Network security has become one of the hottest topics on the internet. In contrast to the reality, the subordinates and implementations of network security have become a matter of special concern to enterprises. Therefore, we can now easily see that each enterprise has a generous investment in network security when designing its own network and building its own websites, in particular, some websites with a large amount of sensitive information, such as banks and securities, have spared no efforts in network security, and have vigorously promoted various security products through various advertisements and advertisements on the market, such as firewalls, intrusion detection, and enterprise anti-virus. However, is the network, especially the website, truly secure when these products are used? Not necessarily, even if these security devices are the most advanced and reasonably configured, the website may still be attacked or even completely controlled. We know that today's websites, especially websites with a relatively large size, generally use ASP, PHP, JSP, and other scripting languages to connect to the database and obtain data in the database to generate dynamic web pages. In this way, when a website is fully established, there will be a lot of programs, especially the particularity of webpage design. There are a lot of interaction programs between servers and users, if the programmer is not very experienced or has no strong security awareness, there will be many program vulnerabilities, bringing immeasurable security risks to the website. To some extent, these program vulnerabilities may be more serious than those on the website server, because these vulnerabilities cannot be prevented by the firewall or intrusion detection system.
I. Programming vulnerability Formation
How are programming vulnerabilities created? We need to have a comprehensive understanding of web programming to understand. First, let's look at the features of web programming.
1. Strong interactive web programming
The purpose of designing websites in various languages rather than using HTML is to better manage website resources and increase interaction between websites and viewers. Therefore, during website design, some common interactive programming is indispensable, such as message board, BBS forum, and chat room. The biggest common feature of these programs is that users enter a lot of information, use these materials to communicate with other visitors or website administrators. The main reason for the formation of formal vulnerabilities is that user input information is unpredictable. If the program does not take into account or consider incomplete security issues, user input may be an attack event, either intentionally or unintentionally.
2. Many web programming characters
As we mentioned above, interaction is actually the flow of information. Therefore, the processing of such information is a big problem. How to strictly control the content, format, and length of user input information is a matter of consideration for programming.
3. Web programming involves the security innermost layer
We know that web programming directly deals with servers. These programs are directly related to website directories, website database settings, and system settings. Through these programs, you can access website directories, settings, and other content on almost all servers. Think carefully, these programs are actually very potential security problems, because they are too sensitive. Therefore, if a program is designed with vulnerabilities, it is almost the same as a website with vulnerabilities, or even completely open.
4. Poor overall staff base for Web programming
The technical quality of web programmers may be of little concern to us. In the eyes of some traditional programmers, web page programming cannot be called a programmer. They think that web page programming only requires good art. There is no skill at all, not real programming. There are several reasons for this idea. First, web page programming is relatively simple, with few changes. Basically, web page programming can be very simple to summarize several types: message Board, Forum, chat room, email list, news release, software download, etc. Most of these types of programming have patterns to follow. Compared with traditional programming, it is indeed relatively simple and can be mastered at will; second, most web programmers leave their homes, with fewer professional programmers, fewer programming system training, and a weak programming Foundation, programming can still have some defects. Third, some websites directly download free online programs to build websites. The robustness and security of these programs are not strictly considered, if the website publisher directly copies these programs without modifying them, there may be serious security problems.
II. Types of programming vulnerabilities
Web programming is relatively simple. Although there are many examples of vulnerability formation, there are some inherent commonalities that can be found, so as to sum up some common characteristics for our reference.
1. Incomplete user input verification
In terms of website programming, there is a rule that we may need to remember, that is, the input of both users and users must be skeptical and cannot be fully trusted. Therefore, user input cannot be simply used directly, but must be strictly verified to determine whether the user input meets the input rules. Summary user input verification should include the following aspects.
(1) verification of input information length
We may pay less attention to this point, because we often think that the average user will not deliberately lengthen the input, a slight number of users may be confused, but this may not cause harm. In fact, as long as we carefully consider it, if we do not perform input verification, the potential harm will be considerable. Why? If the information entered by the user reaches several megabytes, and our program does not have a verification length, think about the dangers of a: a, program verification error; B, variables occupy a large amount of memory, memory overflow occurs until the server service is stopped or shut down. How dangerous is this?
(2) sensitive characters in input information
We may pay attention to this point when designing programs. We mainly focus on some JavaScript sensitive characters, such as when designing the message board, we will remove the "<" and other symbols to prevent users from leaving a page bomb. But is that enough? It is far from enough. We still need to pay special attention to the following aspects.
A. Filter message content
As mentioned above, it is usually used more often.
B. User name information filtering
In fact, we often verify this, but we often only verify the length of the user name, without verifying the JavaScript or HTML tag, so it is easy to form a vulnerability. For example, if you enter "