Web Code Security Question Summary
I. Database Security
1. MSSQL database security
- Do not let sa-level users connect to the database from the web application.
Solution:
- Delete the sa user and create a new user with sa-level permissions; make the user name and password as complex as possible to resist brute-force cracking.
- Create a separate user for the web connection, remove all server roles from it, and give it only the public role (db_public) in the application database.
- If other operations are needed, add the extra permissions individually (for example, grant only insert/delete/select/update).
- No one can guarantee that the code they write is free of vulnerabilities, so restrict what the database layer allows in order to contain an intrusion. Even with only the db_public identity, SQL injection can still add, modify and delete data in the database, so you must still not have SQL injection vulnerabilities.
- With SQL injection defended against and permissions restricted, database disclosure and cross-database access become very difficult.
2. Access Database Security
Solution:
- Prevent database disclosure: add error handling code where the database connection is opened. If the connection fails, display your own error message or redirect; never let the system display its own error message, which would reveal the database path.
- Prevent database download:
  - Step 1: create a new table.
  - Step 2: in that table create a field with a random name and type OLE Object, then use ASP code to insert a record that writes the single-byte string "<%" into that field: insert into tablename (fieldname) values (chrb(asc("<")) & chrb(asc("%"))). The unterminated "<%" makes ASP fail to parse the file instead of serving it.
  - Step 3: rename the database file to *.asp.
- The safest approach is to connect through an ODBC data source, so the database path does not appear in the code.
II. Web Code Security
1. Small vulnerabilities in file backup.
Some ASP editors automatically back up ASP files under a different extension, and such backup copies can then be downloaded as plain text, exposing the source. Do not rename ASP files to *.txt, *.bak or similar; keep the extension unchanged (*.asp), and do not upload backup files when publishing to the site.
2. Prevents SQL injection.
SQL injection mainly arises when single quotation marks are not filtered, so that user input can form a threatening SQL statement.
For example, given http://www.livexy.com/view.asp?id=100, if SQL injection exists one can write http://www.livexy.com/view.asp?id=100; delete * from tablename, and the back end then runs: select * from AAA where id = 100; delete * from tablename
Do not assume that .NET is safe and has no SQL injection. SQL injection can exist in any database operation, in software and websites alike.
Solution:
- Filter illegal characters in the received parameters at the start of the page, such as exec, delete, insert into, update and the single quotation mark. Filtering here does not mean replacing the illegal characters with an empty string; rather, reject the input, or redirect to the error handling page, when an illegal string is present. Consider what happens if exec is filtered by replacing it with an empty string: if the string contains exexecec, the result after filtering is still exec. There is no need to say more; everyone understands.
- If the received parameter is numeric, first check its data type to prevent other errors. Page error messages are often the hacker's source of information.
- If the parameter is a character type, replace the single quotation marks in the string with double quotation marks or other characters.
- Here is an example. Our code is usually written like this: "select * from AAA where BBB = '" + sval + "'". On the surface it looks correct, but it contains SQL injection. Why? sval is data submitted from outside. If sval is aaa'; delete * from BBB; -- then the assembled statement becomes: select * from AAA where BBB = 'aaa'; delete * from BBB; --' where -- begins a comment, so the trailing quote is ignored.
- Using database parameters (DbParameter) is much safer than splicing SQL statements.
3. logon vulnerability.
Solution:
- Filter invalid strings
- SQL statement: "select password from user where username = '" + sqlstr(suser) + "'" where sqlstr() is the function that filters invalid strings and suser is the text entered in the user name box. Then check whether the password read from the database matches the password entered.
- Principle: look up the user's record in the database by user name, then compare the password in code. Do not use "select * from user where username = '" + sqlstr(suser) + "' and password = '" + sqlstr(spass) + "'" and then test whether the result is empty.
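The following is an added example, not code from the original article, covering sections 2 and 3 above: the "exexecec" weakness of a replace-with-empty filter, the numeric check, the spliced query run against the article's own injected value, the parameterized form, and the look-up-by-user-name-then-compare login check. It uses SQLite in memory with constructed sample tables (aaa, bbb, user) in place of the MSSQL/ASP setup the article assumes; the injected value is written as valid SQL ("delete from" rather than "delete * from").

```python
import sqlite3

# Constructed sample data; the injected value is the article's own example,
# written as valid SQL ("delete from" instead of "delete * from").
INJECTED = "aaa'; delete from bbb; --"
BLACKLIST = ("exec", "delete", "insert into", "update", "'")

def strip_once(value, word="exec"):
    """Naive filter that replaces the word with '' (the article's 'exexecec' case)."""
    return value.replace(word, "")

def contains_blacklisted(value):
    """Rejecting filter: True if any blacklisted token is present, case-insensitive."""
    low = value.lower()
    return any(w in low for w in BLACKLIST)

def parse_id(raw):
    """Check a numeric parameter before it reaches SQL instead of letting the DB error out."""
    if not raw.isdigit():
        raise ValueError("id must be a non-negative integer")
    return int(raw)

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "create table aaa(bbb text); create table bbb(x int); insert into bbb values (1), (2);"
        "create table user(username text, password text); insert into user values ('bob', 's3cret');"
    )
    return conn

def count_bbb(conn):
    return conn.execute("select count(*) from bbb").fetchone()[0]

def query_concat(conn, sval):
    # Vulnerable: string splicing; executescript runs every statement in the text,
    # so the injected DELETE executes and the trailing -- comments out the closing quote.
    conn.executescript("select * from aaa where bbb = '" + sval + "'")
    return count_bbb(conn)

def query_param(conn, sval):
    # Safe: the value is bound as a parameter and never parsed as SQL.
    rows = conn.execute("select * from aaa where bbb = ?", (sval,)).fetchall()
    return count_bbb(conn), rows

def login_ok(conn, suser, spass):
    # Look up the record by user name only, then compare the password in code,
    # rather than putting both values into one WHERE clause and testing for null.
    row = conn.execute("select password from user where username = ?", (suser,)).fetchone()
    return row is not None and row[0] == spass
```

After query_concat the bbb table is empty, while query_param leaves it untouched and simply finds no matching row.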
4. Preventing "Save As"
Solution:
- <noscript><iframe src="*.html"></iframe></noscript>
This is not a complete way to prevent others from downloading (saving) the site's HTML code.
5. Prevent embedding (framing)
Solution:
- <script>if (self != top) { top.location = self.location; }</script>
This prevents others from embedding our site in their own page and then, for example, recording keystrokes and monitoring the data entered.
6. prevents local data submission
Solution:
- Step 1: when saving data, first check the source of the submission; if the data was not submitted from the specified page, display an error message.
- Step 2: filter illegal characters from the submitted data.
- Step 3: save the data to the database, making sure to handle errors during the save.
7. Unlimited refresh Protection
Solution:
- This is hard to do completely, but there are several methods:
- 1. Set a marker on the server side.
- 2. Add access logging to the code and analyze the logs to determine how often the same visitor accesses the page.
- 3. Use JavaScript to record access information in cookies and determine the access frequency there; this method does not consume server resources.
8. Prevent unlimited data submission / automatic submission via Ajax
Solution:
- Add a verification code (CAPTCHA) and check the submission time (for example, when sending messages).
9. Defense against JS code (XSS)
Solution:
- It is difficult to filter all JS code, and JS-based attacks account for the majority of vulnerabilities; JavaScript can also be written in many strange ways. Below are some common examples of attack HTML. Each is written differently: single versus double quotation marks, upper versus lower case, different ordering, tab versus space, different HTML tags, different events, and different styles.
- <P style="Background: URL(Java Script: Alert('000000'))">test</P>
- <Body>
- <Style> Div {behavior: URL("HTC.js");}; </Style>
- <Style> body {onmouseout: expression(onclick = function() {alert('000000');})} </Style>
- <Style> body {Background: URL(javascript: Alert('000000'));} </Style>
- <Style> @import "javascript: Alert('000000')"; </Style>
- <Link href="javascript: Alert('000000')" rel="stylesheet"/>
- <SCRIPT src=HK.js></SCRIPT>
- <P style="Background: URL(javascript: Document.Write('<SCRIPT src=HK.js></SCRIPT>'))">test</P>
- <IFRAME src='hk1.html'></iframe>
10. Prevent cookie counterfeiting
Solution:
- Do not store password information in cookies.
- When using data from a cookie, re-read the corresponding data from the database and compare it, to prevent cookie tampering.
- Cookie data should be encrypted.
11. Buffer Overflow
Solution:
- Do not open useless software on the server.
- In code running on the server, every object that is allocated must be released.
- In JS/VBS/ActiveX/Flash code running on the client, the DOM objects used must be released at the end.
12. Others
- Browser protection plug-in
- Change IE's security options to disable, or prompt before, running "active scripting" and ActiveX controls.
- Or set the security level to High in IE's security settings, and set the privacy option to High as well.
III. Server Security
- Disable useless ports
- Download patches/update operating systems
- Install anti-virus software
- Install firewall
- If multiple sites run on the server, assign permissions per site so that no site can operate on another site's files and directories or otherwise affect other sites.
Note: given all of the above, why are there still so many vulnerabilities? My colleagues and I often discuss these tricky points. When I ask "do you filter single quotes?", the answer is always "filtered". When I ask again, the answer is still "filtered". This reveals a problem everyone understands: it is a habit to write code as select * from AAA where BBB = '"+ sval +... . In fact I often make this mistake myself, which is why it is singled out here. This is the most important point.
All of the above is just my rambling; I hope this article is of some help. If anything is lacking, please email me so we can learn together. (End)
2006-12-15 to 2006-12-17
Email: cexo255@163.com
MSN: cexo255@hotmail.com