Web script attack prevention

Source: Internet
Author: User
Tags: chr, sql injection

Recently, web SQL injection attacks, JS script attacks and HTML script attacks have become more intense, and many websites are plagued by them. Unlike host vulnerabilities, which get a patch as soon as they are found, web application flaws are awkward to prevent and awkward to repair. The greatest pain for a webmaster is this: the passwords are strong, yet the attacker still obtains them. So how do you ensure real security? First, do not derive your password from details of your life. Second, it is best that the super-administrator password is known only to you. Third, you must harden your website program. How to do that last part is the subject of this article.

How does one implement security protection? To defend against these attacks you must first know how the other side carries them out. Many articles describe how to attack a website; in practice the methods fall into the following categories:

1. Simple script attacks

Such attacks are mostly a nuisance. For example, an attacker submits something like `alert();` or a stray `</table>` tag in a form field. Because the program filters input loosely, the attacker gains no useful information, but the page layout breaks and confuses him and everyone else. Many websites that offer free services today, or that run loosely filtered programs, are exposed to this.

2. Dangerous script attacks

This type of script attack is powerful enough to steal administrator or other user information. The well-known examples are stealing cookies and using script to perform local write operations on the client.

3. SQL Injection vulnerability attack

This attack can be said to have started with forum software such as BBSXP. SQL special characters are not strictly filtered, so the database is exposed to cross-table queries. For example:

http://127.0.0.1/forum/showuser.asp?id=999 and 1=1

http://127.0.0.1/forum/showuser.asp?id=999 and 1=2

http://127.0.0.1/forum/showuser.asp?id=999 and 0<>(select count(*) from admin)

http://127.0.0.1/forum/showuser.asp?id=999';declare @a sysname set @a='XP_'+'Your shell' exec @a 'dir c:'--&aid=9

The first two URLs are the classic true/false probe: if the page for `and 1=1` looks the same as the plain `id=999` page and the page for `and 1=2` differs, the parameter is reaching the query unquoted. The third asks whether an `admin` table with at least one row exists, using the same true/false comparison. The fourth, on SQL Server, assembles the name of an extended stored procedure at run time from two pieces (`'XP_' + ...`) so that a filter looking for the full name does not match, and then runs an operating-system command (`dir c:`).

Once the administrator's password is obtained the whole site is under the attacker's control. That may not yet give him permissions on the host, but it paves the way toward them. SQL injection has many variants, and a different query is used for each file that does not filter strictly, so it is impossible to write a single character filter that covers them all.
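The true/false probes above, carried through against a small in-memory database as an added example (this is not code from the page; `showuser_vulnerable`, `showuser_fixed`, `probe_table_nonempty`, the `users`/`admin` tables and their rows are all constructed for the illustration). It uses SQLite, so the SQL Server stored-procedure payload from the last URL is not reproduced; the point is the same `and 1=1` / `and 1=2` / `0<>(select count(*) ...)` logic, and the hardened version that binds the id as an integer parameter:

```python
import sqlite3

# Constructed sample schema: a forum-style users table plus the admin table
# that the third probe URL on the page looks for.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(999, "fqy"), (1000, "guest")])
    conn.execute("INSERT INTO admin VALUES (1, 'admin', 'secret')")
    conn.commit()
    return conn

def showuser_vulnerable(conn, user_id):
    """Hypothetical showuser.asp equivalent: the id parameter is pasted into the SQL text."""
    sql = "SELECT name FROM users WHERE id=" + user_id
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def showuser_fixed(conn, user_id):
    """Hardened version: the parameter must be an integer and is bound with a placeholder."""
    try:
        uid = int(user_id)
    except ValueError:
        return None          # reject anything that is not a plain number
    row = conn.execute("SELECT name FROM users WHERE id=?", (uid,)).fetchone()
    return row[0] if row else None

def probe_table_nonempty(conn, table):
    """Blind boolean probe that goes only through the vulnerable page.

    Compares the response for 'and 0<>(select count(*) from <table>)' with the
    baseline response for id=999. Same response: the table exists and has rows.
    Empty response or a database error: it does not exist, or it is empty."""
    baseline = showuser_vulnerable(conn, "999")
    try:
        probed = showuser_vulnerable(conn, "999 and 0<>(select count(*) from %s)" % table)
    except sqlite3.OperationalError:   # e.g. "no such table"
        return False
    return probed is not None and probed == baseline

if __name__ == "__main__":
    db = make_db()
    for payload in ("999", "999 and 1=1", "999 and 1=2",
                    "999 and 0<>(select count(*) from admin)"):
        print("vulnerable id=%-42s -> %r" % (payload, showuser_vulnerable(db, payload)))
        print("fixed      id=%-42s -> %r" % (payload, showuser_fixed(db, payload)))
    print("admin table non-empty?", probe_table_nonempty(db, "admin"))
```

Note that the fix does not rely on filtering characters at all: an id that is not a plain integer is rejected before any SQL is built, and the value that survives is bound as a parameter, so the `and ...` tail can never become part of the query.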

4. Remote injection attacks

What many sites call filtering is nothing more than JavaScript checks on the form page that the user submits. Against ordinary users that is enough; against an attacker who has planned ahead it is useless. The so-called POST attack is one example: the attacker submits the illegal data directly to the server, bypassing the form and its script entirely.

With the attack methods introduced above we have a general picture of how attackers operate. Next we focus on how to effectively prevent script attacks.

Let's start from the simplest:

I. Prevent script attacks

Preventing JS and HTML script attacks is actually very simple: Server.HTMLEncode(Str) does the whole job. Of course, you may object: do I really have to wrap every output on the site, every `<%=uid%>`, in a filter? To make filtering easier, we only need to handle the handful of characters that matter in HTML and JS scripts. Program body (1) is as follows:

'Below are filter functions

<%
' CHK: replace the characters that matter in HTML and JS scripts with their
' entities. Note that a bare & and a single quote ' are left untouched, so this
' is narrower than Server.HTMLEncode; use it only where the output is placed
' in element text or a double-quoted attribute.
Function CHK(fqyString)
    fqyString = Replace(fqyString, ">", "&gt;")
    fqyString = Replace(fqyString, "<", "&lt;")
    fqyString = Replace(fqyString, "&#", "&amp;#")
    fqyString = Replace(fqyString, Chr(32), "&nbsp;")
    fqyString = Replace(fqyString, Chr(9), "&nbsp;")
    fqyString = Replace(fqyString, Chr(34), "&quot;")
    CHK = fqyString
End Function
%>
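The same six replacements as CHK, next to a full HTML encoder, as an added example that is not part of the page (the Python port `chk`, the `encode` helper built on `html.escape`, and the hypothetical `render_value_attr` template line are all constructed here). It shows the case the short filter does not cover: a value dropped into a single-quoted attribute, where the unencoded `'` lets the attacker close the attribute and add an event handler, while full encoding also escapes `'` and `&`.

```python
import html

def chk(s):
    """Python port of the page's VBScript CHK(): the same six replacements in the same order."""
    for old, new in ((">", "&gt;"), ("<", "&lt;"), ("&#", "&amp;#"),
                     (" ", "&nbsp;"), ("\t", "&nbsp;"), ('"', "&quot;")):
        s = s.replace(old, new)
    return s

def encode(s):
    """Full HTML encoding in the spirit of Server.HTMLEncode: & < > \" and ' are all escaped."""
    return html.escape(s, quote=True)

def render_value_attr(value, encoder):
    """Hypothetical template line that puts user text into a single-quoted attribute."""
    return "<input value='" + encoder(value) + "'>"

def attribute_breakout(value, encoder):
    """True when the encoded value still contains a single quote, i.e. it can close
    the attribute written by render_value_attr and append its own onmouseover= handler."""
    return "'" in encoder(value)

if __name__ == "__main__":
    # Constructed sample inputs, one per case.
    samples = [
        "<script>alert(1)</script>",      # plain tag injection: both filters stop it
        "&#106;avascript:alert(1)",       # numeric-entity trick: both filters stop it
        "' onmouseover='alert(1)",        # single-quote breakout: only encode() stops it
    ]
    for s in samples:
        for name, enc in (("CHK   ", chk), ("encode", encode)):
            verdict = "breakout" if attribute_breakout(s, enc) else "safe"
            print(name, render_value_attr(s, enc), verdict)
```

The practical rule this illustrates: a character list like CHK is only safe for the output contexts it was written for; when the template puts the value anywhere else, fall back to Server.HTMLEncode or encode for that context explicitly.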
