The 12th chapter of the "White hat Talk web security" Study Note web framework Security

Source: Internet
Author: User

Chapter 12 Web Framework Security

12.1 MVC Framework Security

In the Spring framework, Spring Security can be used to strengthen the security of the system.

12.2 Template Engine and XSS Defense

12.3 Web Framework and CSRF Defense

To defend against CSRF in an MVC framework:

- Bind the token to the Session. If the token cannot be stored in a server-side Session (for example a database-backed one), keep it in a Cookie instead.

- Automatically fill the token into a hidden field of every form.

- Encapsulate the token in Ajax requests (for example as a request header).

- On the server side, compare the token submitted with the POST against the token bound to the Session, and reject the request when they differ.

- Use POST for requests that change state, as far as possible.
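The five steps above, as an added example that is not part of the original notes or of any framework: an in-memory session store stands in for the server-side Session, the form and Ajax helpers auto-fill the token, and the check compares in constant time. The names (SESSIONS, _csrf, X-CSRF-Token) are assumptions for the example.

```python
import hmac
import secrets
from html import escape

# Constructed in-memory session store standing in for the framework's server-side
# Session; a real framework would back this with a database or cache.
SESSIONS = {}


def get_csrf_token(session_id):
    """Return the CSRF token bound to this session, creating it on first use."""
    session = SESSIONS.setdefault(session_id, {})
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def render_form(session_id, action):
    """Auto-fill the hidden token field, as the framework would do for every form."""
    token = get_csrf_token(session_id)
    return (f'<form method="POST" action="{escape(action)}">'
            f'<input type="hidden" name="_csrf" value="{escape(token)}">'
            '</form>')


def ajax_headers(session_id):
    """Token encapsulated in a request header for Ajax (XMLHttpRequest/fetch) calls."""
    return {"X-CSRF-Token": get_csrf_token(session_id)}


def check_csrf(session_id, method, form=None, headers=None):
    """Server-side check: the request may proceed only if the submitted token
    matches the one bound to the session. Returns True to allow, False to reject."""
    if method in ("GET", "HEAD", "OPTIONS"):
        # Safe methods are not checked; this is why state changes must use POST.
        return True
    session = SESSIONS.get(session_id)
    if not session or "csrf_token" not in session:
        return False
    submitted = (form or {}).get("_csrf") or (headers or {}).get("X-CSRF-Token")
    if not submitted:
        return False
    # Constant-time comparison so the check itself does not leak the token byte by byte.
    return hmac.compare_digest(submitted, session["csrf_token"])
```

Because GET is skipped, any handler that changes state on GET bypasses the check entirely; that is the reason the last bullet insists on POST.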

12.4 HTTP Headers Management

The MVC framework should also manage the HTTP headers it writes into responses, because a user-controlled value that reaches a header can inject new header lines (CRLF injection).

The countermeasure against CRLF injection therefore only needs to encode every \r and \n in the header "value". Encoding \r\n in the "key" is not discussed because it is extremely dangerous to let the user control the "key"; that should not be allowed under any circumstances.
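The rule above in code, as an added example rather than the notes' own: CR, LF and NUL in a header value are percent-encoded, while a header name that contains them (or other separator characters) is rejected instead of being repaired. The function names and the percent-encoding are assumptions for the example.

```python
def encode_header_value(value):
    """Encode CR, LF and NUL so that a value can never start a new header line.

    Only the line-breaking characters are touched, matching the advice to
    encode \\r\\n in the header "value" and leave the rest alone.
    """
    return (str(value)
            .replace("\r", "%0D")
            .replace("\n", "%0A")
            .replace("\0", "%00"))


def set_header(headers, name, value):
    """Append (name, value) to a response header list.

    The name is expected to come from code, never from user input: a name
    containing CR, LF, ':' or whitespace is refused outright rather than encoded.
    """
    if not name or any(c in name for c in "\r\n:\0 \t"):
        raise ValueError(f"refusing to set header with unsafe name: {name!r}")
    headers.append((name, encode_header_value(value)))
    return headers


def serialize(headers):
    """Render the header list the way it would go on the wire, one line per header."""
    return "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n"


if __name__ == "__main__":
    # Constructed attacker input: tries to smuggle a Set-Cookie line through a value.
    h = set_header([], "Content-Language", "en\r\nSet-Cookie: sid=attacker")
    print(serialize(h))
```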

The framework also needs to manage the destination address of redirects (jumps). In general this can be done in two places:

- If the web framework provides a unified redirect function, a whitelist can be implemented inside that function, so that the specified destination can only be an address on the whitelist.

- Another way is to control the Location field of the HTTP response, restricting its value to the permitted addresses. This has the same effect and is essentially also a whitelist.
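A whitelist check of the kind the two bullets describe, as an added example that is not code from the notes: it goes beyond the text by handling the usual bypasses of a naive host comparison (protocol-relative "//evil.com", backslashes, userinfo such as "www.example.com@evil.com", look-alike domains, non-HTTP schemes). The allowed hosts and function name are assumptions for the example.

```python
from urllib.parse import urlsplit

# Constructed whitelist of hosts the site may redirect to.
ALLOWED_HOSTS = {"www.example.com", "pay.example.com"}


def safe_redirect_target(url, default="/"):
    """Return `url` if it is a same-site path or points at a whitelisted host,
    otherwise `default`. This is the check a unified redirect function would run."""
    if not isinstance(url, str) or any(c in url for c in "\r\n\0"):
        return default
    # Browsers treat backslashes in the authority like forward slashes, so
    # normalise them before parsing rather than letting "/\evil.com" slip by.
    candidate = url.replace("\\", "/").strip()
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path on our own site: exactly one leading "/" (not "//host").
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default
    if parts.scheme not in ("http", "https"):
        return default
    # .hostname is lower-cased with userinfo and port stripped, so
    # "https://www.example.com@evil.com" yields "evil.com" and is refused.
    host = parts.hostname
    if host is None or host not in ALLOWED_HOSTS:
        return default
    return candidate
```

Comparing the parsed host against a set is the whole point: prefix or substring matching on the raw string ("starts with https://www.example.com") is what the userinfo and look-alike cases below defeat.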

Many security-related headers can also be configured uniformly in the web framework. For example, the X-Frame-Options header used against ClickJacking needs to be added to the HTTP response of the page:

X-Frame-Options: SAMEORIGIN

The web framework can encapsulate this functionality and expose it as per-page configuration. The header has three optional values, SAMEORIGIN, DENY and ALLOW-FROM origin, for different scenarios. (ALLOW-FROM is no longer honoured by current browsers; the CSP frame-ancestors directive covers that case.)

Not all APIs provided by web servers, web containers and scripting languages support setting HttpOnly cookies, so it is often necessary for the framework to implement this itself: add HttpOnly to all cookies by default, and list the cookies that must not have it separately in a configuration file.

This is a very useful security measure, and the benefit of doing it in the framework is that there is no need to worry about omissions. HttpOnly has to be set wherever a cookie is set, which may mean many different businesses and pages; as soon as one place is missed, it becomes the weak spot. When the site's business is complex there may be dozens of login entry points, and taking care of every Set-Cookie page is cumbersome, so solving it in the framework is the best solution.

In general the framework provides a unified function for setting cookies, and HttpOnly can be implemented in that function; if there is no such function, it needs to be configured uniformly on the HTTP response headers.
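The "configure it once in the framework" approach for both the X-Frame-Options paragraph and the HttpOnly paragraphs above, as an added example that is not the notes' own code: a WSGI middleware rewrites every Set-Cookie header to add HttpOnly unless the cookie name is on an exemption list, and adds the default X-Frame-Options unless the page set its own. The exemption list, default header and function names are assumptions for the example.

```python
# Constructed configuration: cookies that script must be able to read stay
# without HttpOnly; everything else gets the flag by default.
HTTPONLY_EXEMPT = {"XSRF-TOKEN"}

# Headers applied to every response unless the page sets them itself.
DEFAULT_HEADERS = {"X-Frame-Options": "SAMEORIGIN"}


def harden_set_cookie(value, exempt=HTTPONLY_EXEMPT):
    """Return a Set-Cookie value with HttpOnly appended, unless the cookie is exempt
    or already carries the flag. Works on the raw header so it needs no cookie API."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    if name in exempt:
        return value
    if any(p.lower() == "httponly" for p in parts[1:]):
        return value
    return value.rstrip("; ") + "; HttpOnly"


def harden_headers(headers):
    """Apply the cookie rule to every Set-Cookie and fill in missing defaults.

    `headers` is a WSGI-style list of (name, value) tuples; a new list is returned.
    """
    out = []
    seen = set()
    for name, value in headers:
        if name.lower() == "set-cookie":
            value = harden_set_cookie(value)
        seen.add(name.lower())
        out.append((name, value))
    for name, value in DEFAULT_HEADERS.items():
        if name.lower() not in seen:      # per-page override (e.g. DENY) wins
            out.append((name, value))
    return out


def security_headers_middleware(app):
    """WSGI middleware: every response of `app` passes through harden_headers,
    so no individual page can forget HttpOnly or X-Frame-Options."""
    def wrapped(environ, start_response):
        def hardened_start_response(status, headers, exc_info=None):
            return start_response(status, harden_headers(headers), exc_info)
        return app(environ, hardened_start_response)
    return wrapped
```

Because the rewrite happens at the response boundary, it also covers cookies set by code that bypasses the framework's own cookie function, which is exactly the omission the text warns about.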

12.5 Data Persistence Layer and SQL Injection

In iBatis, parameters can be referenced with two notations, # and $. The # notation is precompiled: the value is passed as a bound parameter and escaping is left to the database, so no injection occurs. The $ notation is equivalent to string concatenation and is subject to injection.

For example, if the attribute value is "' or '1'='1", there is no problem with the # notation, but there is with the $ notation.

For LIKE statements it seems unavoidable to use the $ notation, but it can be avoided by concatenating the wildcards inside the SQL and keeping the parameter bound:

- MySQL, via CONCAT('%', #param#, '%'):

  select * from t_user where name like concat('%', #name#, '%')

- Oracle, via '%' || #param# || '%':

  select * from t_user where name like '%' || #name# || '%'

- SQL Server, via '%' + #param# + '%':

  select * from t_user where name like '%' + #name# + '%'
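The # versus $ comparison and the LIKE workaround above, as an added example that is not code from the notes: SQLite (which uses || like Oracle) stands in for the database, a string-spliced query plays the role of $name$, a bound parameter plays #name#, and the injection value from the text is run through both. It goes one step beyond the notes by escaping the LIKE metacharacters % and _, since a bound parameter stops SQL injection but still lets the caller inject wildcards. The table, rows and function names are constructed for the example.

```python
import sqlite3


def setup_db():
    """Constructed sample table: three users, returned in insertion order."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table t_user (id integer primary key, name text)")
    conn.executemany("insert into t_user (name) values (?)",
                     [("alice",), ("bob",), ("carol_x",)])
    return conn


def find_by_name_dollar(conn, name):
    """The $name$ style: the value is spliced into the SQL text (vulnerable)."""
    sql = f"select name from t_user where name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def find_by_name_hash(conn, name):
    """The #name# style: a bound parameter, with escaping left to the driver."""
    sql = "select name from t_user where name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def like_escape(fragment):
    """Escape LIKE metacharacters so user input is matched literally."""
    return (fragment.replace("\\", "\\\\")
                    .replace("%", "\\%")
                    .replace("_", "\\_"))


def search_name_like(conn, fragment):
    """LIKE with the wildcards concatenated in SQL while the value stays bound.

    SQLite concatenates with || as Oracle does; MySQL would use
    concat('%', ?, '%') and SQL Server '%' + ? + '%'.
    """
    sql = "select name from t_user where name like '%' || ? || '%' escape '\\'"
    return [row[0] for row in conn.execute(sql, (like_escape(fragment),))]


if __name__ == "__main__":
    conn = setup_db()
    payload = "' or '1'='1"
    print("$ style:", find_by_name_dollar(conn, payload))   # every row comes back
    print("# style:", find_by_name_hash(conn, payload))     # no row matches
    print("like:   ", search_name_like(conn, "ar"))
```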

Note: try to avoid code like the following in mapping files:

<![CDATA[ insert into 'Tab_user_one' values () ]]>

12.6 What Else Can You Think Of?

When designing a web framework security solution, it is also necessary to keep a log of the security checks. The security logic should take logging into account: when an XSS attack occurs, for example, the attacker's IP, the time, the User-Agent, the target URL, the user name and other details can be recorded. Such logs are valuable for post-attack analysis and intrusion analysis. Of course, turning logging on also costs some performance, so at design time the frequency of logging needs to be considered and false positives avoided as far as possible.

A web framework's security also needs to evolve. When new threats arise, the corresponding defence should be completed in time; only then does a web framework stay alive. Some 0-day vulnerabilities can also be handled at the framework level through a "virtual patch", because the web framework is like an outer layer of clothing for the web application and gives sufficient protection and control.

12.7 Web Framework Self-Security

The web framework itself may also be vulnerable: as long as it is a program, it can have bugs. However, because of the special role of a development framework, a typical website will not upgrade its infrastructure frequently for the sake of stability, so vulnerabilities in the framework may not be fixed in a timely manner, and the consequences can be very serious.


This article is from the "dream to think XI" blog, please be sure to keep this source http://qiangmzsx.blog.51cto.com/2052549/1859560
