Web script attack Prevention Strategy (I)

Source: Internet
Author: User

Recently, Web SQL injection, JS script and HTML script attacks have become more intense, and many websites are plagued by them. Unlike host vulnerabilities, they are not repaired promptly, and Web attacks are awkward for us to prevent or repair. HOOO ...... This is a webmaster's greatest pain: we make sure our passwords are strong, yet attackers still manage to obtain them. So how can we achieve real security? First, do not tie your password to details of your life. Second, it is best that you alone know the supermaster password. Third, make your website program complete. How to improve the program is the ultimate goal of this article.
How is security protection implemented? To defend against these attacks, you must know how the other side carries them out. Many articles describe how to attack a website; in fact, the attack methods come down to the following:

1. Simple script attacks

Such attacks are mostly a nuisance. For example, submitting ***: alert (); </table> to a program that does not filter strictly gives the attacker no usable information, but it leaves the visitor confused. Many sites that provide free services, or whose programs are not strictly filtered, are currently affected.

2. Dangerous script attacks

This type of script attack is powerful enough to steal administrator or other user information. The best-known case is cookie theft, and scripts can also perform local write operations on the client.

3. SQL Injection vulnerability attack

It can be said that this attack started with Internet forum programs and BBSXP. SQL special characters are not strictly filtered, so the database is exposed to cross-table queries. For example:

http://127.0.0.1/forum/showuser.asp?id=999 and 1=1

http://127.0.0.1/forum/showuser.asp?id=999 and 1=2

http://127.0.0.1/forum/showuser.asp?id=999 and 0<>(select count(*) from admin)

http://127.0.0.1/forum/showuser.asp?id=999'; declare @a sysname set @a=xp_ + your shell exec @a dir c: --- &aid=9

Once the administrator's password is obtained, the whole site is controlled; that may not yet yield permissions on the host, but it paves the way for that step. Similar SQL injection attacks come in many variants, with different queries used against different files that lack strict filtering, so it is impossible to write one complete character-filtering program that covers them all.

4. Remote injection attacks

What passes for filtering on many sites is simple JS filtering on the submitted form page. Against ordinary users you do not need to guard against more than that, but against a premeditated attacker such filtering is useless. What we often call a POST attack is one example: the attacker submits the illegal data remotely, bypassing the form, to achieve the attack.

Through the introduction of the above attack methods, we have a general understanding of the attacker's attack methods. Next we will begin to focus on how to effectively prevent script attacks!

Let's start from the simplest:

Preventing script attacks

Preventing JS and HTML script attacks is actually very simple: Server.HTMLEncode(Str) does the job. Of course, you may object: must every output across the site, such as <%=uid%>, be wrapped like this? To make filtering convenient, we only need to filter out a few key characters of HTML script and JS script. Program body (1) is as follows:

'Below are the filter functions
'(the entity names on the right-hand side were decoded in the original
' listing and are restored here)

<%
Function CHK(fqyString)
    fqyString = Replace(fqyString, ">", "&gt;")
    fqyString = Replace(fqyString, "<", "&lt;")
    fqyString = Replace(fqyString, "&#", "&amp;#")    ' only numeric character references; a bare & is left alone
    fqyString = Replace(fqyString, Chr(32), "&nbsp;")  ' space
    fqyString = Replace(fqyString, Chr(9), "&nbsp;")   ' tab
    fqyString = Replace(fqyString, Chr(34), "&quot;")  ' double quote
    fqyString = Replace(fqyString, Chr(39), "&#39;")   ' single quote
    fqyString = Replace(fqyString, Chr(13), "")        ' drop carriage returns
    fqyString = Replace(fqyString, Chr(10) & Chr(10), "</P><P>")  ' blank line = new paragraph
    fqyString = Replace(fqyString, Chr(10), "<BR>")    ' single newline = line break
    CHK = fqyString
End Function
%>

'The following are application examples

<%= CHK(Username) %>

Username = CHK(Replace(Request("username"), "'", ""))

Writing the functions in a shared page and pulling it in with #include is the most efficient approach.

Program body (1)


It is also worth noting that many sites lack script filtering on the user registration or profile modification pages, or filter only one of the two; after registering, an attacker can still inject script by modifying the profile. Check and filter the data the user submits. Program body (2) is as follows:

'Below is the filter
'(a few literals in the original listing did not survive extraction and
' appear there as "?", "? K" or an empty string; only the recoverable ones
' are kept, since Instr(s, "") is never 0 and would reject every name)

Dim u
u = Request("username")
If Instr(u, "=") > 0 Or _
   Instr(u, "%") > 0 Or _
   Instr(u, Chr(32)) > 0 Or _
   Instr(u, "?") > 0 Or _
   Instr(u, "&") > 0 Or _
   Instr(u, ";") > 0 Or _
   Instr(u, ",") > 0 Or _
   Instr(u, Chr(34)) > 0 Or _
   Instr(u, Chr(9)) > 0 Or _
   Instr(u, "$") > 0 Or _
   Instr(u, ">") > 0 Or _
   Instr(u, "<") > 0 Then
    Response.Write "Friend, the username you submitted contains invalid characters. Please change it. Thank you for your cooperation. <a href=""*****:window.history.go(-1);"">Return</a>"
    Response.End
End If

Program body (2)

To improve efficiency, we put the filtered characters into an array, so that filtering many parameters becomes much faster. For example:

Program body (3)

'Below is the program body
'(two entries of the original array had lost their characters in
' extraction; an empty string would match every input, so they are omitted)

Dim Bword(16)
Bword(0) = "?"        ' this literal was mangled in the original listing
Bword(1) = ";"
Bword(2) = ">"
Bword(3) = "<"
Bword(4) = "-"
Bword(5) = "'"
Bword(6) = """"
Bword(7) = "&"
Bword(8) = "%"
Bword(9) = "$"
Bword(10) = ":"
Bword(11) = "("
Bword(12) = ")"
Bword(13) = "--"
Bword(14) = Chr(9)    ' tab: the character itself, not the text "chr(9)"
Bword(15) = Chr(34)   ' double quote
Bword(16) = Chr(32)   ' space
Errc = False

'The following is the application section
'FQYs holds the value being checked, for example FQYs = Request("username")

For I = 0 To UBound(Bword)
    If Instr(FQYs, Bword(I)) <> 0 Then
        Errc = True
    End If
Next
If Errc Then
    Response.Write "<script language=""*****"">"
    Response.Write "parent.alert('Sorry! Your operation is illegal');"
    Response.Write "history.back();"
    Response.Write "</script>"
    Response.End
End If

Program body (3)


With the above filter function, you can apply it directly wherever filtering is needed, which greatly simplifies the repair work.

I would also like to remind you that the UBB code of some sites may have filtering problems when converting small emoticon icons; this is hard to spot because it is hidden. For example:

Modify the text in the label,

I don't know if you can understand it. The first single quotation mark closes the left quotation mark the program itself supplies, and the second single quotation mark pairs with the program's closing right quotation mark. In this way, the program output is:

If the image does not exist, the onerror handler fires and executes the script. On sites that filter single quotes, double quotation marks can be used here instead, and filtering the *** field alone only blocks alert(). Therefore, when filtering data, filter it completely. Do not give attackers a chance.
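The break-out described above, shown in Python rather than the page's ASP so it runs stand-alone (added example, not code from the original article): the emoticon tag is built with the value dropped raw between the program's quotes, then again with the value escaped in the spirit of the CHK function's CHR(34)/CHR(39) replacements, and a parser reports which attributes each version actually has. The img_tag helper, the /face/ path and the payload strings are constructed for this example.

```python
import html
from html.parser import HTMLParser

class ImgAttrs(HTMLParser):
    """Records the attributes a browser-like parser sees on each <img>."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.found.append(dict(attrs))

def img_tag(icon, quote='"', escape=False):
    # The UBB converter's output: the emoticon name is placed between the
    # program's own quote characters.  With escape=False the value goes in
    # raw, as on the vulnerable site; with escape=True it is HTML-escaped
    # first (html.escape with quote=True turns both " and ' into entities,
    # so the attacker cannot close the program's quote in either style).
    value = html.escape(icon, quote=True) if escape else icon
    return "<img src=" + quote + "/face/" + value + ".gif" + quote + ">"

def attributes(tag_html):
    # Parse the generated tag and return the <img> attribute dict
    # (entity references inside attribute values are decoded, like a browser).
    parser = ImgAttrs()
    parser.feed(tag_html)
    return parser.found[0]

# Constructed emoticon names that try to close the program's quote and
# start an onerror attribute, one per quote style, since the article notes
# that double quotes work where only single quotes are filtered.
PAYLOAD_DQ = 'x" onerror="alert(1)'
PAYLOAD_SQ = "x' onerror='alert(1)"

def demo():
    # For each quote style: attribute names seen without and with escaping.
    results = {}
    for name, icon, q in (("dq", PAYLOAD_DQ, '"'), ("sq", PAYLOAD_SQ, "'")):
        raw = attributes(img_tag(icon, q, escape=False))
        safe = attributes(img_tag(icon, q, escape=True))
        results[name] = (sorted(raw), sorted(safe))
    return results
```

The escaped version keeps the whole submitted string inside src, which is the behaviour the article's CHK function aims for; a character blacklist that misses either quote style does not.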

Preventing SQL injection attacks

This seems to be the focus of the entire article. The diversity of SQL injection attacks forces us to think harder about program protection. Facing the powerful "offensive" of SQL injection, what should we filter out?

Some common dangerous characters are:

' Closes the database field delimiter

-- Comment mark in some databases

# Comment mark in some databases

" May cause program errors

Path characters that cross directories

Unicode-encoded special characters

$ May be used for variable annotation

/ Same

NULL: be careful with "NULL" input, which may cause errors in database or system processing; the resulting error messages can be used to construct an overflow.

Spaces: used to build SQL injection strings

? = & If a second parameter is passed, the query string may be rewritten.

(1) Start from the most common SQL injection attack: username and password filtering problems, such as:

Submit: username: ' or ''='   password: ' or ''='

Working from the program, we can deduce that the database performs the following operation:

SQL = "SELECT * FROM lUsers WHERE Username='' or ''='' and Password='' or ''=''"

The SQL server therefore returns every record in the lUsers table, and the ASP script mistakenly takes the attacker's input as matching the first record in lUsers, which lets the attacker log on to the website as that user.
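The bypass above run against a constructed lUsers table, in Python with sqlite3 rather than the article's ASP so it executes stand-alone (added example, not code from the original article): build_sql reproduces the article's concatenated statement, login_concat executes it, and login_param is the corrected form using placeholders. The table contents and the make_db helper are constructed for this example.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for the article's lUsers table.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE lUsers (Username TEXT, Password TEXT)")
    con.executemany("INSERT INTO lUsers VALUES (?, ?)",
                    [("admin", "s3cret"), ("alice", "hunter2")])
    return con

def build_sql(username, password):
    # The article's string-built statement: the quotes around the submitted
    # values are part of the SQL text, so a quote inside the input rewrites
    # the WHERE clause instead of being treated as data.
    return ("SELECT * FROM lUsers WHERE Username='" + username +
            "' and Password='" + password + "'")

def login_concat(con, username, password):
    # Vulnerable form: execute the concatenated text as-is.
    return con.execute(build_sql(username, password)).fetchall()

def login_param(con, username, password):
    # Corrected form: placeholders.  The driver sends the values separately
    # from the statement text, so ' or ''=' is compared literally and
    # matches no row; no character blacklist is needed for this to hold.
    sql = "SELECT * FROM lUsers WHERE Username=? and Password=?"
    return con.execute(sql, (username, password)).fetchall()

def demo():
    con = make_db()
    payload = "' or ''='"   # the exact value the article submits in both fields
    return (len(login_concat(con, payload, payload)),   # every row comes back
            len(login_param(con, payload, payload)),    # nothing matches
            len(login_param(con, "alice", "hunter2")))  # a real login still works
```

Because AND binds tighter than OR, the concatenated statement reduces to "... OR ''=''", which is true for every row; that is why the first record is handed back as the attacker's account.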
