How to prevent Web sites from being securely deployed by SQL injection attacks on Java sites

SQL injection attack (SQL injection) is the most offensive, highly hazardous, and exploited by hackers in the current Web site security and server security level, and is basically targeted at site code, including Java JSP PHP ASP Apache Tomcat There is a SQL injection vulnerability in language development code.

With the growing market share of the Java JSP Architecture, many platforms use Java development, this article through the detailed analysis of SQL injection, from the code level and the server level, fundamentally to prevent SQL injection attacks.

The principle of SQL injection vulnerability is very simple, popular: is the programmer in writing the site code, some code to execute the database command, the programmer did not seriously write and carefully filter, resulting in the external malicious parameters can be stitched into the SQL statement, directly into the database to execute, Cause hackers can perform some query user account password, modify information, execute the System command security operation.

Website Security Services

Let's build a Java environment website, design an API service interface that can query user information, we use Springboot + jersey to build our Web Services query framework.

The database is a MySQL schema, build a new database table: admin, then create the Administrator account and password (using MD5 encryption), so that our user information, we can provide the query. We set up the Springboot + Jersey Framework service and then write the query code into the framework. Sine security Company is a focus on: Server security, website security, website security detection, site vulnerability remediation, penetration testing, security services in one of the network security service providers.

Let us test the interface of the query, whether the output can be normal:

Get request submission via web site, the Web service interface returns 200 and outputs the administrator account and password for the user named Admin. This output is normal, but we send a comma-sent GET request on the website, we will find an error.

You have a error in your SQL syntax; Check the manual-corresponds to your MySQL server version for the right syntax-use-near ' xxxx ' in line 1.

That is, the above query is wrong, because we added a comma inside, causing the error prompt to be returned to the database and executed while the database was being passed.

Site Security Deployment

SQL Injection Details parsing:

Get the site time parameter, passed in a string type of the name parameter value, and through the stringTogether, the query statements of the database are constructed. In normal operation, the user will pass in a valid name parameter value for the database query, but the attacker will fabricate some malicious arguments, as long as the parameters through the string concatenation is still a legitimate SQL query, the SQL injection occurs at this time. As we entered above, name=xxxx ' or ' a ' = ' A is spliced with the query statement in our interface to make the following SQL statement

When the interface executes name=xxxx ' or ' a ' = ' A This SQL statement, the system background is equivalent to free to hackers, hackers see the administrator password this hash, do not have to cmd5 decryption, the attacker will directly use 123456 this password to log on to the site's backend management system. Why? Because 123456 of the MD5 hash is too common, this is the reality of many Java Web sites, in terms of site security and weak passwords simply do not bear to look directly.

Well, now we should understand that the reason for SQL injection is because the incoming parameters and the system's SQL splicing into a legitimate SQL, and its essence is the user input data as code execution. In the system as long as there is a SQL injection point is discovered by hackers, then the hacker can basically execute arbitrary execution of SQL statements, such as adding an administrator, query all tables, modify user passwords and so on.

The above is the details of the SQL injection attack, the following will be described in detail, how to prevent SQL injection attacks, TSE to Baizhanbudai. Understand the principle of SQL attack, in order to better protect against SQL injection attacks.

Web site security needs to be carefully crafted, server security is 100-1 = 0 of the business, even if you defend against 99% of the attack, it is not a victory, as long as one site was invaded, it could bring serious losses and consequences for the company. If you do not understand the site anti-SQL attacks, you can also find a professional security company to deploy anti-SQL injection attack deployment, domestic security companies like the Green League, Sinesafe, in the security of the relatively good.

Other ways to prevent SQL injection

Many companies will have a large number of SQL injection risk code in the old system, but because it has been stable to support the company's business for a long time, it is not appropriate to use large-area code update to eliminate the injection of hidden trouble, it is necessary to consider the way he used to prevent SQL injection. In addition to preventing SQL injection in SQL execution, there are many times when SQL injection can be prevented by architecture or by other filtering methods.

All inputs are unsafe: for the invocation parameters of the interface, to format match, for example, the admin of the interface through the name query, the matching path should use a regular match (because there should be no special characters in the user name), so that the incoming parameter is controlled by the parameters of the range, This means that only known good input values are accepted and bad input is rejected. Note: Validation parameters should be used in conjunction with the output encoding technique.

Use layered design to avoid danger: the front end is as static as possible, minimal exposure can access to the DAO layer interface to the public network environment, if the existing project, it is difficult to modify the presence of injected code, you can consider adding a WAF before the Web service traffic filtering, Of course, the code does not give hacker to leave the vulnerability of attack is the best solution. It is also possible to use Openrestry to do traffic filtering and to escape some special characters in the structure with Nginx.

Use precompiled SQL statements as much as possible: Because dynamic SQL statements are the root cause of SQL injection. You should use precompiled statements to assemble SQL queries.

Normalization: the input and installation rules are encoded and decoded before input parameter filtering and output encoding processing; reject all non-canonical format encoding.

How to prevent Web sites from being securely deployed by SQL injection attacks on Java sites