Related learning recommendations: javascript
Your Web Is the system really safe?
The embankment of a thousand miles collapsed in an ant nest.
In the Web system, a small vulnerability can often cause extremely serious consequences. Therefore, Web security is an issue that every system must consider during the design, development, operation and maintenance.
Nowadays, the defensive measures taken by many Web systems are biased toward basic and simple, often only targeting common security vulnerabilities, such as:
- Csrf
- XSS
- Sql injection
and so on. These basic defensive measures are necessary and are not expensive to implement, but they are only the basic part of system security defense. Many developers think that doing these things is enough to cope with most situations. This idea is very dangerous. In fact, in addition to these basic and standardized vulnerabilities, the business logic of each business system itself is also likely to become the target of hacker attacks. Once caught and broken, the consequences will be very serious. Below we will list some common business logic loopholes. These loopholes have also been encountered when developing systems before. I hope they can inspire everyone.
Session Credential Management Chaos
We all know that HTTP itself is stateless. In order to allow the browser and server to know each other's identities and trust each other, most web systems use "tokens" This is implemented using agreed credentials. The token will be generated after the user logs in, and will expire when the user actively logs out or after a period of time. That is to say, if the request brings the corresponding token, then the server can get the token and perform corresponding verification. If the verification passes, it will trust the request and execute the relevant business logic. If it does not bring it, it will bring an illegal or expired one. is considered illegal. This doesn't seem to be a problem, but there may be hidden loopholes in the actual implementation.
Let’s look at two examples:
1. When front-end developer Xiao Ming wrote the logic for the user to click the exit button, he simply cleared the token value in the cookie or localstorage (the token is generally stored in These two places), and did not initiate a request to the backend to let the token expire in the business. Then the validity of this token essentially goes against the user's intention, and there is a very high risk at this time. When the user spontaneously exits, the token is still valid. If the token is obtained and recorded by others in some way, he can perfectly play back the operations performed by the user, such as changing user information, placing orders, etc.
2. In the above example, we mentioned that the token needs to be set to expire. A reasonable expiration time can effectively reduce risks. But the backend development guy may be dazzled and his hands are shaking when setting the token expiration configuration, and enter an extra digit, or he may misunderstand the unit and use MS-level values for S-level units, then the expiration time will be set The order is very long. It is very dangerous for users who do not like to actively log out after logging in or who stay on the page for a long time. The token is still valid even if the user does not use it for a long time. If someone else gets the token, they can do a lot of bad things.
Verification failure
File uploading should be a common function in web applications, such as uploading avatars, uploading files to network disks, etc. Malicious users may upload Trojans, viruses, malicious scripts and other files when uploading. If such files are executed on the server, they will have serious consequences. This attack method is relatively low-cost and relatively easy to be exploited by attackers. The more file types that are allowed to be uploaded, the greater the potential for attack. When the malicious program is successfully uploaded, it may be downloaded by the user and poisoned after being executed on the user's computer. Malicious programs may also be executed on the server, causing the server to be controlled, resulting in server paralysis and data loss.
Under normal circumstances, the program will judge the file type and only allow files that we think are legal to be uploaded to the server. However, in some web programs, this judgment is only made on the front end and not on the back end. This creates opportunities for attackers, who can easily modify requests to upload illegal files.
The correct approach should be for the backend to perform file extension judgment, MIME detection, and limit upload file size and other restrictions to defend against it. In addition, files can be saved on a server isolated from the business to prevent malicious files from attacking the business server and causing service unavailability.
Data Enumeration
When logging in to the system, most systems will determine whether the user exists when the user logs in, and then give a prompt "This mobile phone number is not registered". If this logic is done using a separate interface, there is a risk of brute force enumeration. An attacker can use this interface to use the mobile phone number library to perform request enumeration and identify which mobile phone numbers have been registered in the system, which will provide opportunities for brute force password cracking in the next step.
Regarding this problem, it is recommended to put this judgment in the login verification interface and not return a clear prompt. You will see that on well-made websites, it will usually prompt "The mobile phone number is not registered or the password is wrong." Although this compromises the user experience, it is also more secure.
Data writing replay
Take a forum post as an example, use a packet capture tool to capture the request process of the forum post, and replay the process through the tool, you will find that the post list appears Two identical posts, this is a replay attack. If the replay frequency is accelerated, not only will a lot of junk data be generated in the system, but frequent writing will also put huge pressure on the business database.
For such requests with replay risks, it is recommended to add a request frequency limit. For example, you can determine the timestamps of two requests and set them to be valid if they are greater than a certain time value.
Permission vulnerability
Permission verification is a basic function of the Web system, such as a company organizational structure management system, which provides the function of modifying department names and department managers. Adding permission verification can effectively prevent any user from modifying information that he does not have permission to use through these functions. Permission verification will definitely be implemented in such systems, but is it actually implemented correctly?
Suppose we stipulate that a user in the system needs to meet two conditions: having super management authority and belonging to department A in order to modify the department name. Often in actual code implementation, developers only determine whether the user is a super administrator, but do not determine whether the user belongs to the department. In this case, we can use the super management account of department B to modify the name of department A, which is equivalent to modifying it beyond the authority. This is obviously not the result we expect. Even if the super-administrator user of Department B cannot find the entrance to modify the department name of Department A on the interface, they can still modify the parameters by grabbing the request.
In addition to unauthorized modification, of course, you can also view it beyond your authority. We certainly don’t expect the super manager of department A to be able to see the department information of department B, right?
It is recommended that your system strictly checks and restricts user access rights to roles.
Security is no small matter. As mentioned at the beginning, any vulnerability may bring devastating blows. I hope everyone will pay attention to it. Not only should we pay attention to business design, but we should also pay attention to code review to avoid low-level vulnerabilities caused by implementation.
The above are just a few of the many security vulnerabilities. For more serious web application security risks, please refer to the Top 10 security issues released in OWASP Top 10 2017. www.owasp.org.cn/owasp-proje…
The above is the detailed content of Using JS detection, is your web system really safe?. For more information, please follow other related articles on the PHP Chinese website!

Detailed explanation of JavaScript string replacement method and FAQ This article will explore two ways to replace string characters in JavaScript: internal JavaScript code and internal HTML for web pages. Replace string inside JavaScript code The most direct way is to use the replace() method: str = str.replace("find","replace"); This method replaces only the first match. To replace all matches, use a regular expression and add the global flag g: str = str.replace(/fi

This tutorial shows you how to integrate a custom Google Search API into your blog or website, offering a more refined search experience than standard WordPress theme search functions. It's surprisingly easy! You'll be able to restrict searches to y

This article series was rewritten in mid 2017 with up-to-date information and fresh examples. In this JSON example, we will look at how we can store simple values in a file using JSON format. Using the key-value pair notation, we can store any kind

So here you are, ready to learn all about this thing called AJAX. But, what exactly is it? The term AJAX refers to a loose grouping of technologies that are used to create dynamic, interactive web content. The term AJAX, originally coined by Jesse J

Enhance Your Code Presentation: 10 Syntax Highlighters for Developers Sharing code snippets on your website or blog is a common practice for developers. Choosing the right syntax highlighter can significantly improve readability and visual appeal. T

Leverage jQuery for Effortless Web Page Layouts: 8 Essential Plugins jQuery simplifies web page layout significantly. This article highlights eight powerful jQuery plugins that streamline the process, particularly useful for manual website creation

Core points This in JavaScript usually refers to an object that "owns" the method, but it depends on how the function is called. When there is no current object, this refers to the global object. In a web browser, it is represented by window. When calling a function, this maintains the global object; but when calling an object constructor or any of its methods, this refers to an instance of the object. You can change the context of this using methods such as call(), apply(), and bind(). These methods call the function using the given this value and parameters. JavaScript is an excellent programming language. A few years ago, this sentence was

This article presents a curated selection of over 10 tutorials on JavaScript and jQuery Model-View-Controller (MVC) frameworks, perfect for boosting your web development skills in the new year. These tutorials cover a range of topics, from foundatio


Hot AI Tools

Undresser.AI Undress
AI-powered app for creating realistic nude photos

AI Clothes Remover
Online AI tool for removing clothes from photos.

Undress AI Tool
Undress images for free

Clothoff.io
AI clothes remover

AI Hentai Generator
Generate AI Hentai for free.

Hot Article

Hot Tools

ZendStudio 13.5.1 Mac
Powerful PHP integrated development environment

SAP NetWeaver Server Adapter for Eclipse
Integrate Eclipse with SAP NetWeaver application server.

EditPlus Chinese cracked version
Small size, syntax highlighting, does not support code prompt function

DVWA
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is very vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to help teachers/students teach/learn in a classroom environment Web application security. The goal of DVWA is to practice some of the most common web vulnerabilities through a simple and straightforward interface, with varying degrees of difficulty. Please note that this software

Atom editor mac version download
The most popular open source editor
