Write Secure Code: the sword of Damocles hanging over the programmer's head

Source: Internet
Author: User
Programmers and hackers have an endless feud. Many high-level hackers are also skilled programmers, but most programmers struggle against hackers, and those who write business systems that run on the Internet have to be especially careful. Compared with hackers, programmers are the constrained side: a hacker only needs one vulnerability, whereas a programmer must guard against all of them, and a single small hole can land you in trouble. A program is an organic whole, and we cannot relax just because every line of code is impeccable. Often a system that looks secure everywhere turns out not to be. Let's look at an example.
System A is an online transaction system with user registration. Because users often forget their passwords, it also provides a password retrieval function. System A uses a strictly tested ORM data-mapping component, so there is no injection problem; SQL injection gets an attacker nowhere. But is it safe? Programmer Z made a number of security improvements to the password retrieval flow. Users have bad habits, though: because it is too much trouble, in many cases the password hint and the answer are the same, since Ctrl-C and Ctrl-V are faster. So Z first restricted by IP address: one IP address can make only three requests in 30 seconds. Then each account is allowed only three wrong verification codes when retrieving the password; on the third failure the user is told "your account cannot be recovered again today and has been frozen, please try again tomorrow." Now the system really looks solid.
In fact, security is as fleeting as a passing cloud; the only truly secure server is one that is switched off. Let's look at how hacker H broke the system in a simple way. H was a novice (cainiao) hacker with only basic skills. He had an account on the system, and after entering something on the password retrieval page, he pulled out his tools and started writing a script. First he needed the tool to keep requesting password retrieval for user names taken from a dictionary. The verification code could be filled in with anything, because it no longer mattered. He set the tool to request each user name only four times and then parse the returned HTML: if the string "your account cannot be recovered today" appears, record the user name of that request, because it shows that the user exists in the system. Then H put the tool on the bots his master had given him and waited for the results.
The next day, H opened his mailbox to check the results. By then the tool had found more than a thousand accounts. As he could not break the verification code, he decided to do it by hand, taking the user names he had found and submitting the password hint directly as the answer. After an afternoon's work, H had the passwords for more than 80 accounts, each of which had a monthly consumption quota of 200 yuan. After two days of hard work, novice hacker H had made a profit of 1,600 yuan.
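The two steps above, as an added example that is not code from the original article: a simulation of System A's retrieval endpoint with the two limits Z added, a script that does what H's tool did, and a hardened endpoint that closes the oracle. The user table, the bot addresses, the message strings and the "junk" CAPTCHA value are all constructed; the per-IP and per-account limits are the ones the article states.

```python
import hmac
import itertools
from collections import defaultdict

# Constructed user table for "System A": username -> (hint, answer).
USERS = {
    "alice": ("my dog's name", "my dog's name"),  # hint == answer, the copy-paste habit
    "bob": ("favourite colour", "blue"),
}
MAX_FAILS = 3                 # wrong attempts per account per day (from the article)
IP_LIMIT, IP_WINDOW = 3, 30   # requests per IP per 30 seconds (from the article)

RATE_MSG = "too many requests from this address"
BAD_MSG = "verification code or answer incorrect"
LOCKED_MSG = "your account cannot be recovered today, please try again tomorrow"
GENERIC_MSG = "if the account exists and the details are right, a reset link was sent"


class IpLimiter:
    """Sliding window: at most IP_LIMIT requests per IP in any IP_WINDOW seconds."""
    def __init__(self):
        self.hits = defaultdict(list)

    def allow(self, ip, now):
        recent = [t for t in self.hits[ip] if now - t < IP_WINDOW]
        self.hits[ip] = recent
        if len(recent) >= IP_LIMIT:
            return False
        recent.append(now)
        return True


def _answer_ok(username, captcha, answer):
    record = USERS.get(username)
    return (record is not None and captcha == "ok"
            and hmac.compare_digest(answer.encode(), record[1].encode()))


class VulnerableService:
    """System A as described: the failure counter exists only for real accounts,
    and the lockout message differs from the ordinary failure message."""
    def __init__(self):
        self.limiter, self.fails = IpLimiter(), defaultdict(int)

    def new_day(self):
        self.fails.clear()                     # daily freeze expires

    def show_hint(self, username):
        """The retrieval page displays the stored hint (empty for unknown names)."""
        return USERS.get(username, ("", ""))[0]

    def retrieve(self, ip, now, username, captcha, answer):
        if not self.limiter.allow(ip, now):
            return RATE_MSG
        if username not in USERS:
            return BAD_MSG                     # unknown names never lock: the oracle
        if self.fails[username] >= MAX_FAILS:
            return LOCKED_MSG
        if _answer_ok(username, captcha, answer):
            return "password reset"
        self.fails[username] += 1
        return BAD_MSG


class HardenedService(VulnerableService):
    """Same limits, but the attempt budget is keyed on the submitted name whether
    or not it exists, and every failure path returns one identical message."""
    def retrieve(self, ip, now, username, captcha, answer):
        if not self.limiter.allow(ip, now):
            return RATE_MSG
        if self.fails[username] < MAX_FAILS and _answer_ok(username, captcha, answer):
            return "password reset"
        self.fails[username] += 1              # phantom names are counted too
        return GENERIC_MSG


def enumerate_accounts(service, candidates, bot_ips):
    """H's script: MAX_FAILS + 1 junk submissions per candidate, each from the
    next bot in the pool, one second apart. A name is confirmed when the final
    reply carries the lockout text. Returns the confirmed names in order."""
    ips, now, found = itertools.cycle(bot_ips), 0, []
    for name in candidates:
        for _ in range(MAX_FAILS + 1):
            now += 1
            reply = service.retrieve(next(ips), now, name, "junk", "junk")
        if "cannot be recovered today" in reply:
            found.append(name)
    return found


def harvest_with_hint(service, names, ip):
    """Second step, done by hand from one address (CAPTCHA modelled as solved):
    submit each confirmed account's displayed hint as its answer, pausing
    IP_WINDOW seconds between tries so the per-IP limit never bites."""
    now, got = 10_000, []
    for name in names:
        now += IP_WINDOW
        if service.retrieve(ip, now, name, "ok", service.show_hint(name)) == "password reset":
            got.append(name)
    return got
```

Run from a single address, `enumerate_accounts` confirms nothing, because the fourth request for every name is rejected by the per-IP window; spread over a pool of bots, each request comes from a fresh address and every real account answers with the lockout string. Against `HardenedService` the same pool learns nothing, since a non-existent name burns the same budget and yields the same text as a real one. Note that the hardened class still inherits `show_hint`; a page that displays a stored hint only for real accounts is an oracle of its own, so the hint should be shown (or withheld) uniformly.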
Apart from the fictitious character H, the whole event is adapted from a real case, and H's actions were reconstructed by analysing the IIS logs.
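What such an analysis looks like, as an added example rather than anything from the original case: a parser for the IIS W3C extended log format (the default IIS 7 field set) and a check for the shape the attack leaves behind, a burst of retrieval requests from many addresses in which no single address ever exceeds the per-IP limit. The log lines are constructed, and the page path `/user/retrievepwd.aspx` is an assumed name for System A's retrieval page.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

RETRIEVE_PATH = "/user/retrievepwd.aspx"   # assumed path of System A's retrieval page
WINDOW = timedelta(minutes=10)

# Constructed sample: one legitimate retrieval, a 12-request burst from four
# addresses sharing a scripting User-Agent (three each, the per-IP limit), and
# one more legitimate retrieval hours later.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2011-03-01 02:00:01 10.1.1.5 GET /index.aspx - 80 - 198.51.100.8 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 15
2011-03-01 02:00:09 10.1.1.5 POST /user/retrievepwd.aspx - 80 - 198.51.100.8 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 47
2011-03-01 02:03:10 10.1.1.5 POST /user/retrievepwd.aspx - 80 - 203.0.113.10 Python-urllib/2.6 200 0 0 31
2011-03-01 02:03:11 10.1.1.5 POST /user/retrievepwd.aspx - 80 - 203.0.113.11 Python-urllib/2.6 200 0 0 30
2011-03-01 02:03:12 10.1.1.5 POST /user/retrievepwd.aspx - 80 - 203.0.113.12 Python-urllib/2.6 200 0 0 29
2011-03-01 02:03:13 10.1.1.5 POST /user/retrievepwd.aspx - 80 - 203.0.113.13 Python-urllib/2.6 200 0 0 31
2011-03-01 02:03:14 10.1.1.5 POST /user/retrievepwd.aspx - 80 - 203.0.113.10 Python-urllib/2.6 200 0 0 30
2011-03-01 02:03:15 10.1.1.5 POST /user/retrievepwd.aspx - 80 - 203.0.113.11 Python-urllib/2.6 200 0 0 32
2011-03-01 02:03:16 10.1.1.5 POST /user/retrievepwd.aspx - 80 - 203.0.113.12 Python-urllib/2.6 200 0 0 31
2011-03-01 02:03:17 10.1.1.5 POST /user/retrievepwd.aspx - 80 - 203.0.113.13 Python-urllib/2.6 200 0 0 30
2011-03-01 02:03:18 10.1.1.5 POST /user/retrievepwd.aspx - 80 - 203.0.113.10 Python-urllib/2.6 200 0 0 31
2011-03-01 02:03:19 10.1.1.5 POST /user/retrievepwd.aspx - 80 - 203.0.113.11 Python-urllib/2.6 200 0 0 29
2011-03-01 02:03:20 10.1.1.5 POST /user/retrievepwd.aspx - 80 - 203.0.113.12 Python-urllib/2.6 200 0 0 30
2011-03-01 02:03:21 10.1.1.5 POST /user/retrievepwd.aspx - 80 - 203.0.113.13 Python-urllib/2.6 200 0 0 31
2011-03-01 07:45:02 10.1.1.5 POST /user/retrievepwd.aspx - 80 - 198.51.100.9 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 44
"""


def parse_iis_w3c(text):
    """Parse IIS W3C extended log text into dicts keyed by the #Fields names.
    IIS writes '+' for spaces inside a field, so a plain split() is safe."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                records.append(dict(zip(fields, parts)))
    return records


def retrieval_windows(records):
    """Bucket POSTs to the retrieval page into fixed windows.
    Returns {window_start: (Counter of c-ip, Counter of User-Agent)}."""
    buckets = defaultdict(lambda: (Counter(), Counter()))
    for r in records:
        if r["cs-method"] != "POST" or r["cs-uri-stem"] != RETRIEVE_PATH:
            continue
        ts = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
        start = ts - (ts - datetime.min) % WINDOW
        ips, uas = buckets[start]
        ips[r["c-ip"]] += 1
        uas[r["cs(User-Agent)"]] += 1
    return buckets


def flag_distributed_probing(buckets, min_requests=10, per_ip_limit=3):
    """Flag windows where the retrieval page is hit far more than usual, yet no
    single address exceeds the per-IP limit: the signature of a rate limit being
    evaded with many sources. Returns [(window_start, total, distinct_ips,
    max_per_ip, top_user_agent)] in time order."""
    hits = []
    for start, (ips, uas) in sorted(buckets.items()):
        total, worst = sum(ips.values()), max(ips.values())
        if total >= min_requests and worst <= per_ip_limit:
            hits.append((start, total, len(ips), worst, uas.most_common(1)[0][0]))
    return hits


if __name__ == "__main__":
    for hit in flag_distributed_probing(retrieval_windows(parse_iis_w3c(SAMPLE_LOG))):
        print("window %s: %d retrieval POSTs from %d addresses, max %d each, top UA %s" % hit)
```

The submitted user name travels in the POST body, which IIS does not log, so the per-name pattern (exactly four tries and then silence) is only visible in application logs; the web server log still shows the volume, the number of distinct sources, the suspiciously tidy per-address count and the shared tool User-Agent.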
I would like to remind you not to focus solely on the code itself. Vulnerabilities in the business logic outside the code are just as fatal.