[every Monday shift] - Issue 3: web development security precautions

In this issue, let's talk about safety , The topic of safety has never changed , Everything we do involves security , Especially now everyone's safety awareness has been improved , Safety protection is also becoming more and more important , Recently, you may have heard of data leakage , It can be seen that most of the safety is caused by man , Of course, our safety protection work , It's not just about people , And the machine , In essence, it is the formulation of norms , The code level ： Anti hacker , prevent DDoS attack ; Safety work is very important or can't be ignored , Server security 、 Database security will be involved , Today, I will focus on the process of service development Web security ：

Certification and authorization

authentication ： Prove who you are . There will be problems ：

• 1、 Weak password
• 2、 Voucher theft （cookie）
• 3、 The logical question

to grant authorization ： What are you allowed to do .（ Horizontal authority 、 Vertical permissions ）

How to solve ：

• 1、 Authentication and authorization are separated
• 2、 Permission control is at the back end
• 3、 Use a unified authentication method （ The Security Department of the company generally has a unified management system ）

Information disclosure

• 1、debug Information disclosure （ for example console.log Printed information ）
• 2、 Error message （ There is sensitive content in the error message returned by the backend , for example sql sentence ）
• 3、 Source code exposure （ Upload the source code to the server ）
• 4、 safety consciousness （ Click on unsafe links, etc ）

XSS

• reflective ： Such as malicious links . Triggered by user click , Do it all at once .
• Storage type ： For example, malicious code is saved to the database , Malicious code will be triggered whenever the user requests
• DOM type ： Change users dom structure

How to solve ：

• 1、 Data type checking
• 2、 Key tag filtering
• 3、 escape 、 code

ps：XSS The type of is distinguished according to the data flow . For example, the storage type needs to go through the database , The reflection type is directly returned to the browser through the back end .

XSS Introduce

SQL Inject

Solution ：

• 1、 Parameter check
• 2、 Special symbol escape
• 3、 Use parameter binding or precompiled statements （ some sql The framework has precompiled sql The function of the statement , But not all statements can be precompiled ）

Cross-site scripting attacks

Solution ：

• 1、 Check referer（ The head Fields can be forged ）
• 2、 Add in request csrf_token
• 3、 Add secondary verification for important operations （ Mobile phone verification code, etc ）

Server request forgery

quite a lot web Applications provide the function of obtaining data from other servers . Use user specified URL,web The app can get pictures , Download the file , Read file contents, etc . If this function is used maliciously , You can take advantage of defective web The application acts as a proxy to attack both remote and local servers . This form of attack is called server request forgery attack (Server-side Request Forgery).

• 1、 Parameter check
• 2、 Check the returned content （ Prevent the return of sensitive information ）
• 3、 The blacklist limits specific ports to ip
• 4、 Return a unified error message

Command execution

• 1、 Parameter check
• 2、 Use dangerous functions with caution
• 3、 Divide code and data （ Processing data alone , Make sure it's safe ）

Redirection has been tampered with

• 1、 Address verification
• 2、 Redirect address plus signature

Clickjacking

• 1、X-Frame-options：Deny、SAMEORIGN、ALLOW_FROM（ This header can control whether the page can be nested ）
• 2、 Operation secondary confirmation

Security development

• 1、 Processing parameters ： Type checking 、 Parameter filtering （ White list - Safer 、 The blacklist 、 Cyclic filtration ）、 Escape coding （html escape 、js escape 、url code 、sql escape ： Choose according to the context ）
• 2、 Certificate authority ： Login authentication （ Logic is not in the front , Sensitive data is not on the front end , Secondary verification , The return prompt should not be too clear ,ip control ）
  • sessionId（ Update and delete in time ）
  • Access control （ The principle of minimum authority ）
  • Upload and download （ Check document type 、 Filename handling 、 For ’…/…/‘ Filter it , Avoid path crossing , Stand alone server ）
  • User submit
• 3、 Account security ： Password back （ Prevent requests from being tampered ）

Common protocol security

This document introduces common security problems caused by protocol configuration errors or code vulnerabilities in the development process to avoid similar phenomena . Common protocols in the development process :

• HTTPS
• WebSocket
• JWT
• OAuth
• Json
• XML

WebSocket Security

• Input is not verified
• There is no limit on the number of frames
• The maximum number of connections is not limited , Both the client and the server can be exhausted
• Too many persistent links are not automatically closed
• Origin The head is not verified
• Not used HTTPS
• The access policy is not restricted , There is ultra vires ( Authorization needs to be restricted by the server )

OAuth Security

• Callback domain name requires white list to restrict access
• OAuth Token Let the cat out of the
• Refer The message header leaks Authorization Code

JWT Security

JWT yes JSON web Token Abbreviation , It is an implementation based on JSON Open standards for (RFC 7519), The token Designed to be compact and safe , Especially for single sign in of distributed sites (SSO) scene .

• Strictly protect yourself secret_key, Prevent leakage
• It is forbidden to use one set of online sites and test sites JWT
• utilize RS Algorithm instead of HS Algorithm
• Online environment must be prohibited debug
• Set strong secret_key, And replace it regularly

Json, XML Security

• Cross-site request forgery ： Cross-site request forgery （CSRF） It is a way to attack by using the trust of the site to the user's browser .
• Cross-site scripting attacks ： Injection attack is to inject malicious code into the website by using the vulnerability of the system itself .

Mysql Security configuration

Reference resources ：https://www.securitypaper.org/2.sdl Specification document /9-mysql Security configuration /