Writing security Scripts V1.0 (2)

Source: Internet
Author: User
Tags: header, relative, setcookie, valid in domain
2.2 Cookie problems
2.2.1 Concept introduction
As defined in Netscape's official documentation, a cookie is a way for a server or script to maintain information on the client workstation under the HTTP protocol. A cookie is a small file that the Web server stores on the user's browser; it can contain information about the user (such as an identification number, a password, how the user shops on the Web site, or how many times the user has visited the site). The Web site can read the cookie information whenever the user connects to the server.

In plain terms, browsers support cookies through one or more restricted files. On machines running Windows these are called cookie files; on Macintosh machines they are called magic cookie files. Web sites use them to store cookie data. A Web site can insert information into these cookie files, which has side effects for some network users. Some users believe this violates their privacy; worse, some consider cookies an encroachment on personal space and a security hazard to the user's computer.

Some cookies are temporary and others are persistent. A temporary cookie is kept in the browser only for a specified time; once that time is exceeded the system clears it. In PHP, for example, such cookies are used to track a user's session until the user leaves the site. A persistent cookie is saved in the user's cookie file, and it can still be read the next time the user returns.

To understand cookies you need to know how they work. In general, cookies are returned from the server side to the browser via HTTP headers. First, the server creates a cookie in its response using the Set-Cookie header; the browser then includes the created cookie in its subsequent requests via the Cookie header, returning it to the server so that the browser can be identified. For example, suppose we create a cookie named login to hold the visitor's information. When the cookie is created, the server-side header looks like the one shown below, assuming the visitor's registered name is "Michael Jordan" and that the cookie's attributes such as path, domain and expires are specified:

Set-Cookie: login=michael jordan; path=/; domain=msn.com; expires=Monday, 01-Mar-99 00:00:01 GMT

The header above automatically adds a record to the cookie file on the browser-side computer: the browser assigns the value "michael jordan" to the cookie named login. Note that during the actual transfer the cookie value is URL-encoded (the UrlEncode method).

After the HTTP header carrying the cookie value has been saved to the browser's cookie file, the header tells the browser to return the cookie to the server on every later request that matches its path, which completes the identification of the browser.

In addition, some of the cookie's attributes are used to restrict where it may be used. For example, the domain attribute restricts which hosts the browser sends the cookie to; in the example above, the cookie is only sent to the specified server and never to other Web sites such as www.hp.com. The expires attribute specifies how long the cookie is kept; the cookie above is stored in the browser only until one second past midnight on March 1, 1999. Of course, if the number of cookies in the browser exceeds the limit allowed by the system, the browser deletes some of them automatically. The path attribute specifies for which directory paths the cookie is sent to the server.

Note: once the browser has stored a cookie, it includes the cookie in the header of every request to that site, but never sends it along with requests to other Web sites. The browser keeps sending it until the cookie expires.

2.2.2 Key method
setcookie: sends cookie information to the browser.
Syntax: int setcookie(string name, string value, int expire, string path, string domain, int secure);
Return value: integer
This function sends a small message string to the browser as an HTTP header. Because headers go out before the HTML data, the cookie must be set before any output is sent. All parameters of this function except the first, name, may be omitted. name is the name of the cookie; value is the cookie's value, and an empty string cancels the cookie held in the browser; expire is the cookie's valid time; path is the relative path for which the cookie is valid; domain is the Web site for which the cookie is valid; secure makes the cookie valid only over a secure HTTPS transmission. For more information on cookies see http://www.netscape.com/newsref/std/cookie_spec.html, the complete specification provided by Netscape, the creator of cookies.
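As an added example (not code from the original article), the scoping rules described above for the Set-Cookie header and for the path, domain and expire parameters of setcookie, written out in Python: the header is parsed, the URL-encoded value is decoded, and the browser's decision whether to send the cookie to a given host and path is reproduced. The sample header and request times are constructed for this demo.

```python
from datetime import datetime, timezone
from urllib.parse import unquote

# Constructed sample: the article's header, with the value URL-encoded as it is on the wire.
SAMPLE_HEADER = ("login=michael%20jordan; path=/; domain=msn.com; "
                 "expires=Monday, 01-Mar-99 00:00:01 GMT")
# Constructed request times, one before and one after the expires attribute.
CLOCK_BEFORE = datetime(1999, 2, 1, tzinfo=timezone.utc)
CLOCK_AFTER = datetime(1999, 3, 2, tzinfo=timezone.utc)


def parse_set_cookie(header):
    """Split a Set-Cookie header into name, URL-decoded value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, raw_value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": unquote(raw_value.strip())}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    if "expires" in cookie:
        # Netscape-style date: "Weekday, DD-Mon-YY HH:MM:SS GMT"
        cookie["expires"] = datetime.strptime(
            cookie["expires"], "%A, %d-%b-%y %H:%M:%S GMT").replace(tzinfo=timezone.utc)
    return cookie


def would_send(cookie, host, path, now):
    """True if a request to host+path at time `now` would carry this cookie."""
    if "expires" in cookie and now >= cookie["expires"]:
        return False  # expired: the browser has already discarded it
    domain = cookie.get("domain", host).lower().lstrip(".")
    host = host.lower()
    # domain=msn.com matches msn.com and any host under it, never www.hp.com
    if host != domain and not host.endswith("." + domain):
        return False
    # path=/ covers every request path; path=/shop would cover /shop and below
    return path.startswith(cookie.get("path", "/"))
```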

For Web site members there is often a need to register and to authenticate repeatedly, for instance in the forums and communities we use all the time; these generally pass the authentication parameters either in cookies or in input type=hidden fields. This carries a few hidden dangers:

I. The content set by setcookie must contain the complete account and password, or equivalent complete security information. If it carries only the account information, or uses some kind of authorization flag for authentication, it is very easy to cause an illegal intrusion. For example, one site's member update page used two pieces of authentication information, username and UID (both transferred in plaintext), and the UID is known to be unique for each member. Because you only need to know the other party's account and UID to change that party's information (no need to know the password!), as long as the attacker knows the UID (which can be obtained by brute-force guessing, and sometimes the site itself leaks users' UIDs, for example in forums), the attacker can then walk through UIDs and change the information of any account.

II. Every page that requires privileges to operate must perform an authentication check. If any page omits this check, it may give an attacker an opportunity for malicious intrusion.

III. Many Web sites store the user name and password in cookies for convenience, and some even save the password in clear text. If an attacker can access the user's host, the user name and password may be obtained from the saved cookie file.
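As an added example (not from the original article), the forgeable username + UID cookie of hidden danger I next to a tamper-evident version. Both carry the same two fields; the second adds an HMAC-SHA256 tag keyed with a server-side secret, so a changed UID is rejected, and because the tag proves the server issued the cookie, no password needs to be stored in it (the point of hidden danger III). HMAC signing is not something the article mentions; it is the standard fix, shown here with a constructed secret.

```python
import hashlib
import hmac

# Constructed secret; a real deployment keeps it out of the script source (cf. section 3).
SERVER_SECRET = b"example-secret-keep-out-of-source"


def plain_cookie(username, uid):
    """The weak scheme: plaintext fields that the update page accepts at face value."""
    return f"username={username}; uid={uid}"


def parse_plain_cookie(cookie):
    """No check at all: whatever UID is in the cookie is the UID that gets updated."""
    fields = dict(part.strip().split("=", 1) for part in cookie.split(";"))
    return fields["username"], int(fields["uid"])


def signed_cookie(username, uid):
    """Same two fields plus an HMAC-SHA256 tag over them, keyed with the server secret."""
    payload = f"{username}:{uid}"
    tag = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def verify_signed_cookie(cookie):
    """Return (username, uid) if the tag matches, else None (tampered or forged)."""
    try:
        username, uid, tag = cookie.rsplit(":", 2)
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, f"{username}:{uid}".encode(),
                        hashlib.sha256).hexdigest()
    # constant-time comparison so the check itself leaks nothing about the tag
    if not hmac.compare_digest(tag, expected):
        return None
    return username, int(uid)
```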

3. Script protection issues
3.1 Concept introduction
When writing programs, a good programmer knows that meaningful variable and file names make the program more readable and are part of good style. That is fine in general, but it is not very appropriate for scripting languages: to stop malicious users from guessing your variable names, database names and other such information, you must strip that information out. A dynamic Web page executed on the server side returns only the result of the executed code to the client, which protects much of the server-side information that you do not want, or cannot allow, the viewer to know. But security is relative, and new vulnerabilities are discovered every day. What do you do if a malicious user finds a vulnerability that lets them read your script source code before you know about it, or if the vulnerability cannot be patched for a while?
3.2 Key ideas
It is recommended to use unusual names and to delete the comments in the script. If you still need to keep the program readable, you can create a mapping: write a script with good style, then map its variable names to produce a script with more secure naming, remove the comments and every other piece of information that can be removed from that script, and keep the two in sync whenever you modify it.
We can also encrypt the program before it is deployed, so that our own program stays protected even if the underlying system is compromised.
3.3 Protection methods

I have seen many good encryption methods for scripts: some use specialized encryption software, others use tricks combined with language features, such as randomly generating a key, putting the key in an "invisible" place, and decrypting the script through some algorithm. But if a system vulnerability causes your script source code to leak, these are of no use either.

4. Example description
The following example is often mentioned on the Internet; it is a very classic example, so it is used here to show you the potential danger.
Problem description:
Most Web sites keep passwords in the database and use SQL like the following for login verification (ASP, for example):
sql = "SELECT * FROM user WHERE username='" & username & "' AND pass='" & pass & "'"
At this point you simply construct a special user name and password based on the SQL, such as: ben' or '1'='1
and you can get to a page you have no privilege for. Let's look at the statement above:
sql = "SELECT * FROM user WHERE username='" & username & "' AND pass='" & pass & "'"
If you construct a special user name and password such as ben' or '1'='1, the program ends up executing this:
SELECT * FROM user WHERE username='ben' or '1'='1' AND pass='<pass>'
"or" is a logical operator: when either of its conditions is true, the whole expression holds. So in this statement the original "and" check no longer matters, because '1'='1' is always true and the "or" makes the expression true...

Alternatively, we can construct the following user name and password:
username = 'aa' or username<>'aa'
pass = 'aa' or pass<>'aa'
That is, in the browser's user name box you type: aa' or username<>'aa, and in the password box: aa' or pass<>'aa (note that there is no ' at either end of the string). This lets you successfully fool the system and get in.
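As an added example (not from the original article), the ASP login query above rebuilt in Python against an in-memory SQLite table, once by string concatenation exactly as the article's sql line does, and once with a parameterized query, the fix for it. The table, its single row and the inputs are constructed for this demo; both injected inputs from the text are exercised against each version.

```python
import sqlite3


def make_db():
    """Constructed user table with one account; mirrors the article's `user` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT, pass TEXT)")
    conn.execute("INSERT INTO user VALUES ('ben', 'correct horse')")
    return conn


def login_concat(conn, username, pass_):
    """Vulnerable: the same string concatenation as the ASP line in the text.

    Whatever the user typed becomes part of the SQL, so ben' or '1'='1 rewrites the
    WHERE clause and the password check is no longer decisive.
    """
    sql = ("SELECT * FROM user WHERE username='" + username
           + "' AND pass='" + pass_ + "'")
    return conn.execute(sql).fetchall()


def login_param(conn, username, pass_):
    """Fixed: placeholders. The driver sends the values separately from the SQL text,
    so quotes and keywords in the input are compared as data, never parsed as SQL."""
    sql = "SELECT * FROM user WHERE username=? AND pass=?"
    return conn.execute(sql, (username, pass_)).fetchall()
```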

The approach is this: first I go to the registration page to collect information, learning as much as possible, such as what kind of user information the target database holds. I fill in some information at random and submit it; if the user name you try to register is already taken, the system prompts that it has been registered. Some sites do better, that is, they
