Protection against web scripting attacks

Source: Internet
Author: User

Today, web security problems affect the whole security field: SQL injection and cross-site scripting (XSS) are the obvious examples, and network security issues keep growing in importance. Many hosts in China are still exposed to this kind of problem, so this article talks about how to reduce losses by writing secure web programs. Looking at the security threats to web hosts, most of them come from web scripts, so the following discusses how to prevent attacks on them.

1. Many websites now use third-party programs, in part or in whole, to cut development time. This saves time, but it also raises the security risk of the site. If you use a third-party open-source program you must pay attention, because its source code is public and can be found anywhere on the Internet, so it is easy for attackers to download it and hunt for vulnerabilities, and you are therefore more likely to be attacked. A simple example: the well-known Dvbbs (动网) forum is attractive and practical and is used by many forums in China, but it has also had a number of serious vulnerabilities. Take the serious UPFILE vulnerability of the last few days: it lets an attacker upload an ASP Trojan directly, which is terrible. So every time a major vulnerability turns up in Dvbbs, every site that runs the Dvbbs program has that vulnerability too. These last two days I had nothing to do and was browsing around, and I found that the forums on many sites still run Dvbbs 6.0, while the official version is DVBBS 7.0 + SP2; there must be N more vulnerabilities in them.
Solution: use third-party programs as little as possible, or not at all, or only after evaluating them. Also, the administrator should not be lazy: go to the official site regularly and download updates.

2. If you use a self-developed program, note that its input must be strictly filtered; input is the part most exposed to attack. SQL injection and most cross-site scripting attacks are carried out by constructing malformed input that slips past loose filtering; these are the so-called input validation attacks. Understand that every GET or POST request can be used for an input validation attack, but the most vulnerable part is the input fields: typically the login name, password, address, phone number, personal homepage, and the search box. Cookie filtering is easy to overlook. Let's look at the source of BBSXP + SP1; below is part of upface.asp:

...........
<%
Top
If Request.Cookies("username") = empty then error("You have not logged on to the Community")

If Request("menu") = "up" then
Id = Conn.Execute("Select id From [user] where username='" & Request.Cookies("username") & "'")(0)
...........

We can clearly see that the Request.Cookies("username") value is not filtered at all, and there are many other unfiltered places in BBSXP. This lets us submit constructed packets for an injection attack. If cookies are easy to overlook, User-Agent injection is even more unexpected. HTTP/1.1 defines a "User-Agent" header; let's look at a packet:

GET /bbsxp/images/skins/1/T_bg.gif HTTP/1.1
Accept: */*
Referer: http://localhost/bbsxp/Default.asp
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: localhost
Connection: Keep-Alive
Cookie: eremite=0; member_id=1; pass_hash=5140c3b61780e904b05d44f8d3193564; skins=1; ASPSESSIONIDQADBTQQA=AGIPJKACPGNICLMHAFEOBHKA; username=lanker; Userpass=E10ADC3949BA59ABBE56E057F20F883E; onlinetime=2003%2D7%2D9+22%3A20%3A13; addmin=10

"User-Agent" identifies the browser; you often see some form of "Mozilla" in this string, and applications use it to adapt to the peculiarities of each browser. Since the client can send any string it likes in this header, it gives us an opportunity to inject. DVBBS User-Agent injection is the best-known description and example; if you are not familiar with it, refer to the two articles "DVBBS forum vulnerability and intrusion" and "In-depth analysis of DVBBS7 User-Agent injection". This is perhaps what people call packet injection. The following lists the general characters that should be filtered out, such as:

However, for fields that should be purely numeric, it is better to use the conversion functions of the scripting language itself than to filter characters:

For example, ASP scripts can use CInt, CLng, and IsNumeric; PHP scripts can use intval.
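The three points above (the unfiltered cookie in upface.asp, the User-Agent header as an injection channel, and strict numeric conversion instead of character filtering) can be shown together in one runnable example. This is an added example written for this page, not BBSXP or DVBBS code; it uses Python with an in-memory SQLite database and a constructed users table and visit log in place of the ASP and Access originals. The table names, the visit log, and the crafted cookie and User-Agent values are assumptions made for the demonstration.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data (not from the page): a tiny user table in the
    # shape of the BBSXP snippet, plus a visit log that stores User-Agent strings.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "admin"), (2, "lanker")])
    conn.execute("CREATE TABLE visits (id INTEGER PRIMARY KEY, ua TEXT)")
    conn.executemany("INSERT INTO visits (ua) VALUES (?)", [
        ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)",),
        ("Mozilla/5.0 (X11; Linux x86_64)",),
        ("curl/7.0",),
    ])
    return conn


def user_id_vulnerable(conn, cookie_username):
    # Same pattern as upface.asp: the cookie value is pasted into the SQL text,
    # so quote characters in the cookie become part of the query.
    sql = "SELECT id FROM users WHERE username='" + cookie_username + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def user_id_safe(conn, cookie_username):
    # Parameterised query: the value travels separately from the SQL text, so
    # no amount of quoting in the cookie can change the query's structure.
    row = conn.execute("SELECT id FROM users WHERE username=?",
                       (cookie_username,)).fetchone()
    return row[0] if row else None


def visits_by_ua_vulnerable(conn, user_agent):
    # The same mistake with a header that nobody thinks of as "input".
    sql = "SELECT count(*) FROM visits WHERE ua='" + user_agent + "'"
    return conn.execute(sql).fetchone()[0]


def visits_by_ua_safe(conn, user_agent):
    return conn.execute("SELECT count(*) FROM visits WHERE ua=?",
                        (user_agent,)).fetchone()[0]


_INT_RE = re.compile(r"^-?[0-9]{1,9}$")


def parse_int_strict(value):
    # The CInt/CLng/intval idea: a numeric field must be a whole number and
    # nothing else. Anything that is not purely digits is rejected rather than
    # coerced, so "42 OR 1=1" and "1e3" both fail instead of half-parsing.
    if value is None:
        return None
    value = value.strip()
    if not _INT_RE.match(value):
        return None
    return int(value)


def demo():
    conn = make_db()
    # Attacker-controlled header values, constructed for this example.
    evil_cookie = "x' OR id=1 --"   # closes the quote, adds a clause, comments out the rest
    evil_ua = "' OR '1'='1"
    return {
        "cookie_vulnerable": user_id_vulnerable(conn, evil_cookie),  # admin's id, no login needed
        "cookie_safe": user_id_safe(conn, evil_cookie),              # None: no such user
        "ua_vulnerable": visits_by_ua_vulnerable(conn, evil_ua),     # every row matches
        "ua_safe": visits_by_ua_safe(conn, evil_ua),                 # 0
        "int_ok": parse_int_strict(" 42 "),                          # 42
        "int_bad": parse_int_strict("42 OR 1=1"),                    # None
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The safe variants do not filter anything; they simply stop mixing data with SQL text, which is the fix that survives whatever character list you forget to include. The strict integer parser is a boundary check as much as a type check: the length cap rejects values that would overflow a 32-bit column even though they are "numeric".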

For cross-site scripting, where you cannot simply strip "<" and ">", the defence is to convert every angle bracket into the corresponding HTML entity: "<" becomes "&lt;" and ">" becomes "&gt;". Note that all of the input filtering above must be done on the server; client-side validation alone is useless, because it can be bypassed trivially.

With the filtering above in place, is everything fine now? No. Numeric fields in particular still have many ways to produce errors: even if we insist that the data must be numeric, it can still trigger errors (for example, a value outside the range of the column). So the next step is the boundary check. Do not underestimate it; in some cases a failed boundary check will expose your site's absolute path on disk. In general, check Boolean values, numeric ranges, and string lengths.
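The following is an added example, not code from the original article, showing the output encoding and the server-side boundary checks described above in Python. The field names and their limits are assumptions chosen for the demonstration; the encoding goes slightly beyond the text by also converting "&", double quotes and single quotes, which matters when a value is written inside an HTML attribute rather than between tags.

```python
import html
import re


def encode_for_html(text):
    # Output encoding for the "<" / ">" problem in the text. html.escape also
    # converts &, " and ', so the value is safe inside attribute values too.
    return html.escape(text, quote=True)


# Constructed field rules (assumed for this example): each field has a type
# and bounds, and every check runs on the server regardless of what any
# client-side script already did.
FIELD_RULES = {
    "username": {"type": "str", "min_len": 3, "max_len": 16},
    "homepage": {"type": "str", "min_len": 0, "max_len": 128},
    "page":     {"type": "int", "min": 1, "max": 10000},
    "remember": {"type": "bool"},
}

_INT_RE = re.compile(r"^-?[0-9]{1,9}$")


def validate_field(name, raw):
    """Return the canonical typed value for a form field, or raise ValueError."""
    rule = FIELD_RULES[name]
    if raw is None:
        raise ValueError(name + ": missing")
    raw = raw.strip()
    if rule["type"] == "bool":
        # Boolean check: accept only the two literal spellings, nothing "truthy".
        if raw in ("1", "true"):
            return True
        if raw in ("0", "false"):
            return False
        raise ValueError(name + ": not a boolean")
    if rule["type"] == "int":
        # Numeric check, then range check: "5 OR 1=1" and "99999" both fail.
        if not _INT_RE.match(raw):
            raise ValueError(name + ": not an integer")
        number = int(raw)
        if not rule["min"] <= number <= rule["max"]:
            raise ValueError(name + ": out of range")
        return number
    # String check: length bounds only; content is neutralised on output.
    if not rule["min_len"] <= len(raw) <= rule["max_len"]:
        raise ValueError(name + ": bad length")
    return raw


def rejects(name, raw):
    """True if validate_field refuses the value (used to test the rules)."""
    try:
        validate_field(name, raw)
        return False
    except ValueError:
        return True


def render_profile(form):
    # Validate first (type, range, length), then encode at the point of output.
    username = validate_field("username", form.get("username"))
    homepage = validate_field("homepage", form.get("homepage"))
    return ("<p>User: " + encode_for_html(username) + "</p>"
            "<p>Homepage: " + encode_for_html(homepage) + "</p>")


if __name__ == "__main__":
    print(render_profile({"username": "<script>alert(1)</script>", "homepage": ""}))
    print(rejects("page", "5 OR 1=1"), rejects("page", "99999"))
```

Keep validation and encoding as two separate steps: validation decides whether a value is acceptable at all, while encoding makes an accepted value harmless in the particular context (here, HTML text) where it is finally written.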

The last point in programming is to have a proper error-catching mechanism. Whatever language you program in, use its exception handling (try/catch in C# and Java) to capture error information, so that when the program hits an exception or error it terminates cleanly. Do not include system information on the error page.
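As an added illustration of that last point (written for this page, in Python rather than the C# or Java the text names, and not code from any project), the two handlers below wrap the same failing view. The leaky one hands the raw exception text to the browser; the safe one keeps the detail in a server-side log under a reference number and sends the client only that number. The view, its file path and the in-memory log are constructed for the example.

```python
import traceback
import uuid


class ServerLog:
    # Stand-in for the server-side error log (constructed for this example).
    def __init__(self):
        self.entries = []

    def error(self, message):
        self.entries.append(message)


def run_view_leaky(view, request):
    # The anti-pattern: the raw traceback goes to the browser, and with it
    # absolute paths, SQL fragments and stack frames.
    try:
        return 200, view(request)
    except Exception:
        return 500, "<pre>" + traceback.format_exc() + "</pre>"


def run_view_safe(view, request, log):
    # Catch everything, keep the detail server-side under a reference id,
    # and give the client only the reference so support can still find it.
    try:
        return 200, view(request)
    except Exception:
        ref = uuid.uuid4().hex[:8]
        log.error("ref=" + ref + "\n" + traceback.format_exc())
        return 500, "An internal error occurred. Reference: " + ref


def broken_view(request):
    # Constructed view that fails the way a real one does when a data file is
    # missing: the exception message carries the site's absolute path.
    path = "/var/www/bbs/data/" + request["file"]
    raise FileNotFoundError(2, "No such file or directory", path)


def demo():
    log = ServerLog()
    request = {"file": "missing.txt"}
    leaky_status, leaky_body = run_view_leaky(broken_view, request)
    safe_status, safe_body = run_view_safe(broken_view, request, log)
    return {
        "leaky_leaks_path": "/var/www/bbs" in leaky_body,   # True
        "safe_leaks_path": "/var/www/bbs" in safe_body,     # False
        "logged_path": "/var/www/bbs" in log.entries[0],    # True: detail kept server-side
        "statuses": (leaky_status, safe_status),             # (500, 500)
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The reference number is the part people forget: a generic error page with no way to correlate it to the log entry makes debugging slower, which is how detailed error pages end up switched back on in production.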

Summary: I have summarized some experience from my studies, and referenced some books and articles, to help programmers write secure and robust code. If there are any errors, please point them out.

