Introduction to Web security defense

To make a website safer, you can solve many things during development!
 
Take ASP. NET as an example!
 
ASP. NET is a compiled website, but if strict file name filtering is not completed, it is encapsulated with database operations! It still has a great security impact.
 
Here is an example of security work during the preparation of an enterprise website!
 
The functions of an enterprise website are clearly a news management system!
 
The security work that needs to be done is also very simple!
 
Anti-injection:
 
First, replace the single quotation marks (single quotes) to change all single quotes to two single quotes to prevent attackers from modifying the meaning of SQL commands. Let's take a look at the previous example, "SELECT * from Users WHERE login = '''' or ''1'' = ''1' AND password = '''' or ''1'' = ''1 '" obviously, different results will be obtained from "SELECT * from Users WHERE login ='' or '1' = '1' AND password = ''or '1' = '1.
 
2. delete all the characters in user input to prevent attackers from constructing queries such as "SELECT * from Users WHERE login = 'mas '-- AND password ='' "www.2cto.com, because the second half of this type of query has been commented out and is no longer valid, attackers only need to know a valid user logon name and do not need to know the user's password to obtain access permissions.
 
Third: restrict the permissions of the database account used to execute the query. Query, insert, update, and delete operations with different user accounts. The operations that can be performed by different accounts are isolated, which prevents the places where the SELECT command was originally used to execute the INSERT, UPDATE, or DELETE command.
 
The above are some of my opinions! My opinion is as follows!
 
Fourth: I personally think it is best to use the stored procedure to write all the most data-operated events or statements, which can effectively prevent MySql Data from explicit and violent databases! In addition, a page needs to be created to jump to this page when hacker injection triggers anti-injection and prompt for illegal operations!
 
Fifth: perform Url encoding on the content after the ID parameter following the URL to achieve encryption! Although it can be converted, but considering that the average person does not do this!
 
For file name Filtering:
 
First: Check the source code and find that many programmers still use Javascript For Local verification and filtering when filtering! In this case, I personally think it is very bad. The filtered code can be seen by attackers. After all, when people are negligent! This operation is risky! In my opinion, it is better to write source code filtering directly through C! Although troublesome, it won't be seen in the source code!
 
Second: for filtering uploaded file names, most enterprise website developers directly use the upload function of the editor for convenience! This is very risky! Although I have learned WEB security for more than a year, I still know that the editor is the easiest way to win a website!
 
Therefore, it is better to upload data by yourself! It is also important for filtering uploaded files! Many developers may judge the last filter. whether the suffix of the subsequent file is invalid is not impossible. But it is still being adjusted. When the suffix is correct, modify the file name based on the time!
 
Background:
 
First, we recommend that you use Session instead of Cookie to record user data when logging on as an administrator, because cookies are insecure!
 
Second, when working on the background, the editor is always a matter of consideration. It is best to delete some upload and Management pages, leaving only the editor! Be careful with the configuration file of the FCK editor. It is best to change the name of the configuration file if the TEST page is deleted here! After changing the file content, you need to modify the file content. Another way is to make the directory of the configuration file readable and not writable!
 
Third: it is best not to add or add the database backup function, but to force the backup to. mdb or. mdf! It is best not to display the successful backup path!
 
Fourth, we need to strictly prevent the database from downloading sensitive data!
 
Server:
 
To be honest, there may be a lot of negligence for my WEB security students who have been studying for a year! Sorry!
 
First, disable Wscipit. shell creation!
 
Second, strictly set the permissions for the website path, especially the path strength of the editor. It is best to read and not write!
 
Third, do not use the default account and password for MySql and MsSql!
 
4. Set permissions for drive C, especially temporary folders, recycle bin paths, windows paths, and program paths!
 
Fifth, anti-virus software is updated in real time. APR firewall!
 
Sixth: if conditions are met, a server can be used as a database server. If the conditions are not met, the database path permissions can be set to unreadable and unwritable!
 
7: server-u, these upload tools are not recommended, or other tools with the same functions!
 
Eighth: Modify the port number of the 3389 key value!
 
Ninth: Do a Good Job of route protection to prevent APR sniffing!
 
10: Do a Good Job of bypassing the server website. I heard that 360 of the security experts have recently issued a bypass security check. You can try it!
 
Okay, that's all we thought! Of course, permission settings are mainly for visitor permissions, anonymous permissions, and some iis permissions!
 
 
Author 90sec.org