If the app's packets are captured, or the app's data is tampered with, how can security be improved, for example defending against XSS attacks and SQL injection?
Reply content:
This has nothing to do with whether your app embeds HTML5 or not.
If you use an API interface you are just as exposed to XSS and SQL injection.
(a) If the server is attacked, how do you analyze it, and what is the solution?
1 First look at the Windows/Linux system logs to determine whether the attacker has already obtained server permissions through the attack, because if the server has already been getshelled, fixing the flaw at this point is still useless.
MySQL injection analysis and solution
1 Analysis: method for locating the vulnerability
Parse the Apache/nginx/IIS log file (write a log file at the program entry point), which contains all POST and GET requests together with their parameters, and check whether any submitted parameter contains a MySQL keyword
(search the entire file for the MySQL keywords union/select/and/from/sleep). If one is present, find the PHP file corresponding to the request address, and the corresponding PHP code and MySQL statement it executes. Then check the creation and modification times of the folders and files in the entire web directory to see whether a backdoor is present.
2 Prevention measures
1 Add global SQL keyword filtering in the program
2 Enable PHP single-quote escaping (modify magic_quotes_gpc in php.ini).
3 Enable the Apache/nginx/IIS service logs, the MySQL slow query log, and request logging at the program entry point
4 Install web application security software such as Safedog on the server
5 Use UTF-8 for the database connection to prevent GBK double-byte injection
6 Increase the complexity of the MySQL password, prohibit external connections to MySQL, and change the default port number
7 Reduce the privileges of the program's MySQL account: grant only the normal add, delete and modify permissions. Disable permissions for file operations
XSS cross-site attack solution
1 Wherever text is written out, apply htmlspecialchars escaping
2 Use SSL; prohibit loading or referencing external JS
3 Set HttpOnly to disable cookie access
4 Make sure there is no injection (if there is an injection, hexadecimal encoding can be used to bypass htmlspecialchars and achieve an XSS attack effect)
5 The backend and the frontend should ideally use two separate sets of routes with different rules; critical backend operations (backing up the database) should require a second-level password, and request parameters should be made more complex, to prevent CSRF
PHP security
1 Add a file-suffix filter where files are uploaded; do not use a "logical NOT" judgment when filtering.
2 Do not allow uploading of php and .htaccess files; do not use data submitted by the client to determine the filename suffix; the program should add the suffix itself and use random file names
3 Unified routing, restricting unauthorized access
4 Drop PHP privileges; restrict creating folders and files in the web directory (except for the folders the program requires; generally there is a cache directory that needs write permission)
5 Add filtering for the IIS/nginx file parsing vulnerability
6 For password recovery, use a phone verification code; email-based recovery should use an additional server (this prevents obtaining the real IP through password recovery). The reset-password link finally sent to the user's mailbox requires a complex encrypted parameter
7 The user login system should implement single sign-on; if a user is already logged in and another person logs in, a hint should be given.
8 The webroot directory may contain only one index.php (entry file); all other directories should prohibit external access; all resource (upload) files should have hotlink protection enabled in nginx
1 Security knowledge
1 Web apps should separate the web server from the database server, and change the default web directory path of the environment
2 When an integrated environment is used, the PHP probe, phpMyAdmin and phpinfo should be deleted after installation (the probe can reveal your web path, and phpMyAdmin can be brute-forced)
2 User passwords: it is best to store the MD5 value of the password plus a salt
3 Add a verification code at the user login page, and add a limit on the number of failed attempts, to prevent brute-force cracking
4 Use a CDN for acceleration and to hide the real IP
5 When the user logs in, do not transmit the account password in plain text, to prevent client-side sniffing, where ARP spoofing is used to obtain the plain-text account passwords of users and the administrator
6 Disable PHP system command functions such as exec, system, etc.
7 Install security protection software such as Safedog on the server
8 Web directories should prohibit storing .rar and .zip files
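The log-analysis step in the answer above (search the Apache/nginx/IIS access log for the MySQL keywords union/select/and/from/sleep in request parameters, then map hits back to the PHP file) is shown here as an added Python example; it is not code from the original post. The log lines are constructed samples in the common "combined" format, not real traffic. Access logs only carry the query string, so the block scans GET parameters; POST parameters would have to come from the separate entry-point request log the answer recommends, whose format is not given here. Because "and" and "from" appear in ordinary search terms, they are only counted when the decoded value also contains a quote, `=` or `(`; that heuristic is an assumption of this example, not part of the answer.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# Constructed sample access-log lines (nginx/Apache "combined" format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0800] "GET /news.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0800] "GET /news.php?id=12%20union%20select%201,2,3%20from%20users HTTP/1.1" 200 5310 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0800] "GET /search.php?q=android+apps+from+china HTTP/1.1" 200 2048 "-" "curl/7.68.0"
198.51.100.7 - - [10/Oct/2023:13:56:09 +0800] "GET /news.php?id=12%27+AND+SLEEP(5)--+ HTTP/1.1" 200 5120 "-" "curl/7.68.0"
192.0.2.9 - - [10/Oct/2023:13:57:12 +0800] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:57:30 +0800] "GET /item.php?id=5/**/UnIoN/**/SeLeCt/**/1 HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Combined log format: client ip, ident, user, [time], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Keywords listed in the answer. union/select/sleep rarely appear in normal input;
# and/from are common English words, so they only count alongside SQL punctuation.
STRONG = {"union", "select", "sleep"}
WEAK = {"and", "from"}
COMMENT_RE = re.compile(r"/\*.*?\*/")      # inline comments used to split keywords
SQL_PUNCT_RE = re.compile(r"[\'\"=(]")


def normalize(value: str) -> str:
    """URL-decode repeatedly (unwraps double encoding), strip /* */ comments, lowercase."""
    prev, cur = None, value
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote_plus(cur)
    return COMMENT_RE.sub(" ", cur).lower()


def keyword_hits(value: str) -> set:
    """Return the set of MySQL keywords found as whole words in a parameter value."""
    norm = normalize(value)
    tokens = set(re.findall(r"[a-z_]+", norm))
    hits = tokens & STRONG
    if tokens & WEAK and SQL_PUNCT_RE.search(norm):
        hits |= tokens & WEAK
    return hits


def scan_log(text: str) -> list:
    """Scan access-log text; return one finding per request parameter that hits a keyword."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not in combined format
        url = urlsplit(m["target"])
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            hits = keyword_hits(value)
            if hits:
                findings.append({
                    "line": lineno,
                    "ip": m["ip"],
                    "script": url.path,    # the PHP file to inspect next
                    "param": name,
                    "keywords": sorted(hits),
                })
    return findings


def scripts_to_review(findings: list) -> Counter:
    """Count hits per script path so the most-targeted PHP files are reviewed first."""
    return Counter(f["script"] for f in findings)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f['line']}: {f['ip']} -> {f['script']} param={f['param']} keywords={f['keywords']}")
    print("review order:", scripts_to_review(found).most_common())
```

Run it against a real log with `scan_log(open("access.log").read())`; the `script` field of each finding is the request path whose PHP source and SQL statement the answer says to check next. Keep in mind that an attacker can encode payloads in ways this keyword search will not catch, so a clean result does not prove the absence of injection.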
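Points 1 and 2 of the "PHP security" list above (filter upload suffixes with a whitelist rather than a "logical NOT", never take the suffix from the client, and have the program assign a random name) are illustrated below as an added Python example, not code from the original post and written in Python rather than the PHP the answer assumes. The allowed-extension set, the function names and the sample filenames are all assumptions of this example. The `blacklist_allows` helper exists only to show the weakness the answer warns about, beside the whitelist form that should be used.

```python
import secrets
from pathlib import PurePosixPath

# Server-side whitelist of extensions the application is willing to store.
# Assumed for this example; the real set depends on what the app needs.
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "pdf"}


def client_basename(client_filename: str) -> str:
    """Strip any directory part the client may have sent (both / and \\ separators)."""
    return PurePosixPath(client_filename.replace("\\", "/")).name


def blacklist_allows(client_filename: str) -> bool:
    """The 'logical NOT' style the answer warns against: accept unless suffix is php/htaccess.
    It is case-sensitive and reasons about what to reject instead of what to accept."""
    name = client_basename(client_filename)
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    return ext not in {"php", "htaccess"}


def server_extension(client_filename: str):
    """Whitelist form: return the extension the server will use, or None if not allowed.
    The client's name is only consulted to pick from ALLOWED_EXT; it is never stored."""
    name = client_basename(client_filename)
    if not name or name.startswith("."):      # rejects .htaccess and bare dot-files
        return None
    parts = name.lower().rsplit(".", 1)
    if len(parts) != 2 or not parts[1]:
        return None                             # no extension at all
    ext = parts[1]
    return ext if ext in ALLOWED_EXT else None


def stored_name(client_filename: str) -> str:
    """Random, server-generated file name with a whitelisted extension appended by the program."""
    ext = server_extension(client_filename)
    if ext is None:
        raise ValueError("upload rejected: extension not allowed")
    return secrets.token_hex(16) + "." + ext     # 32 hex chars + '.' + ext


if __name__ == "__main__":
    for sample in ["photo.JPG", "Shell.PHP", "../../.htaccess", "notes.pdf", "README"]:
        print(f"{sample!r:20} blacklist_allows={blacklist_allows(sample)!s:5} "
              f"whitelist_ext={server_extension(sample)}")
    print("stored as:", stored_name("photo.JPG"))
```

The contrast the sample loop prints is the answer's point: the blacklist accepts "Shell.PHP" because it only compares against lowercase "php", while the whitelist rejects it and everything else outside `ALLOWED_EXT`. Because the stored name is random and the extension is chosen by the server, the client's original name (including any path or double extension) never reaches the filesystem.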