Web security and web Security

Source: Internet
Author: User

Web security and web Security

I. Client Script Security
(1) XSS ):
XSS attacks usually refer to attacks in which hackers tamper with the webpage through "html injection" and insert malicious scripts to control the user's browser when browsing the webpage.
The most common XSS attack is to initiate Cookie hijacking by reading the cookie object of the browser. The current user's logon credential is stored in the session of the server,
In browsers, cookies are stored. After a cookie is hijacked, attackers can directly log on to the system without passing the password. You can also directly enter the script javascript: alert (document. cookie) in the browser to obtain the current cookie value.
Implant the HttpOnly identifier into the cookie.
Solution: <Context docBase = "E: \ tomcat \ apache-tomcat-6.0.24/webapps/netcredit "path ="/netcredit "reloadable =" false "useHttpOnly =" true "/>
Or: Add the following content to web. xml:
<Session-config>
<Cookie-config>
<Http-only> true </Cookie-config>
</Session-config>
Ii. server application security
1. SQL injection attacks:
Two key conditions for SQL injection: the first is that the user can control the input, and the second is the code to be executed by the original program, splicing the user input data. PreparedStatement and Statement
2. disable the error echo function of the web server, which can prevent attackers from making adjustments to the attack content by displaying detailed error information after attacking the system. This greatly facilitates the attacker.
Add the following sample code to the project's web. xml file:
<Error-page>
<Error-code> 400 </error-code>
<Location>/error400.jsp </location>
</Error-page>
3. The database uses the minimum permission principle. The system program does not use the root with the highest permission to connect to the database, but uses the minimum permission account that can meet the system requirements for database connection,
In addition, different accounts are used between multiple databases to ensure that each database has an independent account.
4. Authentication and session management
You can use the verification code to log on to and restrict the number of wrong passwords. If the number of logon attempts is exceeded, you cannot log on to this ip address for a period of time.
Set a validity period for the Session to ensure that the Session will be automatically destroyed after the validity period, to prevent the security risks caused by Session persistent connections.
<Session-config>
<Session-timeout> 30 </session-timeout>
</Session-config>

Iii. File Upload Vulnerability
The File Upload Vulnerability indicates that a user uploads an executable script file and obtains the ability to execute commands on the server through the script file, which may cause serious consequences.
You can control the detailed format verification of the uploaded file to control the upload of the script file. If the above verification is successful, the system will rename the file name when storing the file,
And set the corresponding web server. The directory is not displayed by default. If the code needs to be executed during file upload, the user needs to be able to access the file, so the random number is used to rewrite the file name,
It will greatly increase the cost of attacks and even fail to launch attacks.

 

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.