Summary of web code security issues

Last Update:2013-11-20 Source: Internet

Author: User

Tags access database security

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

1. Database Security

1. MSSQL database security

L sa-level users are not allowed to connect to the database on the web.

Solution:

Delete the sa user and create a new user with the sa permission. the user name and password are as complex as they are. To prevent brute-force cracking.
Create a web connection user, remove all server roles, and add the database and db_public identity to the user ing.
If you need other operations, add additional permissions (for example, add insert/delete/select/update only ).
No one can guarantee that the code they write is free of vulnerabilities. You only need to process it at the database layer to prevent intrusion. If you have the same SQL Injection db_public identity, you can add/modify/delete permissions to the database. Therefore, you must not have the SQL injection vulnerability.
If it can defend against SQL injection and permission restrictions, it is very difficult to create a storm Library/cross-database image.

2. Access Database Security

Solution:

Anti-Riot Database: add error handling code when connecting to the database. If the database connection fails, an error message or redirection is prompted. The system itself cannot prompt an error message,
Download prevention.

U Step 1: Create a new table.

U Step 2: create a field in the table with a random name and an OLE object of the type. Then, use ASP code to add a record to the field and write the single-byte "<%" code: insert into tablename (fieldname) value (chrB (asc ("<") & chrB (asc ("% "))).

U Step 3: Change the database name to *. ASP

The safest way is to use an ODBC data source for connection.

2. web code security

1. Small vulnerabilities in file backup.

Some ASP editors will automatically back up asp files and change their names *. in this way, the vulnerability will be downloaded. Do not change the name of the asp file *. txt /. bak/, etc. Be sure to keep the extension unchanged (*. asp), do not upload backup files when uploading to the site.

2. Prevents SQL injection.

SQL injection is mainly used to generate a threatening SQL statement without filtering single quotes.

Such as: http://www.livexy.com/view.asp? Id = 100 if there is SQL Injection we can write this: http://www.livexy.com/view.asp? Id = 100; delete * from tablename; select * from aaa where when running in the background; delete * from tablename

Here, we would like to remind you not to think that. net is safe and there will be no SQL injection. If the SQL injection vulnerability exists in all database operations. Both software and websites exist.

Solution:

Filter illegal characters received at the beginning of the page, such as exec/delete/insert into/update/'. Here, filtering does not mean to filter invalid characters into empty strings, it filters out similar characters. Or, if an invalid character exists, go to the error handling page. Here is an example of what will happen if exec is filtered as an empty string. If exexecec exexexexexexexec exists in the string, What is it after filtering or exec. I will not talk about it here. Everyone understands it.
If the receiving parameter is numeric, you must first determine the data type to prevent other errors. Often, the source of hacker information is the page error information.
If the parameter is character type, you must filter the single quotation marks in the string as double quotation marks or other characters.

Here is an example: Our code is usually written in this way. select * fromaaa where bbb = '"+ sVal +"' "seems to be correct on the surface, however, this sentence contains SQL injection. Why? See: The sVal value is the data submitted externally. If the sVal value is aaa'; delect * from bbb; -- it is written together: select * from aaa where bbb = 'aaa'; delect * from bbb; -- 'where --' is the comment.

Using DbParameter is much more than splicing SQL statements.

3. logon vulnerability.

Solution:

Filter invalid strings
SQL statement select passwordfrom user where username = '"+ sqlstr (sUser) +"' "where sqlstr () is used to filter invalid string functions, and sUser is the character entered in the user Name text box. Then, determine whether the password in the database is consistent with the password entered.
Principle: The user name finds the user's record in the database and compares it with the password. Do not use "select * from user where username = '" + sqlstr (sUser) + "and password ='" + sqlstr (sPass) + '', and then judge whether it is null." This method.

4. Save the file as a protection File

Solution:

<NOSCRIPT> <IFRAMESRC = "*. html"> </IFRAME> </NOSCRIPT>

It is not perfect to prevent others from downloading the website's HTML code.

5. Anti-embed

Solution:

<Script> if (self! = Top) {top. location = self. location ;}</script>

Prevent others from Embedding our website, and then do some work. For example, record the keyboard and monitor the input data.

6. prevents local data submission

Solution:

When saving data, the first step is to determine the source. If data is not submitted from the specified source, an error message is displayed.
Step 2: Filter invalid characters for submitted data.
Step 3: Save the data to the database. Make sure to handle errors when saving the data.

7. Unlimited refresh Protection

Solution:

This is hard to do. Of course there are also many methods.
1. Create a badge on the server
2. Add access log information to the code and analyze the log information to determine the access frequency of the same person.
3. Use js to operate cookies to record access log information and determine the access frequency. This method does not occupy server resources.

8. Unlimited data submission/ajax automatic data submission

Solution:

The verification code and submission time (for example, sending messages in different types) are added.

9. Defense Against js Code

Solution:

It is difficult to filter all js Code. js attack vulnerabilities account for the majority. Javascript is also a strange way to write. Here I am sending some offensive html code. These are common, and each of them is written differently. Single quotation marks and double quotation marks are different/case-insensitive/sorted in different order, tab and space are different, Html tags are different, events are different, and styles are different.
<P style = "BACKGROUND: url (java script: alert ('000000')"> test </P>
<Body>
<STYLE> div {behavior: url ("htc. js") ;}; <style>
<STYLE> body {oMouseOut: eXpreSsIon (onclick = function () {alert ('000000') ;}< style>
<STYLE> body {background: url (JAVASCRIPT: alert ('000000');} <style>
<STYLE> @ import "JAVASCRIPT: alert ('000000')"; <style>
<Link href = "JAVASCRIPT: alert ('000000')" rel = "stylesheet"/>
<Script src = hk. js> </script>
<Pstyle = "BACKGROUND: url (JAVASCRIPT: document. write ('<scriptsrc = hk. js> </script>')"> test </P>
<Iframe src='hk1.html '> </iframe>

10. Prevent Cookie counterfeiting

Solution:

Do not store password information in cookies
When using data in cookies, you must re-read the data from the database. Then compare. Prevent Cookie tampering.
Cookie data needs to be encrypted

11. Buffer Overflow

Solution:

Do not open useless software on the server.
In the code running on the server, a pair must be released.
In the js/vbs/activex/flash code running on the client, the dom object used must be released at the end.

12. Others

Browser protection plug-in
Modify the security options of IE to disable or prompt the running of "active script" and ActiveX.
Or set the security level to high in IE security settings. The privacy option is also set to high.

Iii. Server Security

Disable useless ports
Download patches/update operating systems
Install anti-virus software
Install firewall
If there are multiple sites on the server and each site is assigned permissions, each site cannot operate other files and directories or affect other sites.

Note: As we all know above, why are there so many vulnerabilities. Sometimes my colleagues and I often talk about some difficult things. Do I often say that single quotes are filtered out? The answer is filtered out. I also said that I should reply to me again, all the answers are still filtered out. This reflects a problem that everyone understands. It is a habit to write code using select * from aaa where bbb = '"+ sVal +. In fact, I often make this mistake, so it is especially mentioned here. This is a heavy lifting.

The above are all nonsense and I hope it will be helpful to anyone who has read this article. If you are not writing enough, please add some emails to me to learn together

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More