Writing Secure Scripts V1.0 (page 1 of 3): ASP Basics

Source: Internet
Author: User
Tags: servervariables
Basic ideas:
Write a separate program page for each function.
Let clients learn as little as possible about your server-side setup.
Do not design around what the client "should" enter.
Think as much as possible about what seems impossible.
1. Possible problems with interactive dynamic web pages
1.1 Form-type interaction
1.1.1 Introduction to the concept
When we interact with the visitor, the most commonly used mechanism is the form (POST/GET/PUT methods). It is very convenient, but a great many problems come from it.
The input fields of a form are used to accept information entered by the user, such as user name, password, e-mail and so on. If you do not check user input properly, a malicious user can defeat some of the security mechanisms of your system and bypass authentication. For example, entering standard HTML or JavaScript in an input box changes the output. What happens when someone enters a standard HTML tag in an input box? Take a guestbook: if the visitor enters <font size=10>Hello!</font> as the message and your program does not screen out HTML tags, the "Hello" is displayed at that font size. Changing the font size and style in a guestbook is sometimes not a bad thing; it can liven up the messages. But what if the visitor writes an endless JavaScript loop into the input box, for example:
<a href="http://someurl" onmouseover="while(1){window.close('/')}">The 10,000th soul-stirring one</a>
Then any visitor who reads the guestbook and merely moves the mouse over "The 10,000th soul-stirring one" has their browser hang in the endless loop.
1.1.2 Main points of precaution
(1) Filter special characters
s/([\&;\`'\\\|"*?~<>^\(\)\[\]\{\}\$\n\r])/\\$1/g
This is the most basic measure and has been mentioned more than once in many places (it is a Perl substitution that prefixes each of the listed shell metacharacters with a backslash). The client-side checks below catch empty fields before the form is submitted:
<script language="VBScript">
Sub uBotton_onclick
    ' 0+32 = OK button plus exclamation icon
    If form1.uUserName.value = "" Then
        MsgBox "Your name cannot be empty!", 0+32, "Oh! Not yet."
        form1.uUserName.focus
        Exit Sub
    End If
    If form1.uPassword.value = "" Then
        MsgBox "Your password cannot be empty!", 0+32, "Oh! Not yet."
        form1.uPassword.focus
        Exit Sub
    End If
    form1.submit
End Sub
</script>
<script language="JavaScript">
function IsEmpty(objname)
{
    var str = document.inputform[objname].value;
    // strip leading and trailing white space, then test whether anything is left
    var tmpstr = str.replace(/^\s*/, "");
    tmpstr = tmpstr.replace(/\s*$/, "");
    return (tmpstr.length == 0);
}
function Check()
{
    var errors = "";
    if (IsEmpty("username")) errors += "User name cannot be empty.\n";
    if (IsEmpty("password")) errors += "Password cannot be empty!\n";
    if (errors != "")
        alert(errors);
    return (errors == "");
}
</script>
(2) Limit the length of the input
(3) Anticipate as many mistakes as possible and build in error traps
(4) Use controls like the following as much as possible, to reduce the opportunity for free-form user input:
<input type="checkbox" name="checkbox" value="checkbox">
<select name="select"></select>
<input type="radio" name="radiobutton" value="radiobutton">
1.2 POST/GET-type interaction
1.2.1 Introduction to the concept
The main problem with this type is that visitors can interact with the server by appending parameters to the script page's URL in the browser's address bar, which bypasses the input checks on the client-side submission page. In addition, an over-long parameter or maliciously crafted code entered in the address bar can cause the server to run abnormally, resulting in server downtime or a buffer overflow.
1.2.2 Main points of precaution
(1) Try not to let visitors learn the name of your processing (submission) page.
(2) Do not allow parameters to be submitted through the address bar.
For example, in an ASP program use Request.ServerVariables("QUERY_STRING") to detect parameters and, if any are present, use Response.Redirect() to force the visitor to a page you specify, which can be the home page or a warning page you made yourself.
(3) When passing parameters between script pages, do not show them in the browser's address bar; let visitors learn as little as possible about your program's rules, parameter names and so on.
For example, in ASP the Request.Form and Request.QueryString collections serve the POST and GET methods respectively. Try not to use the Request.QueryString collection, so that visitors have as few opportunities as possible to interact with your program in unintended ways.
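The precautions of 1.1.2 and 1.2.2 combined in one server-side guestbook handler. This is an added example, not code from the article: it assumes a form that posts fields named username and message, a home page called index.asp, and the length limits shown, all chosen for illustration. It goes a little beyond the text by using Server.HTMLEncode on output, which is what actually neutralises the <font> and onmouseover examples from 1.1.1 even when a special character slips past the input filter.

```vbscript
<%@ Language=VBScript %>
<% Option Explicit
' Added example (not the article's code). Assumed names: form fields
' "username" and "message", home page index.asp, limits below.
Const MAX_NAME_LEN = 20
Const MAX_MSG_LEN  = 500

' 1.2.2 (2): accept only a POST whose query string is empty
Function IsCleanPost()
    IsCleanPost = (Request.ServerVariables("REQUEST_METHOD") = "POST") And _
                  (Request.ServerVariables("QUERY_STRING") = "")
End Function

' 1.1.2 (1): true when the value contains any character from the filter list above
Function HasSpecialChars(value)
    Dim re
    Set re = New RegExp
    re.Pattern = "[&;`'\\|""*?~<>^()\[\]{}$\n\r]"
    HasSpecialChars = re.Test(value)
End Function

' 1.1.2 (1)-(3): repeat the checks on the server; the client-side script can be bypassed
Function ValidateInput(name, message, ByRef errmsg)
    errmsg = ""
    If Len(name) = 0 Then errmsg = errmsg & "User name cannot be empty. "
    If Len(name) > MAX_NAME_LEN Then errmsg = errmsg & "User name is too long. "
    If HasSpecialChars(name) Then errmsg = errmsg & "User name contains invalid characters. "
    If Len(message) = 0 Then errmsg = errmsg & "Message cannot be empty. "
    If Len(message) > MAX_MSG_LEN Then errmsg = errmsg & "Message is too long. "
    ValidateInput = (errmsg = "")
End Function

If Not IsCleanPost() Then
    Response.Redirect "index.asp"   ' 1.2.2 (2): send address-bar visitors to the home page
End If

Dim username, message, errmsg
' 1.2.2 (3): read Request.Form only, never Request.QueryString
username = Trim(Request.Form("username"))
message  = Trim(Request.Form("message"))

If Not ValidateInput(username, message, errmsg) Then
    Response.Write "<p>" & Server.HTMLEncode(errmsg) & "</p>"
Else
    ' Server.HTMLEncode turns < > & " into entities, so <font size=10> or an
    ' onmouseover attribute in the message is shown as text, not interpreted
    Response.Write "<p><b>" & Server.HTMLEncode(username) & ":</b> " & _
                   Server.HTMLEncode(message) & "</p>"
End If
%>
```

The message body is deliberately not passed through HasSpecialChars: a guestbook entry legitimately contains punctuation, so for free text the length limit plus encoding on output is the check that matters, while the short user name can be restricted to a safe character set.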
2. Security authentication issues
2.1 Possible problems needing security authentication: password authentication
2.1.1 Introduction to the concept
Today's popular CGI applications tend to collect credit card information. Collecting data is a simple task for a CGI application, but collecting sensitive information requires a secure way to transfer it from the browser to the server and the CGI program.
For example, suppose I want to sell books over the Internet. I might create a form in the browser that lets the person who wants to buy a book submit personal information and a credit card number. After receiving this information, I store it on my computer as a business record.
If someone breaks into my business computer, they may access the confidential data that holds the customer information and credit card numbers. To avoid this, I review my computer's configuration for security and make sure that the CGI script that accepts the form cannot be maliciously manipulated. In other words, as the computer's system administrator and CGI programmer, I try to control the first problem: preventing the information from being stolen directly from my computer.
However, how do I prevent someone from stealing the information while it is being sent from the client to the server? Remember how the Web server hands information to the CGI program: the information first travels across the network from the browser to the server, and then the server passes it to the CGI program. The information may be intercepted on its way from the client to the server (Figure 2). Note that to protect the information from being stolen in transit, it must be encrypted between the client and the server. Of course, a CGI program cannot apply any particular encryption if the client does not understand it.
Because of the way Web processing works, the only way to use a secure processing protocol of your own through a CGI program alone is to encrypt the form information in the browser before it is sent to the server. Until recently it was almost impossible to develop such a security protocol yourself. Thanks to languages such as Java, recent innovations in client-side processing have made this possible. The method is to produce a Java interface as an extension of the standard HTML form. When the Java submit button is selected, the Java applet encrypts the values before sending them to the Web server in a standard POST HTTP request.
Using Java as the client to send and receive encrypted data lets you use your own customized encryption scheme without needing an expensive commercial server.
Therefore, transmitting data securely and confidentially over the network requires adjusting the communication path between the browser and the server, part of which cannot be controlled by CGI alone. There are currently two proposed types of encrypted client/server information processing: SSL (Secure Sockets Layer) and SHTTP (Secure HTTP), proposed by Netscape and EIT (Enterprise Integration Technology) respectively. At this point it is not clear which will become the standard; many companies have adopted both in their servers. Therefore, knowing how to write CGI programs for both is very useful.
SSL is a protocol-independent encryption scheme that provides a secure channel between the application layer and the transport layer of the network stack (refer to Figure 5). In short, HTML or CGI output is encrypted by the server behind the scenes, transparently to the authors of the HTML and CGI.
Because the client-side and server-side network software handles the encryption, almost none of your CGI scripts need to be modified for secure transactions. There is one notable exception: an NPH (no-parse-header) script bypasses the server and communicates directly with the client. NPH CGI scripts are therefore not protected, because their output is never encrypted by the server. One CGI application affected by this that is worth noting is Netscape server-push animation. I suspect that in most cases this is of little consequence; in any case it is more reasonable to sacrifice the animation in a page for the sake of transmitting sensitive information securely.
SHTTP takes a different approach from SSL. It works by extending the HTTP protocol (the application layer), which sits above the lower layers. Therefore, while SSL can be applied to all network services, SHTTP is a Web-specific protocol.
There are other advantages as well. As an extension of HTTP, SHTTP is fully compatible between HTTP and SHTTP browsers and servers, whereas to use SSL you must have both an SSL-enabled browser and an SSL-enabled server. SHTTP is also a more flexible protocol: for example, the server can specify the preferred encryption scheme.
SHTTP processing relies on additional HTTP headers. So if you want your CGI program to use SHTTP encryption, you need to include the appropriate headers. For example, rather than returning only the simple HTTP header

Content-type: text/html

you add the appropriate SHTTP headers after it. When an SHTTP server receives this information from a CGI application, it knows to encrypt the information before sending it to the browser. A browser that is not SHTTP-aware ignores the additional headers.
For more information on using SHTTP, please refer to the SHTTP manual:
Http://www.commerce.net/information/standards/drafts/shttp.txt
2.1.3 Script analysis
Below is a fragment of an ASP script I wrote earlier, with some changes. I am putting it out so everyone can see the checks I added and where they are still not good enough. I will not say more about it here; if you are interested, you can discuss it on my forum.
<!--#include file="conn.asp"-->
<%
Dim errmsg, founderror, username, password, rstmp
founderror = False
If Request.Form("username") = "" Then
    errmsg = "User name cannot be empty"
    founderror = True
Else
    username = Request.Form("username")
End If
If Request.Form("password") = "" Then
    errmsg = "Password cannot be empty"
    founderror = True
Else
    password = Request.Form("password")
End If
If founderror = True Then
    ShowAnnounce errmsg
Else
    Set rstmp = Server.CreateObject("ADODB.Recordset")
    If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
        ' doubling single quotes stops a quote in the user name from ending the SQL string literal
        rstmp.Open "SELECT * FROM User WHERE username='" & Replace(username, "'", "''") & "'", conn, 3, 3
        If rstmp.BOF Then
            ' no such user yet: register and log in
            Session.Contents("UserName") = username
            rstmp.AddNew
            rstmp("username") = username
            rstmp("UserPassword") = password
            rstmp("logins") = 1
            rstmp("online") = 1
            rstmp.Update
            rstmp.Close
            Set rstmp = Nothing
            Response.Redirect "index.asp"
        ElseIf password <> rstmp("UserPassword") Then
            errmsg = "Wrong password."
            founderror = True
            rstmp.Close
            Set rstmp = Nothing
            ShowAnnounce errmsg
        Else
            Session.Contents("UserName") = username
            rstmp("logins") = rstmp("logins") + 1
            rstmp("online") = 1
            rstmp.Update
            rstmp.Close
            Set rstmp = Nothing
            Response.Redirect "index.asp"
        End If
    End If   ' the script continues on the next page; the closing statements from here on are assumed
End If
%>
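The script above builds its SELECT by concatenating the submitted user name into the SQL text, so a quote or other special character in the name becomes part of the statement rather than data. Below is the same login lookup rebuilt with a parameterised ADODB.Command. This is an added example, not the article's script: it assumes conn (from conn.asp) is an open ADODB.Connection, that the User table has the columns the article uses, and that ShowAnnounce is the article's own helper; it covers the login path only and leaves out the article's automatic registration of unknown users.

```vbscript
<!--#include file="conn.asp"-->
<%
' Added example (not the article's code). Assumed: conn is an open
' ADODB.Connection from conn.asp, ShowAnnounce is the article's helper.
Const adVarChar = 200      ' ADO DataTypeEnum
Const adParamInput = 1     ' ADO ParameterDirectionEnum
Const MAX_NAME_LEN = 50    ' chosen for illustration; match the column width

' Look up one user by name. The name is bound as a parameter, so it can never
' alter the SQL text. Returns a forward-only recordset (EOF when not found).
Function FindUser(conn, username)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "SELECT UserPassword FROM User WHERE username = ?"
    cmd.Parameters.Append cmd.CreateParameter("username", adVarChar, adParamInput, MAX_NAME_LEN, username)
    Set FindUser = cmd.Execute
End Function

' Record a successful login as the article does, again through a parameter
Sub RecordLogin(conn, username)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "UPDATE User SET logins = logins + 1, online = 1 WHERE username = ?"
    cmd.Parameters.Append cmd.CreateParameter("username", adVarChar, adParamInput, MAX_NAME_LEN, username)
    cmd.Execute
End Sub

' Section 1.2.2: accept only a POST with nothing in the address bar
If Request.ServerVariables("REQUEST_METHOD") <> "POST" Or Request.ServerVariables("QUERY_STRING") <> "" Then
    Response.Redirect "index.asp"
End If

Dim username, password, rs, ok
username = Trim(Request.Form("username"))
password = Request.Form("password")
ok = False

' Section 1.1.2 (2): length limits enforced on the server, not just in the browser
If Len(username) = 0 Or Len(username) > MAX_NAME_LEN Or Len(password) = 0 Then
    ShowAnnounce "User name and password are required."
Else
    Set rs = FindUser(conn, username)
    If rs.EOF Then
        ShowAnnounce "Unknown user name."
    ElseIf rs("UserPassword") <> password Then
        ShowAnnounce "Wrong password."
    Else
        ok = True
    End If
    rs.Close
    Set rs = Nothing
End If

If ok Then
    Session.Contents("UserName") = username
    RecordLogin conn, username
    Response.Redirect "index.asp"
End If
%>
```

The two distinct failure messages mirror the article's script; a single generic "user name or password is wrong" message tells a visitor less about which accounts exist, which fits the basic idea at the top of the page of revealing as little as possible.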