SQL Inject

principle ：

utilize Web Security loopholes in the processing of background database query statements , The attacker submits a carefully constructed database query code , Based on the returned results , Get the data he wants to know
Affected systems ： A system that does not check and filter input parameters

common SQL Injection process ：
1. Modify parameter values and other data , The modified data is injected into SQL In the sentence
2. The database engine executes the modified SQL command , Return the result
3. Construct statements based on the returned sensitive information for further injection

example ：

Cross-site scripting attacks （XSS）

principle ：
Web The server did not validate the user input , And easily return to the client
The attacker went to Web Malicious insert in the page html Code , When a user views the web page , The malicious code embedded in it is executed

harm ：
You can steal user accounts , Modify user settings , Stealing / Pollution cookie, Make false advertisement , Check the host information

Attack steps ：
1. Looking for loopholes
2. Inject malicious code
3. Trick users into accessing

Cross-site request forgery （CSRF）

principle ：
The target site A, Malicious websites B

The file contains a vulnerability

When using this 4 When a function contains a new file , This document will serve as php Code execution ,php The kernel doesn't care about the type of file that should be included

Verification code technology

It is used to distinguish between man and machine , It's defense http A means of attack

summary

Threats to clients and servers ：

defense Web attack ：

The server ：
1. simplicity , It's best to remove unnecessary services
2. Use super users with caution
3. Local and remote access control
4. Audit , Look for suspicious data in the audit records
5. Backup policy , It is convenient to quickly restore services to reduce losses

client ：
1. Set the security of the browser , Use browsers with fewer vulnerabilities , Upgrade the browser frequently
2. Often patch the operating system 、 upgrade
3. Try not to open some untrusted websites

The same-origin policy ：