Website common three kinds of vulnerabilities attack and prevent the introduction of the weapon

Intermediary transaction http://www.aliyun.com/zixun/aggregation/6858.html ">seo diagnose Taobao guest cloud host technology Hall

Hacker organizations or individuals at home and abroad for the benefit of stealing and tampering with the network information, has become an indisputable fact, in the constant to the units and individuals caused by economic losses, we should also note that these threats are mostly based on web site attacks, in the cause of irreparable damage to us before, We need to introduce several common web site vulnerabilities, as well as these vulnerabilities to prevent the method, the purpose is to help the vast number of web site managers to clean up the security of thoughts, to find the current focus on prevention, to maximize the avoidance or reduce the threat of loss.

1. SQL Statement Vulnerability

That is, SQL injection, by inserting the SQL command into the Web form to submit or enter the domain name or page request query string, and finally to deceive the server to execute malicious SQL commands, such as many of the previous film and television sites leaked VIP membership password is mostly through the Web Form submitted query characters, This type of form is particularly vulnerable to SQL injection attacks.

Effective means of prevention: the general approach to SQL injection problem is the principle of minimum account permissions. The following methods are recommended for use:

Perform necessary checks on user input information

Convert or filter some special characters

Using Strong data types

Limit the length of user input

Note: These checks are to be run on the server, and anything that client submits is untrusted. Using stored procedures, if you are sure you want to use SQL statements, build your SQL statements in a standard way. For example, you can use the parameters object to avoid using strings to directly spell SQL commands. When SQL runs incorrectly, do not display all the error messages returned by the database to the user, and the error message often discloses some details of the database design.

2, the website hangs the horse

Hanging a horse is in someone else's computer (or Web server) embedded in the Trojan horse program to steal some information or control the horse's computer to do some illegal activities (such as attacking the Web site, transmission virus, delete information, etc.). The website hangs the horse is in the webpage source code to add some codes, uses the flaw to realize the automatic downloading Trojan horse to the machine. The form of the website hanging horse can be divided into frame hanging horse, database hanging horse, backstage hanging horse, server hanging Horse and other forms of hanging horse way.

Effective means of prevention: to prevent the site is hanging horse, you can take the prohibition of writing and directory ban on the implementation of functions, the combination of these two functions can effectively prevent ASP Trojan horse. In addition, the webmaster upload some data through FTP, maintenance Web pages, as far as possible do not install ASP upload program. This is often affected by ASP Trojan site, there will be some help. Of course, the use of professional Trojan Horse tool is also a good protection measures.

Note: The user name and password for administrator privileges must be complex and allow only trusted people to use the upload program.

3. XSS Cross-station attack

XSS is also called CSS (Cross Site script), a passive attack, cross-site scripting attacks. It refers to a malicious attacker inserting malicious HTML code into a Web page (an attacker would sometimes add some to the page.) JS or. vbs is the code for the rear name, and when the user browses to the page, the HTML code embedded in the web will be executed to achieve the special purpose of the malicious user.

Effective means of prevention: the prevention of XSS Cross-site attack is divided into the site and the individual respectively.

For web sites, never trust any user to input and filter all special characters, which eliminates most XSS attacks.

For individuals, the best way to protect yourself is to just click on the link on the website that you want to visit. Sometimes XSS does this automatically when you open an e-mail message, open an attachment, read a message board, read a forum, and when you open an e-mail message or read a post in a public forum that you don't know. The best solution is to turn off the Javascript functionality of the browser. The security level can be set to the maximum in IE to prevent cookies from being stolen.

In fact, the above three kinds of web site attacks is currently more popular and common, and the means of prevention for professional website managers, just experience, but we are very clear that the Web site vulnerabilities emerge, whether timely defense, repair, is the site can be a safe operation of the determinants. Manual repair by technicians alone is impossible to do everything, the need for the vulnerability of the site more sensitive software to effectively protect the security of the site. The author as a 51CTO security channel guest Experts also know this point, here to the vast number of Web site management and operators to recommend a higher cost-effective software: Uniswebscanner.

This site security scanner is currently used in the market is more extensive, but also is a good web security products, compared to foreign web security scanning products, uniswebscanner speed, can closely track the latest domestic trojan, to achieve rapid response and timely updating ability; The reason why I recommend to the vast number of 51CTO users, more important is that the Uniswebscanner scan results are very accurate, and does not contain malware and adware, I believe this is important for many web site managers.

The software is mainly for the vulnerability assessment of web Security Intelligent detection System, the integration of the current types of popular web attacks, such as Web page horse attack, SQL injection vulnerabilities, Cross-site scripting attacks, is a multi-year research accumulated experience. Uniswebscanner is suitable for large, medium and small enterprises, such as finance, securities, government, electronic commerce, telecom operators, funds, net games, scientific research institutes, etc.