Web应用受到攻击必须有防御方法
针对XSS、Sql注入、拒绝服务等常见网络攻击,您必须具备哪些防御方法?
编辑:我根据维基百科的描述收集了您的回复。 我添加了一些额外的问题以获得完整的参考。
SQL注入
SQL注入是一种代码注入 利用安全性的技术 漏洞发生在 应用程序的数据库层。 这 当用户 输入被错误过滤 对于字符串文字转义字符 嵌入 SQL 语句或用户 输入不是强类型的并且 从而意外地被执行。 这是 更一般类的一个实例 可能出现的漏洞 每当一个编程或脚本编写 语言嵌入到另一种语言中。
- 不要相信用户输入并尽早验证它。
- 不要根据原始用户输入构建 SQL - 而是使用参数。
跨站脚本攻击 (XSS)
跨站脚本是一种 计算机安全漏洞 通常出现在网络应用程序中 允许代码注入 恶意网络用户进入网页 被其他用户查看。 示例 此类代码包括 HTML 代码和 客户端脚本。 一个被剥削的 跨站脚本漏洞可以 被攻击者用来绕过访问 控件如同源 政策。
- 切勿逐字输出或执行用户提交的内容。
- 对所有输出进行 HTML 编码。
拒绝服务攻击
拒绝服务攻击 (DoS 攻击)或分布式 拒绝服务攻击(DDoS 攻击) 是尝试制造一台计算机 资源无法达到预期目的 用户。 虽然携带手段 DoS 的原因、动机和目标 攻击可能会有所不同,通常包括 一致的、恶意的努力 一个人或多个人,以防止 互联网站点或服务来自 有效运作或完全运作, 暂时或无限期。
我知道以编程方式避免拒绝服务攻击似乎是不可能的,但您认为呢?
暴力攻击
在密码分析中,暴力攻击 是一种击败的方法 系统地制定密码方案 尝试大量 可能性; 例如,一个大的 一个键中可能的键数 空间以解密消息。 在大多数方案中,理论 暴力攻击的可能性是 公认的,但它是建立在这样一个 这样就可以计算出 无法实施。
- 每当登录尝试出错次数过多时,就会锁定帐户。 绝不允许无限次重试。
- 当密码输入错误时添加延迟。
一些额外问题:
您对尝试根据您的内容发布输入的网络机器人有何看法? 例如,SO 正在使用图像验证。
您对 javascript eval 函数有何看法?
有没有办法访问服务器上未暴露于外部的内容。 例如,我有一个页面将一些重要记录插入到我的数据库中,只有我知道它的网址。 有没有办法获取此类文件? 我知道您可以对其设置一些安全规则。
(注意:目录列表已禁用,我托管此文件。)
感谢您的回复!
What is your must have defence methods to common web attacks like XSS, Sql Injection, Denial of Service, etc. ?
Edit : I collected your responses under descriptions from Wikipedia. And I add some extra questions to have a complete reference.
Sql Injection
SQL injection is a code injection
technique that exploits a security
vulnerability occurring in the
database layer of an application. The
vulnerability is present when user
input is either incorrectly filtered
for string literal escape characters
embedded in SQL statements or user
input is not strongly typed and
thereby unexpectedly executed. It is
an instance of a more general class of
vulnerabilities that can occur
whenever one programming or scripting
language is embedded inside another.
- Do not trust user input and validate it as early as possible.
- Don't build SQL from raw user input - use parameters instead.
Cross Site Scripting (XSS)
Cross-site scripting is a type of
computer security vulnerability
typically found in web applications
which allow code injection by
malicious web users into the web pages
viewed by other users. Examples of
such code include HTML code and
client-side scripts. An exploited
cross-site scripting vulnerability can
be used by attackers to bypass access
controls such as the same origin
policy.
- Never output or execute user-submitted content verbatim.
- HTML-encode all output.
A denial-of-service attack
A denial-of-service attack (DoS
attack) or distributed
denial-of-service attack (DDoS attack)
is an attempt to make a computer
resource unavailable to its intended
users. Although the means to carry
out, motives for, and targets of a DoS
attack may vary, it generally consists
of the concerted, malevolent efforts
of a person or persons to prevent an
Internet site or service from
functioning efficiently or at all,
temporarily or indefinitely.
I know it seems impossible to avoid denial-of-service attacks programmatically, but what you think ?
Brute Force Attacks
In cryptanalysis, a brute force attack
is a method of defeating a
cryptographic scheme by systematically
trying a large number of
possibilities; for example, a large
number of the possible keys in a key
space in order to decrypt a message.
In most schemes, the theoretical
possibility of a brute force attack is
recognized, but it is set up in such a
way that it would be computationally
infeasible to carry out.
- Lock an account whenever too many login attempts went wrong. Never allow unlimited retries.
- Add a delay when the password typed in is wrong.
Some extra questions :
What do you think about web robots that try to post inputs according to your content ? For example SO is using an image validation.
What do you think about javascript eval function ?
Are there a way to access content on server which didn't exposed to outside. For example, I have a page that inserts some important records to my db, and only I know it's url. Is there a way to get this kind of files ? I know you can set some security rules over it.
(NOTE : Directory listing is disabled and I host this files.)
Thanks for the replies !
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(7)
你的问题涉及面很大。 我会尽力给你一些指示。 如果你把你的问题说得更清楚,我可以给你一些更具体的信息。
您可能认为某人无法访问您的页面只是因为他们不知道 URL。 这是通过默默无闻实现安全,从长远来看永远不会奏效。 Google 索引蜘蛛将简单地尝试遍历您的整个网站并为其可以访问的每个页面建立索引。 如果您的页面包含敏感信息,请添加身份验证和授权机制。
Your question covers a large scope. I'll try to give you some pointers. If you specify your question more clearly, I can give you some more specific information.
You may think that someone cannot access your page simply because they don't know the url. This is security through obscurity and will never work in the long term. The Google index spider will simply try to walk your entire site and index every page it can access. If you have pages with sensitive information, add an authentication and authorization mechanism.
对于 XSS 和 SQL 注入:绝不逐字输出或执行用户提交的内容。
For XSS and SQL injection: never output or execute user-submitted content verbatim.
验证!
Validation!
最重要的是防止暴力破解密码。 很简单,只要在密码输入错误时添加延迟即可。
The most important is to prevent brute forcing of passwords. That simple by adding a delay when the password typed in is wrong.
我们使用名为 fortify 的工具来扫描我们的软件http://www.fortify.com/(抱歉商业产品,但也许还有更多)
它捕获未经验证的用户输入、字符串连接而不是参数等等。
只需尝试该产品,您就可以学习如何安全编程。
We use a tool called fortify to scan our software http://www.fortify.com/ (sorry commercial product but maybe there are more)
It catches user input that is not validated, string concatenation instead of parameters and a lot more.
Just from trying this product you can learn how to program secure.
图像验证称为验证码。 它可以防止自动机器人填写表单,并有助于验证人类是否确实在提交表单。 这些通常用在您想要控制对表单的访问的任何地方。 垃圾邮件机器人会尝试填写联系表格以绕过垃圾邮件过滤器,因此您可能需要对此类内容添加一些保护。 在大多数情况下,表单滥用的情况很少,但在某些情况下您会看到它。
这取决于你如何使用它。 与其他任何事情一样,不要相信用户输入。 如果您要通过 eval() 运行他们的输入,请确保它首先经过适当的卫生流程。 如果您将他们的输入存储在数据库中并将其拉出以供其他用户查看,那么这一点就显得尤为重要。 这适用于 SQL、HTML 和 JavaScript。 如果有人能够在足够了解你的网站如何工作的情况下执行 JS 代码,他们就可以做各种疯狂的事情,模仿登录的用户,更改他们的密码等。
正如其他人提到的,这将是通过默默无闻的安全性,并且不推荐。 任何敏感内容都需要放在安全登录区域后面。 不要仅仅依赖“隐藏的 URL”。 如果有人猜到了您的特殊 URL 或者它最终出现在 Google 有权访问的日志文件中,您可能永远不知道是否有人设法进入。围绕此类事情进行一些身份验证。
The image validation is called a CAPTCHA. It prevents automated bots from filling out forms and helps to verify that a human is actually submitting the form. These are generally used anywhere that you want to control access to the form. Spam bots will try to fill out contact forms to bypass spam filters, so you may need to add some protection on things like that. For the most part, form abuse is minimal, but you will see it in some cases.
It depends on how you use it. Like anything else, don't trust user input. If you're going to run their input through eval() make sure it's run through a decent sanitation process first. This is doubly important if you're storing their input in a database and pulling it back out the displaying it for other users to see. That goes for SQL, HTML, as well as JavaScript. If someone can get JS code executed with enough knowledge about how your site works, they can do all sorts of crazy things and imitate the user who is logged in, change their password, etc.
As someone else mentioned, this would be security through obscurity and is not recommended. Anything sensitive needs to be put behind a secure login area. Don't rely on the "hidden URL" alone. If someone guesses your special URL or it ends up in a log file that Google has access to, you may never know if someone manages to get in. Put some authentication around things like that.