Web security -- core defense mechanism
2022-07-02 08:28:00 【Defeat of Fujiwara Qianhua】
Core defense mechanism
Preface
The basic security problem of web applications is that all user input is untrusted. Defending against attacks therefore requires a large number of security mechanisms, which are built from the following core elements:
- Access control
- Filtering / restricting input
- Monitoring (of normal indicators)
- Security products (WAF)
The vast majority of a typical application's attack surface is also made up of these same mechanisms; that is, attackers exploit vulnerabilities by taking advantage of defects in them. Let us now look at each security mechanism in turn.
1. Access control
Most web applications use three interrelated layers of security mechanisms to handle user access:
- Authentication
- session management
- Access control (enforcement)
Authentication
The authentication mechanism is the most basic mechanism an application uses to handle user access. Authenticating a user means determining the user's true identity. Today most web applications use the traditional authentication model: the user is asked to submit a username and password, and the application verifies them to confirm that they are legitimate.
Session management
After logging in to the application successfully, the user visits various pages and functions, sending a series of HTTP requests from the browser. At the same time, the server receives countless requests from many different users. To enforce effective access control, the application needs to identify and process the various requests submitted by each individual user.
To meet this need, almost all web applications establish a session for each user and issue the user a token that identifies the session. The session itself is a set of data structures stored on the server, used to track the state of the interaction between the user and the application. The token is a unique string that the application maps to the session (for example, carried in a cookie). Once the user has received a token, the browser returns it to the server in subsequent HTTP requests, which lets the application associate each request with the user.
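The token-to-session mapping described above, as an added illustration that is not code from the page or the book it summarises. The cookie name `sid`, the 30-minute idle timeout and the in-memory store are assumptions; the point is that the browser only ever holds an unguessable token, while the session state stays on the server.

```python
import secrets
import time
from http.cookies import SimpleCookie
from typing import Optional

# Constructed example; SESSION_TTL and the cookie name are assumed values.
SESSION_TTL = 1800            # seconds of inactivity before a session is discarded
_sessions = {}                # token -> server-side session data structure

def create_session(user_id: str) -> str:
    """Create a server-side session and return the opaque token mapped to it."""
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not guessable
    _sessions[token] = {"user": user_id, "last_seen": time.time()}
    return token

def session_cookie_header(token: str) -> str:
    """Build the Set-Cookie header that hands the token to the browser.
    HttpOnly keeps page scripts away from it, Secure keeps it off plain HTTP,
    SameSite limits it being sent on cross-site requests."""
    c = SimpleCookie()
    c["sid"] = token
    c["sid"]["httponly"] = True
    c["sid"]["secure"] = True
    c["sid"]["samesite"] = "Lax"
    c["sid"]["path"] = "/"
    return c.output(header="Set-Cookie:")

def resolve_session(cookie_header: str, now: Optional[float] = None) -> Optional[dict]:
    """Map the token the browser sends back in the Cookie header to its session.
    Returns None for a missing, unknown or expired token."""
    now = time.time() if now is None else now
    c = SimpleCookie()
    c.load(cookie_header)
    if "sid" not in c:
        return None
    token = c["sid"].value
    sess = _sessions.get(token)
    if sess is None:
        return None
    if now - sess["last_seen"] > SESSION_TTL:
        del _sessions[token]            # expired: drop it so the token cannot be reused
        return None
    sess["last_seen"] = now
    return sess

def destroy_session(token: str) -> None:
    """Logout: invalidating the server-side state makes the cookie meaningless."""
    _sessions.pop(token, None)
```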
Access control
2. Processing user input
Basic security problem: all user input is untrusted. A great many different attacks against web applications involve submitting malformed input. Input validation is therefore a necessary means of defending against these attacks.
Input handling approaches
- Reject known bad input (blacklisting)
- Accept known good input (whitelisting)
- Sanitization (input handling, encoding, escaping)
- Safe data handling (secure programming practices: use correct parameterized queries for database access, and avoid unsafe application function design)
- Semantic checks (validation)
Boundary validation
Each individual component or functional unit of the server-side application treats its input as coming from a potentially malicious source. Beyond the external boundary between client and server, the application performs data validation at each of these internal trust boundaries. Consider a login sequence:
(1) The application receives the user's login information. The form handler confirms that each input contains only permitted characters, meets the specific length restrictions, and does not contain known attack signatures.
(2) The application executes a SQL query to verify the user's credentials. To prevent SQL injection, before executing the query the application escapes any characters in the user input that could be used to attack the database.
(3) If the login succeeds, the application passes some of the user's data to a SOAP service to retrieve further information about the user's account. To prevent SOAP injection, XML metacharacters must be properly encoded.
(4) The application displays the user's account information in the user's browser. To prevent cross-site scripting, the application HTML-encodes any user-submitted data embedded in the returned page.
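The four boundaries of the login sequence above, together with the input handling approaches listed earlier (whitelisting, parameterized queries, encoding), as one added example; it is not code from the page or the book. The sqlite schema, the SOAP body shape, the field names and the `HASH_PLACEHOLDER` value are assumptions, and boundary 2 uses the parameterized query the page recommends rather than character escaping.

```python
import re
import sqlite3
import html
from xml.sax.saxutils import escape as xml_escape

# Constructed example: schema, SOAP shape and names are assumed, not from the page.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")   # whitelist: allowed chars + length

def validate_login_form(username, password):
    """Boundary 1: the form handler accepts only known-good input
    (whitelisted characters, length limits) and rejects everything else."""
    if not USERNAME_RE.fullmatch(username):
        return False
    if not (8 <= len(password) <= 128):
        return False
    return True

def lookup_user(conn, username, password_hash):
    """Boundary 2: the database receives the input only as bound parameters,
    never spliced into the SQL text, so quotes in it cannot alter the query."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND pw_hash = ?",
        (username, password_hash),
    ).fetchone()
    return None if row is None else row[0]

def build_soap_request(username):
    """Boundary 3: before the username is placed inside XML for the SOAP service,
    the metacharacters < > & are encoded so it cannot inject elements."""
    return ("<soap:Body><getAccount><user>%s</user></getAccount></soap:Body>"
            % xml_escape(username))

def render_account_page(display_name):
    """Boundary 4: user-controlled data is HTML-encoded before it is embedded in
    the returned page, so the browser shows it as text, not markup."""
    return "<p>Welcome, %s</p>" % html.escape(display_name, quote=True)

def setup_demo_db():
    """Constructed in-memory database with one account; the hash is a placeholder."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', 'HASH_PLACEHOLDER')")
    return conn
```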
Source
The Web Application Hacker's Handbook (Chinese edition, 《黑客攻防技术宝典 Web实战篇》)