9-2 Web Security Test Site

1. Focus on test sites

Common websecurity problems, principles and precautions. Security awareness
1. SQLInjection
2. XSS(Cross-site scripting attack, Cross-Site Scripting)
3. CSRF(Cross-site request forgery, Cross-Site request forgery)

2. What is SQLinjection?

SQLInjection and Prevention
1. special input parameters passed configuration webapplication, resulting in malicious backend SQL
2 since the programmer is not generally an input filter, the direct dynamic splicing SQLgenerates
3. open source tools may be used sqlmap, SQLniniathe detection

Code demo:

Create database and insert data
CREATE TABLE `users`(
	`id` INT NOT NULL AUTO_INCREMENT,
	`name` VARCHAR(45) NULL,
	`email` VARCHAR(45) NULL,
	`password` VARCHAR(45) NULL,
	PRIMARY KEY (`id`)
);

insert into users(name, email, password) values ('laowang', '[email protected]', md5('laowang123'));
insert into users(name, email, password) values ('zhangsan', '[email protected]', md5('zhangsan123'));
insert into users(name, email, password) values ('lisi', '[email protected]', md5('lisi123'));

Generate database tables and data as follows:

Insert picture description here
sql injection demo code
import os
import MySQLdb   # pip install mysqlclient

db = MySQLdb.connect(
	host='localhost',
	user='root',
	password=os.getenv('MYSQL_PASS'),
	db='test'
)

cur = db.cursor()

name = input('Enter name: ')
print(f'您输入的用户 name 是:{name}')
password = input('Enter password: ')
print(f'您输入的密码是:{password}')

# 直接拼接 sql 参数
sql = " SELECT * FROM users WHERE name='" + name + "'" + " AND password=md5('" + password + "')"   # 有 sql 注入危险的语句
sql = "SELECT * FROM users WHERE name=%s and password=md5(%s)"   # 用占位符,防止 sql 注入
print(sql)
cur.execute(sql)   # 没用点位符时的执行
cur.execute(sql, (name, password))   # 用占位符时的执行,代码会在底层做一个转义操作,可以防止 sql 注入
for row in cur.fetchall():
	print(row)

db.close()

Normal operating procedure:

Insert picture description here


sqlRun injection process:
password here just input, or output the results, is sqlinjected into

Insert picture description here


how to prevent SQLinjection?
webA security principle: never trust any input from the user
1. carry out inspection (type and scope) on the input parameters; filter and escape special characters
2. Do not directly spliced sql, use ORMcan greatly reduce the sqlinjection of venture
3. Database Layer: do Good authority management configuration; to store large sensitive information in clear text

Three, what is XSS?

XSS( Cross Site Scripting), cross-site scripting attack
1. Malicious user implants code into the page provided to other users, and the unescaped malicious code is output to other user’s browser to be executed
2. When the user browses the page, it is embedded in the page The script ( js) in will be executed to attack the user.
3. Mainly divided into two categories: reflective type (non-persistent type, usually put the script in the urlparameter), storage type (persistent type, usually let the script be stored in the website database)

XXSharm:

xssIt can be used to jsachieve a lot of harmful operations
1. Misappropriate users cookieand obtain sensitive information
2. Use the user's private account to perform some illegal operations, such as stealing personal or commercial data, and perform some privacy operations
3. It can even be used in some highly-visited Implementation of the DDosattack on the website

How to prevent it XSS?
Don't trust any input from the user:
1. Filter (input and parameters). <script> <img> <a>Filter sensitive labels, etc.
2. Escaping. Escape common symbols ("&", "<", and ">") ( python3 html.escape)
3. Set to HttpOnlyprohibit browser access and operationDocument.cookie

Examples of escape codes:

import html

new_html = html.escape('script>')
print(new_html)   #  &lt;script&gt;

old_html = html.unescape(new_html)
print(old_html)   # <script>

Four, what is it CSRF?

CSRF: Cross-site request forgery(Cross-site request forgery)
1. A malicious attack that uses the authority of the website to execute unauthorized commands on the authenticated user.
2. The attacker will steal your login information and send the request as your identity
. 3. webIdentity authentication The mechanism can only identify whether a request comes from a user’s browser, but there is no guarantee that the request is

Insert picture description here


CSRFgenerated by the user or approved by the user :
to complete an CSRFattack, two conditions are required:
1. The victim has logged in to the target website and has not Log out (keep logged in)
2. The victim visits the link or form posted by the attacker
3. Both must be indispensable.

How to prevent it CSRF?
Do not GEThave any data modification operations requested in
Token synchronization ( Synchronizer token patternabbreviated STP): embedding a hidden in the form requested by the user csrf_token, the server and verify that it is cookieconsistent with the (same origin policy based on other websites are unable to obtain cookiethe csrf_tokenprovided that the site does not have XSSloopholes)
2. If you are jssubmitting need to start cookieacquiring csrf_tokenas X-CSRFTokensubmitting the request header
3. other: detecting sources HTTP Referer(easily forged); verification code mode (safety but tedious)