File upload vulnerability

File upload vulnerability means that a user uploads an executable script file and obtains the ability to execute server-side commands through the script file.

Therefore, common problems caused by file upload include:

  • The uploaded file is a Web scripting language file; the server's Web container interprets and executes the script uploaded by the user, resulting in code execution.
  • The uploaded file is a Flash policy file, crossdomain.xml, which hackers use to control Flash behavior in this domain (other cases where a policy file is controlled in this way are similar).
  • The uploaded file is a virus or Trojan horse that hackers use to trick users or administrators into downloading and executing it.
  • The uploaded file is a phishing image or an image that contains a script, which some versions of browsers execute as a script, and which is used for phishing and fraud.

How to design a secure upload function

  • Set the upload directory to non-executable. After files are uploaded, store them on separate storage and serve them as static files.
  • Determine the file type and add blacklist logic.
  • Rewrite file names and paths using random numbers.
  • Give the file server its own separate domain name.
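The four points above combined in one upload handler, as an added example that is not code from the original page. The accepted signatures, the blacklist entries, the host `static.example.net` and all function names are assumptions made for the illustration.

```python
import os
import secrets

# Constructed for this example: signatures of the types the site accepts.
MAGIC = {b"\x89PNG\r\n\x1a\n": ".png", b"\xff\xd8\xff": ".jpg", b"GIF89a": ".gif"}
# Blacklist of extensions a Web container might execute (illustrative, not exhaustive).
SCRIPT_EXTS = {".php", ".phtml", ".jsp", ".jspx", ".asp", ".aspx", ".cgi", ".py"}
STATIC_HOST = "https://static.example.net"  # assumed separate file-server domain


class UploadRejected(Exception):
    pass


def detect_ext(data):
    """Determine the type from the content, never from the client's file name."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def store_upload(client_name, data, storage_root):
    # Blacklist logic: refuse if any dot-separated part is a script extension,
    # so "shell.php.png" is rejected as well as "shell.php".
    parts = {"." + p.lower() for p in client_name.split(".")[1:]}
    if parts & SCRIPT_EXTS:
        raise UploadRejected("script extension in file name")
    ext = detect_ext(data)
    if ext is None:
        raise UploadRejected("content is not an accepted file type")
    # Random name: the client-supplied name and path never reach the disk.
    stored = secrets.token_hex(16) + ext
    path = os.path.join(storage_root, stored)
    # O_EXCL refuses to overwrite; mode 0o640 carries no execute bit.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path, STATIC_HOST + "/" + stored
```

`storage_root` is meant to be a directory outside the Web container's script-handling paths; the returned URL points at the separate static domain.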

Authentication and session management

The purpose of authentication is to recognize who the user is, and the purpose of authorization is to determine what the user can do.

Figuratively speaking, suppose the system is a house, and whoever holds the key can open the door and enter. The house authenticates by matching lock and key, and the authentication process is the process of opening the lock. The key used in the authentication process is called a "credential", and opening the door corresponds to logging in on the Internet. Once the door is open, what you can and cannot do is the domain of authorization.

Which begs the real question, is the person holding the key necessarily the owner of the house?

Password

Passwords are the most basic means of authentication on the Internet. Their advantages are low cost and a relatively simple authentication process; their disadvantage is that they are easy to crack.

Multifactor authentication

Because passwords are not very secure, most banks add mobile dynamic passwords, digital certificates, Baoling, payment shields, third-party certificates, and so on, all of which can be used for user authentication. These different authentication methods can be combined to make the authentication process more secure.

Session Fixation attacks

What is Session Fixation? Here’s a graphic example:

Suppose A owns a car and sells it to B, but instead of handing over all the keys to B, A hides one. If B does not change the lock of the car, A can still use the hidden key to use the car.

This security problem, caused by the failure to change the lock, is called the Session Fixation problem.

If the user’s SessionID does not change before and after the user logs in to the website, a Session fixation problem may occur.

Specific attack process:

  • User X (the attacker) first obtains an unauthenticated SessionID;
  • X then hands this SessionID to user Y to authenticate with;
  • After Y completes authentication, the server does not update the value of this SessionID (note that it is the SessionID that is unchanged, not the Session);
  • so X can use that SessionID to log directly into Y's account.

The correct way to solve Session Fixation is to rewrite the SessionID after login.
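The difference between keeping and rewriting the SessionID at login, as an added example that is not part of the original page. `SessionStore` and its method names are hypothetical; a real application would use its framework's session-regeneration call.

```python
import secrets


class SessionStore:
    """Minimal in-memory server-side session table (hypothetical, for illustration)."""

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        return self._sessions.get(sid, {}).get("user")

    def login_keep_id(self, sid, user):
        """The flaw: the pre-login SessionID survives authentication."""
        self._sessions[sid]["user"] = user
        return sid

    def login_rotate_id(self, sid, user):
        """The fix: the Session data moves to a fresh SessionID, the old ID is dropped."""
        data = self._sessions.pop(sid, {})
        data["user"] = user
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid


def demo():
    store = SessionStore()
    # X holds an unauthenticated SessionID and Y authenticates with it.
    known_to_x = store.new_session()
    store.login_keep_id(known_to_x, "Y")
    without_fix = store.user_for(known_to_x)   # X's copy of the ID is now logged in as Y

    known_to_x = store.new_session()
    y_sid = store.login_rotate_id(known_to_x, "Y")
    with_fix = store.user_for(known_to_x)      # the old ID no longer maps to a session
    return without_fix, with_fix, store.user_for(y_sid)
```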

Access control

In the field of Internet security, the problem of permission control can be reduced to the problem of access control.

When designing the scheme, the principle of least privilege should be met.

Vertical Rights Management

Role-based access control is a more popular approach at present.

Different roles are defined in the system, and different roles have different permissions. A role is therefore a collection of permissions.

Encryption algorithm and random number

In Web security, more attention is paid to how to use encryption algorithms, do a good job of key management, and generate strong random numbers.

In the selection and use of encryption algorithms, there are the following suggestions:

  • Don't use ECB mode;
  • Do not use stream ciphers (e.g. RC4);
  • Use HMAC-SHA1 instead of MD5 (or even instead of SHA1);
  • Don't use the same key for different things;
  • Salts and IVs need to be generated randomly;
  • Do not implement your own encryption algorithms; wherever possible use libraries that security experts have already implemented;
  • Do not rely on the secrecy of the system.

Here are some tips for when you’re not sure what to choose:

  • Use AES256 in CBC mode for encryption;
  • Use HMAC-SHA512 for integrity checks;
  • Use salted SHA-256 or SHA-512 for hashing.
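The integrity-check and hashing tips above using only the Python standard library, as an added example that is not code from the original page. AES is left out because the standard library has no AES implementation; the function names and the way the key is generated are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# A random key used for integrity tags only; a different job gets a different key.
# Generated at import time here; a real deployment loads it from key storage.
MAC_KEY = secrets.token_bytes(64)
TAG_LEN = hashlib.sha512().digest_size  # 64 bytes


def protect(message, key=MAC_KEY):
    """Append an HMAC-SHA512 tag so that tampering is detectable."""
    return message + hmac.new(key, message, hashlib.sha512).digest()


def verify(blob, key=MAC_KEY):
    """Return the message if the tag matches, otherwise None."""
    if len(blob) < TAG_LEN:
        return None
    message, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha512).digest()
    # compare_digest is constant-time, so the comparison leaks no timing signal.
    return message if hmac.compare_digest(tag, expected) else None


def salted_hash(value, salt=None):
    """Salted SHA-256; the salt is random per value and stored beside the digest."""
    salt = secrets.token_bytes(16) if salt is None else salt
    return salt, hashlib.sha256(salt + value).digest()


def check_hash(value, salt, digest):
    return hmac.compare_digest(hashlib.sha256(salt + value).digest(), digest)
```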

Application layer denial of service attack

Distributed Denial of Service (Network Layer DDOS)

DDOS stands for Distributed Denial of Service.

DDOS requests cause resource overload and service unavailability. Distributed denial-of-service attacks amplify normal requests several times and attack simultaneously through several network nodes to achieve scale effects.

Simply put, a DDOS attack is a breach of application availability.

For example, a parking lot has a total of 100 parking spaces. When all 100 spaces are full, any car that wants to park must wait for a parked car to leave first. If the parked cars never leave, a long queue forms at the entrance, and the parking lot is overloaded and cannot work properly. This situation is called "denial of service".

DDOS Attack Diagram

Application layer DDOS

Network layer DDOS is described above. Application layer DDOS differs in that it does not take place at the network layer, because it happens after the TCP three-way handshake has completed.

The full name of a CC attack is Challenge Collapsar (in Chinese, "challenging the black hole"), because the security equipment once used to resist DDoS attacks was called the black hole. As the name implies, the black hole could do nothing against this kind of attack.

CC attacks simulate many users accessing the dynamic pages of the target website, through proxy servers or a large number of compromised machines, to generate a large number of back-end database queries, consume the target's CPU resources, and cause denial of service.

The difference between DDoS and CC

DDoS attacks the server of a website, targeting its IP, while CC attacks the pages of a website, targeting server resources.

In technical terms, one is a Web network layer denial of service attack (DDoS) and the other is a Web application layer denial of service attack (CC).

A network layer attack uses traffic from compromised machines to hit the server of the target website, attacking the lower-level layer; when the server breaks down, the website running on it can no longer be accessed normally. The application layer is what users see, such as web pages. A CC attack targets web pages, and each CC request is itself a normal request. A normal request for a dynamic page also interacts with the database, so when these "normal requests" reach a certain volume, the server becomes unresponsive and crashes.

ReDoS attack

When a regular expression is poorly written, it can be exploited by malicious input to consume a lot of resources. This attack is called ReDoS.

Summary

Denial of service attack at application layer is also caused by unlimited abuse of limited resources. The core idea to solve this problem is to limit the quota of each untrusted resource user.

Verification codes (CAPTCHAs) can be used against application layer denial of service attacks to raise the threshold for the attacker.

Internet Service Security

There are two requirements for a good security solution:

  • Good user experience;
  • Excellent performance;

Design a login security scheme

Suppose you wanted to design a security scheme to protect the Web entry to your website, how would you go about it?

  • The user name and password are used.
  • Sensitive systems will adopt two-factor authentication, but it will increase user cost and reduce user experience, which is not necessarily a good solution.
  • Requiring users to set complex passwords is also an increase in user costs.

So the essence of the security requirement to increase password complexity can be broken down into:

  • How to resist brute-force cracking;
  • How to prevent passwords from containing personal information.

Against brute-force cracking, for example, check the number of login failures of an account, or the number of login attempts from an IP address, within a period of time.

During user registration, the personal information filled in by the user can be collected. If the user is found to have used personal information such as username, email address, birthday, telephone number, etc., as a password, the user should be prompted immediately to prevent the password from containing personal information.

This process, the threat analysis process, is the basis for designing security solutions.

Interesting security example

Who is the big winner

An online shopping site, in order to combat brute-force password cracking, locks an account for one hour if it fails to log in five times within a short period of time.

In its business, the site offers an online auction function where users can bid on items they like and latecomers must bid a higher price. After the closing time of the auction, the goods will go to the highest bidder.

After making a bid for a product, a hacker continues to observe who bid a higher price on the website. When he finds someone bidding a higher price, he tries to maliciously log into the user’s account: when the number of failed attempts reaches five, the account is locked by the system.

The order system is linked to the account security system, and when the order system discovers that the account is locked, the user's bid is also voided. So the hacker can get the item he wants at a very low price.

How to avoid

  • If brute-force cracking behavior is detected, for example by IP, ban login after a certain number of attempts.
  • Do not display sensitive information such as UID or user name on the website, to avoid it being exploited by criminals.
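The login-failure check described under "Design a login security scheme" and the first avoidance point above, as an added example that is not code from the original page. Failures are counted per source IP in a sliding window, and the targeted account is never locked, so a third party cannot lock out another bidder. The class and function names, the IP addresses and the password are constructed; the limits (five failures, one hour) are the ones in the story.

```python
import time


class LoginThrottle:
    """Sliding-window count of failed logins per source IP."""

    def __init__(self, max_failures=5, window=3600.0, clock=time.monotonic):
        self.max_failures = max_failures   # five failures, as in the auction story
        self.window = window               # counted over one hour
        self.clock = clock
        self._failures = {}                # ip -> list of failure timestamps

    def _recent(self, ip):
        cutoff = self.clock() - self.window
        recent = [t for t in self._failures.get(ip, []) if t > cutoff]
        if recent:
            self._failures[ip] = recent
        else:
            self._failures.pop(ip, None)   # forget sources with no recent failures
        return recent

    def allowed(self, ip):
        return len(self._recent(ip)) < self.max_failures

    def record_failure(self, ip):
        self._failures[ip] = self._recent(ip) + [self.clock()]


def attempt_login(throttle, ip, account, password, check_password):
    """Return "blocked", "failed" or "ok"; the account itself is never locked."""
    if not throttle.allowed(ip):
        return "blocked"
    if check_password(account, password):
        return "ok"
    throttle.record_failure(ip)
    return "failed"


def demo():
    now = [0.0]                                      # fake clock for the demo
    throttle = LoginThrottle(clock=lambda: now[0])
    check = lambda acct, pw: (acct, pw) == ("bidder", "right-password")  # constructed
    guesses = [attempt_login(throttle, "203.0.113.7", "bidder", "guess", check)
               for _ in range(6)]
    owner = attempt_login(throttle, "198.51.100.20", "bidder", "right-password", check)
    now[0] = 3601.0                                  # the one-hour window has passed
    later = attempt_login(throttle, "203.0.113.7", "bidder", "right-password", check)
    return guesses, owner, later
```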

stamping

A TV station's website has developed a new feature that allows users to provide local weather information that will be scrolled across the TV news. In order to prevent spam, the information provided by netizens is reviewed by a human.

But the system is also designed to allow users to edit information.

There is a logical loophole: if a message has been reedited, it will not be reviewed again and will be sent directly to the TV news scrollbar.

Secure Development Process (SDL)

SDL stands for Security Development Lifecycle.

The general steps of SDL are as follows:

SDL process

The SDL process can be roughly divided into 16 stages:

Training

Through training, security policies and knowledge can be implemented, and the implementation efficiency can be improved and communication costs can be reduced.

Training targets include developers, testers, project managers, product managers, etc.

The training will cover security design, threat modeling, security coding, security testing, privacy and other aspects.

Security requirements

Before the project is established, it is necessary to communicate with the project manager or product owner in advance to determine the security requirements and what needs to be done.

Identify project plans and milestones to avoid delays due to security issues.

Problem level definition

Used to determine minimum acceptable levels of security and privacy quality.

Defining these standards at the beginning of a project enhances the understanding of the risks associated with security issues and helps teams identify and fix security bugs during development.

A quality gate is applied to the entire software development project and is used to define severity thresholds for security vulnerabilities. For example, applications must not contain known vulnerabilities with critical or significant ratings at the time of release.

Security and privacy risk assessment

Used to identify the functional areas of the software that need in-depth analysis, including the following information:

  • Which parts of the (security) project require a threat model before release?
  • What parts of the project require a security design review prior to release?
  • What parts of the (security) project, if any, require penetration testing by a mutually agreed group that is not part of the project team?
  • (Security) Are there additional testing or analysis requirements that the security consultant considers necessary to mitigate security risks?
  • (Security) What is the exact scope of the fuzz testing requirements?
  • (Privacy) How does privacy affect the rating?

Design requirements

Security and privacy issues should be carefully considered in the design stage, and security requirements should be determined at the beginning of the project to avoid requirements changes caused by security as much as possible.

Attack surface reduction

Reducing the attack surface reduces risk by reducing the opportunities an attacker has to exploit a potential weakness or vulnerability. It includes shutting down or limiting access to system services, applying the principle of least privilege, and using layered defense wherever possible.

Threat modeling

Model the threat to your project or product and identify the possible aspects of the attack.

Use the specified tool

The compiler, linker and other tools used by the development team may involve some security-related aspects. Therefore, you need to communicate with the security team in advance about the versions of the tools to be used.

Deprecate unsafe functions

Many common functions may have security risks. You should disable insecure functions or APIs and use the functions recommended by the security team.

Static analysis

Code static analysis can be done with the aid of tools, and the results are combined with manual analysis.

Dynamic program analysis

Dynamic analysis is a supplement to static analysis and is used to verify the security of the program during the test phase.

Fuzzing Test

Fuzz testing is a specialized form of dynamic analysis that induces program failures by deliberately feeding malformed or random data into an application. Fuzz testing strategies are developed based on the intended use of the application, as well as its functional and design specifications.

Review of threat model and attack surface

The final output of the project often deviates from the original target due to factors such as demand change. Therefore, it is necessary to re-evaluate the threat model and attack surface in the later stage of the project, so as to discover and correct problems in time.

Incident response plan

Every piece of software subject to SDL requirements must include an incident response plan at the time of release.

Final security review

The Final Security Review (FSR) is a careful review of all security activities performed on the software prior to release. There are three different results from the FSR:

  • FSR passed. All security and privacy issues identified during the FSR process have been fixed or mitigated.
  • FSR passed with exceptions. All security and privacy issues identified during the FSR process have been fixed or mitigated, and/or all exceptions have been satisfactorily resolved. Problems that cannot be resolved will be documented and corrected in the next release.
  • FSR that needs to be escalated. If the team does not meet all SDL requirements and the security consultant and product team cannot reach an acceptable compromise, the security consultant cannot approve the project and the project cannot be released. The team must either resolve any issues that can be resolved prior to release, or report the decision to senior management.

Publish/archive

The release of the product can be completed after the FSR is approved or issues are agreed upon. However, issues and documentation should still be archived for emergency response and product upgrades.

SDL field experience

  • Communicate fully with the project manager and allocate sufficient time.
  • Standardize the company’s project approval process to ensure that all projects are notified to the security team to avoid omission.
  • Establish the authority of the security department, the project must be audited by the security department before it can be released.
  • Write the technical proposal into the development and test manual.
  • Train engineers on security solutions.
  • Record all security bugs and incentivize programmers to write secure code.

Security operations

  • Establish a vulnerability repair process, e.g. for bug reporting.
  • Security monitoring and alerting, for example on attacks.
  • Intrusion detection, for example a WAF.
  • Establish emergency response processes.

Summary

With this, the whole book is finished. A lot of content was selectively skipped because I did not quite understand it; there are many references to server security, PC security and so on, as well as some source code, and because my level is limited I could only skip those parts.

But I still gained a lot, such as common XSS and SQL injection methods, permission management, Internet security scenarios, and the secure development process. Internet security in particular is closely related to daily work, and it is explained directly through examples, which is very clear.

The next chapter will explain some common security tools to give you a better sense of security.