Interface in the eyes of the big talk program, interface in the eyes of the big talk program

Interface in the eyes of the big talk program, interface in the eyes of the big talk program
Opening

Child (Interface)As a back-end program.InterfaceJust like your ownChildSimilarly, if it is created, it is necessary to take responsibility for his future life;
As the business grows, more and more business interfaces need to be supported, and the number of users used increases. As hackers in the tiger's eye, they are always looking for access points in the business that can steal the interests of others, therefore, we should consider security issues to prevent them.

Scenario

The server program develops business-related interfaces as needed to meet the needs of the user and server interaction functions, provided to the front-end or client (PC-side software, APP-side applications, most programmers only consider how to implement logical business functions when developing interfaces, but seldom consider interface security issues, generally, the interfaces provided by the server are http/https protocols. Through packet capture tools such as Fiddler, Wireshark, and Charles, you can capture requests, analyze them, simulate requests, and make concurrent requests, or an attack that modifies information.

Example: Question 1. The exposure of user privacy information through the interface is equivalent to a bare-handed deployment in the sky.

Description: programmers often do not have the awareness to protect user privacy when doing business interfaces. They expose user privacy information to the outside. Once exploited, this will cause users trouble, at the same time, it will reduce the platform's trust;

Defense: Problem 2. The interface exposes sensitive information, just like inserting the key into the key port without unplugging it. As long as you open the door, you can go in.

Do not include decisive data about the activity-related business logic in the JSON collection of the user's participation data. For example, if a bid is made, the only person with the lowest bid will take the prize, result The bid Acquisition Interface exposes the Price Statistics of all BITs.

Defense: Problem 3. Data is easily taken away (JSON data related to the main business interface, for example, home page product list data)

Description: JSON data in the interface will be used by others for related functions; this will cause additional server expenditure.

Defense: Problem 4. Modify request information (modify parameters, cookies, and request header information)

Description: A request initiated by modifying the parameters in the request. For example, the login interface modifies the username and user password and performs Password Database collision.

Tip:
Modifying request parameters may cause many security problems, such as SQL injection and XSS cross-site scripting attacks, introduction and solutions to [WEB security in the eyes of Dahua programmers]
The following solutions are not recommended for clients, such as PC software and APP, and WEB-side JS encryption. JS code is exposed, therefore, if Javascript is used for encryption, JavaScript code must be obfuscated.

Defense: Problem 5: Shadow separation, simulating requests, and initiating concurrent requests

Description: A packet capture tool is used to simulate a request after capturing a request, for example, a daily sign-In request or a concurrent request for daily sign-in.
Tip: how to ensure data integrity and consistency after request concurrency is a problem that needs to be paid attention to during normal development, the [High concurrency in the eyes of big talk programmers] of the portal has related introductions and solutions.

Defense: Summary

We need to improve our security awareness to prevent them from happening. We need to look at our interfaces from the attacker's perspective. (this gives us a sense of delusion, you are one step closer to mental illness. <(~~ ~~) do not develop robots that require development. We are thoughtful and creative developers;

Additional Personal Development Process

When reviewing requirements, you should put forward business logic issues and provide solutions;
After determining the requirements, sort out the entire business logic clearly and draw a flowchart for the complicated ones;
Design the implementation scheme based on requirements. Consider the [database pressure, server pressure] and Security Issues. Record your design scheme in the form of a document. (How to implement it at the code level );
Lists the functional points in the requirement, evaluates the time, and obtains the total working hours;
Start development and start work;