however, this sentence contains SQL injection. Why? See: The sVal value is the data submitted externally. If the sVal value is aaa'; delect * from bbb; -- it is written together: select * from aaa where bbb = 'aaa'; delect * from bbb; -- 'where --' is the comment.

Using DbParameter is much more than splicing SQL statements.

3. logon vulnerability.

Solution:

Filter invalid strings

SQL statement

 
 
  1. select password from user where username=’” + sqlstr(sUser) + “’”  

Sqlstr () is a function used to filter invalid strings. sUser is the character entered in the User Name text box. Then, determine whether the password in the database is consistent with the password entered.

Principle: The user name finds the user's record in the database and compares it with the password. Do not use "select * from user where username = '" + sqlstr (sUser) + "and password ='" + sqlstr (sPass) + '', and then judge whether it is null." This method.

4. Save the file as a protection File

Solution:

 
 
  1. <NOSCRIPT><IFRAME SRC="*.html"></IFRAME></NOSCRIPT>  

It is not perfect to prevent others from downloading the website's HTML code.

5. Anti-embed

Solution:

 
 
  1. <script>if (self != top) { top.location = self.location; }</script>  

Prevent others from Embedding our website, and then do some work. For example, record the keyboard and monitor the input data.

6. prevents local data submission

Solution:

When saving data, the first step is to determine the source. If data is not submitted from the specified source, an error message is displayed.

Step 2: Filter invalid characters for submitted data.

Step 3: Save the data to the database. Make sure to handle errors when saving the data.

7. Unlimited refresh Protection

Solution:

This is hard to do. Of course there are also many methods.

1. Create a badge on the server

2. Add access log information to the code and analyze the log information to determine the access frequency of the same person.

3. Use js to operate cookies to record access log information and determine the access frequency. This method does not occupy server resources.

8. Unlimited data submission/ajax automatic data submission

Solution:

Add the verification code and submission time, for example, sending messages in one type.

9. Defense Against js Code

Solution:

It is difficult to filter all js Code. js attack vulnerabilities account for the majority. Javascript is also a strange way to write. Here I am sending some offensive html code. These are common, and each of them is written differently. Single quotation marks and double quotation marks are different/case-insensitive/sorted in different order, tab and space are different, Html tags are different, events are different, and styles are different.

 
 
  1. <P style="BACKGROUND:url(JAVA   SCRIPT:alert('11111'))">test</P>   
  2. <body>   
  3.    
  4.    
  5. <STYLE>div{behavior: url("htc.js");};<style>   
  6. <STYLE>body{oMouseOut: eXpreSsIon(onclick = function(){alert('33333');})} <style>   
  7. <STYLE>body{background:url(JAVASCRIPT:alert('22222'));} <style>   
  8. <STYLE>@import "JAVASCRIPT:alert('444444')"; <style>   
  9. <link href="JAVASCRIPT:alert('777777')" rel="stylesheet" />   
  10. <script src= hk.js></script>   
  11. <P style="BACKGROUND:url(JAVASCRIPT:document.write('<script src=hk.js></script>'))">test</P>   
  12. <iframe src='hk1.html'></iframe>  

10. Prevent Cookie counterfeiting

Solution:

Do not store password information in cookies

When using data in cookies, you must re-read the data from the database. Then compare. Prevent Cookie tampering.

Cookie data needs to be encrypted

11. Buffer Overflow

Solution:

Do not open useless software on the server.

In the code running on the server, a pair must be released.

In the js/vbs/activex/flash code running on the client, the dom object used must be released at the end.

12. Others

Browser protection plug-in

Modify the security options of IE to disable or prompt the running of "active script" and ActiveX.

Or set the security level to high in IE security settings. The privacy option is also set to high.

Iii. Server Security

Disable useless ports

Download patches/update operating systems

Install anti-virus software

Install firewall

If there are multiple sites on the server and each site is assigned permissions, each site cannot operate other files and directories or affect other sites.

Note: As we all know above, why are there so many vulnerabilities. Sometimes my colleagues and I often talk about some difficult things. Do I often say that single quotes are filtered out? The answer is filtered out. I also said that I should reply to me again, all the answers are still filtered out. This reflects a problem that everyone understands. It is a habit to write code using select * from aaa where bbb = '"+ sVal +. In fact, I often make this mistake, so it is especially mentioned here. This is a heavy lifting.

Original article title: web security question Summary

Link: http://www.cnblogs.com/livexy/archive/2010/07/07/1773199.html

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.