New "snow" (win32.troj. piaoxue. e.218112) directly deletes anti-virus software installer Protection

Source: Internet
Author: User
Tags: how to prevent SQL injection

Web applications (websites) are currently the most widely deployed kind of program. Developer skill levels vary widely, however, which is why so many web vulnerabilities keep appearing. This article analyzes how to find vulnerabilities in Java web programs from the perspective of their layered architecture.

This article discusses only web vulnerabilities, which are relatively independent of other kinds of vulnerability. That sentence may sound like a platitude, but it points at something that is often overlooked: many people think, "as long as the web program I develop has no vulnerabilities, the web server will be safe." That is not the case. A competent web application developer should always be clear about the environment in which the program will be deployed, and about what happens if the program has a particular vulnerability. Simply put, a web program is installed on one or more (distributed) web servers. Once it is installed it provides a service to a large number of users, and at the same time it opens one or N new avenues for intruders. If the server administrator is not familiar with security configuration (and in fact many administrators in China are not), then our program is left to hold the last line of defense.

Some readers, seeing the title, will think: "isn't this just JSP vulnerabilities dressed up in a thick package?" To answer that, let's first look at how JSP development differs from ASP development. In the ASP era (ASP, PHP and similar languages), writing a system from scratch was often less painful than modifying a system someone else had written, because everything (the code that connects to the database, the code that executes SQL statements, and the code that controls what the page displays) was put inside <% ...... %> blocks. Code like the following was common:

----------- The code is from an ASP shell -----------
' Formats a byte count as KB, MB or Bytes; note the presentation markup mixed into the logic
Function GetFileSize(size)
    Dim FileSize
    FileSize = size / 1024
    FileSize = FormatNumber(FileSize, 2)
    If FileSize < 1024 And FileSize > 1 Then
        GetFileSize = "<font color=red>" & FileSize & "</font>&nbsp;KB"
    ElseIf FileSize > 1024 Then
        GetFileSize = "<font color=red>" & FormatNumber(FileSize / 1024, 2) & "</font>&nbsp;MB"
    Else
        GetFileSize = "<font color=red>" & size & "</font>&nbsp;Bytes"
    End If
End Function
----------------------------------------


Now suppose the customer's requirements change: the <font color=red> tags and similar markup must no longer appear on the page, and CSS is to be used for all presentation. Call in the programmer and have them change every occurrence one by one... Note the emphasis: only a programmer can make this change; a designer can only handle HTML, JS and CSS. And that is merely a simple page change. If the customer says today that the MySQL server cannot handle the data volume and the system should connect to Oracle instead, the poor programmer must hunt through a sea of code for every place that executes an SQL statement. Every file may contain SQL statements, which also means that every file may be exposed to SQL injection.

JSP development adopts the MVC layered architecture, so that files can be separated into different folders (layers) by purpose, and the files in each folder are responsible only for their own task. For example, data access code goes in the data access layer's folder and business logic code goes in its own folder. When a requirement changes at the display layer (the layer that shows the final result to the user), as in the customer request above, only the files of that layer need to be modified; the code of the other layers is not touched at all, and whoever makes the change does not need to understand the code of the other layers.

Code layering means that vulnerabilities are layered too. The way we look for JSP vulnerabilities must be layered as well, to keep pace with the times.

The following describes how to search for vulnerabilities, using a simple layered application as the sample. The sample program is called "XX document system"; it uses the Struts framework, and the layers relevant to security are divided as follows:

"DB layer": stores the database connection strings and the JdbcTemplate class that directly accesses the database. In Java, the functions that execute SQL statements can be divided into three kinds according to their return values, so the JDBC template class (JdbcTemplate) is defined at this layer, and every database access must go through one of the three methods at this layer.

"DAO layer" (Data Access Object layer): from a security perspective, this layer is where the SQL statements live (the statements are not executed here; they are passed to the DB layer for execution). This layer calls the "DB layer" to access the database. It knows only that the "DB layer" exists and knows nothing about the database itself.

"SERVICE layer": the business logic layer. Because a single business operation is rarely completed by a single database access, this layer implements business logic by calling "DAO layer" methods N times. It knows only of the "DAO layer" and knows nothing about the "DB layer" or the database.

"ACTION layer": calls the business logic layer and controls which JSP page is displayed based on the returned results. It knows only of the business layer. This layer is one of the intruder's entry points.

"Form layer": encapsulates the information submitted by the user in a POST into a Form object and, after validation, hands it to the ACTION layer for processing.

"JSP layer" (display layer): the pages finally displayed to the user, and another entry point for intruders.

When the ACTION layer is accessed, the following happens automatically: ACTION calls SERVICE, SERVICE calls DAO, DAO calls DB, DB executes the SQL statement and returns the result to DAO, DAO returns it to SERVICE, SERVICE returns it to ACTION, and ACTION renders the data in a JSP and returns it to the user.

With this sample in hand, we can analyze the various web vulnerabilities that may occur in such a program.

1. SQL Injection Vulnerability

Let's start with SQL injection, which among web vulnerabilities is the most frequently found and the most harmful. How do we find it quickly? First analyze the flow, taking the process of viewing an article as an example: when a user accesses an action and asks to view the article with ID 7, the action carries out the flow described above.

An ASP program is the most prone to this problem: ASP is weakly typed, so a received parameter needs no type conversion before it is concatenated into the SQL statement. JSP is different, because Java is strongly typed. Consider how a harmful parameter is received. For a GET request (accessing the page directly from the address bar), if an int is required, even a programmer who knows nothing about security will immediately convert the article ID to an int, because it is easier to work with afterwards; a malicious value then causes a conversion error. For a POST request, if an int is required, the program encapsulates the value into a Form object, where the type conversion happens automatically, and the same error occurs. In both cases the error stops the rest of the flow from running. Perhaps this is the inherent security of JSP. So when the submitted variable is an int, no problem arises; the problem is likely to be in string parameters. To view a user's information, the program may ask you to submit a parameter like this: showuser.do?username=kxlzx. The trouble is that this is a string, so a programmer who does not know security will at most check whether it is null and then concatenate it into the SQL statement. The vulnerable program may look like this:

ACTION code: showuser.do
String username = null;
username = request.getParameter("username");
Service service = new Service();
service.findByUsername(username);
After obtaining the parameter, the action calls the service. The service layer hands it straight to the DAO layer. The DAO code:
public Object findByUsername(String username)
{
    JdbcTemplate jt = new JdbcTemplate();
    // user input is concatenated straight into the SQL text: this is the injection point
    String sql = "select * from Users where username = '" + username + "'";
    List list = jt.query(sql);
    ...................
}

The DAO calls the JdbcTemplate at the DB layer and passes it the SQL statement to execute. Without even looking at the JdbcTemplate, you can tell that the code inside uses Statement's executeQuery() method, which is what produces the SQL injection.

After all this analysis, some readers will ask: "Do I really have to go to such effort to find the vulnerability?" Indeed, the way of thinking about injection in ASP programs is like this, but what we are dealing with now are JSP programs developed with a layered architecture, so the vulnerabilities should be found according to the layered architecture. Before answering that question, we have to look at how SQL injection is prevented here (Java is always like this: it never gives you the answer directly, but peels back layer after layer until the clouds part).

The analysis above was a forward analysis, from user input to the point where the vulnerability arises. When defending, we can look at it the other way around and start from the DB layer. A JdbcTemplate can execute SQL statements in two ways: with a Statement or with a prepared (preprocessed) statement, and the two differ significantly in both efficiency and security. In terms of efficiency, as long as the database supports prepared statements (SQL Server, MySQL, Oracle and so on; only a few do not), execution speeds up when a large number of SQL statements are run. In terms of security, a prepared statement also preprocesses the parameters it receives, so that they are never executed as part of the SQL statement but only treated as parameter values within it. Once the DB layer uses prepared statements, the SQL statements at the DAO layer also change:
public Object findByUsername(String username)
{
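The article's listing breaks off here. As an added example (not the article's own code), here is the DB layer and DAO layer written with PreparedStatement in the shape the article describes: the DAO still owns the SQL text, but the user-supplied username is bound as a parameter instead of being concatenated. The class names JdbcTemplate and UserDao follow the article's layers; the method names and the H2 in-memory database used by main are assumptions.

```java
import java.sql.*;
import java.util.*;

// DB layer: the only place SQL is executed. Values passed in params are bound
// by the JDBC driver and can never change the structure of the SQL text.
class JdbcTemplate {
    private final Connection conn;
    JdbcTemplate(Connection conn) { this.conn = conn; }

    List<String> queryForStrings(String sql, String column, Object... params) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            for (int i = 0; i < params.length; i++) {
                ps.setObject(i + 1, params[i]); // JDBC parameter indexes start at 1
            }
            try (ResultSet rs = ps.executeQuery()) {
                List<String> out = new ArrayList<>();
                while (rs.next()) out.add(rs.getString(column));
                return out;
            }
        }
    }
}

// DAO layer: still owns the SQL text, but the text holds a '?' placeholder, not user data.
class UserDao {
    private final JdbcTemplate jt;
    UserDao(JdbcTemplate jt) { this.jt = jt; }

    List<String> findByUsername(String username) throws SQLException {
        String sql = "select username from Users where username = ?";
        return jt.queryForStrings(sql, "username", username);
    }
}

public class PreparedStatementDemo {
    public static void main(String[] args) throws SQLException {
        // Assumption: the H2 driver is on the classpath; the table and rows are constructed test data.
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = conn.createStatement()) {
                st.execute("create table Users(username varchar(64))");
                st.execute("insert into Users values ('kxlzx'), ('admin')");
            }
            UserDao dao = new UserDao(new JdbcTemplate(conn));
            System.out.println(dao.findByUsername("kxlzx"));      // exact match on a normal username
            // A quote-bearing input is bound as one literal string and simply matches no row.
            System.out.println(dao.findByUsername("' or '1'='1"));
        }
    }
}
```

Compare this with the vulnerable DAO above: the SQL text no longer depends on the request at all, so the DB layer can be audited once for every query in the application.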
