With the growth of the Internet, network security receives more and more attention. If a company's website has a security problem, the enterprise's brand image and user trust suffer badly, so how do we protect a site? The best we can do is to prevent problems before they occur, and today we share some of the common security holes found when building a website.
1. Clear text transmission
Problem Description: The system's user passwords are insufficiently protected; an attacker can use attack tools to steal legitimate users' password data from the network.
Modification Suggestion: Passwords must be encrypted in transit.
Note: Encrypt all passwords, and use strong encryption. Do not use Base64 or MD5.
2. SQL injection
Problem Description: An attacker can exploit an SQL injection vulnerability to obtain all kinds of information from the database, such as the password of the back-end management account, or to dump the entire contents of the database.
Modification Suggestion: Filter and validate the input parameters, using a combination of blacklist and whitelist methods.
Note: Filtering and validation must cover every parameter in the system.
3. Cross-site scripting attacks
Problem Description: Input is not validated, so an attacker can inject malicious code into a web page in a clever way. This code is usually JavaScript, but it can also be Java, VBScript, ActiveX, Flash, or plain HTML. After a successful attack, the attacker can gain higher privileges.
Modification Suggestion: Filter and validate user input, and HTML-entity-encode the output.
Note: Filtering, validation, and HTML entity encoding must cover every parameter.
4. File Upload Vulnerability
Problem Description: Without restrictions on file uploads, executable files or script files may be uploaded, which can further lead to the server being compromised.
Modification Suggestion: Strictly validate uploaded files and prevent the upload of ASP, ASPX, ASA, PHP, JSP and other dangerous scripts. At the same time, add file header verification to prevent users from uploading illegal files.
5. Disclosure of sensitive information
Problem Description: The system exposes internal information, such as the absolute path of the website, web page source code, SQL statements, middleware versions, and program exceptions.
Modification Suggestion: Filter abnormal characters entered by the user, and suppress error messages echoed to the page by using custom 404, 403, 500 and similar error pages.
6. Command execution vulnerability
Problem Description: Scripts call command execution functions such as PHP's system, exec, shell_exec, and so on.
Modification Suggestion: Patch, and strictly restrict the commands the system needs to execute.
7. CSRF (cross-site request forgery)
Problem Description: An attacker makes a logged-in user perform some action without the user's knowledge.
Modification Suggestion: Add token validation, a timestamp, or an image verification code (CAPTCHA).
8. SSRF Vulnerability
Problem Description: Server-side request forgery.
Modification Suggestion: Patch, or uninstall unused packages.
9. Default password, weak password
Problem Description: Default passwords and weak passwords are easy to guess.
Modification Suggestion: Enforce stronger password strength and do not use weak passwords.
Note: Passwords must not be common words, such as root123456, admin1234, qwer1234, pssw0rd and so on.
Of course, these are not all the possible vulnerabilities. A corporate website must be continuously checked and maintained while in operation, preferably with a dedicated person responsible for regular inspection and maintenance of the company's website, to ensure the security of the site.