Some common attack methods and simple defense methods in WEB Development

Source: Internet
Author: User


SQL Injection
The most common attack method is SQL injection: SQL commands are inserted into a web form submission or into the query string of a domain name or page request, so that the server is ultimately tricked into executing malicious SQL. For example, most of the earlier VIP member password leaks at many video websites were caused by query strings submitted through web forms; such forms are particularly vulnerable to SQL injection.
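The following is an added example, not code from the original article: the same login query built once by string concatenation and once with bound parameters, run against a constructed in-memory SQLite table (the names and passwords are made up). The concatenated version lets form input become part of the SQL syntax; the parameterized version always treats it as data.

```python
import sqlite3

# Constructed sample data: an in-memory table standing in for a site's member table.
# Real systems store password hashes, never plaintext; plaintext is used here only to keep the query short.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "pa55w0rd")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Builds the statement by concatenation: whatever the form contains is parsed as SQL."""
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    """Parameterized query: the driver binds the values, so they cannot change the statement."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def demo():
    conn = make_db()
    # A tautology typed into the password field, the classic form-based injection test input.
    # Concatenated, the WHERE clause becomes: name = 'nobody' AND password = '' OR '1'='1'
    tautology = "' OR '1'='1"
    return {
        "vulnerable": login_vulnerable(conn, "nobody", tautology),  # every row comes back
        "safe": login_safe(conn, "nobody", tautology),              # no row matches
        "legit": login_safe(conn, "alice", "s3cret"),               # normal login still works
    }


if __name__ == "__main__":
    print(demo())
```

The fix is not escaping quotes by hand but keeping query structure and data separate, which is what the `?` placeholders do; every mainstream database driver offers the same mechanism.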

Cross-Site Scripting (XSS)
Cross-site scripting (XSS) exploits a website vulnerability to steal a user's information maliciously.

File Inclusion
When writing source code, developers like to put reusable code in a single file and include it from other files where it is needed; the code in the included file is then interpreted and executed. When the file name passed to the inclusion function is not filtered, a client can submit a maliciously constructed path and have the server interpret and execute that file. In a file inclusion attack, the web server's source code contains a file inclusion function such as include(), and the fact that the submitted file path can be constructed from the client is the main reason the attack succeeds.

Code Execution
A remote command execution vulnerability lets commands submitted through a browser be executed on the server. Because the server side does not filter what is passed to the execution functions, and commands can be run without an absolute path, an attacker may get maliciously constructed code executed by changing $PATH or other aspects of the program's execution environment.

File Upload
An upload vulnerability lets an attacker obtain a WEBSHELL directly, so its severity is high, and upload vulnerabilities are still common today.
The cause is that the code does not check the data submitted by the visitor, or does not filter it strictly, so modified data can be submitted directly to bypass the file extension check.

Information Leakage
80% of security threats come from within the enterprise, and nearly 60% of people who resign or are dismissed take enterprise data with them when they leave. Hackers also steal important information by an endless variety of technical means; this has become a huge threat to information security.

Permissions and Access Control
A technique that limits a user's access to certain information items, or the use of certain control functions, based on the user's identity and the group the user belongs to; the UniNAC network access control system, for example, is based on this technique. Access control is usually used by the system administrator to control users' access to network resources such as servers, directories, and files.

Cross-Site Request Forgery (CSRF)
Cross-site request forgery, also known as one-click attack or session riding and usually abbreviated CSRF or XSRF, is an attack in which unauthorized operations are performed on a web application the victim is currently logged on to. Compared with cross-site scripting (XSS): XSS exploits the user's trust in a given website, while CSRF exploits the website's trust in the user's web browser.
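Because the browser sends the session cookie with every request, a state-changing form needs proof that the request came from a page the site itself served. The synchronizer token below is an added example, not code from the original article; it assumes the application has a session identifier available and keeps a server-side secret (constructed here at start-up) that never reaches the browser.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; in a real deployment load it from configuration, never commit it.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Token = random nonce + HMAC(secret, session_id:nonce). Rendered into the form as a hidden field."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for the *current* session and compare in constant time.
    A token minted for another session, or forged without the secret, fails."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_transfer(session_id: str, form: dict):
    """A state-changing handler: the cookie alone is not enough, the form must carry a valid token.
    A cross-site page can make the browser send the cookie, but it cannot read or forge the token."""
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403, "CSRF check failed"
    return 200, f"transferred {form['amount']}"


if __name__ == "__main__":
    tok = issue_csrf_token("sess-A")
    print(handle_transfer("sess-A", {"csrf_token": tok, "amount": "10"}))
    print(handle_transfer("sess-A", {"amount": "10"}))
```

Binding the token to the session id is what makes a token harvested from one user useless against another; setting the session cookie with the SameSite attribute adds a second, independent layer.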

Path Traversal
Path traversal is very common. In web application programming, the passed-in parameters are not deliberately filtered or removed, or the filtering method used is itself risky.
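The "risky filtering method" is usually a string check such as stripping `../` or testing a prefix. The function below is an added example, not code from the original article: it resolves the requested name under a base directory on the real filesystem and rejects anything whose resolved path leaves that directory, which also catches symlinks and look-alike sibling directories. The directory layout it builds in a temporary folder is constructed for the demonstration.

```python
import os
import tempfile
from typing import Optional


def resolve_in_base(base_dir: str, user_path: str) -> Optional[str]:
    """Return the real path of user_path inside base_dir, or None if it escapes."""
    base = os.path.realpath(base_dir)
    # Strip leading slashes so an absolute request cannot replace base_dir outright.
    candidate = os.path.realpath(os.path.join(base, user_path.lstrip("/\\")))
    # commonpath, not startswith: "/data/www/templates2" must not pass for base "/data/www/templates".
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def make_demo_tree() -> str:
    """Constructed layout: a templates directory with one real template and a symlink pointing outside it."""
    root = tempfile.mkdtemp(prefix="webroot-")
    templates = os.path.join(root, "templates")
    os.mkdir(templates)
    with open(os.path.join(templates, "header.tpl"), "w") as f:
        f.write("<h1>site</h1>")
    os.symlink(root, os.path.join(templates, "escape"))  # a symlink left behind by mistake
    return templates


def demo() -> dict:
    templates = make_demo_tree()
    return {
        "plain": resolve_in_base(templates, "header.tpl") is not None,          # normal request
        "nested": resolve_in_base(templates, "sub/../header.tpl") is not None,  # stays inside
        "dotdot": resolve_in_base(templates, "../../../../etc/passwd"),         # None
        "symlink": resolve_in_base(templates, "escape/secret.conf"),            # None: realpath follows the link
        "sibling": resolve_in_base(templates, "../templates2/x.tpl"),           # None: prefix look-alike
    }


if __name__ == "__main__":
    print(demo())
```

Call it after the web framework has URL-decoded the parameter exactly once; decoding again inside the check would reintroduce double-encoding problems.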

Design Error
Logic errors in the development of business processes.

Configuration Error
Leakage of key information due to configuration errors.

File Reading
Command Execution
File Download
Weak Password
File Creation
Authorization Problems
Other types (sensitive file leakage, variable coverage, server/WEB environment, language vulnerabilities, etc)

1. Avoid weak passwords in system management
2. Server SSH security configuration
# View successful logon records; page with the space bar, quit with q
Shell> last | less

# View failed logon records
Shell> lastb | less

(1) Modify the SSH service port
Edit the SSH configuration file and change the listening port to a value greater than 10000; use your imagination:
Shell> vi /etc/ssh/sshd_config
# Specify the port number
Port 22345
Modify the iptables software firewall so that the rule for the default port 22 allows the specified port instead:
# You can also use setup to configure the iptables software firewall
Shell> vi /etc/sysconfig/iptables
# Restart iptables, or use service iptables restart
Shell> /etc/init.d/iptables restart
Note: After changing the SSH or FTP port, test a new connection immediately, so that a mistake does not leave you unable to reconnect to the host once the current connection is closed.

(2) Prohibit remote logon to the root account
Changing the default port already blocks about 99% of malicious scans (from personal observation). Next, disable direct remote root logon; if you analyze the scan logs, the root account is always at the top of the list:
Shell> vi /etc/ssh/sshd_config
# Prohibit root account logon
PermitRootLogin no
Create a normal account. When a remote connection is needed, log on with the normal account first and then su - to root. Put some effort into choosing an unusual username for the ordinary account, and rule out names like admin first:
Shell> useradd yaoniming3000
Shell> passwd yaoniming3000
Log on to the server with the normal account and switch with su -:
# Note the minus sign after su: it also switches the environment variables
Shell> su -
As before, test a new connection immediately after the change, so that you are not locked out of the host.

(3) Restrict logon to specific IP addresses or a VPN
If conditions allow, we strongly recommend configuring remote logon to the server so that it is permitted only from a specific IP segment or through a VPN.
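A small compliance check for steps (1) and (2) above, added here and not part of the original article: it parses sshd_config text and reports when the listening port is still 22 (or not above 10000) and when PermitRootLogin is anything other than an explicit no. The two configuration fragments are constructed samples, not copies of a real /etc/ssh/sshd_config, and the parser assumes there are no Match blocks, which sshd scopes separately.

```python
from typing import Dict, List

# Constructed sshd_config fragments: before and after the hardening described in the text.
WEAK_CONFIG = """\
# shipped defaults (constructed sample)
Port 22
PermitRootLogin yes
"""

HARDENED_CONFIG = """\
# moved above 10000, root logon disabled (constructed sample)
Port 22345
PermitRootLogin no
"""


def parse_sshd_config(text: str) -> Dict[str, List[str]]:
    """Collect keyword -> list of values. Keywords are case-insensitive; a line starting with '#' is a comment.
    Assumption: no Match blocks (those would need per-block handling)."""
    settings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), []).append(parts[1].strip())
    return settings


def audit_sshd(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the two checks pass."""
    settings = parse_sshd_config(text)
    findings: List[str] = []
    # sshd listens on 22 when no Port directive is present at all
    for port in settings.get("port", ["22"]):
        if port == "22":
            findings.append("SSH still listens on the default port 22")
        elif not port.isdigit() or int(port) <= 10000:
            findings.append(f"Port {port} is not above 10000")
    # sshd honours the first occurrence of a keyword; require an explicit 'no'
    root = settings.get("permitrootlogin", [None])[0]
    if root is None:
        findings.append("PermitRootLogin not set; relying on the build default")
    elif root.lower() != "no":
        findings.append(f"PermitRootLogin is '{root}', remote root logon still possible")
    return findings


if __name__ == "__main__":
    print("weak:", audit_sshd(WEAK_CONFIG))
    print("hardened:", audit_sshd(HARDENED_CONFIG))
```

Run it against the real file with `audit_sshd(open("/etc/ssh/sshd_config").read())` after each edit and before closing the session that made the change.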

3. Disable sensitive PHP functions
Many Trojans and server attacks rely on PHP's built-in sensitive functions, so disable them in the configuration file. Some candidate functions are listed below; configure them as needed:
Shell> vi /etc/php.ini
disable_functions = exec, shell_exec, system, popen, escapeshellcmd, escapeshellarg, gzuncompress, proc_open, proc_get_status, show_source, gzinflate, phpinfo
Restart the web service for the change to take effect.


4. Restrict the execution directory of PHP scripts
If the website is unfortunately implanted with a Trojan, limiting the directories a PHP script may access prevents the Trojan from browsing the operating system's files and causing greater damage. There are two approaches:
Shell> vi /etc/php.ini
open_basedir = /data/www/:/tmp/
Or restrict the directories PHP may execute from in the NGINX configuration file.

5. Enable access Logging

6. MySQL security configuration
(1) Security of the data directory and data files
Set the MySQL data directory to mode 700, so that only the user who starts the database can read and write the database files; this protects the local data files.
Shell> chmod 700 /www/mysql
Set the MySQL log directory to mode 770, so that only the database user and members of its group can view the logs:
Shell> chmod 770 /var/log/mysql

(2) Security of local history files
Some users log on to or back up the database locally for convenience, and sometimes put the database password directly in the command line parameters, such as:
Shell> mysql -uroot -ptest
Shell> mysqldump -uroot -ptest test > test.sql
These commands are recorded by the shell in its history file; bash, for example, writes .bash_history in the user's home directory. If that file is read by someone else, the database password leaks. So do not put the password after -p when logging on or backing up from the shell; enter it at the password prompt instead.
In addition, the SQL statements a user runs after logging on to the database locally are recorded by MySQL in the .mysql_history file in the user's home directory. If the database user changes the database password with an SQL statement, .mysql_history leaks it as well. If necessary, do the following:
Shell> rm ~/.bash_history ~/.mysql_history
Shell> ln -s /dev/null ~/.bash_history
Shell> ln -s /dev/null ~/.mysql_history

(3) Database account configuration
Do not manage the CmsTop database directly with the database root account, and configure the root account to allow connections only from localhost.

Set a separate user, password, and connection restrictions for each database. If you are not familiar with SQL, you can use the phpMyAdmin graphical web interface for configuration.
mysql> select user, host from mysql.user;
+------+-----------+
| user | host      |
+------+-----------+
| root | localhost |
+------+-----------+

(4) Internet access to the database
Generally a database does not need to be reached from the Internet, so do not configure a public IP address or open a public port for it. When the database is separated from the application, connect over an intranet IP address.

(5) phpMyAdmin access control
When using phpMyAdmin for database management, do not put its directory under the CmsTop system directory just for convenience.
You can configure a separate domain name for access and leave it out of public DNS, so that it cannot be reached directly from the Internet.

7. Trojan check
If the website is infiltrated or infected with Trojans for some reason, the following simple methods can help you find the problem quickly. You can also contact our technical support staff for troubleshooting.
(1) Check the template files
Trojans are usually embedded in template files and run when a dynamic script loads the template. Such code generally has to receive external parameters, so a basic check can be done with the following three commands:
Shell> grep -rl "_REQUEST" templates/
Shell> grep -rl "_POST" templates/
Shell> grep -rl "preg_replace" templates/

(2) Check the executable PHP directories
The executable PHP directories include public/app, public/mobile, public/wap, and so on. The same command is used to look for Trojan code; since there are too many Trojan variants, no detailed example is given, and the search string below is a placeholder for the pattern you are looking for:
Shell> grep -rl "<signature string>" public/app

(3) Regularly check the access log files

Intrusions usually come in through the front-end dynamic domain name. The following command groups and sorts the URLs in the access log for analysis:
# View the most-requested URLs among the last 10000 lines
Shell> cat /var/log/httpd/app.domain-access_log | tail -10000 | awk '{print $7}' | sort | uniq -c | sort -nr | less
If you have multiple web servers, check each of them separately.
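The same grouping as the awk pipeline above, as an added example that is not part of the original article, written so that it also groups by client address and singles out requests that hit the template directory directly, which ties the log check back to the template check in (1). The log lines are constructed in Apache combined format and are not real traffic; the `/templates/` prefix is assumed to be the directory that should never be requested directly.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed access-log lines (Apache combined format); field 7, like awk's $7, is the request path.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0800] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:40 +0800] "GET /about.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:56:01 +0800] "POST /templates/footer.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:56:02 +0800] "POST /templates/footer.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2023:13:56:10 +0800] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:56:15 +0800] "POST /templates/footer.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:56:20 +0800] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:56:31 +0800] "POST /templates/footer.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2023:13:57:02 +0800] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:57:09 +0800] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

PATH_FIELD, CLIENT_FIELD, STATUS_FIELD = 6, 0, 8  # zero-based indexes of $7, $1, $9


def top_field(lines: List[str], index: int, limit: int = 10000, n: int = 10) -> List[Tuple[str, int]]:
    """Equivalent of: tail -<limit> | awk '{print $<index+1>}' | sort | uniq -c | sort -nr | head -<n>"""
    counter: Counter = Counter()
    for line in lines[-limit:]:
        fields = line.split()
        if len(fields) > index:
            counter[fields[index]] += 1
    return counter.most_common(n)


def top_urls(lines: List[str], **kw) -> List[Tuple[str, int]]:
    return top_field(lines, PATH_FIELD, **kw)


def top_clients(lines: List[str], **kw) -> List[Tuple[str, int]]:
    return top_field(lines, CLIENT_FIELD, **kw)


def direct_hits(lines: List[str], prefixes: Tuple[str, ...] = ("/templates/",)) -> Dict[Tuple[str, str], int]:
    """Count (client, path) pairs for requests to paths that browsers should never request directly.
    A template file being POSTed to repeatedly is exactly what the template check in (1) is looking for."""
    hits: Dict[Tuple[str, str], int] = {}
    for line in lines:
        fields = line.split()
        if len(fields) <= STATUS_FIELD:
            continue
        path = fields[PATH_FIELD]
        if path.startswith(prefixes):
            key = (fields[CLIENT_FIELD], path)
            hits[key] = hits.get(key, 0) + 1
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("top urls:", top_urls(lines))
    print("top clients:", top_clients(lines))
    print("direct template hits:", direct_hits(lines))
```

On a real server read the file with `open("/var/log/httpd/app.domain-access_log").readlines()` and keep the `limit` of 10000 lines; the counts are only meaningful per server, so run it on each web server separately as the text says.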


