Some time ago I went to an interview and the conversation turned to "security" in framework design. I did not understand what was being asked at the time, so I did not answer at all.
When I was studying I liked security technology, so why could I not answer a question about "security"? Let me sort out the logic now.
1. Prevent CC attacks
A so-called CC attack (Challenge Collapsar, an application-layer flood) consists of maliciously and repeatedly calling interfaces that are expensive for the back end, so that server load climbs until the service is unusable.
Defense: put request verification in front of such interfaces, which amounts to deciding whether the visitor is a bot or crawler or a human being, and limit how often any one client may call them. The verification must be something the attacker cannot predict or automate; if it cannot be guessed, it cannot be broken through.
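A concrete form of that defense, as an added example in Python that is not from the original post: a per-client token bucket in which the expensive interfaces cost more tokens than ordinary pages, so a client hammering a heavy endpoint is cut off within a few requests while normal browsing from other clients continues. The endpoint costs, the client addresses and the traffic are all constructed for this example; a real deployment would key the bucket on something harder to rotate than a bare source address.

```python
import time
from collections import defaultdict

# Relative cost of each endpoint: back-end-heavy interfaces drain more tokens.
# (constructed values for this example)
ENDPOINT_COST = {"/search": 5.0, "/report/export": 10.0}


class TokenBucket:
    """Classic token bucket: `capacity` is the burst, `refill_per_sec` the sustained rate."""

    def __init__(self, capacity, refill_per_sec, clock):
        self.capacity = float(capacity)
        self.refill_per_sec = float(refill_per_sec)
        self.clock = clock
        self.tokens = float(capacity)
        self.updated = clock()

    def allow(self, cost):
        now = self.clock()
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.updated = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class RequestGuard:
    """One bucket per client; expensive endpoints charge more per call."""

    def __init__(self, capacity=10, refill_per_sec=1.0, clock=time.monotonic):
        self.buckets = defaultdict(lambda: TokenBucket(capacity, refill_per_sec, clock))

    def check(self, client_id, path):
        cost = ENDPOINT_COST.get(path, 1.0)
        return self.buckets[client_id].allow(cost)


class FakeClock:
    """Deterministic clock so the replay below is reproducible."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def simulate():
    """Replays constructed traffic and returns the allow/deny decision per request."""
    clock = FakeClock()
    guard = RequestGuard(capacity=10, refill_per_sec=1.0, clock=clock)
    # (seconds since start, client, path) -- constructed traffic
    traffic = [
        (0.0, "10.0.0.1", "/search"),   # allowed: 10 -> 5 tokens
        (0.1, "10.0.0.1", "/search"),   # allowed: ~5.1 -> ~0.1 tokens
        (0.2, "10.0.0.1", "/search"),   # denied: bucket is drained
        (0.3, "10.0.0.1", "/index"),    # denied: even a cheap page needs 1 token
        (0.3, "10.0.0.2", "/search"),   # allowed: a different client, own bucket
        (6.0, "10.0.0.1", "/search"),   # allowed: ~5.7 s of refill has accrued
    ]
    decisions = []
    for t, client, path in traffic:
        clock.t = t
        decisions.append(guard.check(client, path))
    return decisions


if __name__ == "__main__":
    print(simulate())
```

The bucket only answers "too fast"; it cannot tell a human from a script. That is why the post pairs it with verification: when a client is denied repeatedly, hand it the human check instead of a bare error, so a legitimate user can continue and an automated caller cannot.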
2. Prevent XSS. This is a matter of detail in the code: you must pay attention to how every string submitted by the client is encoded when it is written back into a page. Data submitted from outside is untrusted and must be checked.
The harm of XSS is great and much can be done with it, such as an XSS "worm" that spreads from one user's content to the next, or stealing the administrator's cookie to hijack the administrator's session.
Supplement:
In some cases certain HTML tags must be allowed. The server then has to filter the markup, keeping the permitted tags and removing the dangerous ones. Defects in the tag-matching rules are a common source of bypasses that let unauthorized tags through. (Some time ago Discuz had such a vulnerability; after reading the XSS code I was amazed at how powerful it was.)
Even after all that filtering, attackers may still get specially crafted XSS through with a "character set bypass", so character-set issues must be considered as well: decode the input into one known encoding before any filter runs, and declare the page's charset explicitly, so the filter and the browser agree on what the bytes mean.
The behavior of different browsers must also be considered and tested one by one. For example this code:
Hello, darklx</XSS style="X:expression(alert('shine darklx'))">
has no effect in IE8, but in IE7 it executes. The payload sits in a closing tag, which a filter that only inspects opening tags never looks at, and expression() is the IE-only CSS feature that IE8 dropped in standards mode.
Filters can also be bypassed through the difference between full-width and half-width "<" (＜ versus <): the filter sees a harmless full-width character, yet in some browsers the result is still parsed as an HTML tag.
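To show what the supplement above is warning about, here is an added example in Python, not code from the original post. `naive_blacklist_filter` is the kind of tag-matching rule that lets the closing-tag payload straight through, because it only strips opening tags with blacklisted names. `sanitize` takes the opposite approach the post recommends: a whitelist of tags and attributes, everything else rebuilt from a real parse (`html.parser`) with all text HTML-escaped, so an attribute on a closing tag, an `onclick=`, or a `javascript:` URL never reaches the output. The allowed tag set and the sample inputs are constructed for this example.

```python
import html
import re
from html.parser import HTMLParser

# Tags and attributes permitted in user content (constructed policy for this example).
ALLOWED_TAGS = {"b": set(), "i": set(), "p": set(), "a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://")

# A blacklist filter with the defect described in the post: it strips *opening*
# tags whose name is on the list and never looks at closing tags at all.
BLACKLIST = ("script", "iframe", "object", "embed", "style")
_BLACKLIST_RE = re.compile(r"<(?:%s)\b[^>]*>" % "|".join(BLACKLIST), re.IGNORECASE)


def naive_blacklist_filter(fragment):
    return _BLACKLIST_RE.sub("", fragment)


class WhitelistSanitizer(HTMLParser):
    """Re-emits only whitelisted tags and attributes; all text is HTML-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text still arrives via handle_data, escaped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # onclick=, style=, etc. are never copied through
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                continue  # refuses javascript:, data:, vbscript: and friends
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        # html.parser reports `</XSS style=...>` as an end tag named "xss" and
        # discards its attributes, so a closing tag can never smuggle a style in.
        if tag in self.open_tags:
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append("</%s>" % closed)
                if closed == tag:
                    break

    def handle_data(self, data):
        self.out.append(html.escape(data))

    def result(self):
        self.close()
        while self.open_tags:  # balance whatever the author left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(fragment):
    parser = WhitelistSanitizer()
    parser.feed(fragment)
    return parser.result()


# The closing-tag payload quoted in the post (constructed input).
PAYLOAD = "Hello, darklx</XSS style=\"X:expression(alert('shine darklx'))\">"


def payload_survives(filter_fn):
    """True when the CSS expression is still present after filtering."""
    return "expression(" in filter_fn(PAYLOAD).lower()


if __name__ == "__main__":
    print("blacklist filter bypassed:", payload_survives(naive_blacklist_filter))
    print("whitelist sanitizer bypassed:", payload_survives(sanitize))
    print(sanitize(PAYLOAD))
```

The sanitizer deliberately does nothing about the full-width bracket or charset tricks mentioned above; those are handled one step earlier, by decoding the request body into a single known encoding before this code ever sees it.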
3. File Inclusion
This problem is very common in PHP. When the file to include is chosen by a parameter sent from the client, that parameter must be validated and restricted, ideally mapped through a whitelist of known files rather than used as a path; otherwise attackers can include files of their choosing, read source or configuration, and escalate from there.
4. Arbitrary file download
Some forums and blogs offer attachment downloads through a URL like attachment.xxx?id=xxx. Whatever the id resolves to must be confined to the attachment directory; otherwise attackers can construct malicious parameters (path-traversal sequences such as ../ or ..\) and download arbitrary files, usually configuration files.
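Points 3 and 4 are the same mistake seen twice, a client-supplied value turned into a filesystem path, so one added example covers both. This is example code in Python, not from the original post: `resolve_include` is the whitelist approach for a page parameter (the client names a key, the server owns the path), and `resolve_attachment` confines a requested attachment name to its directory by resolving it with `os.path.realpath` and then proving the result is still under the base. The page table, directory layout and probe names are constructed for this example.

```python
import os
import tempfile

# Pages the client may ask for, by key (constructed list for this example).
# The file name is chosen by the server; the request never carries a path.
INCLUDABLE_PAGES = {"home": "home.tpl", "help": "help.tpl"}


def resolve_include(page_param):
    """Whitelist lookup for a ?page= style parameter; None means refuse."""
    return INCLUDABLE_PAGES.get(page_param)


def resolve_attachment(attachment_dir, requested_name):
    """Return the real path of `requested_name` inside `attachment_dir`, or raise.

    realpath() collapses ../ (and ..\\ on Windows) and follows symlinks; the
    commonpath check then proves the resolved file is still inside the directory.
    """
    base = os.path.realpath(attachment_dir)
    candidate = os.path.realpath(os.path.join(base, requested_name))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # different drives on Windows
        inside = False
    if not inside:
        raise PermissionError("request escapes the attachment directory: %r" % requested_name)
    if not os.path.isfile(candidate):
        raise FileNotFoundError(requested_name)
    return candidate


def demo():
    """Builds a throw-away tree and records which requests get through."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        attachments = os.path.join(root, "attachments")
        os.mkdir(attachments)
        with open(os.path.join(attachments, "1.txt"), "w") as f:
            f.write("attachment body")
        with open(os.path.join(root, "config.ini"), "w") as f:  # the file an attacker wants
            f.write("db_password=secret")

        results["include_ok"] = resolve_include("home")
        results["include_traversal"] = resolve_include("../../etc/passwd")
        results["download_ok"] = os.path.basename(resolve_attachment(attachments, "1.txt"))

        probes = {
            "dotdot_slash": "../config.ini",
            "dotdot_backslash": "..\\config.ini",
            "absolute": os.path.join(root, "config.ini"),  # join() discards the base for absolute input
        }
        for label, name in probes.items():
            try:
                resolve_attachment(attachments, name)
                results[label] = "served"
            except PermissionError:
                results[label] = "blocked"
            except FileNotFoundError:
                results[label] = "missing"  # on POSIX a backslash is just part of a file name
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-18s %s" % (key, value))
```

Note that `os.path.join` silently drops the base when the second argument is absolute, which is exactly why the check is done on the resolved result rather than on the input string; rejecting "../" textually would still let an absolute path through.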
5. Cookie Spoofing
The administrator's cookie can be forged when the administrator's user name and MD5 password hash are known. First log in as an ordinary user to learn the site's cookie format (which cookie holds the user name and which holds the password hash),
then substitute the administrator's user name and password hash, and you have the administrator's identity. The root cause is that the cookie carries nothing the server alone could have produced; the fix is to keep the session on the server, or to sign the cookie with a server-side secret and check the signature on every request.
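The forgery above, and the signed alternative, as an added example in Python that is not from the original post. `legacy_cookie` is the scheme the post describes: anyone who knows the admin's user name and hash can write the cookie themselves. `issue_cookie` instead binds the user name and an expiry to an HMAC under a key only the server holds, and `forge_attempt` repeats the attacker's move (swap in "admin") to show that the signature no longer matches. The key, user names and times are constructed for this example.

```python
import hashlib
import hmac
import time

# Server-side secret: loaded from configuration in practice, never sent to clients.
# (constructed value for this example; use 32+ random bytes in real code)
SERVER_KEY = b"replace-me-with-32-random-bytes"


def legacy_cookie(username, password_md5):
    """The forgeable scheme from the post: every field is known to the attacker."""
    return "user=%s; pw=%s" % (username, password_md5)


def legacy_is_admin(cookie, admin_user, admin_password_md5):
    fields = dict(part.strip().split("=", 1) for part in cookie.split(";"))
    return fields.get("user") == admin_user and fields.get("pw") == admin_password_md5


def _sign(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(username, now=None, ttl=3600):
    """user|expires|hmac -- only the server can produce the third field."""
    if "|" in username:
        raise ValueError("username must not contain the separator")
    expires = int((time.time() if now is None else now) + ttl)
    payload = "%s|%d" % (username, expires)
    return payload + "|" + _sign(payload)


def verify_cookie(cookie, now=None):
    """Returns the user name the cookie vouches for, or None if it is forged or stale."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    username, expires, mac = parts
    # constant-time comparison: a byte-by-byte compare would leak via timing
    if not hmac.compare_digest(mac, _sign(username + "|" + expires)):
        return None
    try:
        if int(expires) < (time.time() if now is None else now):
            return None
    except ValueError:
        return None
    return username


def forge_attempt(cookie_for_user, target_user):
    """What the post's attacker does: keep the rest, swap in the admin's identity."""
    _, expires, mac = cookie_for_user.split("|")
    return "|".join([target_user, expires, mac])


if __name__ == "__main__":
    c = issue_cookie("alice", now=1000)
    print("genuine:", verify_cookie(c, now=1500))
    print("forged :", verify_cookie(forge_attempt(c, "admin"), now=1500))
```

A signed cookie still cannot be revoked before it expires, so keep the TTL short or add a server-side session id when logout must take effect immediately.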
6. Processing uploaded files
A. Checking the file type alone is not enough. The declared type is the MIME type in the HTTP header, and the client controls that header; if we only verify the MIME type, attackers need only forge the header to upload arbitrary files.
The file extension must be checked as well.
Finally, to be certain, discard the extension supplied by the client altogether (even a harmless-looking .jpg or .gif) and, under ASP.NET, store the file with a .config extension. That way nothing the attacker uploaded can be executed directly, whatever means they used.
Why does this work? Because ASP.NET maps *.config to System.Web.HttpForbiddenHandler, so the file is neither served to the browser nor handed to a script engine.
B. Restrict the names of folders that the client can cause the server to create.
IIS 6 has a directory-parsing bug: if a folder is named abc.asp, every file inside it is executed as ASP, whatever its extension.
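Points A and B together, as an added example in Python (not from the original post, and not the ASP.NET .config trick, which is IIS-specific). `accept_upload` checks the client's MIME type and extension as the post asks, but lets neither decide anything on its own: the stored name is random, and its extension comes from the file's leading bytes. `accept_directory_name` applies B by allowing no dots at all in a client-derived folder name, so nothing like abc.asp can ever be created for IIS 6 to misparse. The image signatures, the name policy and the sample uploads are constructed for this example; the script-marker check is a coarse heuristic, labelled as such in the code.

```python
import os
import re
import secrets

# Leading bytes of the image types we accept (constructed policy for this example).
IMAGE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
ALLOWED_EXTENSIONS = set(IMAGE_SIGNATURES)
SAFE_DIR_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")  # no dots, no separators


def sniff_image_type(data):
    """Extension implied by the bytes themselves, or None."""
    for ext, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return ext
    return None


def accept_upload(client_filename, client_mime, data):
    """Return the server-side file name for an upload, or raise ValueError.

    MIME type and extension are both checked, but the stored name is generated
    here and its extension is taken from the content, never from the client.
    """
    ext = os.path.splitext(client_filename)[1].lower().lstrip(".")
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed: %r" % ext)
    if not client_mime.lower().startswith("image/"):
        raise ValueError("declared type not allowed: %r" % client_mime)
    sniffed = sniff_image_type(data)
    if sniffed is None:
        raise ValueError("content does not look like an accepted image")
    # Coarse heuristic (an assumption of this example): an image with server-side
    # script markers after a valid header is a polyglot aimed at a parsing bug
    # such as the IIS 6 one above, so refuse it instead of merely renaming it.
    if b"<%" in data or b"<?php" in data.lower():
        raise ValueError("embedded script markers in upload")
    return "%s.%s" % (secrets.token_hex(16), sniffed)


def upload_rejected(client_filename, client_mime, data):
    try:
        accept_upload(client_filename, client_mime, data)
    except ValueError:
        return True
    return False


def accept_directory_name(name):
    """Folder names derived from client input: letters, digits, _ and - only."""
    if not SAFE_DIR_NAME_RE.match(name):
        raise ValueError("directory name not allowed: %r" % name)
    return name


def directory_rejected(name):
    try:
        accept_directory_name(name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # constructed uploads
    print(accept_upload("photo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16))
    print(upload_rejected("shell.jpg", "image/jpeg", b'<% eval request("c") %>'))
    print(directory_rejected("abc.asp"))
```

Because the stored extension is taken from the sniffed type, a file claimed as .gif whose bytes are really a PNG is stored as .png; the client's extension only decides whether the request is worth looking at, never what ends up on disk.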
7. SQL Injection
This one needs no further explanation: never splice client input into SQL text; use parameterized queries.