Discussing B/S System Security

xiaoxiao2021-03-06  53

This was a casual post on my former company's internal forum (the company has since collapsed in a fight between its shareholders); parts have been deleted or modified to protect the systems involved. Suitable for beginners!

hjleochen@hotmail.com

http://www.safechina.net (please indicate the source)

---------------------------------------------------------

Discussing B/S System Security

With the development of recent years, B/S systems have gone far beyond personal homepages and message boards: the core applications of many companies are now being built on the Web, and the security of Web server-side programs has become a prominent concern. This article introduces some common security problems through several examples and then discusses some basic guidelines and suggestions for writing web application code. Since I have not worked in this area for long, the content may be incomplete or wrong; everyone is welcome to laugh at it.

If you don't want to read a lengthy discussion, skip directly to: Some programming principles.

1. SQL Injection

This is currently the most common problem in applications. It can occur wherever a database is used: user input is not checked and filtered as it should be, so the user can make the program execute SQL statements it was never meant to run. The typical case is a login program that can be bypassed by entering 1' or '1'='1; I remember the website of Taiwan's Li Dang X was hacked this way.... well, that was a while ago. There are countless examples and tutorials on this kind of problem and I did not want to wade into these muddy waters, but because it is so widespread (of the more than ten telecom-industry systems I have seen, at least five vendors' systems had this kind of login problem) and because of the deeper problem hidden behind it, I decided to start from the code analysis record of a system from the end of 2003.

Example 1: The following comes from a code analysis record from the end of 2003. Last modification date of the code file: 2003.12.xx
XX Account - XX Management System
Severity: AAA (serious)

Scenario
Precondition: a valid user name is already known (not strictly required), e.g. TT.
Steps: in the login screen enter operator: 1'or '1' = '1, password: anything.
Result: login succeeds, with all operational permissions.

Analysis
Login_CHECK.JSP, starting at line 15. No validity processing of the user input is performed here:
.........
user_code = request.getParameter("user_code").trim();
strsql = "select count(*) from userinfo where user_code='" + user_code + "' and password='" + password + "' and status=1";

The above query is the problem. When user_code is tt' or 1=1, strsql becomes:
where user_code='tt' or 1=1 and password='aaa' and status=1
and the result is every record in the table.... By constructing the user_code value one can perform almost any operation on the database, and on some database systems even obtain the highest system privileges.........

That is the SQL injection problem itself; now let us turn to the integrity of the application logic. A user login needs strong judgment logic: checking only that the query returned something is not enough. The content of the query result should also be compared with the corresponding input, so that even if the query returns several records the login does not succeed. Because the query is not rigorous, the consequence is not just that the user logs in, but that they obtain every operation right in the system:

if (count.equals("0")) {
    // login failed, error handling
} else {
    strsql = "select <field names> from userinfo where user_code='" + user_code + "'";
    // the injected user_code is used again here, so the operation permissions of the whole system are obtained...
    // set the session, query module permissions...

    if (userinfo != null) {
        // successfully entered the system, redirect
        .........
    }
}

The most famous SQL injection case is probably the BBS system of Dongwang (DVBBS); the main cause of the problem is again the failure to check the legality of user input (this is the key to almost all problems in B/S systems). [DVBBS is actually a very good program; if it had not been written in ASP, I believe such problems would have been far fewer.]

Workaround: check the validity of user input. If, instead of the simple check above, the password in the query result is also compared with the entered password, outsiders have a hard time logging in (though they can still execute illegal statements), while people inside the system with a legitimate account can still log in as any user (a large part of attacks come from inside the organization).

Good method:
1. Restrict input appropriately, e.g. limit user name and password to [a-zA-Z0-9] and limit their length, rejecting special symbols such as ['] ["] (strict input control).
2. Verify that the user name in the database query result is consistent with the input (strong application logic).
3. If your language supports it, use parameter binding (....) and do not build database statements with string operations. This not only makes your code more efficient (construction of String objects, Oracle's SQL parsing, etc.) but also safer (good programming style).

Net quotes:

1. Web security is SQL injection!

2. Intrusion is not hard, just learn SQL....

But is SQL injection all there is? Is intrusion really that simple? Over a year ago I went to the Xinhua Book City in my area and could not even find the "Hacker Encyclopedia" that was on sale at the time.
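The following is an added example (not code from the original post or from the system it analyses) that reproduces Example 1 in Python with an in-memory SQLite table, using the known user name tt from the precondition together with the quote-balanced '1'='1' payload: login_vulnerable mirrors the concatenated queries and the count-only check, and login_safe applies the three fixes listed under "Good method". The table contents and column names are constructed.

```python
import re
import sqlite3

# Constructed sample data mirroring the page's userinfo table (not the real system).
SAMPLE_USERS = [("admin", "s3cret", 1, "superuser"),
                ("tt", "aaa", 1, "operator"),
                ("old", "gone", 0, "operator")]   # status=0: disabled account

USER_RE = re.compile(r"^[a-zA-Z0-9]{1,20}$")       # good method 1: whitelist + length limit


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table userinfo (user_code text, password text, status integer, role text)")
    conn.executemany("insert into userinfo values (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, user_code, password):
    """Mirrors Login_CHECK.JSP: SQL built by string concatenation, and only
    count != 0 is checked before the user's permissions are loaded."""
    strsql = ("select count(*) from userinfo where user_code='" + user_code +
              "' and password='" + password + "' and status=1")
    count = conn.execute(strsql).fetchone()[0]
    if count == 0:
        return None                                   # login failed
    # The injected user_code is reused here, so every row comes back and the
    # first one (admin) decides which permissions the session receives.
    strsql = "select user_code, role from userinfo where user_code='" + user_code + "'"
    return conn.execute(strsql).fetchall()


def login_safe(conn, user_code, password):
    """The page's three fixes: strict input control, a parameterised query,
    and checking that the returned record matches what was entered."""
    if not USER_RE.match(user_code) or not 1 <= len(password) <= 64:
        return None                                   # quotes never get this far
    row = conn.execute(
        "select user_code, role from userinfo "
        "where user_code=? and password=? and status=1",   # good method 3: input is data, not SQL text
        (user_code, password)).fetchone()
    if row is None or row[0] != user_code:
        return None                                   # good method 2: result must match the input
    # Password is compared in clear because the page's schema stores it that way;
    # hashing is outside what this example demonstrates.
    return row


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "tt' or '1'='1", "whatever"))
    print("safe:      ", login_safe(db, "tt' or '1'='1", "whatever"))
```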

2. Missing data-permission verification

The permission module of a typical system is divided into functional permissions and data permissions:
Functional permissions: the software function modules an operator may use.
Data permissions: the data an operator may operate on.
Controlling only functional permissions without controlling data permissions can lead to operations beyond one's authority, with serious consequences.

Example 2: Code and description.

For example: a user has permission to edit their own information and change their personal password (a function that modifies data), accessed as edit.php?user_name=leo. If the program has not fully considered data permissions (other people's information must not be modifiable), an intruder can change the user_name parameter passed to edit.php and modify someone else's information: edit.php?user_name=admin. This is only a simple illustration in an isolated environment; in complex systems, with complicated staff permission levels and management models, uncertainty among developers and interaction between modules, developers and testers often cannot exhaust every possibility, so this kind of problem is very common.

If the system's login screen is the front door, deciding who is let in and who stays outside, then permission control decides what people may and may not do inside the house. It is like our behaviour in traffic: everyone knows to stop on red and go on green, but there are always people who do not follow the rules, so even when we see a green light we drive carefully in case someone suddenly rushes out, and the authorities even install cameras and police at intersections to control those who break the rules. Permission management is the planner and coordinator of such behaviour, deciding by mandatory means what you may and may not do; if permissions are badly managed, the system is as chaotic as a busy crossroads without traffic lights. Oh, I have wandered far off. In fact the system permission model is a very complicated subject; from my first application to the systems of recent years I have never managed to get it right, so I dare not comment further and look forward to guidance from the experts. www.jdon.com has a few good discussions you can read (although I hate that webmaster).

Net quotes:
1. The network is free, the network is shared!

2. What, you forgot your password? Log in as admin; I changed his password to 1234, easy to remember!

But are you willing to share the photos of your girlfriend from last night? Ha ha.....
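An added example (not the page's code) of Example 2 in Python: edit_vulnerable is the edit.php behaviour described above, where the functional permission is checked but the row to edit comes straight from the user_name parameter, and edit_safe adds the data-permission check so that an operator can only change the session user's own row. The table, the roles and the FUNCTION_PERMS mapping are constructed for this example.

```python
import sqlite3

# Constructed sample table and roles for the page's edit.php?user_name=... scenario.
SAMPLE_USERS = [("admin", "superuser", "admin@example.invalid"),
                ("leo", "operator", "leo@example.invalid")]

# Functional permissions: which modules a role may use.
FUNCTION_PERMS = {"operator": {"edit_profile"},
                  "superuser": {"edit_profile", "manage_users"}}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table userinfo (user_name text primary key, role text, email text)")
    conn.executemany("insert into userinfo values (?, ?, ?)", SAMPLE_USERS)
    return conn


def role_of(conn, user_name):
    row = conn.execute("select role from userinfo where user_name=?", (user_name,)).fetchone()
    return row[0] if row else None


def email_of(conn, user_name):
    return conn.execute("select email from userinfo where user_name=?", (user_name,)).fetchone()[0]


def edit_vulnerable(conn, session_user, params, new_email):
    """edit.php as the page describes it: the functional permission is checked,
    but the row to edit is taken straight from the URL parameter."""
    if "edit_profile" not in FUNCTION_PERMS.get(role_of(conn, session_user), set()):
        return False
    target = params["user_name"]                      # trusted without any data-permission check
    conn.execute("update userinfo set email=? where user_name=?", (new_email, target))
    return True


def edit_safe(conn, session_user, params, new_email):
    """Same function with the data permission enforced: an operator may only
    touch the logged-in session user's own row; only manage_users may edit others."""
    perms = FUNCTION_PERMS.get(role_of(conn, session_user), set())
    if "edit_profile" not in perms:
        return False
    target = params.get("user_name", session_user)
    if target != session_user and "manage_users" not in perms:
        return False                                  # override attempt: edit.php?user_name=admin
    conn.execute("update userinfo set email=? where user_name=?", (new_email, target))
    return True
```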

3. Access to source files and other important resources...

Having experienced the power of the DBMS and the strict hierarchy of permissions, let us return to the ancient file system, the origin of all things.

Some will say: since the database is not safe, I'll just use files; that is a familiar recipe...

Is that really so? What is the ultimate goal of intrusion? (Well, for some people it is perhaps not a goal but a way of life.) It is information (that is not nonsense). Documents are information and information is documents (of course a file is only a way of organising it; let us not get into such lofty distinctions, ^_^). When an external cracker wants to obtain some permission, what does he want most? Yes, of course: given the choice I would go for the target file, since guessing passwords is too tiring (and for the average person, getting the files is the way to reach the goal). The files referred to here may be company XX's confidential documents, or JSP, PHP or ASP source code, or even /etc/passwd. This is not easy, but it is not impossible (although I dare not say nothing is impossible...

The following comes from a security analysis record of a certain domestic site from 2003.06. For various reasons, please do not republish the following content on the public network, thank you. Another note: I still decided to delete that paragraph before posting... huh, the text is already too long ... ^_^

Given /usr/local/share/bin, we all understand what cd /usr/local/share/bin means, but what about

cd /usr/local/share/../../../bin

Not so clear? The result is /bin (Windows behaves the same way). Still don't get it? Go back and look up the definitions of relative and absolute paths....

For example: a page reads the file named by a parameter and displays its content to the client. If the file name is not restricted, every file can be reached through a relative path, disclosing everything the intruder is interested in, such as the system's source code. If I remember correctly (2000?), the IIS Unicode vulnerability found by the Green Corps was in fact the use of ../../../../../../ (..%255c..%255c..winnt/system32/cmd.exe).

This problem is very common. A while ago, while helping a friend look at the source code of his web server (in C), I found exactly this problem (I will cover it in another article; at this king's level of skill, that is all I can do). There are several solutions; the one I think best is: on UNIX use realpath(3), char *realpath(const char *path, char *resolved_path); on Windows use DWORD GetFullPathName(LPCTSTR lpFileName, DWORD nBufferLength, LPTSTR lpBuffer, LPTSTR *lpFilePart). Obtain the true path name of the incoming parameter, compare it with the paths (or file list) the system allows, and decide whether this directory (file) may be accessed. The Access_Control section of the PHP source code also has a good solution (http://www.php.net). I don't know whether Java has a library for this; if not, you can use JNI to call the two functions above.
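An added example (not from the post or the friend's server code) of the realpath-based check described above, in Python against a constructed document root. It also shows why looking for ".." in the raw parameter is not enough once the parameter is percent-encoded, as in the IIS example: the check has to run on the fully decoded, canonicalised path.

```python
import os
import tempfile
from urllib.parse import unquote


def collapse(path):
    """What the shell did with /usr/local/share/../../../bin: collapse the dots."""
    return os.path.normpath(path)


def fully_decode(value, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), so a
    double-encoded ..%252e style payload is judged in its final form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")


def naive_is_safe(param):
    """The weak check: look for '..' in the raw parameter only."""
    return ".." not in param


def resolve_allowed(base_dir, param):
    """realpath(3)-style check: canonicalise the requested path and require it
    to stay inside base_dir. Returns the real path, or None if access is denied."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, fully_decode(param)))
    if target == base or target.startswith(base + os.sep):
        return target
    return None


def demo():
    """Build a constructed document root and run both checks over sample parameters.
    Returns {param: (naive_is_safe, resolve_allowed accepted)}."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "readme.txt"), "w") as fh:
        fh.write("public\n")
    params = [
        "docs/readme.txt",
        "docs/../docs/readme.txt",            # dots that stay inside the root are fine
        "../../../etc/passwd",                # classic relative-path escape
        "/etc/passwd",                        # an absolute path overrides join()
        "%2e%2e/%2e%2e/etc/passwd",           # single-encoded dots
        "%252e%252e/%252e%252e/etc/passwd",   # double-encoded dots
    ]
    return {p: (naive_is_safe(p), resolve_allowed(root, p) is not None) for p in params}


if __name__ == "__main__":
    for param, verdict in demo().items():
        print(f"{param:40} naive={verdict[0]!s:5} realpath={verdict[1]}")
```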

Some programming principles:

Cultivate security awareness and good programming habits in developers and testers. With the success B/S systems enjoy today, system security plays an important role, and management should gradually pay attention to it as well. Checking input and output, and being able to write secure code, are important criteria for judging whether a web program is qualified.

1. For user input, convert the ['] ["] characters in the input data where necessary, and in a strongly typed language convert the input to the corresponding type. Of course some people apply the same control to all input, for example turning every single quote into two single quotes, which is unreasonable (for example, what gets saved no longer matches the original input). You should understand the system's data flow as clearly as possible and control it according to the specific situation. Generally there are two styles of input and output control, lenient and strict; each has its own characteristics and its own uses. Input control alone can solve most code security issues: in the problem described in the first example, good input control would have been a good remedy for the unreasonable judgment logic.

2. Check not only the data you output, but also guard against data that is output directly, such as cookies and environment variables. Do not use cookies to store core application data, because HTTP packets are easy to construct. Where using the POST method does no harm to the system, try to avoid the GET method (a very basic measure, but we found it very useful, at least against some small-time hackers: if testing is inconvenient they lose patience and give up, and sometimes I am the same). Always remember: not all users follow the path you built. Every data flow from the operating system to the module should get the necessary checks and protective measures. Do you realise how important this is for system security? Do you trust the code written by your colleagues, or the data they send? Can you be sure that data has not been modified before your program received it?? When you point a finger at others, three fingers point back at yourself. --- A spy! (I have forgotten where this sentence came from, but I want to show that a suspicious attitude at work and in study is worth looking at from a different angle. 2004-11-11)

3. After deployment, set file and directory permissions so that everyone can only read, and set the configuration directory (which needs to be modifiable) to non-executable, so that others cannot change your home page or code or plant a trojan. Script trojans are terrible: anti-virus software cannot find them and the administrator will not easily notice either, and if one is embedded in your code (modifying your code, adding some condition) it is even worse. Read-only permissions also prevent development and maintenance staff from accidentally deleting the system's programs and configuration. Hehe, thinking of this my hands start to sweat; it really is thrilling. I remember accidentally deleting data myself, never mind programs. But I think I still have not done the system any real harm.

4. Do not use the names of the text inputs, textareas and hidden fields of your forms as the field names in your database; it makes the naming rules of the database easy to grasp, which is a big source of information for intruders. Once he has that information, you are finished. I think it is a good idea to make them nearly garbled. -:) Then nobody knows what this variable is for.

5. Do not publish the Debug version. When publishing the Release version, shut off all information output and block all the system error messages (which are there for convenient error checking). Successful intrusions often start from error messages.

6. Do not build SQL statements directly from variables!!!!!!!!!!!!! See the example.

7. Input, input, input: the importance of checking input cannot be stressed too much. At least some basic validity checks should be performed; for Java development I feel that Struts' Validate, and AOP, offer good solutions.

8. The following suggestions come from "Secure Programming Cookbook for C and C++", Chapter 3, Input Validation. Although the book is about writing secure C/C++ code, these principles are the same for any program:

3.1.2 Solution
Perform data validation at all levels whenever possible. At the very least, make sure data is filtered on input. Match constructs that are known to be valid and harmless. Reject anything else. In addition, be sure to be skeptical about any data coming from a potentially insecure channel. In a client-server architecture, for example, even if you wrote the client, the server should never assume it is talking to a trusted client.
1. Assume all input is guilty until proven otherwise.
2. Prefer rejecting data to filtering data.
3. Perform data validation both at input points and at the component level.
4. Do not accept commands from the user unless you parse them yourself.
5. Beware of special commands, characters, and quoting.
6. Make policy decisions based on a "default deny" rule.
7. You can look for a quoting mechanism, but know how to use it properly.
8. When designing your own quoting mechanisms, do not allow escapes.
9. The better you understand the data, the better you can filter it.

That last sentence is absolutely classic: you must know your own system and try to consider its security from the intruder's angle (discussed in the last part of this article). This article only discusses the security of web programs; system security is the foundation underneath it, and if system security is not guaranteed there is no point talking about program security, but that is the system administrator's business ^_^. Writing robust and secure code, however, is absolutely a basic responsibility of a qualified programmer.

I deleted 516 words here... (not because they were restricted, huh, huh)

The following content comes from another article; some of the ideas are quite naive and I really didn't dare put them out, so I am taking some of the content for everyone to discuss.

I remember that when I first entered the online world, I was repeatedly told that intrusion needs endurance and luck (initially this should have been Coolfire's tutorials; I don't know if anyone still remembers them), and many times that proved true. But recently I have felt more and more that finding and exploiting a vulnerability takes more than superb technique, advanced tools, complete lists, patience and a keen nose. We also need to understand the psychology of the developers writing the code and of the system administrators setting security policy. Although I am a big layman in psychology, this branch of psychology is often emphasised as the only way to solve things. To find problems efficiently when looking for vulnerabilities, one needs a "programming psychology" or a "security policy psychology". Security problems are caused by problems in the program; the program reflects the mind of its author; but because humans are born imperfect, what they create is always flawed, and since people have much in common, the errors in code are also universal (I don't think anyone dares to say they have never made a mistake since their first line of code). So there must be universal laws in program error checking and vulnerability testing; this requires experience and inspiration, and requires understanding the developer's psychology (someone who has never written code will not know what lies buried beneath the surface of a program error). Regrettably, our masters often only record the means and steps of an intrusion, ignoring the exchange between their endless attempts and the experience of the program's author (apart from the earlier "password psychology" there have been few other discussions from a psychological perspective, and strictly speaking "password psychology" does not belong to this category). In fact, in many cases, once you understand the psychology of the program, the problem is no longer a problem; otherwise you may only be able to rely on luck and endurance.

One experience made me realise even more deeply how important the psychology of the program's developer is: at least half a year ago I found a problem in the web program of a well-known domestic network security site, but I almost exhausted all my patience and tried every possible method without being able to exploit it (though I still believe the vulnerability is exploitable). Perhaps it was my luck, but the weird way the program expressed itself made it impossible to guess where the program's full error logic lay (or what the author was thinking at the time; of course the author may be very skilled, and his thinking beyond what you can guess). So I urgently hope that someone can see (or sort out) the process behind program vulnerabilities, indicating which of the common ones are caused by defects of human thinking.

Oh, laugh!

Hehe, so tired. My writing is poor and there are many things I cannot put into words. I have written this much only to throw out a brick; if it helps programmer comrades raise their security awareness, it was worth it. According to Huang Ya's 4, this is called: it has not been unknown. Hehe, I think too highly of myself.

Dare to love you, because I am afraid that I will love you so again after I die. ---- H.j.leochen 2004/04/07

For reposting please cite the original address: https://www.9cbs.com/read-83858.html
