Web application is the collective term for services built on the B/S (browser/server) architecture and delivered over the HTTP/HTTPS protocol. With the spread of the Internet, Web applications have become part of every aspect of our lives, and as enterprises digitize, more and more of their applications are also built on the Web platform. Most of this Web traffic involves dynamic server-side processing rather than static page browsing. If technical staff lack security awareness, for example by failing to check program parameters and other input strictly, Web application security problems emerge endlessly: attackers can tamper with page content, steal important internal data, or implant malicious code in pages to harm the site's visitors. As a result, more and more users are paying attention to application-layer security, and interest in Web application security keeps growing.

Based on the current security situation of Web applications, this paper enumerates the principles and harms of common attacks on Web applications and gives some suggestions on how to prevent them.

SQL injection

A SQL injection threat arises when an application splices user-entered content into SQL statements and submits them to the database for execution. Because the user's input forms part of the SQL statement, the attacker controls that part of the statement and can inject statements of their own, changing the execution logic of the SQL statement and making the database execute whatever instructions they need. By controlling part of the SQL statement, the attacker can query any data in the database, and by exploiting certain features of the database can even obtain system privileges on the database server directly.

Originally a SQL injection attack required the attacker to be very familiar with SQL statements, so it demanded a certain level of technical skill. The emergence of a large number of SQL injection exploitation tools has greatly increased the threat, since they let any attacker achieve the same effect with a few mouse clicks.
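The mechanism described above, as an added example that is not part of the original article: the vulnerable query splices the input into SQL text, while the hardened version passes it as a bound parameter. The table, rows and probe input are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed in-memory database with two sample users (not a real system).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    conn.commit()
    return conn


def find_user_unsafe(conn, name):
    # Vulnerable: the user-supplied value is pasted into the SQL text, so it
    # becomes part of the statement's logic rather than a literal value.
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # Hardened: a parameterized query sends the value separately from the
    # statement; the driver always treats it as data, never as SQL.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    conn = make_db()
    probe = "' OR '1'='1"   # constructed input that rewrites the WHERE clause
    return {
        "unsafe": find_user_unsafe(conn, probe),   # returns every row
        "safe": find_user_safe(conn, probe),       # no user has that literal name
        "safe_legit": find_user_safe(conn, "bob"),
    }
```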

XSS

Cross Site Scripting is abbreviated XSS rather than CSS to avoid confusion with Cascading Style Sheets (CSS). A malicious attacker inserts malicious HTML code into a Web page; when a user browses that page, the HTML code embedded in it is executed in the user's browser, achieving the attacker's particular goal against that user.

Reflected XSS attacks

Using social engineering, the attacker sends the user a URL to open; when the user opens the page, the browser executes the malicious script embedded in it.

Stored XSS attacks

Attackers use the data-entry or data-editing functions provided by the Web application to store malicious data on the server or in user cookies. When other users browse the page that displays this data, their browsers execute the malicious script embedded in the page, so every visitor to the page is attacked.
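The stored XSS case above, as an added example that is not part of the original article: a constructed comment store is rendered once by concatenation and once with HTML entity encoding of every untrusted value, which is the output-side defense for the HTML body context. The store, authors and comment text are constructed.

```python
import html
from dataclasses import dataclass, field


@dataclass
class CommentStore:
    """Constructed stand-in for the server-side data a stored XSS attack plants."""
    comments: list = field(default_factory=list)

    def add(self, author, body):
        # Store the raw text; encoding is applied at output time, per context.
        self.comments.append((author, body))


def render_unsafe(store):
    # Vulnerable: user-controlled text is concatenated straight into HTML, so
    # any tags it contains are parsed and executed by every visitor's browser.
    return "".join("<p><b>%s</b>: %s</p>" % (author, body)
                   for author, body in store.comments)


def render_safe(store):
    # Hardened: every untrusted value is entity-encoded for the HTML body
    # context, so the browser shows it as text instead of parsing it as markup.
    return "".join("<p><b>%s</b>: %s</p>" % (html.escape(author, quote=True),
                                            html.escape(body, quote=True))
                   for author, body in store.comments)


def demo():
    store = CommentStore()
    store.add("mallory", "<script>alert(1)</script>")   # constructed malicious comment
    store.add("bob", "hello & welcome")                  # constructed benign comment
    return render_unsafe(store), render_safe(store)
```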

The command injection

Command injection is similar to SQL injection, except that SQL injection targets the database while OS command injection targets the operating system. An OS command injection attack executes illegitimate operating system commands through the Web application to achieve the attacker's goal. Wherever a Shell function can be called there is a risk of attack: if the Shell call has an oversight, the inserted illegitimate command is executed.

Command injection attacks send commands to a Shell, which can start any program from the command line of a Windows or Linux operating system. In other words, command injection can attack any executable program installed on the operating system.
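An added example, not from the original article, of the Shell-call oversight described above and its fix: the unsafe builder produces a command line a shell would parse, while the safe builder validates the value against an allowlist and hands it to `subprocess` as a single argv element with no shell involved. The ping wrapper and the hostname pattern are assumptions for the demonstration.

```python
import re
import subprocess

# Allowlist for what a hostname parameter may contain (assumed policy).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def build_command_unsafe(host):
    # Vulnerable pattern: the value is pasted into a command line that a
    # shell parses (os.system / shell=True), so ';', '|', '$(...)' are honoured.
    return "ping -c 1 " + host


def build_argv_safe(host):
    # Hardened: reject anything outside the allowlist, then pass the value as
    # one argv element. The program is exec'd directly; no shell ever sees it.
    if not HOSTNAME_RE.match(host):
        raise ValueError("invalid hostname: %r" % host)
    return ["ping", "-c", "1", host]


def ping(host, timeout=5):
    # shell=False is the default: the argv list goes straight to the program.
    return subprocess.run(build_argv_safe(host), capture_output=True,
                          text=True, timeout=timeout, check=False)


def demo():
    probe = "example.com; id"   # constructed input carrying a shell separator
    results = {"unsafe": build_command_unsafe(probe)}
    try:
        build_argv_safe(probe)
        results["safe"] = "accepted"
    except ValueError:
        results["safe"] = "rejected"
    results["legit"] = build_argv_safe("example.com")
    return results
```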

Cross-site request forgery

CSRF (Cross Site Request Forgery) uses a logged-in user's identity to send malicious requests in that user's name and so complete illegitimate operations.

For example, a user browses and trusts Web site A, which has a CSRF vulnerability; the browser generates the corresponding cookie, and without logging out of site A the user visits dangerous Web site B. Site B issues a request to site A, and the browser attaches the user's cookie to it. Since site A cannot tell whether the request was made by the user or by dangerous site B, it processes the request from site B, thereby simulating the user's operation. This is the basic idea behind CSRF attacks.
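An added example, not from the original article, of how site A can tell the two requests apart: a per-session anti-CSRF token that only site A's own pages carry, plus an Origin header check as defense in depth. The origin names, session layout and field names are assumptions for the demonstration.

```python
import hmac
import secrets

SITE_ORIGIN = "https://site-a.example"   # constructed name for "Web site A"


def issue_csrf_token(session):
    # One random token per login session, kept server-side and embedded in
    # site A's own forms. Site B can make the browser send the cookie, but it
    # cannot read the token out of site A's page, so it cannot supply it.
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def is_request_allowed(session, form_fields, headers):
    expected = session.get("csrf_token", "")
    supplied = form_fields.get("csrf_token", "")
    # Constant-time comparison on bytes so odd input cannot raise or leak timing.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False
    # Defense in depth: a browser-set Origin naming another site marks the
    # request as cross-site even if a token were ever leaked.
    origin = headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False
    return True


def demo():
    session = {"user": "alice"}     # constructed session the cookie maps to
    token = issue_csrf_token(session)
    # Request from site A's own form: carries the token and same origin.
    legit = is_request_allowed(session, {"csrf_token": token, "to": "bob"},
                               {"Origin": SITE_ORIGIN})
    # Request triggered by site B: cookie is present, token is not.
    forged = is_request_allowed(session, {"to": "mallory"},
                                {"Origin": "https://site-b.example"})
    return legit, forged
```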

Unauthorized access

A privilege overreach vulnerability is a loophole in the application's authorization checks that lets an attacker who has obtained a low-privilege user account bypass the authority check in some way and access or operate high-privilege functions they were never entitled to. In actual code security review this kind of vulnerability is difficult for tools to detect automatically, so it is very harmful in practice. It is different from unauthorized access. At present there are two types of overreach: vertical overreach and horizontal overreach.

A vertical overreach vulnerability, also known as privilege escalation, is caused by a design flaw in "URL-based access control". Because the Web application either enforces no permission control at all or only controls which menu entries are shown, a malicious user who guesses the URL of other management pages can access or control data or pages that belong to other roles, thereby elevating their permissions.

A horizontal overreach vulnerability is caused by a design flaw in "data-based access control": the server side fails to determine the owner of the data when it receives a request to operate on it, resulting in unauthorized data access. For example, the server takes the user ID from a request parameter submitted by the client (data the user controls), and a malicious attacker views or modifies data that does not belong to them simply by changing the value of that request ID.
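An added example, not from the original article, showing both checks the two passages above call for: ownership is decided from the server-side record rather than a client-supplied user ID (horizontal), and the role is enforced on the handler itself rather than by hiding a menu entry (vertical). The users, roles, document table and handler names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str          # "user" or "admin" (assumed role names)


# Constructed sample data: document id -> (owner user id, content).
DOCS = {1: (100, "alice's report"), 2: (200, "bob's report")}


class Forbidden(Exception):
    pass


def get_document(current: User, doc_id: int):
    # Horizontal check: the owner comes from the stored record. The request
    # only names the document; a "user_id" parameter is never trusted.
    owner, body = DOCS[doc_id]
    if current.role != "admin" and owner != current.user_id:
        raise Forbidden("document %d is not owned by user %d" % (doc_id, current.user_id))
    return body


def admin_list_owners(current: User):
    # Vertical check: the role is verified on the management handler itself,
    # so guessing this URL gives a low-privilege user nothing.
    if current.role != "admin":
        raise Forbidden("admin role required")
    return sorted({owner for owner, _ in DOCS.values()})


def demo():
    alice = User(100, "user")                    # constructed low-privilege account
    outcomes = {"own_doc": get_document(alice, 1)}
    attempts = (("other_doc", lambda: get_document(alice, 2)),     # changed ID
                ("admin_page", lambda: admin_list_owners(alice)))  # guessed URL
    for name, handler in attempts:
        try:
            handler()
            outcomes[name] = "allowed"
        except Forbidden:
            outcomes[name] = "denied"
    return outcomes
```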

With the wide use of Internet and Web technology, Web application security faces increasingly severe challenges, and Web systems are constantly under threat from various attacks. A typical Web application such as a BI system therefore needs a complete Web attack defense solution. SmartBi Security is taken here as an example of how to prepare before an incident occurs.

First, SmartBi regularly updates patch files through the software's own security patch kit and supports hot fixes. Second, SmartBi examines its product for security problems on the Web side, in source code, in components and elsewhere, and also works with third-party institutions such as the "BU day public testing platform" and the "Guangdong competition evaluation testing center" to regularly scan the product for security issues and actively fix the vulnerabilities found. Finally, it responds promptly to users' security issues and requests for help through official technical support channels.

In this way, SmartBi establishes a comprehensive security vulnerability defense mechanism to protect users' information. However, Web attack defense is long-term, sustained work: as Web technology develops and is updated, Web attack methods keep evolving too, and the Web security defense strategy must be adjusted in time for these latest threats so that Web applications can serve the enterprise in a secure environment.