避免穿透性测试需要注意的事项
By:Roy.LiuLast updated:2014-02-02
web应用的开发中,安全性是个很重要的东西, 除去通常知道的 sql 注入,xss注入, csrf 攻击之外,在老外的网站还发现以下一些地方需要注意, 一般程序员要看这些英文应该是不成问题的:
1. Do not use request attributes to pass data across application layers. Always use session attributes instead.
Request attributes and parameters can be easily manipulated to allow one user to see data belonging to another user.
2. Do not use concatenation to build queries to be executed against your database.
Application inputs must be subject to stringent server-side validation prior to being used in SQL commands. Ideally, each input should be validated according to the expected set of characters, data type, and length. Data that does not conform should always be rejected by the application. Secure data access objects (i.e. ADODB command objects, Callable/PreparedStatement objects, etc) should always be used to pass data into SQL queries or stored procedures as they automatically
escape characters such as single quotes. These objects can also be used to enforce strong data typing and input length requirements. The use of string concatenation to build SQL queries within application code should be discontinued.
As an additional defensive measure, all SQL queries should be executed using stored procedures. This will allow application database permissions to be restricted such that only EXECUTE permissions are granted to application stored procedures and permissions on underlying tables (Select, Insert, etc) can be revoked.
3. Do not place unwanted files or feed files in your web servers
Server build procedures should include steps to remove all unnecessary files and other components that are installed within the web server root directory. Application web root directories should be subject to regular review to ensure that unnecessary or old components are deleted. Examples would be Unix shell scripts, help files, data feeds coming in from upstream systems etc.
4. Catch Exceptions cleanly throughout your code in all the layers
Uncaught exceptions can force the application to go into an infinite loop, and fall prey to a DOS (Denial Of Service) attack
5. Data input validations must be present on both GUI and the Server side
Especially important for date and date range validations, special character validations, and data type checks. Otherwise the server side URLs can be manipulated to bypass the GUI validations.
6. Error messages shown to the end user should not be technical
Do not print the exception stack trace, or show the SQL query etc which has caused the error.
7 Email addresses shown in error pages should not belong to individuals.
Always use a group id in such cases, to protect the employee’s privacy.
8 During compilation of flex files, the ‘debug’ option should be set to false
If we don’t do this, information about the machine on which the code was compiled and user can be obtained by decompiling the swf. e.g. debug option of struts.
1. Do not use request attributes to pass data across application layers. Always use session attributes instead.
Request attributes and parameters can be easily manipulated to allow one user to see data belonging to another user.
2. Do not use concatenation to build queries to be executed against your database.
Application inputs must be subject to stringent server-side validation prior to being used in SQL commands. Ideally, each input should be validated according to the expected set of characters, data type, and length. Data that does not conform should always be rejected by the application. Secure data access objects (i.e. ADODB command objects, Callable/PreparedStatement objects, etc) should always be used to pass data into SQL queries or stored procedures as they automatically
escape characters such as single quotes. These objects can also be used to enforce strong data typing and input length requirements. The use of string concatenation to build SQL queries within application code should be discontinued.
As an additional defensive measure, all SQL queries should be executed using stored procedures. This will allow application database permissions to be restricted such that only EXECUTE permissions are granted to application stored procedures and permissions on underlying tables (Select, Insert, etc) can be revoked.
3. Do not place unwanted files or feed files in your web servers
Server build procedures should include steps to remove all unnecessary files and other components that are installed within the web server root directory. Application web root directories should be subject to regular review to ensure that unnecessary or old components are deleted. Examples would be Unix shell scripts, help files, data feeds coming in from upstream systems etc.
4. Catch Exceptions cleanly throughout your code in all the layers
Uncaught exceptions can force the application to go into an infinite loop, and fall prey to a DOS (Denial Of Service) attack
5. Data input validations must be present on both GUI and the Server side
Especially important for date and date range validations, special character validations, and data type checks. Otherwise the server side URLs can be manipulated to bypass the GUI validations.
6. Error messages shown to the end user should not be technical
Do not print the exception stack trace, or show the SQL query etc which has caused the error.
7 Email addresses shown in error pages should not belong to individuals.
Always use a group id in such cases, to protect the employee’s privacy.
8 During compilation of flex files, the ‘debug’ option should be set to false
If we don’t do this, information about the machine on which the code was compiled and user can be obtained by decompiling the swf. e.g. debug option of struts.
From:一号门
Previous:spring mvc jackson 防止XSS 注入方法
COMMENTS