Prevent SQL injection
SQL (Structured Query language) is based on the American National Standards Institute (ANSI) standard and communicates with the database as a common language. Each database system adds some proprietary functionality to the basic ANSI SQL.
SQL injection is a technique that makes good SQL injection into user input fields, which is part of a Web page--Used to bypass custom logins to the site. However, SQL injection can also be used to log in or take over a Web site, so it is important to ensure that it prevents attacks.
Developers and administrators can take many different steps to solve SQL injection problems. The following are solutions for developers:
· Filter all input fields single quotation marks (') to prevent unauthorized logons.
· Filter SQL commands for all input fields, such as INSERT, select, trade union, Delete, and exec to protect server operations. (Make sure the action is done after filtering single quotes)
· Limit the input field length (this will limit the attacker's choice) and verify the input length with the server-side script.
Use of stored procedures
xp_cmdshell external commands for performing database computer operating systems
xp_sendmail sending a message from the database computer
xp_regaddmultistring xp_regdeletekey xp_regdeletevalue xp_regenumkeys xp_regenumvalues xp_regread xp_ Regremovemultistring Xp_regwrite Control the factors of registration management
Xp_servicecontrol start, stop, and pause services. Can be used for attackers to stop critical services or activate services that can be exploited, such as the Telnet Server service.
· Use the option to filter the "escape character" (used to inject SQL code, such as single quotes) if the database provides that functionality.
· In addition to the Web server, place the database on a different computer's Web server. Once the database has been hacked, it is also difficult to attack the Web service period.
· Restrict user permissions on server-side scripts. The usual practice of logging from a server-side script to a database is to use an administrative user, but this may also allow an attacker to run database tasks (such as modifying tables or running stored procedures) that require administrative users. So the minimum user rights assignment is used to achieve this goal.
· Remove all unnecessary extended stored procedures to limit the likelihood of an attacker.
· Place the database in a separate space (behind the firewall), isolated from the Web container and the application server.
Unlike developers, administrators do not have control over the code and cannot represent changes on the programmer's behalf. However, administrators can mitigate risk by running some tests and ensuring code security:
· Make sure that the Web server returns a custom error page. As a result, the server will not return SQL errors, which will make it more difficult for attackers to obtain SQL data. (The custom error page should not contain any information that might help the attacker, unlike the general error page that will return some SQL.) )
· Deploy only Web applications that detach data from the Web server.
· Employ external agencies to perform penetration testing on the Web server and look for SQL injection attacks.
· Use a dedicated automatic scanning device to explore SQL injection vulnerabilities caused by programmer errors.
· Deploy security solutions to validate user input and filter SQL injection attempts.
Ii. prevention of forms and script leaks
Forms are used to allow user input, but they can also be used to manage sessions and transfer important data (such as user or session identifiers) within a session. An attacker could expose data embedded in a creation window and expose other user information through a Web application, or trade in e-commerce at a lower price. 3 forms of exposure are as follows:
· disabling client Script
· Passing parameters in URLs
· Passing parameters through hidden fields
1. Client-side scripting
Some developers use client-side scripting to validate various ways of entering fields:
· Limit the size of the input field
· Prohibit certain characters (such as single quotes)
· Perform other types of validation (these can be specific to each site)
This validation can be easily bypassed by disabling client script (JavaScript or VBScript). Developers should validate all fields on the server side. This may require additional resources on the server.
2. Passing parameters via URL
Windows has two methods for passing data: Post and get. Post command. Send data in the content stream and get command to send data in the URL. An attacker could use the GET command to send invalid or incorrect data, or to send malicious code.
For example, suppose we have this form:
...
<formaction= "Login.asp" method= "Get" >
<p>username:<inputtype=textname= "username"/></p>
<p>password:<inputtype=passwordname=password/></p>
<p><inputtype= "Submit" name= "submit" value= "Login"/></p>
</form>
...
Let's assume that the user enters Someusername as the user name and somepassword the password. The browser will be redirected to this URL
Http://thesite/login.asp?username=someusername?password=somepassword
An attacker could simply modify the URL's data (using this type of URL in the browser's address bar). This method can be used in e-commerce sites to change the price of the project. For example, take a look at the following URLs:
http://somesite/checkout.asp?totalprice=100
An attacker could simply change the value of "Totalprice" and perform a checkout with a lower price ratio. This can be done simply by changing the URL:
Http://somesite/checkout.asp?totalprice=50
The Web application performs the inspection, but the total price is $50 (in lieu of $2881064151).
In another case, after logging in, the user recognizes that a get is being sent, lets an attacker modify it, and performs an action on behalf of another user.
An attacker could change the user's value and obtain the user's data when the user was present.
3. Passing data through hidden fields
The post uses an HTTP command when sending data. Unlike get, this method does not display the data in the URL, but it is also more easily exploited. Consider the following table:
... <formaction= "checkout.asp" method= "post" ><inputtype= "hidden" name= "userid" value= "102"/><p> <inputtype= "Submit" name= "Submit" value= "Checkout"/></P></FORM>
Post is using an HTTP command when sending data