I don’t know if you noticed, but these days information leaks at high-profile companies are being exposed more and more often. Correspondingly, network security is getting more and more attention.
Two graphs extracted from the Baidu Index (figures not included in this text):
It can be seen that information about, and attention to, network security is gradually rising; in particular, several large data leaks and other security incidents in recent years have caused a public sensation.
In fact, apart from issues specific to a particular framework, there are also many universal security issues. The most common are the following, and I think every programmer should know how to avoid them:
1. SQL Injection
2. Cross-Site Scripting Attack (XSS)
3. Cross-site Request Forgery (CSRF)
4. Unauthorized access (overstepping authority)

1. SQL Injection
SQL injection is probably the most widely known security issue. The cause is that SQL statements are built by string concatenation, parameters included. Once the user enters a parameter that changes the meaning of the whole statement, the result of executing it becomes unpredictable. For example:
SELECT * FROM user WHERE id = '1' or 1 = '1'
Here the part after id = ', that is “1' or 1 = '1”, is what the user typed.
If the above SQL statement is executed, all user information is disclosed.
There are many variants of SQL injection, such as deliberately causing a statement to fail so that the error message discloses important information.
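To make the statement above concrete, here is an added example (not code from the original post) that runs it against a throwaway SQLite database, first built by string concatenation and then in the parameterized form. The table, its three rows and the user input are constructed for the example. One SQLite-specific detail: SQLite does not treat the number 1 and the text '1' as equal, so the injected input is written as “1' or '1' = '1” to produce the same always-true effect as the post’s “or 1 = '1”.

```python
import sqlite3

# Constructed sample data for the example: three users.
USERS = [(1, "alice"), (2, "bob"), (3, "carol")]


def make_db():
    """Create an in-memory SQLite database with a small user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", USERS)
    return conn


def find_user_concat(conn, user_input):
    """Vulnerable: the user's text is spliced straight into the SQL statement."""
    sql = "SELECT * FROM user WHERE id = '" + user_input + "'"
    return conn.execute(sql).fetchall()


def find_user_param(conn, user_input):
    """Safe: the value travels as a bound parameter, never as SQL text."""
    return conn.execute("SELECT * FROM user WHERE id = ?", (user_input,)).fetchall()


def find_user_param_int(conn, user_input):
    """Safe and strict: insist the id is an integer before it reaches the database,
    which is the 'int parameter' rule the post describes."""
    try:
        user_id = int(user_input)
    except ValueError:
        return []  # not a valid id: reject instead of guessing
    return conn.execute("SELECT * FROM user WHERE id = ?", (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "1' or '1' = '1"
    print("concatenated:", find_user_concat(db, payload))    # every row leaks
    print("parameterized:", find_user_param(db, payload))    # nothing matches
    print("int-checked:", find_user_param_int(db, "2"))      # only bob
```

Running the script shows the concatenated query returning all three users for the injected input, while both parameterized versions return nothing for it and still find the intended user when given a plain id.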
How to prevent it? Avoid SQL string concatenation and execute the SQL with parameters. In the example above, if the @id parameter is of type int, then “or 1= '1” cannot be converted to type int.

2. Cross-site Scripting Attack (XSS)
XSS is most common on content-oriented sites, because it targets pages that dynamically render HTML from server-side data.
For example, on a forum, suppose I reply to a post with the text “the owner of the building niubiu</div><script>alert(250)</script>”. If the server does not process this content properly and saves it to the database exactly as submitted, then when the page reaches the floor where my reply sits, a pop-up window showing “250” will appear along with the words “the owner of the building niubiu”.
Of course, just popping up a window does no harm by itself. But if the script reads the user’s local cookies and uploads them to a server of the attacker’s choosing, someone else can use those cookies to log in to the user’s account, which is a little scary.
How to prevent it? You can filter out HTML tags, since plain text is enough for most scenarios. If you really need rich text, escape it once and store the escaped characters instead of saving the HTML tags directly.
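Both options from the paragraph above, as an added example that is not part of the original post: the reply text is the constructed forum payload from the post, strip_tags is the plain-text path (drop every tag, including script bodies) and escape_for_html is the escaped-storage path. The example also shows a caveat the post does not mention: Python’s HTMLParser decodes character references while stripping, so the stripped text is escaped again before it is rendered.

```python
import html
from html.parser import HTMLParser

# Constructed sample reply modelled on the forum scenario in the post.
REPLY = "the owner of the building niubiu</div><script>alert(250)</script>"


def escape_for_html(text):
    """Escaped-storage option: '<', '>', '&' and quotes become entities, so the
    browser shows '<script>' as literal text instead of running it."""
    return html.escape(text, quote=True)


class _TagStripper(HTMLParser):
    """Keeps only text nodes; text inside <script>/<style> is dropped as well."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def strip_tags(text):
    """Plain-text option: drop every HTML tag, keeping only visible text.
    Caveat: HTMLParser decodes character references, so '&lt;' comes back as '<';
    the result must still be escaped before it is rendered."""
    parser = _TagStripper()
    parser.feed(text)
    parser.close()
    return "".join(parser.parts)


def render_reply(stored, mode="plain"):
    """Render a stored reply inside its <div>. mode='plain' strips tags first,
    mode='escaped' keeps the markup as visible text; both paths escape on output."""
    text = strip_tags(stored) if mode == "plain" else stored
    return '<div class="reply">' + escape_for_html(text) + "</div>"


if __name__ == "__main__":
    print(render_reply(REPLY))                   # only the words survive
    print(render_reply(REPLY, mode="escaped"))   # tags shown as text, not executed
```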
3. Cross-site Request Forgery (CSRF)
CSRF exploits the browser’s cache and the site’s remembered login state: a malicious script sends a request to a site you have just visited, and the site believes the request is your own operation.
Let’s say you have just visited a bank’s website, or even still have it open in another tab. Then you accidentally open a phishing site, a script in that page sends a transfer request to the bank’s website, and a sum of money mysteriously goes missing from your account. (Of course, today’s bank websites have taken this into account.)
How to prevent it? As the developer of a website, the easiest way is to check the Referer header to see whether the source of the request is trustworthy. A better way is to assign a token to each user who logs in normally and verify the token on every request.
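The two defences above, as an added example (not the post’s own code): a Referer check and a per-login token bound to the session and verified on every state-changing request. The session store, the site hostname bank.example and the request dictionaries are constructed for the example. The forged request still carries the session cookie, because the browser attaches it automatically, but it cannot carry the token, which the phishing page never sees.

```python
import hmac
import secrets
from urllib.parse import urlparse

SITE_HOST = "bank.example"   # assumed hostname of the protected site

# Server-side session store, keyed by session id (in-memory for the example).
SESSIONS = {}


def login(user):
    """Create a session and bind a fresh random CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """The token the site embeds in its own forms for this session."""
    return SESSIONS[sid]["csrf_token"]


def referer_is_trusted(headers):
    """The easier check from the post: did the request come from our own pages?"""
    ref = headers.get("Referer")
    if not ref:
        return False  # missing Referer: treat as untrusted
    return urlparse(ref).hostname == SITE_HOST


def handle_transfer(request):
    """Authorise a state-changing request: valid session plus matching token."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401, "not logged in"
    submitted = request["form"].get("csrf_token", "")
    if not isinstance(submitted, str) or not submitted.isascii():
        return 403, "csrf token mismatch"
    # constant-time comparison so timing does not leak the token
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "csrf token mismatch"
    return 200, f"transferred {request['form']['amount']} for {session['user']}"


if __name__ == "__main__":
    sid = login("alice")
    # Constructed requests: one from the bank's own form, one from a phishing page.
    own = {"cookies": {"session": sid},
           "form": {"csrf_token": csrf_token_for(sid), "amount": "10"},
           "headers": {"Referer": "https://bank.example/transfer"}}
    forged = {"cookies": {"session": sid}, "form": {"amount": "10"},
              "headers": {"Referer": "https://phish.example/page"}}
    print(referer_is_trusted(own["headers"]), handle_transfer(own))
    print(referer_is_trusted(forged["headers"]), handle_transfer(forged))
```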
4. Unauthorized access (overstepping authority)
As the name suggests, “overstepping authority” means going beyond the limits of one’s authority. For example, an e-commerce site’s URL for viewing order information has the form http://www.dianshang.com/orde… If I manually change the last number of the URL to 10002 and send the request, and the server does not check the currently logged-in user, then the order information of 10002 is obtained beyond my authority.
How to prevent it? There are two main points.
- Check permissions; don’t be lazy about it.
- For numeric or ID-type data, avoid sequential increments. As a bonus, this keeps competitors from guessing your real order numbers.
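The two points above as an added example (not the post’s code): a lookup that checks the order’s owner against the logged-in user, next to the unchecked version that has the flaw described, plus non-sequential order identifiers. The order table, the user names and the ids 10001/10002 are constructed for the example.

```python
import secrets

# Constructed order store for the example: order id -> owner and details.
ORDERS = {
    10001: {"owner": "alice", "item": "keyboard"},
    10002: {"owner": "bob", "item": "monitor"},
}


def get_order_unchecked(order_id):
    """The flaw from the post: anyone who knows (or guesses) the id gets the order."""
    return ORDERS.get(order_id)


def get_order(current_user, order_id):
    """Point 1: the order must belong to the logged-in user. 'Missing' and
    'not yours' get the same answer, so the endpoint does not reveal which ids exist."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != current_user:
        return None
    return order


def new_order_id():
    """Point 2: a random, non-sequential identifier (16 URL-safe characters),
    so neighbouring orders cannot be reached by adding one to a number."""
    return secrets.token_urlsafe(12)


if __name__ == "__main__":
    print(get_order_unchecked(10002))        # bob's order, no question asked
    print(get_order("alice", 10001))         # alice's own order
    print(get_order("alice", 10002))         # None: not hers
    print(new_order_id(), new_order_id())    # two unrelated ids
```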
In fact, there are many more security issues, such as payment vulnerabilities (the payment amount is not verified), upload attacks, and so on. But the general approach to them is similar to the four discussed above. To make this easier to understand, and to make you more security-conscious when coding, I have distilled a few principles:
- Whenever data is external input, verify it thoroughly, so that what is processed and returned matches what is expected.
- Keep unnecessary external interaction in the code to a minimum.
- When handling errors, never send technical exception messages to the client, especially stack traces.
If even that is too much, keep just one phrase in mind: “Strict in, strict out.”
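“Strict in, strict out” applied to the first and third principles, as an added example that is not from the original post: a validator that accepts only what is expected, and a handler wrapper that keeps the traceback in the server log and sends the client only a generic message with a reference id. The endpoint, its parameters and the quantity limits are constructed for the example.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app")


def parse_quantity(raw):
    """Strict in: accept only an ASCII digit string in the range 1..100."""
    if not isinstance(raw, str) or not raw.isascii() or not raw.isdigit():
        raise ValueError("quantity must be digits")
    qty = int(raw)
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return qty


def safe_handler(func):
    """Strict out: the client gets a short generic message (and a reference id for
    unexpected failures); the full traceback goes only to the server log."""
    def wrapper(*args, **kwargs):
        try:
            return 200, func(*args, **kwargs)
        except ValueError:
            return 400, {"error": "invalid input"}
        except Exception:
            ref = uuid.uuid4().hex[:8]  # lets support find the matching log entry
            log.error("request %s failed:\n%s", ref, traceback.format_exc())
            return 500, {"error": "internal error", "ref": ref}
    return wrapper


@safe_handler
def lookup(params):
    """Example endpoint: validate the quantity and echo it back.
    A missing 'qty' raises KeyError, which the wrapper turns into a generic 500."""
    return {"qty": parse_quantity(params["qty"])}


if __name__ == "__main__":
    print(lookup({"qty": "5"}))          # (200, {'qty': 5})
    print(lookup({"qty": "5; DROP"}))    # (400, {'error': 'invalid input'})
    print(lookup({}))                    # (500, {...}) with no KeyError text
```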