
Using JS detection, is your web system really safe?


Is your Web system really safe?

A dike of a thousand miles collapses because of an ant hole.

In a Web system, a small vulnerability can often have extremely serious consequences. Web security is therefore an issue every system must consider during design, development, operation and maintenance.

Today, the defensive measures taken by many Web systems tend to be basic and simple, often targeting only common security vulnerabilities such as:

  • CSRF
  • XSS
  • SQL injection

and so on. These basic defenses are necessary and inexpensive to implement, but they are only the foundation of a system's security. Many developers think that doing these things is enough to cope with most situations. That idea is very dangerous. Beyond these well-known, standardized vulnerability classes, the business logic of each system is itself a likely target for attackers, and once it is found and broken the consequences are serious. Below we list some common business-logic loopholes, all of which I have run into while developing systems before. I hope they give everyone something to think about.

Session Credential Management Chaos

We all know that HTTP itself is stateless. To let the browser and server recognize and trust each other, most Web systems use an agreed credential, a "token". The token is generated after the user logs in and expires when the user actively logs out or after a period of time. In other words, if a request carries the corresponding token, the server reads the token and verifies it; if verification passes, the server trusts the request and executes the relevant business logic. A request that carries no token, or an invalid or expired one, is treated as illegal. This seems unproblematic, but the actual implementation may hide loopholes.

Let’s look at two examples:

1. When front-end developer Xiao Ming wrote the logic for the user's click on the "log out" button, he simply cleared the token value in the cookie or localStorage (tokens are generally stored in one of these two places) and did not send a request to the backend to expire the token there. The token's continued validity then contradicts the user's intention, and the risk at this point is very high: the user has logged out, but the token is still valid. If someone obtains and records the token by some means, they can replay the user's operations perfectly, such as changing user information or placing orders.

2. In the example above we noted that the token needs to expire; a reasonable expiration time effectively reduces risk. But the backend developer may be careless or have a shaky hand when setting the token expiration configuration and type an extra digit, or misunderstand the unit and supply a millisecond value where seconds are expected, so the expiration time ends up orders of magnitude too long. This is very dangerous for users who do not like to log out actively after logging in or who stay on the page for a long time: the token stays valid even when the user has not used it for a long time, and anyone who obtains it can do a lot of damage.

File upload verification failure

File upload is a common function in Web applications, such as uploading avatars or uploading files to a network drive. A malicious user may upload Trojans, viruses, malicious scripts and similar files. If such files are executed on the server, the consequences are serious. This attack is relatively low-cost and easy for attackers to exploit, and the more file types that may be uploaded, the larger the attack surface. Once a malicious program is uploaded successfully, it may be downloaded by other users and infect their computers when executed. It may also be executed on the server, letting the attacker take control of the server and causing service outages and data loss.

Normally the program checks the file type and only lets files we consider legal be uploaded to the server. In some Web programs, however, this check is done only on the front end and not on the back end. This creates an opportunity for attackers, who can easily modify the request to upload illegal files.

The correct approach is for the backend to check the file extension, perform MIME detection, limit the upload file size and apply similar restrictions. In addition, files can be stored on a server isolated from the business server, so that a malicious file cannot attack the business server and make the service unavailable.

Data Enumeration

When logging in, most systems check whether the user exists and then show a prompt such as "This mobile phone number is not registered". If this check is exposed as a separate interface, there is a risk of brute-force enumeration: an attacker can feed a phone-number list through the interface to identify which numbers are registered in the system, which then provides targets for brute-force password cracking in the next step.

For this problem, it is recommended to put the check inside the login verification interface and not return a specific prompt. You will see that well-made websites usually prompt "The mobile phone number is not registered or the password is wrong." Although this hurts the user experience a little, it is more secure.

Data writing replay

Take a forum post as an example: capture the request that creates the post with a packet-capture tool and replay it with the same tool, and you will find two identical posts in the post list. This is a replay attack. If the replay rate is increased, not only is a lot of junk data generated in the system, but the frequent writes also put huge pressure on the business database.

For requests with replay risk, it is recommended to add a request-frequency limit. For example, compare the timestamps of two consecutive requests and accept the second only when the interval between them exceeds a chosen threshold.
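An added example (not the article's code) of a write guard in Node.js that implements the timestamp interval the text describes and goes one step further: each write carries a client nonce that the server accepts only once, so an exact replay of a captured request is rejected even if it arrives after the interval has passed. The request shape `{ userId, action, nonce, timestamp }`, the 2-second interval and the 5-minute freshness window are assumptions for the example; `now` is injectable so the behaviour can be tested without waiting.

```javascript
// Added example, not part of the original article.
// Replay and frequency guard for state-changing requests.
class WriteGuard {
  constructor({ minIntervalMs = 2000, nonceTtlMs = 5 * 60 * 1000 } = {}) {
    this.minIntervalMs = minIntervalMs; // minimum spacing between writes of one kind by one user
    this.nonceTtlMs = nonceTtlMs;       // how long a request timestamp/nonce is considered fresh
    this.lastWrite = new Map();         // "userId:action" -> time of the last accepted write
    this.seenNonces = new Map();        // nonce -> expiry time
  }

  // Returns { accepted: true } or { accepted: false, reason }.
  check({ userId, action, nonce, timestamp }, now = Date.now()) {
    // 1. Freshness: a request whose timestamp is far from server time is a stale capture (or a bad clock).
    if (typeof timestamp !== "number" || Math.abs(now - timestamp) > this.nonceTtlMs) {
      return { accepted: false, reason: "stale" };
    }

    // 2. One-time nonce: an exact replay of a captured request reuses the nonce and is dropped.
    this.gc(now);
    if (typeof nonce !== "string" || nonce.length === 0) return { accepted: false, reason: "nonce" };
    if (this.seenNonces.has(nonce)) return { accepted: false, reason: "replay" };

    // 3. Frequency limit: the interval check the text suggests, keyed per user and action.
    const key = `${userId}:${action}`;
    const last = this.lastWrite.get(key);
    if (last !== undefined && now - last < this.minIntervalMs) {
      return { accepted: false, reason: "too_fast" };
    }

    // Only record state for accepted requests, so a rejected attempt does not consume the nonce.
    this.seenNonces.set(nonce, now + this.nonceTtlMs);
    this.lastWrite.set(key, now);
    return { accepted: true };
  }

  // Drop nonces past their freshness window; the set stays bounded by traffic in that window.
  gc(now) {
    for (const [n, expiresAt] of this.seenNonces) {
      if (expiresAt <= now) this.seenNonces.delete(n);
    }
  }
}

module.exports = { WriteGuard };
```

Bounding the nonce set by the freshness window is what makes step 2 affordable: the server only has to remember nonces for as long as step 1 would accept their timestamp anyway. In a multi-instance deployment both maps would live in a shared store such as Redis rather than in process memory.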

Permission vulnerability

Permission verification is a basic function of a Web system. Take a company organizational-structure management system that lets users modify department names and department managers: adding permission verification effectively prevents users from modifying, through these functions, information they have no right to change. Such systems certainly implement permission verification, but is it actually implemented correctly?

Suppose we stipulate that a user must satisfy two conditions to modify a department name: having super-administrator authority and belonging to department A. In actual code, developers often check only whether the user is a super administrator and do not check whether the user belongs to the department. In that case a super-administrator account from department B can modify the name of department A, which is a modification beyond its authority and obviously not the result we expect. Even if the super administrator of department B cannot find an entry point on the interface for modifying department A's name, they can still capture the request and modify its parameters.

Besides unauthorized modification, there is of course also unauthorized viewing. We certainly do not expect the super administrator of department A to be able to see department B's information, right?

It is recommended that your system strictly checks and restricts each user's access rights according to their role.

Security is no small matter. As mentioned at the beginning, any vulnerability may deal a devastating blow, and I hope everyone pays attention to it. Beyond business design, we should also pay attention to code review to avoid low-level vulnerabilities introduced during implementation.

The above are just a few of many security vulnerabilities. For the more serious Web application security risks, please refer to the OWASP Top 10 2017: www.owasp.org.cn/owasp-proje…


Statement
This article is reproduced from juejin. If there is any infringement, please contact admin@php.cn for deletion.