security summary

You can't trust user input.

1.sql injection
attack:
(payloads sent in a URL need to be urlencoded)
1.login bypass (' or 1=1 /*)
2.integer bypass (1;drop table users)
3.select information (' union select username,NULL,NULL from user /*)
4.insert or update information (' update  groupid where user = 100 /*)
5.second order injection (create a user name like ' drop table user/*; the single quote may be correctly escaped when this record is stored in the db, but when you later execute a query built with this username, the problem occurs)
protection:
prepared statements (bind the user input as a parameter, never concatenate it into the query)

2.image upload
attack:
1.upload a php file directly when there is no extension check
2.filename with an invisible character (fool.php%00.jpg) passes the extension check but is stored on the server as fool.php
protection:
if there is an uploaded file
  validate the upload path (not empty, is_dir, is_writable)
if the upload succeeded
  check the extension (whitelist of extensions)
  check the mime type (whitelist of mime types)
  check the filename (limit length, no invisible characters, remove spaces)
  check size and dimensions
  rename the file
  do not overwrite an existing file
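An added example, not from the original note, that implements the checklist above in PHP. The extension/mime whitelist, the size and dimension limits, and $uploadDir (assumed to be outside the web root) are assumptions chosen for the example.

```php
<?php
// Added example: upload validator for the checklist above. The whitelist,
// size/dimension limits and $uploadDir are assumptions for this example.
const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                 'png' => 'image/png', 'gif' => 'image/gif'];
const MAX_BYTES = 2 * 1024 * 1024; // 2 MiB
const MAX_DIM   = 4096;            // pixels
function validateUpload(array $file, string $uploadDir): string
{
    // validate upload path: not empty, is a directory, is writable
    if ($uploadDir === '' || !is_dir($uploadDir) || !is_writable($uploadDir)) {
        throw new RuntimeException('bad upload dir');
    }
    // upload must have succeeded and really come from this request
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    // filename: limit length, reject control/invisible chars (catches the NUL
    // byte in fool.php%00.jpg) and reject spaces instead of removing them
    $name = (string) $file['name'];
    if ($name === '' || strlen($name) > 255
        || preg_match('/[\x00-\x1f\x7f\s]/', $name) !== 0) {
        throw new RuntimeException('bad filename');
    }
    // extension whitelist, taken from the LAST extension only
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // mime whitelist from file content, not from the client-sent type
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('mime does not match extension');
    }
    // size and image dimensions
    $dim = getimagesize($file['tmp_name']);
    if ($file['size'] > MAX_BYTES || $dim === false
        || $dim[0] > MAX_DIM || $dim[1] > MAX_DIM) {
        throw new RuntimeException('bad size or dimensions');
    }
    // rename to a random name and never overwrite an existing file
    do {
        $dest = $uploadDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    } while (file_exists($dest));
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('move failed');
    }
    return $dest;
}
```

Call it as validateUpload($_FILES['image'], $uploadDir) inside a try/catch; a rejected file is never moved out of the temporary directory.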

3.csrf
attack:
1.forces an end user to execute unwanted actions on a web application in which they are currently authenticated, by sending them a link via email or chat (e.g. transfer money via e-banking)
protection:
add a csrf token in the cookie, check the token in the backend, then regenerate it; this makes sure the request was sent by the real end user.
two-factor authentication

4.xss
attack:
http://wooyun.jozxing.cc/search?keywords=author%3A+%E5%BF%83%E4%BC%A4%E7%9A%84%E7%98%A6%E5%AD%90&content_search_by=by_bugs
1.reflected xss
2.dom xss
protection:
1.http-only cookie (prevents reading the cookie from document.cookie in script)
2.use htmlspecialchars with ENT_QUOTES to escape output in html