First, an overview When the network programming is more convenient, the system functions are getting stronger, but the security index is longed. This is probably the misfortune and sorrow of the network programming. Various dynamic content builds the environment prosperous WWW, their design goals are more convenient to give the final user more convenience to developers. Because of this, system designers and developers must express security issues as a considering factor, and it is difficult to play afterwards. From a secure perspective, the weaknesses of the server-side WWW application are derived from a wide variety of interaction capabilities and transport channels. They are tools that attackers can directly affect the system. When an attacker finds and utilizes system security vulnerabilities, they always bring pressure to system security. A common defense strategy to dealing with all these attacks is the so-called input verification. From the same level, there are two main designs that have caused security issues: • Battery access control, and assigns for deploying the environment. In the relevant security literature, there are many in-depth analysis for access control issues. Here we want to discuss the security management issues on the underlying implementation (code and configuration), the environment discussed is JSP. Alternatively, we will discuss the malicious user input to camouflage itself and change various methods for applying a scheduled behavior, consider how to verify the enterprise and reduce the unwelcome detection of information and application interfaces. Second, JSP Overview JSP technology allows Java code logic to be embedded within HTML and XML documents, bringing convenience to create and manage dynamic WWW content. The JSP page is processed by the JSP engine and converted into a Java servlet. If there is a request to the JSP page, the web server will use the corresponding servlet output result as a response. Although JSP and Servlet are functional, the JSP's dynamic content generation method is just in contrast: JSP is embedded in the document, rather than embedding the document into the Java application. To access external features and reusable objects, JSP provides additional tags for interacting with JavaBean components, which are similar to HTML tags. It is worth noting that HTML syntax belongs to a subset of JSP syntax (a pure HTML document is a legitimate JSP page), but it is not necessarily correct. In particular, the JSP allows for easy dynamically generating content and formats to embed other tags within the flag. For example, the following is a legal JSP code: It will be seen from this article that this structure adds the complexity of security issues. JSP has a better performance and session management (ie, session state persistence) mechanism compared to CGI. This mainly handles multiple servlet implementations by using Java threads within the same process, and CGI generally requires each request to create and remove a process, respectively. Third, security issues are completely open to the server resources, the unsafe servlet from the JSP page may give the server, the network, the network, access to any one or all of the client in the client, and pass DDoS or worm distributed attacks may also affect the entire Internet. It is often assumed that Java is a type of safe, garbage collection ability, a sandbox mechanism, which is miraculously guaranteed to ensure software security. And in fact, many low-level security issues existing in other languages, such as buffering or pile over, rarely bring harm to the Java program. However, this does not mean that people are difficult to write unsafe Java programs, especially for writing servlets. Verifying input and control of resources to resource is a problem that must be concerned. In addition, the JSP architecture is quite complex, including many sub-systems that cooperate with each other. Interaction between these subsystems is often the root cause of safety hazards.
In addition, although all JSP implementations are surrounded by Java, the JSP specification allows almost all other languages to play this role. In this way, the security issues of these alternative languages must also be considered. In short, the opportunity to generate security vulnerabilities in the JSP system is quite. Below we will discuss the most common part of them. Fourth, the general problem input by non-confidence user is not confidential user input actually contains all user inputs. User input is derived from the client, and you can reach the server side through many different ways, sometimes even camouflage. User inputs provided for JSP servers include (but not limited to): • Request URL parameter sections, • HTML forms submitted by POST or GET request, • Data, temporarily saved in the client (also cookie), · Database query , · The environment variables set by other processes. The problem entered by the user is that they are interpreted by the application of the server side, so an attacker can reach the purpose of the control server fragile part by modifying the input data. The fragile part of the server often manifests some data access points, which are marked by the user, or by performing an external program. JSP can call the local code (via JNI) saved in the library and perform external commands. The class Runtime provides an exec () method. The exec () method treats its first parameters as a command line that needs to be performed in a separate process. If some parts of this command string must be obtained from the user, the user input must first filter, ensuring that the commands executed by the system are unexpected. Even if the command string and the user input do not have any relationship, the necessary check is required when performing an external command. In some cases, an attacker may modify the execution of the server's environment variable affects the execution of the external command. For example, modify the PATH environment variable, let it point to a malicious program, and this malicious program disguised into the name of the program called the exec (). To avoid this hazard, it is a good habit to explicitly set the environment variable before any external call. The specific setup method is: In the exec () call, the array of environment variables as the second parameter, the elements in the array must be the Name = Value format. Similar problems also occur when the user enters any type of input / output stream used to identify the program. Access files, databases, or other network connections should not be rely on untruritable user input. In addition, after opening a stream, send the user into it directly to it is very unsafe. This is especially prominent for SQL queries. The JSP code segment of the JDBC API will be unsafe, because the attacker can embed the character's character in the input of his submit, thus achieving the purpose of performing the dangerous command: <% @ page import = "java.sql. *"% >
<% Statement stmt = connection.getStatement (); String query = "SELECT * FROM USER_RECORDS WHERE USER =" request.getParameter ( "username"); ResultSet result = Statement.executeQuery (query);%> If a partition contains username No., for example: http://server/db.jsp? Username = joe; select% 20 *% 20FROM% 20System_records Some versions of SQL Server ignore the entire query, but there are some versions of SQL Server will execute two commands. If it is the latter, an attacker can access database resources that have not been eligible (assuming the web server has access). Performing an appropriate input test prevents such problems. V. Input inspection From a secure point of view, the input test includes grammar checking the data from the external data source (not confidential data source, see the previous description), and sometimes semantic checks. Depending on the key degree of application and other factors, the action taken as input test results may be one or more of the following: • Ignore unsafe ingredients on the syntax, • Replace unsafe part with secure code, · Surperse Use the affected code, report error, and activate an intrusion monitoring system. The input test can be performed in one of the following two modes: Enumeral unsafe characters and reject them; define a set of secure characters, then exclude and reject unsafe characters. These two modes are called forward and reverse input filtration, respectively. In general, positive input is simpler and safe, because many times, it is not easy to list the server-side applications, client browsers, web servers, and operating systems that may be misunderstood. Please refer to the example below in this article "Attack Tag Implemented Attack" section, this example demonstrates how to avoid misunderstanding of the input content of malicious commit. 6. The sensitive data in the GET request and cookie is as defined in the CGI protocol, transmitting the request data from the client to the server side is the easiest way to request the GET request method. When using the GET request method, the input data is attached to the request URL, the format is as follows: URL [? Name = value [& name = value [& ...]]] Obviously, this encoding method is not to transmit sensitive data. Suitably, because in general, the entire URL and the request string use a communication channel in a clear text. All routing devices can log this information as with the server. If you want to transmit sensitive data in a customer request, we should use the POST method, plus a suitable encryption mechanism (for example, through an SSL connection). From the perspective of the JSP engine, it is largely, which transmission method is used insignificant because the process of the two is the same. During the development of WWW, Netscape introduced the concept of cookie. Cookies are a small amount of information saved to the client, and the server extracts this information to maintain a session state or track the activities of the client browser. JSP provides an addCookie () method for RESPONSE hidden objects to set cookies at the client; provide a request () object's getCookie () method to extract the cookie content. Cookies are an instance of a javax.servlet.http.cookie class.
For two reasons, if the sensitive data is saved to cookie, the security is threatened: First, all the content of cookie is visible to the client; second, although the browser generally does not provide forged cookie's ability, There is no thing to prevent users from using a fully fake cookie answering server. In general, the information submitted by any client browser cannot be assumed to be absolute security. 7. Attacks implemented by embedded tags Cert Advisory CA-2000-02 describe the issue of embedding malicious HTML tags in the request. This problem is generally called "cross site scripting" problem, but its name is not correct, because it is not only related to the script, but it does not have a special relationship with the "Cross Site). However, when this name appears, the problem has not been widely understood. Such an attack typically contains a path-sized script submitted by the user, or contains malicious HTML (or XML) tags, the JSP engine introduces these content into the dynamically generated page. This kind of attack may be performed for other users, or the server is not commonplace. A typical example of the "Cross Site Scripting" attack can be seen on the Forum server because these servers allow users to embed formatted tags in the article submitted. Typically, the abused tags are those that can embed the code to the page, such as
