This is the second day of my participation in the Gwen Challenge.
This article was first published on the public account "Can Play Code".
In an attack, information gathering is the first and most important step. Information can leak in many ways: an attacker can read what an interface returns, analyze front-end code, inspect page and file information, and even mine the data that developers or users have hosted on third-party websites. All of these allow effective information collection. As developers, we should know the common information-disclosure risks and take care to avoid them.
The interface returns a detailed error message
- Some frameworks, such as Django, allow DEBUG = True; when an interface call fails, the code stack and some environment information are printed on the page for easy debugging.
- In business development, some colleagues are used to returning err (which contains the code call stack) directly to the user. An attacker can infer the code logic from this information, which creates a security risk.
Take login as an example. After the user enters the account and password, the back end looks up the password stored for that account in the database and compares it with the password in the request: select passwd from T_user where user_name = 'XXX'
If the back end builds this SQL by manual string concatenation, there is a SQL injection vulnerability. If the user name contains a stray single quote, the concatenated statement is malformed (for example select passwd from T_user where user_name = ''') and MySQL returns an error like "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' ...". If the interface sends this SQL error back to the front end, the attacker can deduce from the returned error that the system is injectable and launch an attack.
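The two behaviours described above side by side, as an added example that is not code from the article: a login lookup built by string concatenation that hands the driver's error text to the caller, and the hardened form that binds the user name as a parameter and logs the detail server-side while returning a generic message. The in-memory SQLite table and its one row are constructed here; they stand in for the article's T_user table.

```python
import logging
import sqlite3

# Constructed in-memory stand-in for T_user (example data, not from the article).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE T_user (user_name TEXT, passwd TEXT)")
conn.execute("INSERT INTO T_user VALUES ('alice', 'hashed-secret')")


def lookup_concat(user_name):
    """Vulnerable style from the article: SQL built by concatenation, and the
    database error returned to the caller as-is."""
    sql = "select passwd from T_user where user_name = '" + user_name + "'"
    try:
        row = conn.execute(sql).fetchone()
        return {"ok": True, "passwd": row[0] if row else None}
    except sqlite3.Error as e:
        # Leaks the driver's error text, and with it the shape of the query.
        return {"ok": False, "error": str(e)}


def lookup_param(user_name):
    """Hardened version: a bound parameter keeps the input out of the SQL text;
    any database error is logged server-side and the client gets a generic
    message that says nothing about SQL."""
    try:
        row = conn.execute(
            "select passwd from T_user where user_name = ?", (user_name,)
        ).fetchone()
        return {"ok": True, "passwd": row[0] if row else None}
    except sqlite3.Error:
        logging.exception("login lookup failed for user_name=%r", user_name)
        return {"ok": False, "error": "login failed"}


if __name__ == "__main__":
    probe = "'"  # a lone quote is enough to break the concatenated statement
    print(lookup_concat(probe))  # error text describes the broken SQL
    print(lookup_param(probe))   # no row matched; nothing about SQL is revealed
```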
Password plaintext storage
This is a basic, serious, and common security problem; many large companies have been exposed for storing passwords in clear text, and user password leaks caused by plaintext storage are also common.
Passwords should be hashed, so that an attacker who does obtain the stored value only gets a meaningless string. Of course, an attacker can still attack a hashed password with a password dictionary (credential stuffing) or with a rainbow table. For example, the MD5 hash of 123456 is E10ADC3949BA59ABBE56E057F20F883E, and a site such as cmd5 maps that hash straight back to its plaintext.
To make passwords harder to crack, salt the hash: insert a specific string (the salt) at a specific position in the password, then hash the result.
The salted password hashes to a completely different string than the unsalted one. To add more randomness, use a different salt for each user, for example an immutable attribute such as the user name or user ID.
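The progression described above, as an added example rather than code from the article: the unsalted MD5 of 123456 that a lookup site recovers instantly, then a per-user salted hash. It goes one step beyond the article's username-as-salt suggestion by using a random 16-byte salt per user and PBKDF2-HMAC-SHA256, so two users with the same password get unrelated digests and each guess costs the attacker many hash iterations; the storage format iterations$salt$digest is a convention chosen here.

```python
import hashlib
import hmac
import os


def md5_hex(password):
    """Unsalted MD5, as in the article's 123456 example: identical for every
    user who picks the same password and trivially reversible by table lookup."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password, salt=None, iterations=200_000):
    """Salted, slow hash. A fresh random salt per user (assumption: 16 bytes)
    plus PBKDF2-HMAC-SHA256 replaces the plain MD5 above. Returns the string
    'iterations$salt_hex$digest_hex' so verification can recover both."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count and compare in
    constant time, so timing does not reveal how many bytes matched."""
    iter_s, salt_hex, _digest_hex = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex), int(iter_s))
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    print(md5_hex("123456"))  # e10adc3949ba59abbe56e057f20f883e
    a = hash_password("123456")
    b = hash_password("123456")  # same password, different salt
    print(a != b, verify_password("123456", a), verify_password("654321", a))
```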
Website file leakage
Nginx is often used as a static resource server, and directory browsing (autoindex on) may be enabled so that resources can be downloaded easily.
Once a sensitive file is accidentally placed in such a directory, anyone can download it.
To prevent arbitrary access to resources, add identity authentication so that an account and password are required before access. It is safer to also turn off directory browsing, so that users can only reach a resource through its full path. For example, if xx.txt is stored in the root directory, users can only fetch it from http://huiwan_code.com/xx.txt; they cannot open http://huiwan_code.com and click through the listing to download xx.txt.
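The weak and the hardened settings side by side, as an added configuration example that is not taken from the article; the location, root path, realm and htpasswd file are placeholders, and only one of the two blocks would exist in a real server block.

```nginx
# Weak: directory listing on, no authentication.
location /downloads/ {
    root /srv/static;
    autoindex on;        # anyone can browse the listing and fetch every file
}

# Hardened: listing off, HTTP basic authentication required.
location /downloads/ {
    root /srv/static;
    autoindex off;       # /downloads/ itself returns 403; only full file paths work
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;   # placeholder; create with htpasswd
}
```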
Too detailed robots.txt
Many sites provide /robots.txt and /sitemap.xml to help search engines crawl them. The robots file tells search engines which pages may be crawled and which may not.
Baidu's robots.txt, for example, can be viewed by appending robots.txt to the domain name (www.baidu.com/robots.txt). A robots file can set different crawling rules for different search engines: Allow permits crawling, Disallow forbids it.
If robots.txt is written in too much detail, it reveals the site's sensitive directories or files. For example, Disallow: /admin/login and Disallow: /admin/register spell out the exact back-office paths, which attackers can easily collect and use.
Wildcards can be used to make the path matching fuzzy:
- User-agent: * applies the rules to all search engine crawlers
- Disallow: /admin/ forbids crawling the admin directory and everything under it
- Disallow: /*? forbids crawling any URL that contains a question mark
- Disallow: /*.jpg forbids crawling any jpg image
The front end stores the key information
In some cases a system relies on third-party services for auxiliary functions such as SMS or approval workflows. If the service architecture is poorly designed, the keys for these third-party services are stored in the front end, which calls the services directly. Attackers can read the front-end JS code to obtain the key, causing information leakage.
The sensitive user information returned by the interface is not desensitized
If an interface must return sensitive user information, such as ID card number, mobile phone number, name, or detailed address, it must be desensitized (masked) so that it cannot be exploited by attackers.
Too much sensitive user information is returned
Sometimes one interface is called by several front-end modules that each need different information: module A displays the user's name, module B needs the user's address. The interface returns all the information, and each front end picks the fields it needs. Some colleagues may say that since the sensitive information is desensitized, returning all of it carries no risk.
Suppose an attacker has a mobile phone number and has found several candidate names for its owner through Weibo, QQ, and other social software. How can they confirm which is right? Everyone uses Alipay transfers; when you transfer money to a mobile phone number, Alipay shows the desensitized name of the payee. Alipay requires real-name verification, so this is the user's real name in desensitized form.
"Click here to verify" also lets you enter the recipient's surname, confirming the user's name further.
This is not to say that Alipay is vulnerable: this disclosure risk is small compared with transferring money to the wrong account because the recipient was never confirmed. It is a reminder that even desensitized sensitive information can be a useful clue for attackers. Interfaces should therefore return as little sensitive information as possible.
If one interface really must serve several data requirements, GraphQL is a good choice: the back end defines the data format and fields, and the front end requests only the fields it needs.
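Both points above, desensitizing the fields the article lists and returning each module only the fields it needs, in one added example that is not code from the article. The sample user record is constructed, the masking rules are one reasonable choice (region prefix and last four of an ID number, first three and last four of a phone number, surname only, address cut at district level), and the per-module allow-list is a hypothetical stand-in for the on-demand field selection that GraphQL gives you.

```python
import re

# Constructed sample record; all values are made up.
USER = {
    "name": "张三丰",
    "phone": "13812345678",
    "id_card": "110101199001011234",
    "address": "北京市海淀区中关村大街1号院3单元502",
}


def mask_phone(phone):
    """Keep the first 3 and last 4 digits, e.g. 138****5678."""
    if len(phone) < 8:
        return "*" * len(phone)
    return phone[:3] + "*" * (len(phone) - 7) + phone[-4:]


def mask_id_card(id_card):
    """Keep the 6-digit region prefix and the last 4 characters; the birth date is hidden."""
    if len(id_card) < 11:
        return "*" * len(id_card)
    return id_card[:6] + "*" * (len(id_card) - 10) + id_card[-4:]


def mask_name(name):
    """Keep the first character (the surname), star out the rest."""
    return name[:1] + "*" * (len(name) - 1)


def mask_address(address):
    """Keep the address up to the district/county (or the city), drop street-level detail."""
    m = re.match(r"^(.*?[区县]|.*?市)", address)
    return (m.group(1) if m else address[:6]) + "***"


MASKERS = {"name": mask_name, "phone": mask_phone,
           "id_card": mask_id_card, "address": mask_address}

# Hypothetical allow-list: which fields each front-end module may receive.
MODULE_FIELDS = {
    "profile_header": ["name"],                 # only displays the user's name
    "delivery": ["name", "phone", "address"],   # needs contact details
}


def build_response(user, module):
    """Return only the fields allow-listed for `module`, each desensitized.
    An unknown module gets nothing rather than everything."""
    return {f: MASKERS[f](user[f]) for f in MODULE_FIELDS.get(module, []) if f in user}
```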
Disclosure of third-party platforms
Leaks can also occur through third-party platforms used at work.
Uploading company code to GitHub
Intentionally or not, we may upload company code to GitHub. If the code contains configuration files, database accounts and passwords, and so on, the consequences of the leak are serious.
Besides strengthening employees' security awareness training, the company should tighten its management rules so that employees do not upload code without authorization. The company can also use GitHub leak monitoring tools such as Hawkeye to watch GitHub repositories, discover employees hosting company code on GitHub in time, and raise early warnings to reduce the risk of code leakage.
Uploading work notes to cloud storage tools
For convenience, work notes and work data are sometimes stored in a network disk or cloud note service and synchronized directly across devices. The resulting security problems cannot be ignored. Take Evernote as an example: Evernote offers password recovery by email. Once the email account and password are leaked, an attacker can reset the Evernote password through that email and log in as the user.
Final words
If you like this article, welcome to follow the public account "Can Play Code", which focuses on sharing practical technology in plain language.