Understanding of "OWASP top 10"

Source: Internet
Author: User
Article directory:
    • Verification code and operation confirmation
    • Session token

The recent phone interviews have been quite tragic. I am not very sure what the interviewers care about; it is difficult to leave a strong, professional, deep and powerful impression during an interview, but it may not be too late to make up for it now.

Since it is difficult to finish organizing everything at once, this will be updated irregularly for now.

------------------------------------------------------------------------------

Injection is actually caused by user input not being filtered strictly enough.

SQL injection is the most common kind.

OS command injection is similar to SQL injection, except that what gets injected is an OS command; it is seen less often. If an injection point exists and the process has root permission, OS commands can be executed through it.

XPath injection targets data stored in XML and is rare. It abuses XPath boolean queries. For example, a login check might use a query like this:

//Users/user[loginid/text()='abc' and password/text()='test123']

To bypass verification, use the following structure:

//Users/user[loginid/text()='' or 1=1 and password/text()='' or 1=1]

Apart from the syntax, the rest works just like SQL injection.
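As an added example (my code, not from the original post), here is that login check in PHP against a constructed XML user list: naive_login() builds the XPath expression from the submitted strings, while safe_login() keeps the expression constant and compares the values in PHP.

```php
<?php
// Added example, not from the original post: the XPath login check above,
// run against a constructed XML user list. naive_login() pastes user input
// into the expression; safe_login() keeps the expression constant.
$xml = <<<XML
<Users>
  <user><loginid>abc</loginid><password>test123</password></user>
  <user><loginid>bob</loginid><password>s3cret</password></user>
</Users>
XML;

$doc = new DOMDocument();
$doc->loadXML($xml);
$xp = new DOMXPath($doc);

// Vulnerable: the query string is built from raw input, so a quote in the
// input changes the predicate instead of being matched as data.
function naive_login(DOMXPath $xp, string $login, string $pass): bool
{
    $q = "//Users/user[loginid/text()='$login' and password/text()='$pass']";
    return $xp->query($q)->length > 0;
}

// Hardened: the XPath expressions are constants; the submitted values are
// compared in PHP, so they can never alter the query. hash_equals() keeps
// the password comparison constant-time (real code would store a hash and
// use password_verify() instead of comparing plaintext).
function safe_login(DOMXPath $xp, string $login, string $pass): bool
{
    foreach ($xp->query('//Users/user') as $user) {
        $id = $xp->evaluate('string(loginid)', $user);
        $pw = $xp->evaluate('string(password)', $user);
        if ($id === $login && hash_equals($pw, $pass)) {
            return true;
        }
    }
    return false;
}

// A bypass value in the style of the expression above: inside naive_login()
// it turns the predicate into "'' or 1=1 or '' and ...", true for every user.
$bypass = "' or 1=1 or '";

var_dump(naive_login($xp, 'abc', 'test123'));   // real credentials
var_dump(naive_login($xp, $bypass, $bypass));   // bypass value in both fields
var_dump(safe_login($xp, 'abc', 'test123'));    // real credentials
var_dump(safe_login($xp, $bypass, $bypass));    // bypass value is just data
```

naive_login() accepts the bypass value although no valid credentials were supplied, while safe_login() only accepts the real pair, because the submitted strings never become part of the query.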

 

LDAP injection: LDAP (Lightweight Directory Access Protocol) is also a data storage method. Not too familiar with this >_<. SQL injection is the most common one; the others are not much to worry about.

JSON injection: JSON (JavaScript Object Notation) is a lightweight data exchange format. Intruders can insert additional data through JSON.

Cross-site scripting (XSS) is an intrusion method that is more passive than social engineering.

Reflected XSS, also called non-persistent XSS: the script is usually written into a URL and spread by email.

Stored XSS, also called persistent XSS: the script is stored on the server and usually has the property of spreading by itself; this is how worms form on social networks.

JS-based XSS: XSS introduced through JavaScript. HTML-based XSS: XSS introduced through HTML.

Session attacks: session hijacking uses XSS or other means to obtain the user's session ID and thereby gain access. Session fixation: the attacker creates a session ID of their own and tricks the user into logging in with that ID (I have a lot of doubts about the feasibility of this method).

Another case is a logic error in the back-end code between verifying the user and saving the session: user verification fails, yet the session is saved anyway. For example, in the following flow, if the final redirect does not terminate execution, the logic is wrong.

(1) In login.asp, remove all existing sessions.
(2) Create a new session and assign the user name to it.
(3) If user verification succeeds, redirect to the welcome page.
(4) If verification fails, redirect back to login.asp.

In fact, this situation is still rare >_<

Cross-site request forgery (CSRF) is similar to XSS: malicious code is inserted into a website the user trusts. The difference is that CSRF directs the user's browser to another website, and if the user happens to hold a cookie or session for that site, the attacker can perform operations as that user. Generally, GET request forgery is the simplest form:

http://www.mybank.com/Transfer.php?toBankId=11&money=1000

JS Code

 
 

If the front-end form uses POST but the back-end reads the parameters through $_REQUEST, the forgery can still simply use GET.

POST request forgery: the requested page

<?php
session_start();
if (isset($_POST['toBankId']) && isset($_POST['money'])) {
    buy_stocks($_POST['toBankId'], $_POST['money']);
}
?>

JS Code

<HTML>  

Verification code and operation confirmation

This solves the CSRF problem completely, but it burdens the user's operations; security and convenience cannot both be had in full.

Session token: this handles most CSRF attacks, but it is not foolproof. If the target site also has an XSS vulnerability (the probability of this is extremely small), the token alone is not enough. Generating the token:

<?php
// Constant names as in the original; the values are assumed here.
define('STOKEN_NAME', 'stoken');
define('FTOKEN_NAME', 'ftoken');

function gen_token() {
    // Here I am being greedy for convenience. In fact, it is not safe to use the random number from rand() as a token.
    // For details, refer to "random object created and used only once" in my FindBugs notes.
    $token = md5(uniqid(rand(), true));
    return $token;
}

function gen_stoken() {
    $ptoken = "";
    if (!isset($_SESSION[STOKEN_NAME]) || $_SESSION[STOKEN_NAME] == $ptoken) {
        // no value yet, set a new one
        $_SESSION[STOKEN_NAME] = gen_token();
    } else {
        // continue using the old value
    }
}
?>

Form submission

<?php
function gen_input() {
    gen_stoken();
    echo "<input type=\"hidden\" name=\"" . FTOKEN_NAME . "\" value=\"" . $_SESSION[STOKEN_NAME] . "\">";
}
?>

<?php
session_start();
include("functions.php");
?>
<form method="post" action="transfer.php">
    <input type="text" name="toBankId">
    <input type="text" name="money">
    <?php gen_input(); ?>
    <input type="submit" name="submit" value="Submit">
</form>

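As an added example (my code, not the post's), here is the session-token defence completed with the part the post leaves out: the check that transfer.php must perform on the submitted token, plus a token generated from the CSPRNG instead of rand(). The constant values and the buy_stocks() call are assumptions.

```php
<?php
// Added example, not the original post's code: the session-token defence above,
// completed with the check transfer.php needs. Constant values are assumptions.
define('STOKEN_NAME', 'stoken');   // key in $_SESSION
define('FTOKEN_NAME', 'ftoken');   // name of the hidden form field
// Token from the CSPRNG instead of md5(uniqid(rand(), true)).
function gen_token(): string
{
    return bin2hex(random_bytes(32));
}

// Create the session token once and reuse it for the rest of the session.
function gen_stoken(): string
{
    if (empty($_SESSION[STOKEN_NAME])) {
        $_SESSION[STOKEN_NAME] = gen_token();
    }
    return $_SESSION[STOKEN_NAME];
}

// Hidden input for the form; escape the value even though we generated it.
function gen_input(): string
{
    $t = htmlspecialchars(gen_stoken(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="' . FTOKEN_NAME . '" value="' . $t . '">';
}

// transfer.php side: accept only if the submitted token equals the session
// token; hash_equals() compares in constant time.
function verify_token(array $post): bool
{
    if (empty($_SESSION[STOKEN_NAME]) || !isset($post[FTOKEN_NAME])) {
        return false;
    }
    return is_string($post[FTOKEN_NAME])
        && hash_equals($_SESSION[STOKEN_NAME], $post[FTOKEN_NAME]);
}
// Minimal transfer.php handler built on the helpers above.
session_start();
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (!verify_token($_POST)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
    // Read $_POST only, never $_REQUEST, so a forged GET cannot reach here.
    $toBankId = $_POST['toBankId'] ?? '';
    $money    = $_POST['money'] ?? '';
    // buy_stocks($toBankId, $money);   // the post's business function (assumed)
}
```

A forged request from another site cannot know the per-session token, so it fails the hash_equals() check even though the browser attaches the victim's session cookie.
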
Failure to restrict URL access; unvalidated redirects and forwards

 
