Author: lanker
Article Source: www.cnwill.com
Today's security issues, such as SQL injection, cross-site scripting attacks, and other attacks, affect the entire security community.
Network security has become more important, and many hosts still suffer from these problems, so here we discuss how to reduce losses by writing web programs securely.
Looking at the security threats to web hosts, most of them come from web scripts, so let's talk about how to prevent these attacks.
1. To reduce development time, many sites now use third-party programs for part or all of the site. This is undoubtedly a good way to save time, but it also adds risk to the security of the site. If you use a third-party program you have to be careful: the source code of such programs is openly available online, so an attacker can easily download it and study it for vulnerabilities, which increases the likelihood that you will be attacked. Let's take a simple example, the well-known domestic forum DVBBS. Its style and practicality are good and many sites in China use it, but it has also had a lot of major vulnerabilities. Take the UPFILE vulnerability, which allows an ASP trojan to be uploaded directly. A single major vulnerability like this affects every site that uses the forum. Browsing the Internet over the past two days, I found a lot of sites still running version 6.0, while the official release is DVBBS7.0 SP2. Needless to say, the vulnerability is certainly still there.
Solution: Use third-party programs as little as possible or not at all, or use them only after evaluating them, and the administrator should not be lazy about downloading update patches.
2. If you use programs you develop yourself, pay attention to strict filtering of the program's input, which is also where it is most vulnerable to attack. SQL injection and cross-site scripting attacks basically exploit lax filtering to construct malformed statements. This is the so-called input validation attack. You should understand that every GET and POST request can be used for input validation attacks. However, the most susceptible to attack are the input fields. Typically, these fields are where login names, passwords, addresses, phone numbers, personal homepages and so on are entered, as well as search. Another place that is relatively easy to overlook when filtering is cookies. Let's take a look at the source code of BBSXP SP1.
Below is part of Upface.asp:
......... <% Top if Request.cookies ("Username") = Empty Then Error ("
It can be clearly seen that the variable Request.Cookies("UserName") is not filtered at all, and there are many more places like this in BBSXP. This makes it possible to submit a crafted packet to carry out an injection attack.
If cookies are easy to overlook, User-Agent injection is even more unexpected. The HTTP/1.1 specification defines a "User-Agent" header. Here is a packet we captured:
GET /bbsxp/images/Skins/1/t_bg.gif HTTP/1.1
Accept: */*
Referer: http://localhost/bbsxp/default.asp
Accept-Language: en-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: localhost
Connection: Keep-Alive
Cookie: eremite=0; member_id=1; pass_hash=5140c3b61780e904b05d44f8d3193564; skins=1; ASPSESSIONIDQADBTQQA=AGIPJKACPGNICLMHAFEOBHKA; username=lanker; userpass=E10ADC3949BA59ABBE56E057F20F883E; ONLINETIME=2003%2D7%2D9 22%3A20%3A13; Addmin=10
"User-Agent" is used to identify your browser. You can often see some form of "Mozilla" in this string. Applications use the "User-Agent" string to accommodate the peculiarities of each browser, and the client can specify any special string it likes. This creates an opportunity for injection. The User-Agent injection in DVBBS is the best illustration and example. Friends who don't understand can look at "Tannam Forum DVBBS Vulnerability and Invasion" and "In-depth Analysis DVBBS7 User-Agent Injection". This may be the packet injection they describe.
The usual approach is to filter a list of characters, as shown below:
However, for purely numeric values it is best to use the scripting language's own functions. For example, an ASP script can use CInt, CLng, and IsNumeric, which can be said to be the strictest, and PHP scripts have functions such as intval.
To prevent cross-site scripting where "<" and ">" cannot simply be filtered out, convert all such symbols into the corresponding HTML encoding: "<" becomes "&lt;" and ">" becomes "&gt;". Special attention is needed for all the input filtering above: validation performed on the client is worthless, because it can be bypassed very easily.
With all that done, is everything fine now? The answer is no. There are still many potential ways to misuse numeric fields. Even if we restrict the data so that it must be a number, some errors can still occur, so we should also do boundary checks. Do not underestimate the boundary check: without it, some of these errors will reveal an absolute path.
In general we need to check Booleans, numbers, and strings.
Finally, the program should have an appropriate error-capture mechanism. No matter what language the program is written in, it should have something like try and catch in C# and Java to capture errors, so that the operation can be terminated when an abnormal error occurs. Error messages should not include system information.
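The checks described above, combined in one request handler, as an added example that is not part of the original article and is written in Python rather than the ASP and PHP the article mentions. It applies a type and boundary check to a numeric field, an allowlist to the username cookie, HTML encoding to the User-Agent on output, and error capture that keeps details out of the response. The user-name rule, the 1 to 10 range for skins, and all function names are assumptions made for illustration.

```python
import html
import logging
import re

log = logging.getLogger("app")
# Assumed policy for this example: user names are 1-20 letters, digits or "_".
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,20}")


class InvalidInput(ValueError):
    """Raised when a request value fails validation."""


def parse_int(raw, low, high):
    """Type check, then boundary check, for a numeric field."""
    if not isinstance(raw, str) or not re.fullmatch(r"[0-9]{1,9}", raw):
        raise InvalidInput("not a plain decimal number")
    value = int(raw)
    if not low <= value <= high:
        raise InvalidInput("number out of range")
    return value


def parse_username(raw):
    """Allowlist check; cookies get the same rule as form fields."""
    if not isinstance(raw, str) or not USERNAME_RE.fullmatch(raw):
        raise InvalidInput("bad user name")
    return raw


def handle_request(query, cookies, headers):
    """Return (status, body); cookies and headers are as untrusted as the query."""
    try:
        user = parse_username(cookies.get("username"))
        skin = parse_int(query.get("skins"), 1, 10)  # assumed valid range
        # User-Agent is free text chosen by the client: encode it on output.
        agent = html.escape(headers.get("User-Agent", "")[:200])
        return 200, f"<p>{html.escape(user)} uses skin {skin} with {agent}</p>"
    except InvalidInput as exc:
        log.warning("rejected request: %s", exc)  # detail stays in the server log
        return 400, "Invalid request."
    except Exception:
        log.exception("unexpected error")  # stack trace is logged, not returned
        return 500, "An error occurred."
```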