Web application refers to the use of B/s architecture, through the HTTP/HTTPS protocol to provide services. With the wide use of the Internet, Web applications have been integrated into every aspect of daily life: online shopping, internet banking applications, securities stock trading, government administrative approval and so on. In these web accesses, most applications are not static web browsing, but involve dynamic processing of the server side. At this point, if the Java, PHP, ASP and other programming language programmers lack of security awareness, the program parameter input, such as inspection is not strict, will lead to web application security problems emerge.
Based on the security of the current Web application, this article enumerates the common attack principles and hazards of web applications, and gives suggestions on how to avoid web attacks.
Web Application Vulnerability principle
A Web application attack is an attacker who, through a browser or attack tool, sends a special request to a Web server in a URL or other input region (such as a form), discovers a vulnerability to a Web application, and thereby further manipulates and controls the Web site, viewing, and modifying unauthorized information.
Vulnerability classification for 1.1 Web applications
1. Information Disclosure loophole
The Information disclosure vulnerability is due to the fact that the Web server or application does not properly handle some special requests, revealing some sensitive information about the Web server, such as user name, password, source code, server information, configuration information, and so on.
There are three main reasons for the disclosure of information:
--web server configuration problems, resulting in some system files or configuration files exposed to the Internet;
--web the server itself is vulnerable, enter some special characters in the browser, you can access the unauthorized file or dynamic script file source;
There are problems with the programming of the--web website, and the user submits the request without proper filtering, directly using the data submitted by the user.
2, Directory Traversal vulnerability
Directory traversal vulnerability is an attacker sending a request to a Web server by attaching "in a URL or in a directory that has a special meaning." /", or additional".. /"Some variants (such as" ...) \ "or". Even its encoding, which can lead to an attacker having access to an unauthorized directory and executing commands outside the root directory of the Web server.
3. Command execution vulnerability
The command execution vulnerability is to initiate a request through a URL, execute unauthorized commands on the Web server, obtain system information, tamper with the system configuration, control the entire system, and disable the system.
There are two main types of command execution vulnerabilities:
--Through directory traversal vulnerabilities, access to system folders, execution of specified system commands;
--The attacker submits a special character or command, the Web program does not detect or bypass the Web application filtering, and the user submits the request as an instruction to parse, resulting in the execution of arbitrary commands.
4. file contains vulnerability
A file contains a vulnerability when an attacker sends a request to a Web server, adds an illegal parameter to the URL, and the Web server-side program variable is filtered lax and the illegal filename is treated as a parameter. These illegal file names can be either a local file on the server or a malicious file on the remote side. Because this vulnerability is caused by lax filtering of PHP variables, it is possible for a Web application based on PHP to have a file-containing vulnerability.
5. SQL Injection Vulnerability
SQL injection vulnerability is due to the fact that the Web application does not judge the legality of user input data by inserting special characters and instructions with carefully constructed SQL statements through the input areas of Web pages (such as URLs, forms, etc.), and by interacting with the database to gain private information or tamper with database information. SQL injection attacks are very popular in web attacks, and attackers can use SQL injection vulnerabilities to gain administrator privileges, add trojans and various malicious programs to the Web page, and steal sensitive information from businesses and users.
6. Cross-Site Scripting vulnerabilities
A cross-site scripting vulnerability is because the Web application does not filter or restrict the statements and variables submitted by the user, and the attacker submits malicious code to the database or HTML page through the input area of the Web page, and when the user opens a link or page with malicious code, the malicious code executes automatically through the browser, So as to achieve the purpose of the attack. Cross-site scripting vulnerabilities are highly harmful, especially in the current widely used network banks, where attackers can impersonate a victim to visit a user's important account and steal important information from the enterprise.
According to the previous survey of each vulnerability research organization, SQL injection vulnerabilities and the prevalence of Cross-site scripting vulnerabilities ranked the top two, resulting in greater harm.
1.2 SQL injection Attack principle
SQL injection attacks are injected with the content submitted by the Web page by constructing ingenious SQL statements. More commonly used tools include annotation symbols, identity (such as 1=1), Union queries using union statements, inserting or modifying data by using INSERT or UPDATE statements, and some built-in functions to assist in attacks.
The steps for attacking a Web site via SQL injection are generally as follows:
Step one: Probe the web site for SQL injection vulnerabilities.
Step two: Probe the type of background database.
Step three: According to the type of background database, probe the information of system table.
Step fourth: Probe for existing table information.
Step Fifth: Probe the column information that exists in the table.
Sixth step: Probe the data information in the table.
1.3 Cross-site Scripting attack principle
The purpose of the Cross-site scripting attack is to steal client sensitive information and impersonate the victim to access the user's important account. Cross-site scripting attacks are mainly in the following three ways:
1. Local cross-site scripting attacks
b Send a maliciously constructed web Url,a to a click to view the URL and save the page to a local hard drive (or a Web page on the B construct). A to run the Web page locally, a malicious script embedded in the Web page can execute all commands under a hold on a computer.
2. Reflection cross-station script attack
A often browsing a website, which is owned by B. A use username/password to log on to the B website, b site to store a sensitive information (such as bank account information, etc.). C found that B site contains a reflection of Cross-site scripting vulnerabilities, write a vulnerability URL, domain name b Web site, after the URL embedded malicious script (such as get a cookie file), and through mail or social engineering, and other ways to deceive a access to a malicious URL. When a uses the URL provided by C to access the B Web site, a malicious script embedded in the URL is returned to a via the Web server and executed in browser A, and the sensitive information of a is sent to C without any knowledge at all, due to a reflection Cross-site scripting vulnerability in the B site.
3. Persistent cross-site scripting attacks
B has a Web site that allows users to publish and browse published information. C notes that B's site has a persistent cross-site scripting vulnerability, C publishes a hotspot information to attract users to read. A once browsing the information, its session cookies or other information will be stolen by C. Persistent Cross-site scripting attacks generally appear in forums, guest books and other Web pages, the attacker through the message, the attack data to the server database, the user browsing the message will be leaked.
The defense implementation of Web application vulnerabilities
For the above common Web application vulnerabilities, you can start with the following areas of defense:
1 for Web application developers
Most common vulnerabilities in Web applications are in Web application development where developers do not detect or detect user input parameters. Therefore, Web application developers should establish a strong sense of security, the development of writing security code, the user submitted URLs, query keywords, HTTP headers, post data, such as strict detection and restrictions, only to accept a certain length of the range, using the appropriate format and coding characters, blocking, Filter or ignore any other characters. By writing secure Web application code, you can eliminate most Web application security issues.
2 for Web site administrators
As the Web administrator responsible for the daily maintenance and management of the website, you should keep track of and install the latest security patches for the various software that support the Web site's operation to ensure that an attacker cannot attack the site through a software vulnerability.
In addition to vulnerabilities in the software itself, incorrect configuration of Web servers, databases, and so on can also cause Web application security issues. Web site administrators should carefully detect the various software configurations on the site, reducing the likelihood of security problems.
In addition, web administrators should periodically audit Web server logs to detect unusual access and identify potential security issues early.
3 Use Network anti-attack device
The first two forms of prevention are more idealistic. In reality, however, the vulnerabilities of Web application systems are inevitable: Some Web sites already have a large number of security vulnerabilities, and web developers and webmasters are unaware of or discovering these vulnerabilities. Because the Web application uses HTTP protocol, the common firewall device is unable to defend against the Web class attack, therefore can use IPs intrusion defense device to realize the security protection.
H3C IPS web Attack defense
The H3C IPs intrusion Prevention device has a complete web attack defense framework that can detect all kinds of exposed and potential web attacks in a timely fashion. The following figure is the overall defense framework for Web attacks.
Figure 1:web Attack Defense framework
H3C IPs identifies and blocks various attacks using a feature-based approach. IPS devices have a complete library of features and can be upgraded periodically, manually and automatically, to the feature library. When the network traffic into IPs, IPS first preprocessing the message, detection message is correct, that is, meet the protocol definition requirements, no error fields, if the message is correct, then enter the depth detection engine. The engine is the core module of IPs detection, through the deep analysis of the web traffic of IPs devices, and matching with the features in IPs attack Library, the paper detects whether there is any abnormal web traffic; If the traffic matches the attack feature, IPS blocks the network traffic and reports the log; otherwise, the network traffic passes smoothly.
This web attack defense framework has several features:
1 construct a complete web attack detection model to accurately identify various web attacks
In view of the characteristics of Web attack, considering the principle and form of various web attacks, a general and hierarchical web attack detection model is developed on the basis of different vulnerability models and integrated into the feature library. These models abstract the general form of Web attacks, the attack on the mainstream can be accurately identified, making the model universal.
2 detection mode is flexible, can accurately identify the deformation of the web attack
In the actual attack, in order to evade the detection of the attack device, the attacker often distorts the web attack, such as using URL coding technology, modifying parameters, etc. According to the principle, attack mode and target of Web application H3C, the attack feature is extended. Even if an attacker modifies an attack parameter, format, statement, and so on, the same vulnerability principle can be effectively blocked by various variants of the attack. This allows IPs to expand the scope of defense, defense flexibility is also significantly enhanced, greatly reducing the occurrence of under-reporting.
3 to ensure that the latest vulnerabilities and technology tracking, effectively prevent the latest attacks
With the increasing frequency of web attacks, the harm is gradually expanding. This puts a higher demand on the depth and breadth of defense for IPs devices, not only to be able to defend against existing Web attacks, but also to effectively block the latest and unpublished attacks. At present, H3C has established a complete set of attack and defense test environment, can discover potential web security vulnerabilities in time. It is also continuing to track the latest web attack technologies and tools, update the Web attack's signature database in a timely manner, and publish the latest Web vulnerability response to ensure that the user's network is not compromised.
4) To ensure the efficient operation of normal business
Detection engine is the key to the entire operation of IPs, the engine uses efficient, accurate detection algorithm, the flow through the device to carry out a deep analysis, and the attack characteristics of the match to detect whether there is abnormal flow. If the traffic does not match the attack characteristics, then allow traffic to pass, will not hinder the normal network business, in the accurate defense while ensuring the efficient operation of the normal business.
Conclusion
The widespread use of the Internet and Web technologies makes Web application security increasingly challenging, and web systems are constantly threatened by a variety of attacks, in which case a complete web attack defense solution is needed, through secure Web applications, Web server software, Web anti-attack devices work together to ensure the safety of the entire site. Any simple loophole, negligence will cause the entire site to be attacked, causing huge losses. In addition, Web attack defense is a long-term continuous work, with the development and update of Web technology, Web attack means also evolving, for these latest security threats, need to adjust the Web security protection strategy in time, to ensure the initiative of web Attack Defense, Enable Web sites to serve businesses and customers in a secure environment.