Notes on reading "White Hat Talks Web Security", part 2
2022-07-05 23:18:00 【bapijun】
Framework security
A good security scheme should do the right thing in the right place.
For example, in the chapter on injection attacks we did not use PHP's magic_quotes_gpc as the defense against SQL injection, because magic_quotes_gpc is flawed: it does not solve the problem in the right place. magic_quotes_gpc amounts to a single call to addslashes() on incoming data, escaping certain special characters (single quotes, for instance) so that ' becomes \'. In MVC terms this happens in the View layer, while SQL injection is a problem the Model layer has to solve. The result? Attackers found many ways around magic_quotes_gpc, for example using GBK encoding, or using injection that needs no single quotes at all. After several years PHP finally faced up to this problem, and the official documentation no longer recommends it.
Generally speaking, we first need to work out what problem we are solving; only after understanding those problems thoroughly can we pick the "right" place to perform data security checks. The main Web security threats that do not involve business logic, such as XSS, CSRF, SQL injection, access control, authentication and URL redirection, can all be solved centrally in the MVC framework. Implementing the security scheme in the framework has more advantages than having programmers fix individual bugs in business code.
So, following the book: most people use a framework, and from a security standpoint it is best to stick to the framework's standard usage patterns, which makes security problems easy to avoid.
For example, use the ORM's query builder to access the database; it is much safer than assembling SQL statements yourself.
In many PHP frameworks, avoid passing request data through as key-value pairs. The SQL injections that keep appearing in the major CMSs are commonly vulnerabilities where an array $key is not strictly filtered and is carried directly into the SQL query.
The article "CI framework injection vulnerability" discusses this problem.
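To make the "right place" argument concrete, here is an added example (my own code, not from the book or the post) showing the same lookup done the View-layer way (escape the input, then concatenate, which is what magic_quotes_gpc did globally) and the Model-layer way (bind parameters), plus the allow-list needed for the "$key carried into SQL" case, since parameters can bind values but never column names. It uses an in-memory SQLite database so it runs stand-alone; the table, rows, function names and inputs are all constructed for this illustration, and it assumes PHP 8 with the pdo_sqlite extension.

```php
<?php
// Added example (not from the book or the post): escaping in the wrong place
// versus binding in the model layer. In-memory SQLite; all data is constructed.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Wrong place: addslashes() knows nothing about the database it is feeding.
// SQLite escapes a quote as '' rather than \', so this already breaks on a
// legitimate apostrophe; on MySQL with a GBK connection the \x5c it inserts can
// be absorbed into a multibyte character, which is the bypass the text refers to.
function findByNameEscaped(PDO $pdo, string $name): array
{
    $escaped = addslashes($name);
    $sql = "SELECT name, role FROM users WHERE name = '$escaped'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Right place: the model never assembles SQL from data. The driver sends the
// statement and the value separately, so the value's content is irrelevant.
function findByNameBound(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Parameters bind values only, never column or table names. When the column
// comes from request data (the "$key brought into SQL" case), map it against a
// fixed allow-list: the input chooses an entry and never reaches the SQL text.
const SORTABLE = ['name' => 'name', 'role' => 'role'];

function listUsersSorted(PDO $pdo, string $requestedKey): array
{
    $column = SORTABLE[$requestedKey] ?? 'name';      // unknown key -> safe default
    $stmt = $pdo->query("SELECT name, role FROM users ORDER BY $column");
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a plain name and one containing an apostrophe.
foreach (['alice', "o'brien"] as $input) {
    echo "bound   [$input]: ", json_encode(findByNameBound($pdo, $input)), PHP_EOL;
    try {
        echo "escaped [$input]: ", json_encode(findByNameEscaped($pdo, $input)), PHP_EOL;
    } catch (PDOException $e) {
        echo "escaped [$input]: query failed, the escaping did not match the database's rules", PHP_EOL;
    }
}
echo json_encode(listUsersSorted($pdo, 'role')), PHP_EOL;
echo json_encode(listUsersSorted($pdo, 'email')), PHP_EOL;   // not in the allow-list, sorts by name
```

The point of the failing apostrophe case is that an escaping function chosen in the View layer has to agree byte for byte with the parsing rules of whatever database the Model layer happens to talk to; binding removes that dependency, and the allow-list handles the one part of a query (identifiers) that binding cannot.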
Be careful with file uploads (this comes up again later). In short, try not to store uploaded files on the local filesystem. If the application's implementation has a problem, it can become a serious hole. If every business module implements file upload separately, their designs and code will differ, and the resulting complexity makes the security issues hard to control. But if the Web framework can provide a sufficiently secure library or function for the file upload feature
In Web application development it is necessary to distinguish "read operations" from "write operations", for example by requiring that all write operations use HTTP POST. Many articles on CSRF defense require the use of HTTP POST, but POST by itself is not enough to resist CSRF, because a POST can also be submitted automatically. Still, using POST has positive value for protecting the token, and the secrecy of the security token (the principle of unpredictability) is the basis of CSRF defense.
Be especially careful with code that executes commands remotely. The Java logging vulnerability mentioned earlier is one example, and Django 0.95 also had a remote command execution vulnerability. From the official code diff you can see that it was a very obvious "command injection" hole, of the kind described in the chapter on injection attacks. Django had a problem when processing message files: a remote attacker who builds a malicious .po file and entices a user to process it can cause arbitrary commands to be executed with the privileges of the application process.
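As an added example for the read/write and CSRF paragraph above (my own code, not from the book or the post), here is a minimal guard for a write handler that keeps the two ideas separate: state-changing actions are only accepted over POST, and the request must carry a per-session token that an attacker's page cannot know, which is the part that actually defends against CSRF. The function names are invented for this illustration; $method, $post and $session are passed in so it runs on the command line, and in a real handler they would be $_SERVER['REQUEST_METHOD'], $_POST and $_SESSION. Assumes PHP 7.1 or later.

```php
<?php
// Added example (not from the book or the post): POST-only writes plus an
// unpredictable session token, checked in constant time.
declare(strict_types=1);

// Issue a token once per session. random_bytes() reads the OS CSPRNG, so the
// value is unpredictable, which is the property the whole defense rests on.
function csrfToken(array &$session): string
{
    if (!isset($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Decide whether a write request may proceed.
function guardWrite(string $method, array $post, array $session): bool
{
    // Step 1: refuse writes over GET. Necessary but not sufficient on its own,
    // because a hidden form on an attacker's page can auto-submit a POST.
    if ($method !== 'POST') {
        return false;
    }
    // Step 2: the submitted token must match the session's copy. hash_equals()
    // compares in constant time so the comparison itself leaks nothing.
    $expected = $session['csrf_token'] ?? '';
    $given = $post['csrf_token'] ?? null;
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Constructed demonstration: one session, a legitimate form post, a forged one
// (an attacker's page cannot read the token, so it is simply absent), and a GET.
$session = [];
$token = csrfToken($session);

$legit  = ['title' => 'hello', 'csrf_token' => $token];
$forged = ['title' => 'hello'];

echo 'legit POST:  ', var_export(guardWrite('POST', $legit, $session), true), PHP_EOL;
echo 'forged POST: ', var_export(guardWrite('POST', $forged, $session), true), PHP_EOL;
echo 'legit GET:   ', var_export(guardWrite('GET', $legit, $session), true), PHP_EOL;
```

The token must be emitted into each form as a hidden field (or a request header for XHR) and must never appear in a URL, since a URL ends up in logs and Referer headers; keeping writes on POST is what makes that discipline easy to enforce.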
Application-layer denial of service
An application-layer denial-of-service attack is an extension of the traditional network-layer denial of service; its essence is likewise the unrestricted abuse of limited resources. The core idea for solving the problem is therefore to limit the quota of every untrusted resource consumer.
DDoS attacks
DDoS, short for Distributed Denial of Service, uses reasonable-looking requests to overload resources and make the service unavailable. It is hard to defend against.
Flood attack
The core is abuse of the TCP three-way handshake: on the second step of the handshake the server already allocates resources, while the requester only has to commit resources on the third step.
In a SYN flood attack, the attacker first forges a large number of source IP addresses and sends a large number of SYN packets. The server replies with SYN/ACK packets, but because the source addresses are forged, those IPs never answer. Having received no response from the forged IPs, the server retries 3 to 5 times and waits one SYN timeout (typically 30 seconds to 2 minutes) before discarding the connection. When an attacker sends a large number of such forged-source SYN requests, the server spends a lot of resources (CPU and memory) handling these half-open connections while also continually retrying SYN+ACK to those IPs. The end result is that the server has no capacity left for normal connection requests, causing a denial of service.
CC attacks
The principle of a CC attack is very simple: keep making normal requests to application pages that consume large amounts of resources, in order to exhaust the server's resources. In a Web application, querying the database or reading and writing files on disk consumes relatively many resources.
For example, paging through a large table: when the table data is huge and pages are turned frequently, $start grows sharply, the number of rows the query has to touch grows with it (result set = $start + 30), and query efficiency drops markedly. With many concurrent, frequent calls, queries cannot complete immediately and their resources cannot be released immediately, so database connections pile up, the database is blocked and the site can no longer be opened.
It often happens that a crawler crawls a small website to death; the effect is very similar to an application-layer DDoS attack. Seen this way, the line between an application-layer DDoS attack and normal business traffic is blurred. There was once a case where a crawler crawled a government website to death and the relevant authorities sent people over.
Ways of defending
- Limit request frequency: in the application, limit how often each client may make requests
- Use a CAPTCHA (usually on login, but it can also be added to forms that are submitted too frequently)
- Optimize the performance of the application code
- Optimize the network architecture: make good use of load balancing and traffic splitting so that user traffic does not concentrate on a single server, and make full use of CDNs and mirror sites to relieve pressure on the main site
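The first item in the list, a per-client request limit, is the direct implementation of "limit the quota of every untrusted resource consumer". Here is an added example (my own code, not from the book or the post) of a fixed-window limiter that an expensive page, such as the deep-paging query described above, can be placed behind. The class and function names are invented; the clock is injected and the state is an in-memory array so it runs stand-alone, whereas in production the same counters would live in a shared store such as Redis or APCu so that every worker process sees the same count. Assumes PHP 8.

```php
<?php
// Added example (not from the book or the post): per-client fixed-window
// request limiter. State and clock are in-process for the demonstration.
declare(strict_types=1);

final class RequestLimiter
{
    /** @var array<string, array{start:int, count:int}> window start and count per client */
    private array $windows = [];

    public function __construct(
        private int $limit,         // requests allowed per window
        private int $windowSeconds  // window length in seconds
    ) {}

    /** Returns true if the request may proceed, false if the client is over quota. */
    public function allow(string $clientKey, int $now): bool
    {
        $w = $this->windows[$clientKey] ?? null;
        if ($w === null || $now - $w['start'] >= $this->windowSeconds) {
            // First request from this client, or its previous window has expired.
            $this->windows[$clientKey] = ['start' => $now, 'count' => 1];
            return true;
        }
        if ($w['count'] >= $this->limit) {
            return false;   // quota exhausted for this window
        }
        $this->windows[$clientKey]['count']++;
        return true;
    }
}

// The key decides what "one client" means. A bare IP is weak behind shared NAT
// or proxies and is easy to vary in a distributed attack, so prefer the session
// or account when there is one and fall back to the IP for anonymous traffic.
function clientKey(array $server, array $session): string
{
    if (isset($session['user_id'])) {
        return 'user:' . $session['user_id'];
    }
    return 'ip:' . ($server['REMOTE_ADDR'] ?? 'unknown');
}

// Constructed run: 5 requests per 10 s allowed from one client; the sixth in the
// same window is refused, and a request after the window has passed is allowed again.
$limiter = new RequestLimiter(limit: 5, windowSeconds: 10);
$key = clientKey(['REMOTE_ADDR' => '203.0.113.7'], []);   // documentation-range IP
for ($i = 0; $i < 6; $i++) {
    $ok = $limiter->allow($key, 1000 + $i);
    echo "t=", 1000 + $i, " request ", $i + 1, ": ", $ok ? 'allowed' : '429 Too Many Requests', PHP_EOL;
}
echo "t=1011 request after window: ", $limiter->allow($key, 1011) ? 'allowed' : '429', PHP_EOL;
```

A fixed window lets a client spend two quotas back to back at a window boundary; a sliding window or token bucket smooths that out at the cost of slightly more state, and is the usual choice when the protected page is expensive enough that the burst matters.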
Slowloris attack
Slowloris is an attack method proposed in 2009 by the well-known Web security expert RSnake. Its principle is to send HTTP requests to the server at a very slow rate. Because a Web server has an upper limit on the number of concurrent connections, if those connections are occupied maliciously and never released, all of the Web server's connections end up held by malicious connections, it cannot accept new requests, and the result is a denial of service.
HTTP POST DoS
At the 2010 OWASP conference, Wong Onn Chee and Tom Brennan demonstrated an attack method similar to Slowloris, which the authors called HTTP POST D.O.S. The principle: when sending an HTTP POST packet, specify a very large Content-Length value and then send the body at a very slow rate, for example one byte every 10 to 100 seconds, keeping the connection open. When there are many such client connections, all of the Web server's available connections are occupied, which leads to DoS.
Regular expression attacks
ReDoS: can regular expressions cause a denial of service too? Yes. When a regular expression is badly written, malicious input can make it consume large amounts of resources and result in DoS. This attack is called ReDoS.
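What "badly written" means in practice is a pattern whose quantifiers overlap, so that a near-match forces the engine to try exponentially many ways of splitting the input. The added example below (my own code, not from the book or the post) shows such a pattern next to an equivalent one without the ambiguity, and the two habits that contain the damage in PHP: bound the work PCRE is allowed to do, and treat a failed match as an error rather than as "no match". The function name and inputs are constructed; it assumes PHP 8 (for preg_last_error_msg()).

```php
<?php
// Added example (not from the book or the post): a nested-quantifier pattern,
// the input that makes it backtrack exponentially, and how to contain it.
declare(strict_types=1);

// Keep PCRE's backtracking budget modest (the default is 1,000,000 steps); a
// pathological input then fails fast instead of pinning a worker for minutes.
ini_set('pcre.backtrack_limit', '100000');

// Returns 'match', 'no-match' or 'error: <reason>'. Callers must not collapse
// the error case into "no match": a regex that hits its limit is a signal.
function safePregMatch(string $pattern, string $subject): string
{
    // Cheapest defense first: bound the input length before any regex runs.
    if (strlen($subject) > 1000) {
        return 'error: input too long';
    }
    $r = preg_match($pattern, $subject);
    if ($r === false) {
        return 'error: ' . preg_last_error_msg();   // e.g. backtrack limit exhausted
    }
    return $r === 1 ? 'match' : 'no-match';
}

// Nested quantifier: (a+)+ gives exponentially many ways to split a run of
// 'a's, and the trailing '!' forces PCRE to try all of them before giving up.
$nested = '/^(a+)+$/';
// Same language written without the ambiguity: each character is examined once.
$linear = '/^a+$/';

$pathological = str_repeat('a', 40) . '!';   // constructed input
$benign       = str_repeat('a', 40);

echo 'nested, pathological: ', safePregMatch($nested, $pathological), PHP_EOL;
echo 'linear, pathological: ', safePregMatch($linear, $pathological), PHP_EOL;
echo 'linear, benign:       ', safePregMatch($linear, $benign), PHP_EOL;
```

The backtrack limit applies whether or not pcre.jit is enabled (the JIT counts steps differently but honours the same limit), so checking preg_match() for a strict false is what separates "the input was rejected" from "the engine gave up", and only the latter should be logged as an anomaly.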
PHP security
File inclusion vulnerabilities
include, require, include_once and require_once: when a file is included with one of these four functions it is executed as PHP code; the PHP kernel does not care what type of file it is.
Code execution vulnerabilities
Dangerous functions: exec, shell_exec and system execute system commands directly, and eval executes PHP code.
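For both of the sinks just listed, the dangerous shape is the same: request data reaches something that interprets it, either the PHP loader or the shell. The added example below (my own code, not from the book or the post) shows each sink in its exploitable form beside the form that closes it. The page names, the directory layout, the hostname validator and the function names are all constructed for this illustration; it assumes PHP 8.

```php
<?php
// Added example (not from the book or the post): file inclusion and command
// execution, each as the vulnerable pattern and the fixed one.
declare(strict_types=1);

// --- File inclusion --------------------------------------------------------
// Vulnerable shape: the include path is built from request data. include()
// executes whatever it loads as PHP, so any readable file becomes code.
function renderPageUnsafe(string $page): void
{
    include __DIR__ . '/pages/' . $page . '.php';   // $page comes from the request
}

// Fix: the request value selects a key in a fixed map and never forms a path.
// Anything not in the map is a 404, not an attempt at "sanitizing" the path.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function renderPage(string $page): bool
{
    if (!array_key_exists($page, PAGES)) {
        http_response_code(404);
        return false;
    }
    include __DIR__ . '/pages/' . PAGES[$page];
    return true;
}

// --- Command execution -----------------------------------------------------
// Vulnerable shape: user data interpolated into a shell command line, where
// shell metacharacters in $host turn into additional commands.
function pingUnsafe(string $host): ?string
{
    $out = shell_exec("ping -c 1 $host");
    return is_string($out) ? $out : null;
}

// Fix, in order of preference: (1) do the job without a shell at all (a DNS
// check via checkdnsrr() covers many "is this host alive" uses); (2) if a
// process is unavoidable, validate the argument against a strict allow-list
// and quote it with escapeshellarg(). Refuse bad input; do not try to clean it.
function isValidHostname(string $host): bool
{
    // labels of letters, digits and hyphens joined by dots, at most 253 chars
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    return strlen($host) <= 253
        && preg_match('/^(?:' . $label . '\.)*' . $label . '$/i', $host) === 1;
}

function pingSafe(string $host): ?string
{
    if (!isValidHostname($host)) {
        return null;
    }
    $out = shell_exec('ping -c 1 ' . escapeshellarg($host));
    return is_string($out) ? $out : null;
}

// Constructed demonstration of the two gates (no network or page files needed).
echo 'page "settings" (not in map): ', var_export(renderPage('settings'), true), PHP_EOL;
echo 'host "example.com":           ', var_export(isValidHostname('example.com'), true), PHP_EOL;
echo 'host "example.com x":         ', var_export(isValidHostname('example.com x'), true), PHP_EOL;
```

The allow-list regex is anchored and has no overlapping quantifiers, so it is also safe against the ReDoS problem from the previous section; a validator that is itself vulnerable would just move the denial of service one line up.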
Pseudo-random and true random numbers
Pseudo-random numbers
Generated by a mathematical algorithm; not truly random
True random numbers
Generated by some physical system
Secure random numbers
- Linux
Use /dev/random or /dev/urandom to generate random numbers; just read from the device
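Why the distinction matters for security is easiest to see by running the two kinds side by side. The added example below (my own code, not from the book or the post) shows that a seeded mt_rand() sequence is fully reproducible, which is exactly why tokens built from it are guessable, and then produces tokens from the OS generator both the portable way (random_bytes(), which on Linux draws from the same pool as /dev/urandom) and by reading /dev/urandom directly as the text describes. Function names are invented; it assumes PHP 7 or later on Linux for the device read.

```php
<?php
// Added example (not from the book or the post): a predictable generator next
// to two secure sources. All values here are constructed at run time.
declare(strict_types=1);

// Deterministic generator: the same seed always yields the same sequence, so
// knowing or brute-forcing the seed reveals every "random" value after it.
function mtSequence(int $seed, int $n): array
{
    mt_srand($seed);
    $out = [];
    for ($i = 0; $i < $n; $i++) {
        $out[] = mt_rand();
    }
    return $out;
}

// Cryptographically secure token for sessions, CSRF tokens, reset links and
// the like. random_bytes() throws if no secure source is available, rather
// than silently falling back to something weak.
function secureToken(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes));
}

// Reading the device directly, as the text describes. Prefer random_bytes();
// this version shows what it does for you, including handling short reads.
function urandomHex(int $bytes = 32): string
{
    $fh = fopen('/dev/urandom', 'rb');
    if ($fh === false) {
        throw new RuntimeException('cannot open /dev/urandom');
    }
    $data = fread($fh, $bytes);
    fclose($fh);
    if ($data === false || strlen($data) !== $bytes) {
        throw new RuntimeException('short read from /dev/urandom');
    }
    return bin2hex($data);
}

// Two runs from the same seed agree element for element; the secure sources
// produce fresh values on every call. For bounded integers (a 6-digit code,
// for instance) use random_int(), which is unbiased and also CSPRNG-backed.
$a = mtSequence(42, 5);
$b = mtSequence(42, 5);
echo 'mt_rand reproducible from seed: ', var_export($a === $b, true), PHP_EOL;
echo 'random_bytes token:             ', secureToken(), PHP_EOL;
echo '/dev/urandom token:             ', urandomHex(), PHP_EOL;
echo 'random_int 6-digit code:        ', random_int(0, 999999), PHP_EOL;
```

The practical rule that follows: anything that has to be unguessable by a remote party (session identifiers, tokens, password-reset links, salts) comes from random_bytes() or random_int(); mt_rand() and rand() are for shuffling, sampling and other places where predictability costs nothing.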
Social engineering
This is very hard to pin down. For example, suppose that through some means (a leaked password database, passwords obtained from a dumped site, guessing common passwords) I obtain a well-known front-end developer's GitHub permissions, or, in the extreme case, I show up at his door with a gun and force him to push vulnerable front-end code into a base library; then a large amount of mining code ends up in the commonly used frameworks.
Or I pose as a pretty girl to chat up a famous programmer (plenty of big names are lonely) and, once his hormones have taken over, get him to click my phishing site; with hormones in charge, the brain's CPU drops sharply. It does not even have to be a famous programmer; sending it to the back-office administrator of some company is enough.
This book, however, does not specifically cover social engineering; when I have time I will look into the magic of social engineering separately.