As the Internet becomes more deeply embedded in people's lives, Internet enterprises have moved from an era of information over-supply to an era of application supply, and from early portal-against-portal competition to competition between applications. People shop, socialize, bid at auction and transact online, and Web applications with hundreds of millions of users, such as Facebook and Sina Weibo, have emerged. While delivering a good user experience, Internet enterprises also have no choice but to strengthen the security of their Web applications. The security quality of a large number of servers, numerous Web applications and R&D operations is uneven, which brings further security challenges to enterprises. The main trends are that attacks are becoming more frequent, attack sources more organized, and attack methods more diverse. The attacks mainly include XSS cross-site scripting, SQL injection, command execution, phishing and malicious code. An attack may need only seconds to minutes to steal data, implant a script Trojan, or even take control of the entire database or server, causing serious tangible or intangible losses to the enterprise. This article discusses the security risks faced by Internet enterprises and the countermeasures against them from the perspective of Web application detection and defense.

Web Application Security Detection

From the perspective of security testing, Web application security detection can be divided into three techniques: black-box testing, white-box code auditing and gray-box testing. Gray-box testing is essentially a combination of black-box and white-box techniques; the two corroborate and complement each other. In theory, the results of a white-box code audit should already cover everything black-box testing would find.
In practice, however, omissions by audit tools and the limited energy of the auditors cause deviations, so daily security testing usually combines black-box testing with white-box code auditing to compensate for the inherent defects of each. Detection of the Web defense mechanism is not measured by how many defensive measures an attack can bypass; its aim is 100% coverage of the Web application security test paths. It does not set out to prove that the Web application is vulnerable, but to prove that it is secure and controllable. Only after a round of black-box testing and a round of white-box auditing can a Web application be called secure.

Black-box testing of Web applications mainly relies on Web crawling to collect URLs for detection, as in common Web vulnerability scanners (AWVS, WebInspect; most large Internet enterprises also have scanners of their own). Its defect is that directories or links that are not crawled cannot be tested, and some parameters tied to application logic are missed, so testing cannot be complete. This can only be remedied by comparing the results of several scanners and by understanding the business logic. Its coverage includes user access testing, user input testing, and exception and error testing, and reaches about 60%.

The mature white-box testing technique for Web applications is static code analysis. Commercial static analysis tools, for example, can handle type and variable checks, user input detection, high-risk function detection and some application-logic detection. Compared with black-box testing the coverage is more detailed and comprehensive, but it still produces missed findings and more false positives. Its detection path coverage can reach 70%. Although both main security testing techniques have inherent defects, using their strengths and circumventing their weaknesses can still meet the ultimate goal of security testing.
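To make the white-box "high-risk function detection" concrete, here is an added example (not code from the article): a small static scanner for Python source, built on the standard library's ast module, that flags calls to eval/exec/os.system, subprocess calls with shell=True, and database execute() calls whose SQL is assembled by string formatting. The lists of risky calls and the sample source it scans are constructed for illustration; a commercial tool would also track data flow from request parameters to these sinks, which this example does not.

```python
import ast

# Constructed lists of call targets to flag (assumption: tuned per project).
HIGH_RISK_CALLS = {"eval", "exec", "os.system", "os.popen"}
SUBPROCESS_CALLS = {"subprocess.call", "subprocess.run",
                    "subprocess.Popen", "subprocess.check_output"}


def _qualname(node):
    """Dotted name of a call target, e.g. 'os.system' or 'cur.execute'."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _qualname(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return None


def _is_dynamic_string(node):
    """True if the expression assembles a string at runtime (f-string, %, +, .format)."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


def _has_shell_true(call):
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in call.keywords)


def scan_source(source, filename="<string>"):
    """Return (line, call name, reason) findings for one Python source file."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = _qualname(node.func)
        if name is None:
            continue
        if name in HIGH_RISK_CALLS:
            findings.append((node.lineno, name, "high-risk function call"))
        elif name in SUBPROCESS_CALLS and _has_shell_true(node):
            findings.append((node.lineno, name, "subprocess with shell=True"))
        elif name.endswith(".execute") and node.args and _is_dynamic_string(node.args[0]):
            findings.append((node.lineno, name, "SQL statement built by string formatting"))
    return sorted(findings)


# Constructed sample source: two unsafe patterns beside their safe forms.
SAMPLE = '''\
import os, subprocess
def search(conn, q):
    cur = conn.cursor()
    cur.execute("SELECT * FROM items WHERE name = '%s'" % q)   # flagged: formatted SQL
    cur.execute("SELECT * FROM items WHERE name = ?", (q,))     # safe: parameterized
    return cur.fetchall()
def ping(host):
    os.system("ping -c 1 " + host)                               # flagged: os.system
    subprocess.run(["ping", "-c", "1", host])                    # safe: argv list
    subprocess.run("ping -c 1 " + host, shell=True)              # flagged: shell=True
'''

if __name__ == "__main__":
    for line, name, reason in scan_source(SAMPLE, "sample.py"):
        print(f"sample.py:{line}: {name}: {reason}")
```

The scanner is pattern-based, so it reports the parameterized query and the argv-list subprocess call as safe and only the string-built variants as findings; this is exactly the trade-off the text describes, since a formatted query whose inputs are all constants would still be reported (a false positive), while a risky value passed through a wrapper function would be missed.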
The following are some principles of Web security testing.

(1) Understand the Web application's business, identify the types of high-risk vulnerabilities, and direct security testing resources at finding those high-risk vulnerabilities.

(2) Test the core Web application business from different entry points, and apply the principle of multi-person code audit.

(3) Construct additional test URLs and different types of data by referring to the interface functions of the Web application's services.

Although the coverage path of Web security testing cannot reach the ideal 100%, reasonable techniques and methods can still ensure business security and stability. The security experience of the people involved is the most critical factor.

Web Application Defense Mechanism

Simply put, the Web application defense mechanism trusts no user input: all user input is treated as untrusted. Web application defense measures are established by considering three aspects together: processing user access, processing user input, and handling exceptions and errors.

1. Processing user access

User access covers identity authentication, session management and access control, and these three security mechanisms are established as follows.

(1) Identity authentication is the most basic security mechanism a Web program applies to visitors and is used to determine the real identity of a user. Common authentication methods include form-based authentication, login cards, hardware keys and SSL certificates. However, most Web applications, for the sake of user experience, adopt the simplest username-and-password method, which requires the user's own participation. The user's security awareness then determines the defects: users may choose short passwords, common words or birthdays, and attackers may guess them by dictionary-based brute force or social engineering. Most users also prefer to reuse a single password for multiple purposes, which pushes the security boundary outward.
In the specific confrontation, Web applications add policies such as mobile phone binding, mailbox binding, password length checks and password retrieval questions as supplements, but in fact these only increase the difficulty of cracking an account. Some specific policies may also conflict with each other; for example, when a bound mobile phone number is changed, the application should send the change notification to both the old and the new phone at the same time.

(2) Session management means that a Web application tracks the state of its interaction with a user and maintains that contact by issuing a session token. Common implementations include HTTP cookies, hidden form values and URL parameters, and the security of all of them depends on the security of the token. In practice, multiple device types must be served: PC browsers and mobile browsers differ greatly, and some Web applications pass the token in the URL on mobile phones. In addition, persistent sessions are commonly used for a better user experience; the risk of this implementation is that once the token is disclosed, the user's session can be hijacked. Session management therefore adds measures such as timestamps, a secondary token, and checks on the incoming request.

(3) Access control is the mechanism by which a Web application confirms a user's permissions after identity authentication and decides whether to allow or reject the request. It is common in Web applications with user roles; for example, some applications distinguish administrators by an identifier such as isadmin=true. If an ordinary user can add that identifier to their URL and obtain administrator permission, the defect is obvious. The security of access control therefore lies in the security of the identifier it uses: its transmission, its resistance to cracking, its lifetime, and what it is bound to.
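As an added example of the three user-access mechanisms above (not code from the article), the following Python sketch ties them together: a password policy that rejects short passwords, common words and birthday-like dates; a session token carrying a timestamp and an HMAC signature, so that a forged token is rejected and a disclosed token cannot be replayed indefinitely; and an access-control check that takes the role from the server-side user record and never from a client-supplied flag such as isadmin=true. The in-memory user store, the signing key, the action-to-role table and the common-word list are constructed placeholders for the example.

```python
import hashlib
import hmac
import re
import secrets
import time

# Constructed demo state (assumption: a real deployment keeps the user table and
# the signing key in a database and key store, not in module globals).
SERVER_SECRET = secrets.token_bytes(32)
USERS = {}
COMMON_WORDS = {"password", "123456", "qwerty", "admin", "letmein", "welcome"}
MIN_PASSWORD_LENGTH = 12
SESSION_MAX_AGE = 1800          # seconds a token stays valid after issue
REQUIRED_ROLE = {"delete_user": "admin", "view_profile": "user"}   # constructed action table
DATE_LIKE = re.compile(r"(19|20)\d{2}[-/]?(0[1-9]|1[0-2])[-/]?(0[1-9]|[12]\d|3[01])")


def password_policy_errors(password):
    """Identity authentication: reject the weak choices the text lists."""
    errors = []
    if len(password) < MIN_PASSWORD_LENGTH:
        errors.append("too short")
    if any(word in password.lower() for word in COMMON_WORDS):
        errors.append("contains a common word")
    if DATE_LIKE.search(password):
        errors.append("contains a date-like sequence")
    return errors


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(username, password, role):
    if not re.fullmatch(r"[A-Za-z0-9_]{1,32}", username):   # keeps ':' out of the token payload
        raise ValueError("invalid username")
    errors = password_policy_errors(password)
    if errors:
        raise ValueError("; ".join(errors))
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "digest": _hash_password(password, salt), "role": role}


def issue_token(username, now=None):
    """Session management: token = user:issued_at:nonce:HMAC, signed with the server key."""
    issued_at = int(now if now is not None else time.time())
    payload = f"{username}:{issued_at}:{secrets.token_hex(8)}"
    sig = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"


def login(username, password, now=None):
    """Verify the credentials and, on success, issue a session token."""
    record = USERS.get(username)
    if record is None:
        return None
    if not hmac.compare_digest(_hash_password(password, record["salt"]), record["digest"]):
        return None
    return issue_token(username, now)


def verify_token(token, now=None):
    """Return the username if the token is authentic and not expired, else None."""
    parts = token.split(":")
    if len(parts) != 4 or not parts[1].isdigit():
        return None
    username, issued_at, nonce, sig = parts
    expected = hmac.new(SERVER_SECRET, f"{username}:{issued_at}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):       # forged or tampered token
        return None
    current = now if now is not None else time.time()
    if current - int(issued_at) > SESSION_MAX_AGE:   # stale token, e.g. replayed long after disclosure
        return None
    return username


def authorize(token, action, request_params, now=None):
    """Access control: the role comes from the server-side record; a client-supplied
    flag such as request_params['isadmin'] is deliberately never consulted."""
    username = verify_token(token, now)
    record = USERS.get(username)
    if record is None or action not in REQUIRED_ROLE:
        return False
    role = record["role"]
    return role == "admin" or role == REQUIRED_ROLE[action]


if __name__ == "__main__":
    register("alice", "correct horse battery staple!", "admin")
    register("bob", "another strong passphrase 42", "user")
    token = login("bob", "another strong passphrase 42")
    print(authorize(token, "delete_user", {"isadmin": "true"}))   # False
    print(authorize(token, "view_profile", {}))                   # True
```

The timestamp inside the signed payload is what lets the server refuse an old token without keeping per-session state; binding the token to further request properties (the "incoming judgment" the text mentions) would be done by adding those properties to the signed payload in the same way.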
From the above analysis it can be concluded that, when processing user access, Web applications may use more diverse security policies to prevent the defects of any single method, and finer-grained permission allocation to prevent possible defects.

2. Processing user input

Because Web applications must interact with users, the principle for processing user input is "all user input is insecure": no submitted data is trusted. In practice the following measures are usually taken.

(1) Check attributes of the input such as content, type, length and encoding. Type checks are performed on what the user enters; for example, the length of numeric and string fields is limited and the content is forcibly converted to a known encoding.

(2) Design blacklists and whitelists for input content. These are designed on the principle of minimizing the data the user can control, so that controllable data can be checked in a targeted way. For example, a whitelist of rich text tags reduces the risk of the filter being bypassed.

(3) Safely sanitize the input content so that it can be transmitted and stored in a controllable manner. For example, HTML encoding on the Web front end and escaping of content that enters the database, such as converting ' to \' and \ to \\, make the input safe and controllable.

3. Handling exceptions and errors

A good exception and error handling mechanism gives programmers a better basis for tracking and analyzing bugs, but it may also be used by attackers: database query errors, forced type conversion errors and page response times can all serve as evidence for determining whether SQL injection is possible. Large Web applications generally block such messages from appearing on the front end and return custom error content instead, which is more conducive to security.
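The following added example (not code from the article) shows measures (1) to (3) for user input together with the error-handling point: it type-checks and length-limits the form fields, reduces rich text to a whitelist of tags with all text HTML-encoded, and stores the result with a parameterized query, which is the standard replacement for the quote-escaping the text describes because the driver keeps data separate from the SQL. A database error is logged in full on the server under a reference id, and only a generic message reaches the client. The form fields, the allowed-tag list and the in-memory SQLite schema are assumptions of the example.

```python
import html
import logging
import sqlite3
import uuid
from html.parser import HTMLParser

log = logging.getLogger("app")

# Constructed whitelist: the only tags that survive in user-supplied rich text.
ALLOWED_TAGS = {"b", "i", "p", "br"}
MAX_BODY_LENGTH = 2000


class TagWhitelist(HTMLParser):
    """Rebuild the markup: whitelisted tags are kept without attributes,
    other tags are dropped, and all text is HTML-encoded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))


def sanitize_rich_text(text):
    parser = TagWhitelist()
    parser.feed(text)
    parser.close()
    return "".join(parser.out)


def validate_comment(form):
    """Measures (1)-(3): type, length and encoding checks, then sanitization.
    Returns (clean_values, errors); the form fields are assumed for the example."""
    clean, errors = {}, {}
    item_id = form.get("item_id", "")
    if isinstance(item_id, str) and item_id.isdigit():
        clean["item_id"] = int(item_id)
    else:
        errors["item_id"] = "must be an integer"
    body = form.get("body", "")
    if isinstance(body, bytes):                     # force a known encoding
        try:
            body = body.decode("utf-8")
        except UnicodeDecodeError:
            errors["body"] = "body is not valid UTF-8"
            body = ""
    if len(body) > MAX_BODY_LENGTH:
        errors["body"] = "body too long"
    clean["body"] = sanitize_rich_text(body)
    return clean, errors


def init_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, "
                 "item_id INTEGER NOT NULL CHECK (item_id > 0), body TEXT NOT NULL)")
    return conn


def store_comment(conn, form):
    """Store a validated comment; database errors never reach the client verbatim."""
    clean, errors = validate_comment(form)
    if errors:
        return {"status": 400, "errors": errors}
    try:
        # Parameterized query: the driver separates data from SQL, so no quote escaping is needed.
        conn.execute("INSERT INTO comments (item_id, body) VALUES (?, ?)",
                     (clean["item_id"], clean["body"]))
        return {"status": 200}
    except sqlite3.Error as exc:
        ref = uuid.uuid4().hex[:8]
        log.error("database error ref=%s: %s", ref, exc)   # full detail stays server-side
        return {"status": 500, "error": f"internal error (ref {ref})"}


if __name__ == "__main__":
    db = init_db()
    print(store_comment(db, {"item_id": "7", "body": '<b>hi</b><script>alert(1)</script> 1 < 2 "q"'}))
    print(db.execute("SELECT body FROM comments").fetchone()[0])
    print(store_comment(db, {"item_id": "0", "body": "x"}))   # CHECK constraint fails -> generic 500
```

The reference id is the piece that makes the generic message workable in operations: support staff can find the full exception in the server log by that id, while the client learns nothing about the schema, the query or the constraint that failed.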
The one-sentence principle of the Web application defense mechanism is "doubt all user input data". External data is handled through attribute control, content control and security sanitization to establish the defense mechanism.

Summary

This article describes the three aspects of the Web application defense mechanism: user access, user input, and the handling of exceptions and errors. It elaborates on the security risks of Web applications and the security testing of their defense mechanism, and summarizes three principles of Web security testing to guide security testing work.