The following are some common website security vulnerabilities and their fixes. Let's take a look at them.
1. Blind SQL injection
Solution: Add filtering
2. SQL injection
Solution: Modify the underlying code to use parameterized queries
3. IIS file and directory enumeration / directory listing
Solution: Disable directory browsing
4. WebDAV directory traversal
Solution: http://www.45it.com/net/201208/31779.htm
5. __VIEWSTATE is not encrypted
Solution: In
6. File backup vulnerability
Solution: Do not place file backups in the web root directory (for example http://.../web.rar); backup files must be placed in another directory.
7. HTTP.sys remote code execution vulnerability
Vulnerability: Microsoft Windows HTTP.sys remote code execution vulnerability (CVE-2015-1635) (MS15-034)
Solution: Install the Microsoft patch package (http://www.gltc.cn/47506.html)
8. Vulnerable JavaScript library
Vulnerability: Vulnerable JavaScript library
Solution: Update the JavaScript library
9. Short file name vulnerability
Solution: https://segmentfault.com/a/1190000006225568
If that does not work, use the following method:
https://www.cnblogs.com/xiaozi/p/5587039.html
If it is IIS 7 but request filtering is not present, install it manually:
https://yq.aliyun.com/ziliao/120062
Add the line shown in the red box at the location shown.
Note that the default is AllowDotInPath=0; change it to AllowDotInPath=1, otherwise some function lists cannot be loaded.
10. Microsoft IIS Duplicate Parameter Request Denial of Service Vulnerability (MS10-065)
The script processing code in IIS has a stack overflow vulnerability when handling requests with duplicate parameters. A remote attacker can exploit it by sending a specially crafted URI request to an ASP page hosted by IIS, causing the service to crash.
Solution: http://zerobox.org/bug/2716.html
11. IIS Duplicate Parameter Request Denial of Service Vulnerability (CVE-2010-1899)
Note: It appears the server already has a security protection in place. Even after installing patches and performing the other operations to fix this vulnerability, the school's security rules are still there and will block requests carrying parameters with the same or similar names. Here the link.axd request passed normally.
12. AppScan fixes vulnerability: insecure HTTP methods enabled
http://www.cnblogs.com/lyuec/p/4245175.html
Disable WebDAV
In IIS, disable the WebDAV function under the extended features. This blocks dangerous methods such as DELETE, SEARCH, COPY, MOVE, PROPFIND, PROPPATCH, MKCOL, LOCK, UNLOCK and PUT.
https://technet.microsoft.com/zh-cn/library/security/ms10-070.aspx
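As an added example that is not part of the original article, the following web.config fragment applies the fixes from items 3, 6, 9 and 12 above using IIS 7+ request filtering; the backup extensions it denies (.rar, .zip, .bak) are assumed examples, and the module and handler names are the standard IIS ones.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <!-- Item 3: turn off directory listing so folder contents cannot be enumerated -->
    <directoryBrowse enabled="false" />

    <!-- Item 12: remove the WebDAV module and handler so PROPFIND, MKCOL, PUT, etc. are never served -->
    <modules>
      <remove name="WebDAVModule" />
    </modules>
    <handlers>
      <remove name="WebDAV" />
    </handlers>

    <security>
      <requestFiltering>
        <!-- Item 12: deny the dangerous verbs explicitly, so they stay blocked even if WebDAV is re-enabled -->
        <verbs allowUnlisted="true">
          <add verb="DELETE"    allowed="false" />
          <add verb="SEARCH"    allowed="false" />
          <add verb="COPY"      allowed="false" />
          <add verb="MOVE"      allowed="false" />
          <add verb="PROPFIND"  allowed="false" />
          <add verb="PROPPATCH" allowed="false" />
          <add verb="MKCOL"     allowed="false" />
          <add verb="LOCK"      allowed="false" />
          <add verb="UNLOCK"    allowed="false" />
          <add verb="PUT"       allowed="false" />
        </verbs>

        <!-- Item 6: refuse to serve archive/backup extensions if one is left in the web root (assumed list) -->
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".rar" allowed="false" />
          <add fileExtension=".zip" allowed="false" />
          <add fileExtension=".bak" allowed="false" />
        </fileExtensions>

        <!-- Item 9: reject any URL containing "~", which short (8.3) file name probing relies on -->
        <denyUrlSequences>
          <add sequence="~" />
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Denying "~" only blocks the probe; the 8.3 names still exist on disk, so the durable fix is to disable 8.3 name creation on the volume and recreate the web content so no short names remain.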
The above is the detailed content of "Solutions to common website security vulnerabilities". For more information, please follow other related articles on the PHP Chinese website.