
Share solutions to several common web security risks

王林
2021-03-01 10:44:49


The following are several common web security problems and solutions. I hope they can be helpful to everyone.

1. Cross Site Scripting

Solution

XSS occurs because data entered by the user ends up being treated as code, so user input must be HTML-escaped: special characters such as angle brackets, single quotes, and double quotes are escaped and encoded.

2. SQL injection

When an error is reported, try to show an error page in place of the stack trace information.

3. Cross-Site Request Forgery (CSRF)

Solution

(1) Set the cookie to HttpOnly

server.xml is configured as follows

<Context docBase="项目" path="/netcredit" reloadable="false" useHttpOnly="true"/>

web.xml is configured as follows


(2) Add token

Add a hidden token field to the form. The field is submitted together with the form, and the server verifies the token.

(3) Identify the request source through the Referer

According to the HTTP protocol, the HTTP header contains a field called Referer, which records the source address of the HTTP request. To carry out a CSRF attack, an attacker has to forge the request from another site. When a user sends a request through another website, the Referer value of that request is the URL of the other website. Therefore, the Referer value can be verified for each request.


4. File upload vulnerability

Users often upload pictures and files to a server for storage. If the uploaded files are not verified correctly, malicious attackers can upload viruses, Trojans, plug-ins, etc. to the server, steal server information, and even cause the server to crash.

Therefore, the uploaded files need to be verified. The first few bytes of many file formats are fixed, so the type of a file can be determined from the contents of these bytes. These few bytes are also called magic numbers.

Set a file type whitelist
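The magic-number check and type whitelist described above can be combined as in the following added example, which is not code from the original article. The accepted types, the extension mapping, the function names and the sample byte strings are assumptions chosen for illustration.

```python
import os

# Magic numbers (fixed leading bytes) for the types this endpoint accepts.
# The whitelist is an assumption for the example: common images and PDF.
MAGIC_WHITELIST = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
# File extensions permitted for each detected type.
EXTENSIONS = {
    "jpeg": {".jpg", ".jpeg"},
    "png": {".png"},
    "gif": {".gif"},
    "pdf": {".pdf"},
}


def detect_type(head: bytes):
    """Return the whitelisted type whose magic number starts `head`, else None."""
    for kind, signatures in MAGIC_WHITELIST.items():
        if any(head.startswith(sig) for sig in signatures):
            return kind
    return None


def validate_upload(filename: str, content: bytes):
    """Return (accepted, detail); the client-supplied name is never trusted alone."""
    kind = detect_type(content[:16])
    if kind is None:
        return False, "content matches no whitelisted magic number"
    ext = os.path.splitext(filename)[1].lower()
    if ext not in EXTENSIONS[kind]:
        return False, f"extension {ext!r} does not fit detected type {kind}"
    return True, kind


# Constructed sample uploads (byte strings made up for this example).
SAMPLES = [
    ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),   # genuine PNG header
    ("avatar.jpg", b"MZ\x90\x00" + b"\x00" * 12),        # executable renamed to .jpg
    ("notes.exe", b"GIF89a" + b"\x00" * 10),             # GIF bytes, wrong extension
    ("report.pdf", b"%PDF-1.7\n"),                       # genuine PDF header
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(name, validate_upload(name, data))
```

A matching magic number only shows how the file begins, so it is a necessary check rather than a sufficient one. Store accepted files under a server-generated name in a location the web server does not execute from.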


Statement: This article is reproduced from cnblogs.com.