Technology Sharing

Analysis and prevention of common web vulnerabilities

2024-07-12


  • Preface:

In today's digital age, web applications play an important role, providing us with a variety of online services and functions. However, these applications are often faced with various potential security threats, which may lead to sensitive information leakage, system paralysis and other adverse consequences.

  • SQL Injection Vulnerabilities

SQL injection (SQL Injection), also called an injection attack, is widely used to gain unauthorized control of a website. It is a security vulnerability at the database layer of an application: when the program does not check an input string for embedded SQL syntax, the database mistakenly treats that input as legitimate SQL and executes it. The result is an attack on the database that can lead to data being stolen, altered or deleted, and further to malicious code being embedded in the website, backdoor programs being implanted, and other harm.

Typically, SQL injection locations include:

  1. Form submission, mainly POST request, also includes GET request;
  2. URL parameter submission, mainly GET request parameters;
  3. Cookie parameter submission;
  4. Some modifiable values in the HTTP request header, such as Referer, User-Agent, etc.;
  5. Some edge input points, such as the metadata carried inside uploaded .mp3 files, etc.

Common prevention methods:

  • All query statements use the parameterized query interface provided by the database. Parameterized statements use parameters instead of embedding user input variables into SQL statements. Currently, almost all database systems provide a parameterized SQL statement execution interface, which can effectively prevent SQL injection attacks.
  • Escape or convert special characters (such as ' " < > & * ;) before they enter the database.
  • Confirm the type of each piece of data. For example, numeric data must actually be numeric, and the corresponding database column must be an integer type.
  • The data length should be strictly regulated, which can prevent relatively long SQL injection statements from being executed correctly to a certain extent.
  • The encoding of each data layer of the website is unified. It is recommended to use UTF-8 encoding for all. Inconsistent encoding between the upper and lower layers may cause some filtering models to be bypassed.
  • Strictly limit the website user's database operation permissions, and provide the user with permissions that are only sufficient for his or her work, thereby minimizing the damage of injection attacks to the database.
  • Avoid having the website display SQL error messages, such as type errors, field mismatches, etc., so that attackers cannot use these messages to draw conclusions about the database.
  • Before publishing the website, it is recommended to use some professional SQL injection detection tools to detect and patch these SQL injection vulnerabilities in time.
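The first four prevention points above, shown side by side in an added example that is not part of the original article. It uses Python's built-in sqlite3 driver against a constructed in-memory table; the vulnerable function pastes the input into the SQL text, the safe one binds it as a parameter, and the id lookup confirms the type and length before anything reaches the database.

```python
import sqlite3

MAX_USERNAME_LEN = 32  # assumed length limit for this demo


def make_db():
    # Constructed in-memory sample table (not from the article).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn


def find_user_unsafe(conn, username):
    # VULNERABLE: the input is pasted into the SQL text, so a quote character in it
    # ends the string literal and whatever follows is parsed as SQL.
    sql = f"SELECT username FROM users WHERE username = '{username}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    # Length is regulated first (fourth point), then the value is bound to a '?'
    # placeholder (first point): the driver never treats it as SQL syntax.
    if len(username) > MAX_USERNAME_LEN:
        raise ValueError("username too long")
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? ORDER BY id", (username,)
    )
    return [row[0] for row in rows]


def lookup_user_by_id(conn, raw_id):
    # Type confirmation (third point): the id must parse as an integer before it
    # reaches the query; non-numeric input raises ValueError and never hits the DB.
    user_id = int(raw_id)
    row = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(find_user_unsafe(db, "x' OR '1'='1"))  # every row leaks
    print(find_user_safe(db, "x' OR '1'='1"))    # [] – treated as a literal name
```

The same input that returns every row from the concatenated query returns nothing from the parameterised one, because the quote character is stored as data rather than parsed as SQL.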

  • Cross-site scripting vulnerability

Cross-site scripting (commonly referred to as XSS) occurs on the client side and can be used to steal privacy, perform phishing scams, steal passwords, spread malicious code, and other attacks.

The technologies used in XSS attacks are mainly HTML and Javascript, as well as VBScript and ActionScript. Although XSS attacks do not directly harm WEB servers, they spread through websites, causing website users to be attacked and website user accounts to be stolen, which also causes serious harm to the website.

XSS types include:

  • Non-persistent (reflected) cross-site scripting: the most common type. The cross-site code is usually carried in a link; when such a link is requested, the server reflects the code back in its response. The code is not stored on the server (for example in a database).
  • Persistent (stored) cross-site scripting: the most direct type, where the cross-site code is stored on the server (for example in a database). A typical case is a user posting on a forum: if the forum does not filter the Javascript the user enters, the browsers of other users who view the post execute the Javascript embedded by the poster.
  • DOM-based cross-site scripting (DOM XSS): a cross-site vulnerability that occurs in the client-side DOM (Document Object Model), largely caused by flaws in the client-side script's processing logic.

Commonly used XSS prevention techniques include:

  1. As with the SQL injection protection recommendations, assume that all inputs are suspicious and strictly check for words such as script and iframe in all inputs. The input here is not only the input interface that users can interact with directly, but also includes variables in cookies in HTTP requests, variables in HTTP request headers, etc.
  2. Validate not only the type of data, but also its format, length, range, and content.
  3. Don't just validate and filter data on the client side; the key filtering steps should be performed on the server side.
  4. The output data must also be checked. The values in the database may be output in multiple places on a large website. Even if encoding and other operations are performed on the input, security checks must be performed at every output point.
  5. Test your application for all known threats before releasing it.
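An added example, not from the original article, of points 2 through 4 above in Python: server-side validation of type, format and length, and output encoding applied at the point where data is written into HTML, chosen for the context (text body, attribute, URL) it lands in. The helper names and the comment template are assumptions for this demo.

```python
import html
import re
from urllib.parse import quote

# Server-side validation (points 2 and 3): type, format, length and content in one check.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def validate_username(value):
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


def render_comment(author, body):
    # Output encoding at the point of use (point 4): each untrusted value is escaped
    # for the HTML text context it is written into, so '<script>' becomes inert text.
    return "<p><b>{}</b>: {}</p>".format(
        html.escape(author, quote=True), html.escape(body, quote=True)
    )


def render_link(url, label):
    # URL context needs two steps: refuse schemes other than http(s) (so a
    # 'javascript:' URL is never emitted), then percent-encode and escape for
    # the attribute context.
    if re.match(r"https?://", url, re.IGNORECASE) is None:
        url = "#"
    safe_url = html.escape(quote(url, safe=":/?&=#%"), quote=True)
    return '<a href="{}">{}</a>'.format(safe_url, html.escape(label, quote=True))


if __name__ == "__main__":
    # Constructed sample input: a stored comment body containing a script tag.
    print(render_comment("bob", "<script>alert(1)</script>"))
    print(render_link("javascript:alert(1)", "click"))
```

Encoding is done per output location rather than once on input, which is what point 4 asks for: the same database value may be rendered in HTML text in one place and in an attribute or URL in another, and each context needs its own escaping.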

  • Weak password vulnerability

There is no strict and accurate definition of weak passwords. Generally speaking, passwords that are easy to be guessed by others (who may know you well) or cracked by cracking tools are considered weak passwords. Setting passwords usually follows the following principles:

  1. Do not use empty passwords or system default passwords, as these passwords are well known and are typical weak passwords.
  2. The password must be at least 8 characters long.
  3. The password should not be a series of characters (for example: AAAAAAAA) or a combination of repeated characters (for example: tzf.tzf.).
  4. The password should be a combination of the following four types of characters: uppercase letters (A-Z), lowercase letters (a-z), numbers (0-9), and special characters, with at least one character of each type. If only one character of a given type is present, it should not be the first or last character.
  5. The password should not contain the name and date of birth of the individual, his/her parents, children, spouse, anniversary date, login name, e-mail address, or any other information related to the individual, as well as any words in the dictionary.
  6. Passwords should not be words that use numbers or symbols instead of some letters.
  7. Your password should be memorable and quick to type, so that others cannot easily watch you typing it from behind.
  8. Change your password at least once every 90 days to prevent undetected intruders from continuing to use the password.
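Principles 1 to 6 above can be enforced mechanically at registration time. The following is an added example, not code from the original article, that implements them as a policy check; the default-password and dictionary lists are constructed samples and the substitution map (rule 6) is an assumption about which digits and symbols commonly stand in for letters. Rules 7 and 8 are behavioural and are not checked.

```python
# Constructed sample data (not from the article): typical defaults and dictionary words.
DEFAULT_PASSWORDS = {"", "admin", "password", "123456", "root"}
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein"}
# Assumed digit/symbol-for-letter substitutions undone before the dictionary check.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})

CLASSES = {
    "uppercase": str.isupper,
    "lowercase": str.islower,
    "digit": str.isdigit,
    "special": lambda c: not c.isalnum(),
}


def is_repeated_pattern(pw):
    # Rule 3: the password is one short unit repeated ('AAAAAAAA', 'tzf.tzf.').
    for unit_len in range(1, len(pw) // 2 + 1):
        if len(pw) % unit_len == 0 and pw[:unit_len] * (len(pw) // unit_len) == pw:
            return True
    return False


def check_password(pw, personal_info=()):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if pw in DEFAULT_PASSWORDS:                       # rule 1
        problems.append("empty or default password")
    if len(pw) < 8:                                   # rule 2
        problems.append("shorter than 8 characters")
    if pw and is_repeated_pattern(pw):                # rule 3
        problems.append("repeated character or pattern")
    for name, pred in CLASSES.items():                # rule 4
        positions = [i for i, c in enumerate(pw) if pred(c)]
        if not positions:
            problems.append(f"missing {name} character")
        elif len(positions) == 1 and positions[0] in (0, len(pw) - 1):
            problems.append(f"only {name} character is first or last")
    lowered = pw.lower()
    for item in personal_info:                        # rule 5 (personal data)
        if item and item.lower() in lowered:
            problems.append(f"contains personal information '{item}'")
    normalised = lowered.translate(LEET_MAP)          # rule 6 (P@ssw0rd -> password)
    for word in DICTIONARY:                           # rule 5 (dictionary words)
        if word in lowered or word in normalised:
            problems.append(f"contains dictionary word '{word}'")
    return problems


if __name__ == "__main__":
    print(check_password("P@ssw0rd!"))
    print(check_password("Alice1990!", personal_info=["alice", "1990"]))
    print(check_password("Kq7#mW2v$zLp"))  # []
```

Returning the full list of violations rather than a single boolean lets the registration form tell the user exactly which principle was broken.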

  • HTTP Header Tracking Vulnerability

The HTTP/1.1 specification (RFC 2616) defines the HTTP TRACE method, which a client uses to submit a TRACE request to the Web server for testing or to obtain diagnostic information. When the Web server has TRACE enabled, the submitted request headers are returned in full in the body of the server response, and those headers are likely to include session tokens, cookies, or other authentication information. Attackers can exploit this to deceive legitimate users and obtain their private information, and the weakness is often combined with other techniques to mount an effective attack. Because HTTP TRACE requests can be initiated from client-side browser scripts (such as XMLHttpRequest) and the response can be read through the DOM interface, they are easy for attackers to exploit. The usual defense against HTTP header tracking is to disable the HTTP TRACE method on the server.
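The defense described above, as an added example that is not part of the original article: a minimal Python http.server handler (hypothetical, written for this demo) that refuses TRACE with 405 instead of echoing the request, plus a loopback check that sends a TRACE request carrying a constructed dummy cookie and confirms the cookie value does not come back in the response body. The same probe can be pointed at your own server after changing its configuration to verify the setting took effect.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

DUMMY_COOKIE = "session=CONSTRUCTED-DUMMY"  # constructed value, never a real token


class NoTraceHandler(BaseHTTPRequestHandler):
    # Hypothetical minimal server: TRACE is refused outright, so request headers
    # (and any Cookie they carry) are never reflected into a response body.
    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        body = b"hello\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_server():
    # Bind to an ephemeral loopback port and serve in a background thread.
    server = HTTPServer(("127.0.0.1", 0), NoTraceHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe_trace(host, port):
    """Send one TRACE request with the dummy cookie.

    Returns (status, echoed): echoed is True if the cookie value appears in the
    response body, i.e. the server still reflects request headers.
    """
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("TRACE", "/", headers={"Cookie": DUMMY_COOKIE})
    resp = conn.getresponse()
    body = resp.read().decode("latin-1")
    conn.close()
    return resp.status, "CONSTRUCTED-DUMMY" in body


if __name__ == "__main__":
    srv = start_server()
    print(probe_trace("127.0.0.1", srv.server_port))  # (405, False)
    srv.shutdown()
```

On Apache httpd the equivalent server-side setting is the `TraceEnable off` directive; whatever the server, the probe's second value should be False afterwards.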

  • Struts2 Remote Command Execution Vulnerability

Apache Struts is an open source framework for building Java web applications. Apache Struts has had an input filtering error that can be exploited to inject and execute arbitrary Java code when a type conversion error is encountered.

Most websites that have remote code execution vulnerabilities have them because they use Apache Struts/XWork as the application framework: since the software has a high-risk remote code execution vulnerability, the website inherits the security risk. CNVD has handled many such vulnerabilities, for example the "GPS Car Satellite Positioning System" website remote command execution vulnerability (CNVD-2012-13934) and the Aspcms Guestbook remote code execution vulnerability (CNVD-2012-11590).

  • File upload vulnerability

File upload vulnerabilities are usually caused by lax filtering of the file upload path variables in the web page code. If the code implementing the upload function does not strictly restrict the suffix and type of the files users upload, attackers can upload arbitrary files into a Web-accessible directory, including website backdoor files (webshells), and then remotely control the web server.

Therefore, when developing websites and applications, it is necessary to strictly limit and verify uploaded files, and prohibit uploading files containing malicious code. At the same time, limit the execution permissions of related directories to prevent webshell attacks.
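The restrictions described above, as an added example that is not code from the original article: an upload handler in Python that checks the extension against an allow-list, requires the declared type and the file's leading magic bytes to agree with that extension, enforces a size limit, and stores the file under a random server-chosen name with no execute bit. The allowed-type table and the 5 MB limit are assumptions for this demo.

```python
import os
import secrets

# Assumed allow-list: extension -> (expected MIME type, accepted magic-byte prefixes).
ALLOWED = {
    "png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    "jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "pdf": ("application/pdf", (b"%PDF-",)),
}
MAX_BYTES = 5 * 1024 * 1024  # assumed limit


class UploadRejected(ValueError):
    pass


def validate_upload(filename, declared_type, data):
    """Return the canonical extension if every check passes, otherwise raise."""
    # 1. Suffix allow-list on the last extension only; '.php' and friends never pass.
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED:
        raise UploadRejected(f"extension '{ext}' not allowed")
    mime, magics = ALLOWED[ext]
    # 2. The Content-Type the client declared must match the extension.
    if declared_type != mime:
        raise UploadRejected("declared type does not match extension")
    # 3. The file body must start with the magic bytes of the claimed format, so a
    #    script renamed to .png is rejected on content, not just on name.
    if not any(data.startswith(m) for m in magics):
        raise UploadRejected("file content does not match claimed type")
    # 4. Size limit.
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    return ext


def store_upload(upload_dir, filename, declared_type, data):
    """Validate, then write under a random name; the user-supplied name is never
    used on the filesystem, and the file is created without execute permission."""
    ext = validate_upload(filename, declared_type, data)
    safe_name = f"{secrets.token_hex(16)}.{ext}"
    path = os.path.join(upload_dir, safe_name)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o640)
    return safe_name


if __name__ == "__main__":
    # Constructed sample: a minimal PNG header followed by padding.
    sample_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(validate_upload("photo.PNG", "image/png", sample_png))  # png
```

The upload directory itself should sit outside the document root or be configured so the web server never executes anything in it; the random filename and the permission bits in `store_upload` are the application-side half of that same control.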

  • Private IP address leakage vulnerability

An IP address is an important identifier of a network user, and an attacker needs to know it before launching an attack. There are many ways to obtain it, and attackers choose different methods depending on the network conditions: for example, using the Ping command on a local area network to ping the other party's machine name and obtain its IP, or using the IP-displaying version of QQ on the Internet to show it directly. The most effective way is to intercept and analyze the other party's network packets: with suitable software the attacker parses the IP header of the intercepted packets directly and learns the specific IP from that information.

Against the most effective "packet analysis" method, you can install software that automatically strips the IP information from the packet headers of outgoing packets. However, such software has drawbacks: it consumes considerable resources and reduces computer performance, it interferes with visiting some forums or websites, and it is not suitable for Internet cafe users. The most popular way for individual users to hide their IP today is to use a proxy. Once a proxy server is in use, its redirection service rewrites the outgoing packets, which defeats the packet analysis method. Some network software that easily leaks user IPs (QQ, MSN, IE, etc.) supports connecting through a proxy; in particular, after QQ connects through "ezProxy" or similar proxy software, the IP-displaying version of QQ can no longer show the IP address. Although a proxy hides the user's IP effectively, an attacker may still be able to bypass the proxy and find the real IP address. Which method a user should use to hide the IP in which circumstances therefore depends on the situation.

  • Unencrypted login request

Due to the insecurity of Web configuration, the login request transmits sensitive fields such as username and password without encryption. Attackers can eavesdrop on the network to obtain this sensitive information. It is recommended to encrypt the information before transmission, such as through SSH.

  • Sensitive information leakage vulnerability

SQL injection, XSS, directory traversal, weak passwords, etc. can all lead to sensitive information leakage, and attackers can obtain sensitive information through vulnerabilities. Different defense methods are used for different causes.

  • CSRF

Web applications are a general term for services that use a B/S architecture and the HTTP/HTTPS protocols. With the widespread use of the Internet, Web applications have become part of every aspect of daily life: online shopping, online banking, securities and stock trading, government administrative approval, etc. Most of these Web accesses are not static page browsing but involve dynamic processing on the server side. If programmers working in languages such as Java, PHP, and ASP lack security awareness and do not strictly check program parameter input, Web application security issues keep emerging without end.
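The article names CSRF but does not describe a defense, so the following is an added example, not code from the original article, of the standard synchronizer-token pattern in Python: the server issues a token bound by HMAC to the user's session, and a state-changing request is processed only if it is a POST carrying a token that verifies for that same session. The request dictionary shape, the function names and the server secret are assumptions for this demo.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; a real deployment loads it from configuration.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    # token = nonce.HMAC(secret, session_id:nonce); binding to the session means a
    # token obtained in one session is useless in any other.
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    try:
        nonce, mac = token.split(".", 1)
    except (AttributeError, ValueError):   # missing or malformed token
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)  # constant-time comparison


def handle_transfer(request):
    """request: {'method': str, 'session_id': str, 'form': dict}.

    A cross-site form post from another origin can carry the victim's session
    cookie but not the token embedded in our own page, so it fails the check.
    """
    if request["method"] != "POST":
        return 405, "method not allowed"
    if not verify_csrf_token(request["session_id"], request["form"].get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return 200, f"transferred {request['form'].get('amount')}"


if __name__ == "__main__":
    sid = "sess-A"  # constructed session identifier
    token = issue_csrf_token(sid)
    print(handle_transfer({"method": "POST", "session_id": sid,
                           "form": {"csrf_token": token, "amount": "10"}}))  # (200, ...)
    print(handle_transfer({"method": "POST", "session_id": sid,
                           "form": {"amount": "10"}}))                       # (403, ...)
```

The token is rendered into the site's own forms (or sent in a custom header by the site's own scripts); because the browser's same-origin policy prevents another site from reading it, a forged request cannot include it.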

So how can we discover the above vulnerabilities in time?

This is where the Vulnerability Scanning Service (VSS) comes in!

What is Vulnerability Scanning Service?

Since the rise of the Internet, cybersecurity incidents that exploit vulnerabilities have continued and are becoming increasingly serious. The economic losses caused by vulnerabilities are huge and increasing year by year. Vulnerabilities have become one of the main culprits that endanger the Internet and have become the focus of everyone's attention.

Vulnerability Scan Service (VSS) is a security detection service for website vulnerability scanning. It currently provides general vulnerability detection, vulnerability lifecycle management, and custom scanning services. After the user creates a new task, the scanning task can be manually triggered to detect website vulnerabilities and provide vulnerability repair suggestions.

The security of a network system depends on its weakest link. The security of a network system is a dynamic process. The most effective way is to regularly perform security analysis and scans on the network system to promptly discover and locate vulnerabilities and make modifications.

    • Vulnerability scanning service application scenarios:
      1. Website/application system launch

When a new website/application system is launched, a security assessment must be conducted on the website/application system first to assess whether there are any loopholes or risks in the website/application system. This will ensure the security of the website/application system after it is launched, reduce the risk of Trojan horse attacks or tampering, and ensure the safe operation of the website/application system after it is launched.

      2. Website/application system threats and attacks

With the continuous growth of new threats and attacks, the security of web applications directly affects the sustainability of business development. Websites/application systems are often attacked and threatened with network security, resulting in network information being eavesdropped, retransmitted, tampered with, denial of service attacks, and leading to network behavior denial, electronic deception, unauthorized access, virus transmission and other problems. Security testing is a comprehensive test of the website/application system, and professional repair suggestions are given to prevent the website from being exploited by hackers and affecting the website security.

      3. Real-time monitoring of websites/application systems

Government, education, finance and other institutions need to monitor websites in real time. If vulnerabilities are not repaired in time, it will seriously affect the image of government, education and other institutions and cause huge losses to the enterprise. Therefore, it is necessary to monitor and manage the security of websites/application systems in real time. Security detection intuitively displays monitoring results, alerts immediately when risks are found, and quickly identifies web page anomalies and notifies alarms to prevent vulnerabilities from being exploited and affecting system security.

      4. Website/application system security compliance requirements

Information security classified protection is a basic system of information security protection in China, requiring network operators to comply with the network security classified protection scheme. Classified protection requires website/application system operators to conduct security assessments at least twice a year to remain compliant. Security testing helps users with classified protection obligations carry out these assessments and meet the compliance requirements!

    • What does vulnerability scanning service generally include?
      1. Web Vulnerability Scanning

The loopholes and weaknesses of the website can be easily exploited by hackers to launch attacks, bring adverse effects and cause economic losses.

Regular vulnerability scanning: A rich vulnerability rule library can conduct comprehensive and in-depth vulnerability scans for various types of websites and provide professional and comprehensive scan reports.

Most urgent vulnerability scan: For the most urgent CVE vulnerabilities, security experts analyze the vulnerabilities, update the rules, and provide the fastest and most professional CVE vulnerability scans in a timely manner.

      2. Weak password scanning

Assets such as hosts or middleware generally use passwords for remote login, and attackers often use scanning techniques to detect their usernames and weak passwords.

Multiple scenarios supported: Comprehensive OS connectivity, covering 90% of middleware, supports weak password detection for standard Web services, operating systems, databases, etc.

Rich weak password library: A rich weak password matching library simulates hackers to detect weak passwords in various scenarios, and supports custom dictionaries for password detection.

      3. Middleware Scanning

Middleware can help users develop and integrate complex application software flexibly and efficiently. Once hackers discover and exploit vulnerabilities, it will affect the security of upper and lower layers.

Rich scanning scenarios: Supports version vulnerability and configuration compliance scanning of mainstream Web containers, front-end development frameworks, and back-end microservice technology stacks.

Multiple scanning modes optional: It supports identifying the middleware and its version on the server through various methods such as standard packages or custom installations, and comprehensively discovers the vulnerability risks on the server.

      4. Content compliance testing

When a website is found to have non-compliant speech, it will cause multiple losses to the company in terms of brand and economy.

Accurate identification: Synchronously updates sample data on current political hot spots and public opinion events, and accurately locates sensitive content related to pornography, violence, terrorism, politics, etc.

Intelligent and efficient: Conducts contextual semantic analysis on text and image content, and intelligently identifies complex variant texts.

  • Summary:

Once a vulnerability is exploited by criminals, the company will suffer huge losses. If the risks of the website can be discovered proactively and repair measures are taken in time, the risk can be reduced and the loss can be minimized. Therefore, as a proactive preventive measure, vulnerability scanning plays a huge role in effectively avoiding hacker attacks and preventing them before they happen.

Vulnerability scanning services can effectively solve the challenges faced by website security management, and can also better meet the efficiency and accuracy required in security inspection work, so as to improve the security management level of websites and applications.