Defense measures for common vulnerabilities

0x01 Injection attack

Risk statement

In the following cases , Applications are vulnerable ：

• The application does not validate 、 Filter or clean the data provided by users .

• Dynamic queries or nonparametric calls without context aware escape are used directly in the interpreter .

• Malicious data is mapped in object relation （ORM） Search parameters are used to extract additional sensitive records .

• Malicious data is directly used or connected . SQL Or the command contains dynamic queries 、 Structures and malicious data in commands or stored procedures .

  Some of the more common injections include ： SQL、 NoSQL、 OS command 、 Object relation mapping （ORM） 、 LDAP And expressions Language （EL） Or object graph navigation library （OGNL） Inject . This concept is the same in all parsers . Source code review is The best way to detect whether an application is vulnerable to injection attacks . For all parameters... Is strongly encouraged 、 title 、 URL、 cookies 、 JSON、 SOAP and XML Automatic test of data input . Organizations can CI/CD Introduce static... Into the pipeline （SAST） 、 dynamic （DAST） And interactive （IAST） Application security testing tools , To identify incoming injection defects before product deployment

Preventive measures

Preventing injection requires separating data from commands and queries ：

• The recommended option is to use safe API, This avoids using the interpreter entirely 、 Provide parameterized interfaces or migrate to object relationships Mapping tools （ORM） . Be careful ： Even parameterization , If PL/SQL or T-SQL Connect queries to data , Or use EXECUTE IMMEDIATE or exec （） Execute malicious data , Stored procedures can still be introduced SQL Inject .
• Use affirmations （positive） or “ White list ” Server side input validation . This is not a perfect defense , Because many applications The program requires special characters , For example, a text area in a mobile application or API.
• For any residual dynamic queries , Use the interpreter's specific escape syntax to escape special characters . Be careful ： SQL structure （ As shown in the table name 、 Name, etc ） Can't escape , Therefore, the structure name provided by the user is dangerous . This is a common problem in report writing software .
• Use in query LIMIT And others SQL Control , In order to prevent in SQL In the case of injection, a large number of disclosure records .

0x02 File upload vulnerability

Defense during system operation

1、 The directory for file upload is set to be non executable . as long as wb The container could not parse the files under this directory , Even if the attacker uploads the script file , The server itself will not be affected .

2、 Determine file type . When judging the file type , Can be used in combination ME Next yp、 Suffix check etc . In the document type check , White list is highly recommended , The blacklist approach has proved unreliable countless times . Besides , Processing of pictures , You can use a compression function or res state e function , Destroy what may be included in the image while processing it HTML Code .

3、 Use random number to overwrite file name and path . File upload if you want to execute code , You need users to be able to access this file . In some circumstances , Users can upload , But not accessible . If a random number is applied to overwrite the file name and path , Will greatly increase the cost of attack . And then it's like shel.php.rar.rar and crossdomain.xml This kind of document , Will be unable to attack because of rename .

4、 Set the domain name of the file server separately . Due to browser homology policy , A series of client attacks will fail , For example, upload crossdomain.xml、 Upload contains Javascript Of XSS Problems such as utilization will be solved .

5、 Use safety equipment to defend . The essence of file upload attack is to upload malicious files or scripts to the server , Professional security equipment defense , Such vulnerabilities are mainly detected through the upload and utilization of vulnerabilities and the upload process of malicious files . Malicious files are ever-changing , Concealment techniques also continue to push through the old and bring forth the new , For ordinary system administrators, they can help defend by deploying security devices .

Defense in the system development stage

For file upload vulnerabilities , It's better to strictly check the file name, file path and other items uploaded by users on the client and server . Although the check of the client can be bypassed by tools for attackers with better technology , But it can also block some basic temptations .

It is best to use the method of white list filtering for server-side inspection , This can prevent case and other methods from bypassing , At the same time %00 The truncation character is detected , Yes HTTP Baotou content-type And the size of uploaded files also need to be checked .

System maintenance phase

1、 After the system goes online, the operation and maintenance personnel should have a strong sense of safety , Actively use multiple security detection tools to scan the system , Identify potential vulnerabilities and fix them in time .

2、 Check the system log regularly ,Wb Server logs to find intrusion traces . Regularly pay attention to the update of the third-party plug-ins used by the system , If a new version is released, it is recommended to update it in time , If the third-party plug-in is exposed to security vulnerabilities, it should be repaired immediately .

3、 For websites that use open source code or use online frameworks for the whole website , In particular, pay attention to the self inspection of vulnerabilities and the update of software versions and patches , The upload function is not required and can be deleted directly . In addition to the maintenance of the system itself , The server should be reasonably configured , If it is not necessary to select a general directory, the execution permission should be removed , The upload directory can be configured as read-only .

0x03 Authentication session management

1、 Prevent fixed sessions
Generally speaking , Solving fixed sessions is fairly easy . The basic advice is ： Once the user logs in successfully , rewrite SessionlD.

2、 Protect your session token

• Protect Cookie
  Cookie There are two very important attributes ：secure and HttpOnly, Setting these two properties is important to protect your Cookie crucial .
• Provide ogoutI function
  The system will automatically expire the session according to the set time , A good application should provide a function , That is, the user can manually expire the current session , This is what we see on almost all websites logout: Button .

3、 Multifactor certification

• For many important systems , If only password is used as the only authentication means , In terms of safety, it will be slightly insufficient . So in order to enhance security , Most online banking and online payment platforms will adopt two factor authentication or multi factor authentication .
• Various authentication methods provided by Alipay
• In addition to the payment password , Mobile dynamic password 、 digital certificate 、 Payment shield 、 Third party certificates can be used for user authentication .
• These different certified phones can be combined with each other , Make the authentication process more secure .

4、 The identity authentication design is perfect

• Password length and complexity policy
  Password authentication is the most popular authentication method at present , The most important security consideration is the length of the password . A strong password makes it more difficult to guess manually or crack it violently .
• Implement a secure password recovery policy
  An application will provide password recovery .
• Important operations should be carried out through HTTPS transmission
  For important operations , Such as login 、 Change password, etc , Be sure to pass HTTPS transmitted . Implement a secure password recovery policy
• Authentication error messages and account locking
  Incorrect authentication error information may lead to dictionary attack or brute force cracking , So we should give a very common error message as far as possible . such as ： Login failed , Wrong user name or password .

0x04 Access control

Risk statement

Access control enforces policies , Make it impossible for users to operate beyond their expected permissions . Failure of access control usually leads to unauthorized information disclosure 、 Modify or destroy all data 、 Or perform business functions outside the user's authority . Common access control vulnerabilities include ：

• Violate the principle of least privilege or the principle of tacit rejection , That is, access should only be granted to specific capabilities 、 Role or user , But actually anyone can To visit .
• By modifying the URL （ Parameter tampering or forced browsing ）、 Internal application status or HTML page , Or use modification API Requested attack Tools to bypass access control checks .
• By providing a unique identifier （ Unsafe direct object reference ） Allow viewing or editing other people's accounts
• API No, right POST、PUT and DELETE Enforce access control .
• Privilege Promotion . Pretend to be a user without logging in or act as an administrator when logging in as a user .
• Metadata operations , For example, by playback or tampering JSONWeb token (JWT) To access the control token , Or manipulate cookie Or hide fields to Increase authority , Or abuse JWT invalid .
• CORS Misconfigured to allow unauthorized or untrusted API visit .
• An authenticated page that can only be seen when forced to browse as an unauthenticated user or access a privileged page as a standard user
  Noodles .

Defensive measures

Access control is only on the trusted server-side code or no server API Effective in , In this way, the attacker cannot modify the access control check or metadata .

• In addition to public resources , The default is “ Access denied ”.

• Use a one-time access control mechanism , And reuse them throughout the application , This includes minimizing cross source resource sharing (CORS) The emissary of use .

• Establish an access control model to enforce ownership records , Instead of simply accepting user created 、 Read 、 Any records updated or deleted .

• Special business application access restriction requirements should be enforced by the domain model .

• Ban Web Server directory list , And ensure that the file metadata （ for example ：.git） And backup files do not exist in Web In the root directory of .

• Log the failed access control , And alert the administrator when appropriate （ for example ： Repeated fault ）.

• Yes API And the access of the controller , To minimize the harm caused by automated attack tools .

• When the user logs off , The state session identifier on the server should be invalid . Stateless JWT The token should be short , So that the attacker's attack Minimize hit window . For longer JWT, It is strongly recommended to follow OAuth Standard to revoke access .

0x05 encryption

Risk statement

First, make sure that ： What are the protection requirements for the data in transmission and stored data . for example , password 、 Credit card number 、 Medical records 、 Personal letter Information and trade secrets need extra protection , Especially when these data belong to the privacy protection law （ Such as ： The European Union GDPR) Or regulations （ Such as ： Financial figures
According to the protection standard PCI DSS) Scope of application . For these data , To be sure ：

• Whether plaintext transmission is used during data transmission ？ This is related to the transmission protocol , Such as ： HTTP 、 SMTP 、 after TLS upgrade （ Such as STARTTLS ） Of FTP. External network traffic is harmful . All internal communications need to be verified , Such as , Load balancing 、 Web Server or Traffic between backend systems .
• Whether by default or in old code , Are you still using any old or fragile encryption algorithms or transport protocols ？
• Whether to use the default encryption key 、 Generate or reuse fragile encryption keys , Or whether there is a lack of appropriate key management or key management ？ Add Whether the secret key has been submitted to the source code repository ？
• Whether forced encryption is not performed , for example , Is there a lack of safety related HTTP （ browser ） Instruction or header ？
• Are the received server certificates and trust chains properly verified ？
• Whether the initialization vector ignores , Whether the reused or generated password operation mode is not secure enough ？ Whether unsafe operation mode is being used , for example The operating model the ECB is using ？ Whether to use encryption when authentication encryption is more appropriate ？
• In the absence of cryptographic base key derivation functions , Whether to use password as encryption key ？
• Whether randomness is used for encryption purposes that are not intended to meet encryption requirements ？ Even if you choose the right function , Whether it needs to be sown by developers , If you don't need to , Whether developers use lack of enough entropy / Unpredictable seeds cover the built-in powerful seeding function ？
• Whether to use obsolete hash functions , for example MD5 or SHA1, Or use an unencrypted hash function when the hash function needs encryption ？
• Are deprecated encryption population methods being used , for example PCKS number 1 v1.5？
• Whether the encrypted error message or side channel information can be used , For example, use the form of filling Oracle attack ？

Preventive measures

At least do the following , And refer to resources ：

• Handle the application 、 Classification of stored or transmitted data , And according to the privacy law 、 Regulatory requirements or business needs determine which data is sensitive .
• For sensitive data that does not need to be stored , Should be removed as soon as possible , Or by PCI DSS Tokenize or intercept . Unsaved data cannot be stolen .
• Ensure that all sensitive data stored is encrypted .
• Make sure you use the latest 、 Powerful standard algorithm 、 Protocol and key ; And key management is in place .
• Ensure that the data during transmission is encrypted , Such as using security protocols （ For example, it has forward confidentiality (FS) Cryptographically TLS、 Password priority of the server And safety parameters ） . Ensure that data encryption is enforced , If you use HTTP Strictly secure transport protocol (HSTS) Such as instruction .
• Disable caching of responses containing sensitive data .
• Implement the required security controls according to the data classification application .
• Do not use FTP and SMTP And other traditional protocols to transmit sensitive data .
• Use with working factor （ Delay factor ） Strong adaptive and salt hash function for storing passwords , for example Argon2、 scrypt、 bcrypt or PBKDF2.
• The initialization vector suitable for the operation mode must be selected . For most modes , have access to CSPRNG （ Password security pseudo-random number generator ） . For patterns that require random numbers , Then initialize the vector (IV) No need to use CSPRNG. In all cases , For a fixed key , forever It should not be used twice IV.
• Always use authenticated encryption , Not just encryption .
• The key should be randomly generated in an encrypted manner and stored in memory as a byte array . If you use a password , Must pass the appropriate cryptographic base key The derived function converts it to a key .
• Make sure to use cryptographic randomness where appropriate , And not seeded in a predictable way or with low entropy . Most modern API No need to open Issued by CSPRNG Seed for security .
• Avoid using obsolete encryption functions and padding schemes , for example MD5、 SHA1、 PKCS number 1 v1.5.
• Verify the validity of each security configuration item separately .

0x06 Frame loopholes

https://zhuanlan.zhihu.com/p/353034640

0x07 DDOS

Defense methods

1、 Using high performance network equipment
First of all, we must ensure that network equipment can not become a bottleneck , So choose the router 、 Switch 、 Hardware firewall and other equipment should try to choose high visibility 、 Products with good reputation . And then it's better if you have a special relationship or agreement with the network provider , When a large number of attacks occur, ask them to make traffic restrictions at the network nodes to counter some kinds of DDoS The attack is very effective .

2、 Try to avoid NAT Use
No matter router or hardware protective wall equipment, network address translation should be avoided as far as possible NAT Use , Because using this technology will greatly reduce the network communication capacity , The reason is simple , because NAT You need to translate the address back and forth , In the process of conversion, we need to calculate the check sum of network packets , So a lot of waste CPU Time for , But sometimes you have to use NAT, Then there's no good way .
3、 Sufficient network bandwidth guarantees
Network bandwidth directly determines the ability to resist attacks , If only there were 10M In terms of bandwidth , No matter what measures are taken, it will be difficult to confront the present SYNFIood attack , Currently, at least 100M Shared bandwidth of , The best, of course, is to hang on 1000M It's on the trunk of . But it should be noted that , The network card on the host is 1000M It doesn't mean that its network bandwidth is Gigabit , If you connect it to 100M On the switch , Its actual bandwidth will not exceed 100M, And then it's connected to 100M The bandwidth of 100 MB is not equal to that of 100 MB , Because the network service provider is likely to limit the actual bandwidth on the switch to 10M, This must be made clear .

4、 Upgrade the host server hardware
Under the premise of network bandwidth guarantee , Please try to improve the hardware configuration , It's going to be effective against every second 10 m SYN Attack Pack , The configuration of the server should be at least ：
P42.4G/DDR512M/SCS1-HD, The main thing that plays a key role is CPU And memory , If you have a pair of high aspirations CPU Use it if you want , Memory must be selected DDR High speed memory , Try to choose the hard disk SCS Of , Don't just be greedy DE The price is not expensive, and the quantity is cheap , Otherwise, there will be a high performance cost , And then the network card must be selected 3COM or Intel And so on , if Realtekl It's still for your own use PC Come on. .
5、 Make your website static or pseudo static
A lot of facts prove that , Make the website as static as possible , Not only can greatly improve the ability to resist attack , And it also brings a lot of trouble to hackers , At least so far about HTML There's no overflow yet , Have a look ！ Sina 、 sohu 、 Netease and other portal websites are mainly static pages , If you don't need dynamic script calls , Then take it to a separate host , The main server will be involved in the attack , Of course , It's OK to put some scripts that don't make database calls properly , Besides , It's best to deny access using a proxy in a script that calls the database , Because experience has shown that using a proxy to visit your website 80% It's a malicious act .

6、 Enhanced operating system TCP/IP Stack
Win2000 and Win2003 As a server operating system , It has a certain resistance in itself DDoS Ability to attack , It's just not on by default ,
If opened, it can resist about 10000 individual SYN Attack Pack , If it is not turned on, it can only resist hundreds of , How to turn it on , Take a look at Microsoft's article ！
《 strengthening TCPP Stack security 》

7、 Installation of professional anti DDOS A firewall

8、HTTP Interception of requests
If a malicious request has characteristics , It's easy to deal with ： Just intercept it directly .
HTTP There are generally two characteristics of requests ：P Address and User Agent Field . such as , Malicious requests are from some IP From paragraph , So take this IP Just seal off the paragraph . perhaps , Their User Agent The field has characteristics （ Contains a specific word ）, Then block the request with this word .
9、 Backup website
You need to have a backup website , Or at least have a temporary home page . If the production server goes offline , You can immediately switch to the backup website , There is no way .

Backup sites are not necessarily full-featured , If you can do full static browsing , To meet the needs . At a minimum it should be possible to display announcements , Tell the user , There's something wrong with the website , We're doing our best to repair .
This temporary home page is recommended to Github Pages perhaps Netlify, Their bandwidth is large , Can deal with attacks , And all support binding domain names , It can also be built automatically from the source code .
10、 Deploy CDN
CDN Refers to the static content of the website distributed to multiple servers , Users visit nearby , Increase speed . therefore ,CDN It is also a method of bandwidth expansion , Can be used for defense DDOS attack .

The website content is stored on the source server ,CDN Above is the content cache . Users are only allowed to access CDN, If the content is not CDN On ,CDN Then send a request to the source server . In this case , as long as CDN Big enough , Can resist a big attack . however , This method has a premise , Most of the content of the website must be statically cached . For dynamic content based websites （ For example, the forum ）, We have to find another way , Minimize user requests for dynamic data ; The essence is to build a micro CDN. Advanced anti DDoS provided by major cloud service providers P, That's what you do behind your back ： The website domain name points to advanced anti DDoS P, It provides a buffer layer , Cleaning flow , And cache the content of the source server .
Here's a key point , Once on the CDN, Never disclose the source server's P Address , Otherwise, the attacker can bypass CDN Attack the source server directly , All the previous efforts were in vain . search " Bypass CDN Get real P Address ", You will know how rampant the domestic black industry is .

11、 Other defenses
The above confrontation DDoS Suggest , Suitable for the vast majority of users with their own hosts , But if the above measures still can not be solved DDoS problem , There's some trouble , More investment may be needed , Increase the number of servers and adopt DNS Round robin or load balancing technology , Even need to buy seven layer switch equipment , So that the resistance to DDoS Attack power doubled , As long as the investment goes deep enough .

0x08 Security configuration

Risk statement

Your application may be under attack , If the application is ：

• Any part of the application stack lacks proper security reinforcement , Or the permission configuration of the cloud service is wrong .
• The application has enabled or installed unnecessary features （ for example ： Unnecessary ports 、 service 、 Webpage 、 Account or permissions ） .
• The default account and password are still available and have not been changed .
• The error handling mechanism leaks stack information or other large amount of error information to the user .
• For upgraded systems , The latest security features are disabled or not configured .
• Application server 、 Application framework （ Such as ： Struts、 Spring、 ASP.NET） 、 The library files 、 The database is not accessed Row security configuration .
• The server does not send security headers or instructions , Or the safety parameters are not set .
• Your application has expired or is vulnerable （ See “A6:2021- Fragile and obsolete components ”） .
  Lack of a system 、 Repeatable application security configuration process , The system will be at high risk .

Defensive measures

A safe installation process should be implemented , Include ：

• A repeatable hardening process that can be quickly and easily deployed in another locked environment . Development 、 Both quality assurance and production environment should This is the same configuration , And use different passwords in each environment . This process should be automated , To minimize installation The cost of a new security environment .
• Build a minimization platform , The platform does not contain any unnecessary functions 、 Components 、 Documents and examples . Remove or do not install inapplicable functions Can and frame .
• Check and repair security configuration items to adapt to the latest security instructions 、 Updates and patches , And as part of the update management process （ See “A6:2021- Fragile and obsolete components ”） . During the inspection , Special attention should be paid to cloud storage permissions （ Such as ： S3 Barrel right limit ） .
• A segmented application architecture that provides effective separation and security between components and users , Include ： piecewise 、 Containerization and cloud security Whole group （ACL） .
  Send security instructions to the client , for example ： Security header .
• An automated process that verifies the correct security configuration and settings in all environments .