Web security -- core defense mechanism
2022-07-02 08:28:00 【Defeat of Fujiwara Qianhua】
Core defense mechanism
Preface
The fundamental security problem of web applications is that all user input is untrusted, so a large number of security mechanisms are needed to defend against attacks. These mechanisms are built from the following core elements:
- Access control
- Filtering / restricting input
- Monitoring (indicators of normal behaviour)
- Security products (WAF)
The vast majority of a typical application's attack surface also consists of these same mechanisms: attackers exploit vulnerabilities by taking advantage of defects in them. Let us now look at each security mechanism in turn.
I. Access control
Most web applications use three interrelated layers of security mechanisms to handle user access:
- Authentication
- Session management
- Access control (implementation)
Authentication
The authentication mechanism is the most basic mechanism an application uses to handle user access. Authenticating a user means determining the user's true identity. Today, most web applications use the traditional authentication model: the user is required to submit a username and password, which the application then verifies to confirm that they are legitimate.
Session management
After successfully logging in to the application, a user accesses various pages and functions, sending a series of HTTP requests from the browser. At the same time, the server receives countless requests from many different users. To implement effective access control, the application needs to identify and handle the requests submitted by each individual user.
To meet this need, almost all web applications establish a session for each user and issue the user a token that identifies the session. The session itself is a set of data structures stored on the server, used to track the state of the interaction between the user and the application. The token is a unique string that the application maps to the session (for example, a cookie). Once the user has received a token, the browser returns it to the server in subsequent HTTP requests, which lets the application associate each request with the user.
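A minimal server-side session store that follows the model just described, added here as an example (not code from the post or the book); the cookie name, the 30-minute idle timeout and the in-memory dictionary are assumptions for illustration:

```python
import secrets
import time

# Added example: the session state lives on the server; the browser only ever
# holds an opaque random token that the application maps back to that state.

SESSION_TTL_SECONDS = 30 * 60   # assumed idle timeout
_sessions = {}                  # token -> session dict (server-side state)


def create_session(username):
    """Issue a new session for a user who has just authenticated.

    The token is 32 random bytes from the OS CSPRNG, so it cannot be guessed
    or derived from the username, the time, or any earlier token.
    """
    token = secrets.token_urlsafe(32)
    now = time.time()
    _sessions[token] = {"user": username, "created": now, "last_seen": now}
    return token


def cookie_header(token):
    """Set-Cookie header handing the token to the browser (cookie name assumed).
    HttpOnly keeps page scripts from reading it; Secure restricts it to HTTPS."""
    return f"Set-Cookie: SESSIONID={token}; HttpOnly; Secure; SameSite=Lax; Path=/"


def lookup_session(token, now=None):
    """Map a token presented in a request back to its session.

    Returns None for unknown tokens and for sessions idle longer than the TTL;
    expired sessions are purged so a stale token cannot be replayed later.
    """
    now = time.time() if now is None else now
    session = _sessions.get(token)
    if session is None:
        return None
    if now - session["last_seen"] > SESSION_TTL_SECONDS:
        del _sessions[token]
        return None
    session["last_seen"] = now
    return session


def destroy_session(token):
    """Logout: drop the server-side state so the token no longer identifies anyone."""
    return _sessions.pop(token, None) is not None
```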
Access control
II. Processing user input
The basic security problem: all user input is untrusted. A large number of different attacks against web applications involve submitting malformed input. Input validation is a necessary means of defending against these attacks.
Input processing methods
- Reject known bad input: the blacklist
- Accept known good input: the whitelist
- Sanitization: input handlers, encoding, escaping
- Safe data handling: secure programming practices (database access uses properly parameterized queries; avoid unsafe application function designs)
- Syntax checks: validation
Boundary validation
Each individual component or functional unit of the server-side application treats its input as coming from a potentially malicious source. Beyond the external boundary between the client and the server, the application performs data validation at each of the following trust boundaries.
(1) The application receives the user's login information. The form handler confirms that each input contains only legal characters, meets specific length restrictions, and does not contain known attack signatures.
(2) The application executes a SQL query to verify the user's credentials. To prevent SQL injection, before executing the query the application escapes any characters in the user input that could be used to attack the database.
(3) If the user logs in successfully, the application then passes some of the user's data to a SOAP service to retrieve further information about the user's account. To prevent SOAP injection, XML metacharacters must be properly encoded.
(4) The application displays the user's account information in the user's browser. To prevent cross-site scripting attacks, the application HTML-encodes any user-submitted data embedded in the returned page.
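The four trust boundaries above, and the input-processing methods listed earlier (whitelist, parameterized queries, encoding), worked through in one added example that is not code from the post or the book. The table layout, the in-memory SQLite store, the SOAP message shape and the password-hash handling are illustrative assumptions; a real credential check would hash and compare the password properly.

```python
import html
import re
import sqlite3
from xml.sax.saxutils import escape as xml_escape

# Added example: one check per trust boundary. Boundary (2) uses a parameterized
# query rather than escaping, which is the "safe data handling" method above.

USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")   # whitelist: charset and length


def validate_login_form(username, password):
    """Boundary (1): the form handler accepts only well-formed fields.
    Returns a list of problems; an empty list means the input passed."""
    problems = []
    if not USERNAME_RE.fullmatch(username):
        problems.append("username: disallowed characters or bad length")
    if not (8 <= len(password) <= 128):
        problems.append("password: length out of range")
    return problems


def open_user_db():
    """Constructed in-memory database standing in for the real credential store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw_hash TEXT, account_id TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice', 'A-1')")
    return db


def check_credentials(db, username, pw_hash):
    """Boundary (2): a parameterized query keeps the input as data, never SQL syntax.
    Hashing of the submitted password is assumed to have happened already."""
    row = db.execute(
        "SELECT account_id FROM users WHERE name = ? AND pw_hash = ?",
        (username, pw_hash),
    ).fetchone()
    return row[0] if row else None


def build_soap_request(account_id):
    """Boundary (3): XML metacharacters in the data are encoded before the SOAP call."""
    return f"<GetAccount><id>{xml_escape(account_id)}</id></GetAccount>"


def render_account_page(display_name):
    """Boundary (4): HTML-encode data echoed into the response page."""
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"
```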
Source
The Web Application Hacker's Handbook (Chinese edition)