Web security Threats and defenses

Source: Internet
Author: User

One, cross-site scripting attacks (XSS)

Definition:

XSS (Cross Site Scripting) is abbreviated XSS rather than CSS to avoid confusion with Cascading Style Sheets. It is one of the most dangerous and common web vulnerabilities, and is typically used for cookie theft, malware distribution, session hijacking and malicious redirection.

It is divided into three categories:

1. Non-persistent (reflected) XSS. The attacker crafts a link whose URL parameter carries script; the server echoes the parameter into its response and the browser parses and executes it as HTML. This is the most common and most widely exploited type. It is called non-persistent because the payload lives only in the link, so a victim has to be induced to click a link carrying that specific parameter.

2. Persistent (stored) XSS. The malicious script is stored on the server, typically in the application's database, and is served to every user who views the affected page. Message boards, comment sections and similar user-content features are the usual targets.

3. DOM-based XSS, also called "type-0 XSS". The payload is executed by the page's own client-side script, which reads attacker-controlled data (for example from window.location) and writes it into the DOM through a sink such as innerHTML. The HTTP response from the server is unchanged, so server-side filtering never sees the attack, yet the script still runs in the victim's browser. In most cases the vulnerability exists because the developer does not understand how the client-side code handles untrusted input.

Prevention:

1. Encode untrusted data before writing it into HTML. Untrusted sources include URLs, the HTTP Referer header, GET query parameters, POST form fields, and client-side values such as window.location, document.referrer, document.location, document.URL and document.URLUnencoded. Encode HTML output with the HtmlEncode() method (HttpUtility.HtmlEncode in ASP.NET).

2. Encode the special characters that can break out of an HTML context: & becomes &amp;, < becomes &lt;, > becomes &gt;, " becomes &quot;, ' becomes &#x27; and / becomes &#x2F;.

3. Apply the same treatment to data that does not arrive as a request parameter but is still untrusted: cookie values, HTTP header values, and data read back from the database, which may already contain a stored payload.

Commonly used class libraries

1. AntiXSS, a library released by Microsoft to prevent XSS attacks. It also works on a whitelist principle: the AntiXss.GetSafeHtmlFragment(html) method keeps known-safe markup and strips or encodes the dangerous characters and elements in the HTML fragment.
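The three prevention items above amount to one rule: encode at the HTML sink. The following is an added example, not code from the original page. It is written in Python rather than the ASP.NET HtmlEncode/AntiXSS calls the page names; the page template, the payloads and the browser_view helper are constructed for the demonstration. It implements the character table from item 2, renders a reflected parameter with and without encoding, and uses the standard-library HTML parser to approximate which elements and event handlers a browser would create from each result. Reading a stored comment back out of the database (item 3) goes through the same encoder; for DOM-based XSS the same rule applies on the client, writing untrusted data with textContent instead of innerHTML.

```python
"""Output encoding against reflected and stored XSS (added example)."""
from html.parser import HTMLParser

# Character-to-entity table from the prevention list above (the OWASP rule for
# data placed in HTML element content). str.translate substitutes all entries
# in a single pass, so the '&' produced by one replacement is never re-encoded.
_HTML_ENCODE_TABLE = str.maketrans({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
    "/": "&#x2F;",
})


def encode_html(untrusted: str) -> str:
    """Return `untrusted` made safe for insertion into an HTML element body.
    Not sufficient for attribute values, URLs or script blocks, which need
    their own context-specific encoders."""
    return untrusted.translate(_HTML_ENCODE_TABLE)


# Hypothetical page that greets the visitor by the ?name= query parameter.
_TEMPLATE = "<html><body><h1>Hello, {name}!</h1></body></html>"


def render_vulnerable(name: str) -> str:
    """Reflected XSS: the parameter is written into the page verbatim."""
    return _TEMPLATE.format(name=name)


def render_safe(name: str) -> str:
    """Same page with output encoding applied at the HTML sink."""
    return _TEMPLATE.format(name=encode_html(name))


class _TagCollector(HTMLParser):
    """Records element names and on* event-handler attributes as parsed."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))


def browser_view(html: str) -> tuple:
    """Approximate what a browser's parser would build from `html`:
    the element names in document order and any on* handler attributes.
    Encoded text such as &lt;script&gt; is character data, not an element."""
    collector = _TagCollector()
    collector.feed(html)
    collector.close()
    return collector.tags, collector.handlers


if __name__ == "__main__":
    # Constructed payloads: a script element and an event-handler attribute.
    for payload in ("<script>alert(document.cookie)</script>",
                    "<img src=x onerror=alert(1)>"):
        print("vulnerable:", browser_view(render_vulnerable(payload)))
        print("safe:      ", browser_view(render_safe(payload)))
```

For the vulnerable render the parser reports a script element or an onerror handler; for the encoded render it reports only the template's own html, body and h1 elements, because the payload has become text.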

Two, DDoS attacks

Three, SQL injection attacks

Definition

The attacker submits carefully constructed input that is spliced into a SQL statement and uses it to read, modify or destroy database data. The attack is concealed within ordinary requests and is not easy to detect.

Prevention

1. Pass user input as SqlCommand parameters instead of concatenating it into the query text.

2. Filter SQL keywords and reject requests that attempt illegal operations. This is a supplementary measure only: keyword blacklists are routinely bypassed.

3. Use stored procedures. They still need to be called with parameters; a stored procedure that builds dynamic SQL from its arguments is just as injectable.
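Prevention items 1 and 2 above, as an added example that is not from the original page: it uses Python's sqlite3 module instead of ADO.NET, with '?' placeholders playing the role of SqlCommand parameters. The table, the account and the payloads are constructed for the demonstration. It runs the same two injection payloads against a string-built query, against that query behind a keyword blacklist of the kind item 2 describes, and against the parameterized query, so the result table shows why the blacklist is a supplement and not a substitute.

```python
"""SQL injection: string-built query, keyword blacklist, parameterized query."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory users table with one constructed account (plaintext password
    only to keep the demo short; real systems store a salted hash)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute("INSERT INTO users VALUES (1, 'admin', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Attacker-controlled text becomes part of the SQL statement itself.
    Returns the matched user id, or None."""
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


# A keyword/token blacklist of the kind the page's item 2 describes.
_BLOCKED_TOKENS = ("--", " or ", "'or", "union", ";")


def login_blacklisted(conn, username, password):
    """Item 2 on its own: reject input containing blacklisted tokens, then build
    the query exactly as before. Anything not on the list still gets through."""
    for field in (username, password):
        lowered = field.lower()
        if any(token in lowered for token in _BLOCKED_TOKENS):
            return None
    return login_vulnerable(conn, username, password)


def login_safe(conn, username, password):
    """Item 1: the SQL text is fixed; values are bound to '?' placeholders and
    reach the engine as data, never as SQL (sqlite3's counterpart of
    SqlCommand parameters)."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Constructed login attempts. The first is a real login; the second closes the
# string literal and comments out the password check with '--'; the third does
# the same with an unterminated '/*' block comment, which SQLite accepts and
# the blacklist does not catch.
PAYLOADS = {
    "honest": ("admin", "s3cret"),
    "line_comment": ("admin'--", "wrong"),
    "block_comment": ("admin'/*", "wrong"),
}


def demo() -> dict:
    """For each payload, return (vulnerable, blacklisted, parameterized) results."""
    conn = make_db()
    return {
        name: (login_vulnerable(conn, u, p),
               login_blacklisted(conn, u, p),
               login_safe(conn, u, p))
        for name, (u, p) in PAYLOADS.items()
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14s} vulnerable={result[0]} "
              f"blacklisted={result[1]} parameterized={result[2]}")
```

The string-built query logs in as admin for both injection payloads; the blacklist stops the '--' variant but lets the '/*' variant through; the parameterized query treats both payloads as a literal username that matches no row and only accepts the honest credentials.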

Four, web page trojan ("hanging horse") attacks

Defense begins in the code development phase, from two directions. First, the project should adopt coding standards, paying particular attention to validating illegal input and avoiding overflow vulnerabilities. Second, after development is finished, the security of the web system should be tested and evaluated with commercial web application security assessment software or an assessment service.
