How to enhance security of h5 pages embedded in apps

Source: Internet
Author: User
Tags mysql injection
How to improve security, prevent xss attacks, prevent SQL injection, and so on in case of captured packets or changing the data transmitted by the app. How to improve security, prevent xss attacks, prevent SQL injection, and so on in case of captured packets or changing the data transmitted by the app.

Reply content:

How to improve security, prevent xss attacks, prevent SQL injection, and so on in case of captured packets or changing the data transmitted by the app.

This has nothing to do with embedding html5 in your app.
You love xss and SQL injection just like using api interfaces.
(1) how to analyze and solve a server attack?
1. First, check the windows/linux system logs to determine whether hackers have obtained server permissions through attacks. if the server has been getshell, fixing the vulnerability will not help.

Mysql injection analysis solution
1. vulnerability search methods
(Write a log file in the program Portal) analyze the apache/nginx/iis log file, that is, all POST and GET requests and parameters, and check whether mysql keywords exist in the submit parameters.
(The mysql keyword "union/select/and/from/sleep" is searched for the entire file.) If yes, search for the php file corresponding to the request address and the corresponding php code and mysql execution statement. Then, find the creation and modification time of the entire web directory folder and text, and check whether there is a backdoor.

2 Defense
1. add global SQL keyword filtering to the program
2. enable PHP single quotes (modify php. ini magic_quotes_gpc ).
3 apache/nginx/iis enable service logs, mysql slow query logs, and program entry records request logs
4. install web application security software such as dongle on the server
5 Database Connection methods use UTF-8 to prevent gbk dual-byte injection
6. enhance the complexity of mysql Passwords. disable mysql external links and change the default port number.
7. downgrade the mysql account of the program, and only add, query, modify, and delete common permissions. Prohibit file operation permissions

XSS cross-site attack solution
1 Use htmlspecialchars to escape text writing
2. use SSL to disable external js references
3. set httponly to disable cookie retrieval.
4. if there is no injection (if there is an injection, you can use a hexadecimal system to bypass htmlspecialchars to achieve the xss attack effect)
5 it is best to use two programs with different routing rules on the backend and the front end. the second-level password should be set for key operations in the backend (backup database), and the complexity of request parameters should be increased to prevent CSRF

PHP Security
1. suffix filtering is added to the place where files are uploaded. during filtering, do not make "logical non-" judgments.
2. do not upload files with the suffix php or htaccess. do not use the data submitted by the client to obtain the suffix of the file name. you should use a program to add the suffix and random file name.
3. unified routing to restrict unauthorized access
4. PHP downgrading. the web Directory restricts the creation of folders and text (except for the folders required by the program, there is usually a cache directory that requires write permission)
5. filter IIS/nginx file parsing vulnerabilities
6. use the mobile phone verification code to retrieve the password, and use an additional server to retrieve the mailbox. (To prevent real ip addresses from being obtained through the password retrieval function ). The password reset link sent to the user's mailbox requires a complex encryption parameter.
7. a single logon function should be provided for a user to log on to the system. if the user has logged on, a prompt should be given for others to log on again.
8. the webroot directory can only contain one index. php (entry file), all other directories, and all resources (upload) files. add anti-Leech in nginx.

1. security knowledge
1. the web application uses the site Library separation to change the default path of the Environment web directory.
2. when using the integrated environment, delete the php probe, phpmyadmin, and phpinfo after the installation is complete (the probe can view your web path, and phpmyadmin can be cracked)
2. the user password should preferably use the md5 value after the password is salt-added.
3. add a verification code to the user's logon location. how can I limit the number of errors to prevent brute force cracking?
4. hide real ip addresses with cdn acceleration
5 when a user logs on, do not pass the plaintext account password to prevent the C-end sniffing and obtain the user and administrator's plaintext account password through ARP spoofing.
6. disable the php system Command Line exec and system.
7. install dongle and other security protection software on the server
8. the web Directory cannot be saved. rar or zip files.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.