Website code security risk detection and elimination

Source: Internet
Author: User
Tags: sql injection attack

Security risk types:

XSS: cross-site scripting attacks. XSS (in older material also abbreviated CSS, for Cross Site Script) is an attack in which a malicious attacker inserts malicious HTML code into a web page. When a user browses that page, the HTML embedded in it is executed in the user's browser, which lets the attacker carry out the intended malicious action against that user.

Numeric SQL injection: SQL injection through a parameter that the query uses as a number (an unquoted value).

String SQL injection: SQL injection through a parameter that the query uses as a quoted string.

Elimination Method:

XSS: 1. Apply strict input validation to everything a user submits: URLs, query keywords, HTTP headers and POST data. Accept only the characters you expect, within the length you specify and in the expected format; block, filter or ignore everything else.
2. Protect all sensitive functions so that they cannot be automated by bots or triggered by third-party websites: implement session tokens, a CAPTCHA system, or an HTTP Referer header check.
3. If your web application must accept HTML provided by the user, the application's security will suffer badly. You can still protect the site: make sure the HTML you receive is well-formed and contains only a minimal set of safe tags (no JavaScript), and remove any reference to remote content (especially style sheets and JavaScript). For additional protection, use HttpOnly cookies.
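The three measures above, worked into server-side Python as an added example (this code is not from the original article or from any particular product): an allow-list check for a submitted query keyword, a minimal-tag HTML sanitizer that drops event-handler attributes, scripts, styles and remote references, an escaping helper for plain-text output, and a Set-Cookie header with HttpOnly set. The tag and attribute allow-lists, the keyword pattern and the cookie name are assumptions chosen for illustration.

```python
import html
import re
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from typing import Optional

# Allow-list for a search keyword (assumed policy): letters, digits, spaces
# and a few punctuation marks, at most 64 characters. Anything else is rejected.
KEYWORD_RE = re.compile(r"^[A-Za-z0-9 _.\-]{1,64}$")

def validate_keyword(value: str) -> Optional[str]:
    """Return the keyword unchanged if it matches the allow-list, else None."""
    return value if KEYWORD_RE.fullmatch(value) else None

# Minimal tag allow-list for user-supplied HTML (assumed policy). Scripts,
# styles, event handlers and remote references never reach the output.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
# Only site-relative links are kept, so no remote content can be referenced.
SAFE_HREF_RE = re.compile(r"/[A-Za-z0-9/_.\-?=&]*")

class Sanitizer(HTMLParser):
    """Rebuild the fragment keeping only allow-listed tags and attributes."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # <script>, <style>, <iframe>, ... are dropped entirely
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick=, onerror=, style=, src=, ...
            value = (value or "").strip()
            if name == "href" and not SAFE_HREF_RE.fullmatch(value):
                continue  # drops http://, https://, javascript:, data: links
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        # Text content (including the body of a dropped <script>) is escaped.
        self.out.append(html.escape(data))

    def result(self) -> str:
        return "".join(self.out)

def sanitize_html(fragment: str) -> str:
    """Return a well-formed fragment containing only the allow-listed tags."""
    s = Sanitizer()
    s.feed(fragment)
    s.close()
    return s.result()

def render_untrusted_text(value: str) -> str:
    """For values that are plain text, not HTML: escape everything."""
    return html.escape(value, quote=True)

def session_cookie_header(token: str) -> str:
    """Build a Set-Cookie value with HttpOnly (and Secure) so scripts cannot read it."""
    c = SimpleCookie()
    c["session"] = token
    c["session"]["httponly"] = True
    c["session"]["secure"] = True
    c["session"]["path"] = "/"
    return c.output(header="").strip()

if __name__ == "__main__":
    print(validate_keyword("sql injection"), validate_keyword("<script>"))
    print(sanitize_html('<b onclick="x()">hi</b><script>alert(1)</script>'))
    print(sanitize_html('<a href="http://evil.example/x">link</a><a href="/docs?id=3">ok</a>'))
    print(render_untrusted_text('<img src=x onerror=alert(1)>'))
    print(session_cookie_header("abc"))
```

Validation rejects rather than repairs: a keyword that fails the allow-list is refused outright, which is simpler to reason about than trying to strip bad characters. The sanitizer is the fallback for the case the text calls disastrous, where HTML must be accepted; escaping (render_untrusted_text) remains the right choice whenever the value is really just text.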

SQL injection: pass parameters by POST rather than in the URL; where GET parameters are used, filter key characters such as the single quote ('), the comment marker (--) and the semicolon (;). In the database layer, use stored procedures and parameterized SQL statements.
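To make the two injection types concrete, an added example (not from the original article) using Python's sqlite3 with a constructed in-memory table: the vulnerable queries splice the parameter into the SQL text, so a numeric parameter and a string parameter are each subverted, while the hardened versions validate the type and pass the value as a bound parameter. The table, its rows and the 32-character length limit are constructed for illustration. Parameterized statements are the primary defense; filtering characters in GET parameters, as the text suggests, is only a secondary layer.

```python
import sqlite3
from typing import List, Tuple

Row = Tuple[int, str]

def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny products table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, hidden INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "apple", 0), (2, "banana", 0), (3, "hidden", 1)],
    )
    return conn

# --- Vulnerable: the parameter is spliced into the SQL text ---

def vulnerable_numeric(conn: sqlite3.Connection, product_id: str) -> List[Row]:
    # Numeric injection: the value is used unquoted, so no quote is needed
    # to break out; "1 OR 1=1" turns the WHERE clause into a tautology.
    sql = "SELECT id, name FROM products WHERE id = " + product_id
    return conn.execute(sql).fetchall()

def vulnerable_string(conn: sqlite3.Connection, name: str) -> List[Row]:
    # String injection: the value sits inside quotes, so a quote in the
    # input closes the literal and the rest is parsed as SQL.
    sql = "SELECT id, name FROM products WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

# --- Hardened: type validation plus parameterized statements ---

def safe_numeric(conn: sqlite3.Connection, product_id: str) -> List[Row]:
    try:
        pid = int(product_id)  # a numeric parameter must parse as an integer
    except ValueError:
        return []
    return conn.execute(
        "SELECT id, name FROM products WHERE id = ?", (pid,)
    ).fetchall()

def safe_string(conn: sqlite3.Connection, name: str) -> List[Row]:
    if len(name) > 32:  # assumed length limit for a product name
        return []
    # The driver binds the value; quotes in it stay part of the literal.
    return conn.execute(
        "SELECT id, name FROM products WHERE name = ?", (name,)
    ).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("vulnerable numeric:", vulnerable_numeric(db, "1 OR 1=1"))
    print("vulnerable string: ", vulnerable_string(db, "x' OR '1'='1"))
    print("safe numeric:      ", safe_numeric(db, "1 OR 1=1"))
    print("safe string:       ", safe_string(db, "x' OR '1'='1"))
    print("safe lookup:       ", safe_numeric(db, "1"), safe_string(db, "apple"))
```

The numeric case is the one that character filtering misses most often: the payload contains neither a quote nor a comment marker, so a filter built around those characters passes it through, while int() rejects it and the bound parameter would treat it as a literal anyway.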


Check Method:

Use the Safe3 vulnerability scanner.

Enter the URL to be tested in the first box, select "GET" and click "Scan".

Pages that have been scanned are listed in the Status box.

The Exploit box lists each problematic page together with the specific problem found.

