1, injection

SQL injection : Program passing to background database SQL Time , Data submitted by users are directly spliced into SQL Statement and execute , To import SQL Injection attack .

Character injection : Black part is the problem parameter of splicing
select * from t_user where name='test' or '1' = '1';
Digital injection : Black part is the problem parameter of splicing ( For strongly typed languages , String conversion int Type throw exception . So this kind of injection usually occurs in php On isoweak type language .
select * from t_user where id=1;drop table t_userinfo;
Search injection : Guess the name of the table
select * from t_user where userName like ‘%test%' and 1=2 union select 1,2
from t_admin';
Repair method :

a, stay mybatis Used in # Treat parameter as a string , out of commission $ Symbol

b, stay JDBC Using precompiled method to bind parameters in , The details are as follows :
String userName = request.getParameter("userName"); String sql = "select *
from t_user where userName = ?"; JdbcConnection conn = new JdbcConnection();
PreparedStatement pstmt = conn.preparedStatement(sql);
pstmt.setString(1,userName);
2,XSS Cross site script attack ( Malicious embedding of script code into pages for other users )

Reflex type : Through the back end , Without database

Storage type : Back end through database

DOM type : Based on document object model DOM, By control url Parameter trigger

Repair method :

a, Background settings XSSFilter, inherit RequestServletWrapper class , Filter the controllable parameters in the front-end request

b, Server settings Http-only Security properties , Make browser control cookie No leakage

c, To introduce DOM Use of parameters in htmlEncodeByRegExp code , Use in the corresponding display box htmlDecodeByRegExp Decoding ( Common )
var HtmlUtil = { /*1. Implementation with regular expression html transcoding */ htmlEncodeByRegExp:function (str){ var s
= ""; if(str.length == 0) return ""; s = str.replace(/&/g,"&"); s =
s.replace(/</g,"<"); s = s.replace(/>/g,">"); s = s.replace(/
/g," "); s = s.replace(/\'/g,"'"); s = s.replace(/\"/g,""");
return s; }, /*2. Implementation with regular expression html decode */ htmlDecodeByRegExp:function (str){ var s =
""; if(str.length == 0) return ""; s = str.replace(/&/g,"&"); s =
s.replace(/</g,"<"); s = s.replace(/>/g,">"); s = s.replace(/ /g,"
"); s = s.replace(/'/g,"\'"); s = s.replace(/"/g,"\""); return s; } };
3, Sensitive information disclosure

Leakage caused by procedures :

* Server returns redundant sensitive data : User only applies for information of a single account , But it returns information of multiple users
* Write sensitive information directly in the comments on the front page
* The password written in the configuration file is not encoded
* Request parameter sensitive information not desensitized ( Data can be used in the front end RSA encryption , Decryption in the background )
* Sensitive information displayed on the front end , No desensitization in the background ( Data processing in the background , The middle part can be replaced by a number )*
4, Ultra vires ( The attacker can execute the permission that he is not qualified to execute )

Horizontal ultra vires : Permission type unchanged , jurisdiction Id change ( Users in the same role , Not only can you access your own private data , Access to other people's private data ).

Vertical ultra vires : jurisdiction ID unchanged , Permission type change ( That is to say, there are some ways for low authority roles , Ability to gain high authority ).

Cross and ultra vires : The intersection of the two above

Repair method :

Perform authentication according to the user information carried by the request , Match user role and Data permission for user information carried by current request .

Function of each important operation , Authority judgment is performed at each stage of step-by-step operation . Interrupt operation if insufficient permission .

5, File download

Any file download : Download any file from the server ,web Business code , Specific configuration information of server and system , You can also download the database configuration information , And the information detection of the intranet, etc .

File download beyond authority .

Repair method :

a, Repair for any file download , Add a direct comparison between the absolute path at the upper level of the file currently requested to be downloaded and the path allowed to be downloaded in the configuration file (file.getCanonicalFile().getParent() Get the absolute path of the upper level )

if(!file.getCanonicalFile().getParent().equals(newFile(Constants.TMP_PATH).getCanonicalPath())){
return ; }
b, File download beyond authority : Allow to judge the user information brought by the request before downloading , Have enough permission to download .

6, File upload

A network attacker uploads an executable file to the server and executes . The files uploaded here can be Trojans , virus , Malicious script or WebShell etc .

Repair method :

a, client , Server whitelist verification ( Blacklist is not recommended ), Client verification is not secure enough , It's easy to get around .
String fileName = file.getOriginalFilename(); String extName =
fileName.subString(fileName.lastIndexof(".")+1);
Get the suffix of the uploaded file , And compare with the suffix on the white list , Pass allowed if included in the white list , Direct interrupt request if not included .

b,MiME Type test : When the file is uploaded, the browser will Header Add to MIMETYPE Identify document type , The server needs to detect this .
String mime = file.getContentType();// Get file's ContentType Type value
Same as on the white list contentType Type name for comparison , Pass allowed if included in the white list , Direct interrupt request if not included .

c, Document content detection : Read different file content streams in different ways .
BufferedImage image = ImageIO.read(file.getInputStream());
7,CSRF

Cross-site request forgery , complete CSRF attack , Two steps are required :

* Sign in to a trusted site A, And build locally cookie;
* No sign out A In the case of , Visit the danger website B.
CSRF Essential cause :

Web Implicit authentication mechanism of .Web Although the authentication mechanism can guarantee that the request comes from the user's browser , However, there is no guarantee that the user approves the .

Repair method :

CSRF
Token check : Add a hidden For storage token field , Carry when request is sent token To server , Server verification token Is the value accurate . Inaccurate direct interrupt operation .

​ Source network , For learning purposes only , In case of infringement , Contact delete .

Technology
©2019-2020 Toolsou All rights reserved,
TP6 Application examples of verifier and correct verification data ESP8266/ESP32 System : Optimize system startup time 2021 year 2 Chinese programming language ranking 2021 year 1 Monthly programmer salary statistics , average 14915 element CSS architecture design It's not depravity that's terrible , It's about knowing you're falling Gude Haowen serial - You deserve to be an engineer ( Preface ) Software testing BUG describe C Course design of language programming of 《 Student achievement management system 》vue In the project axios Global encapsulation of