Network security and common cyber-attacks

SQL injection

By inserting a SQL command into a Web form to submit or entering a query string for a domain name or page request, you end up with a malicious SQL command that deceives the server.

To prevent SQL injection, we should note:

1. Never trust the user's input, to verify the user's input, you can use regular expressions, or limit the length, the single quotation mark and the double "-" to convert, and so on.

2. Never use dynamically assembled SQL, either using parameterized SQL or directly using stored procedures for data query access.

3. Never use a database connection with administrator rights, and use a separate limited database connection for each app.

4. Do not store confidential information in plaintext, please encrypt or hash out the password and sensitive information.

5. The exception information applied should give as few hints as possible, preferably using a custom error message to wrap the original error message and store the exception information in a separate table.

Treatment methods:

1. Validate user input with regular expression to filter out possible SQL injection

2. Data query access via parameterized stored procedures

3. Parameterized SQL statements

......

XSS attacks : cross-site scripting attacks

It is a security vulnerability attack of a Web site application and is one of code injection. It allows malicious users to inject code into a Web page, and other users will be affected when they view the page. Such attacks typically include HTML and client-side scripting languages.

Common XSS attack methods and purposes are:

• Misuse of cookies to obtain sensitive information.
• Use embedded flash to further get higher permissions through Crossdomain permission settings, or use Java to get similar operations.
• Use the IFRAME, frame, xmlhttprequest or the above flash, and so on (attacked) the identity of the user to perform some management actions, or perform some general such as tweet, add friends, send private messages and other operations.
• Use the vulnerable domain to be trusted by other domains and request some operations that are not normally allowed, such as improper polling, as trusted sources.
• XSS on some of the most visited pages can attack some small web sites and achieve the effect of DDoS attacks.

Vulnerability Defense:

1. Filter Special characters: one of the ways to avoid XSS is to filter the content provided by the user, and many languages provide filtering of HTML: PHP's htmlentities()或是htmlspecialchars()

2. use the HTTP header to specify the type: avoid the content of the output being parsed as HTML.

<?php   header (' Content-type:text/javascript; Charset=utf-8 ');? >

CSRF attack : cross-site request forgery

Network security and common cyber-attacks