You can't trust user input
1. SQL injection
attack:
payloads sent in a URL need to be urlencoded
1. login bypass (' or 1=1 /*)
2. integer bypass (1;drop table users): a numeric parameter is not quoted, so no quote is needed to break out of the query
3. select information (' union select username,NULL,NULL from user /*)
4. insert or update information (' update groupid where user = 100 /*)
5. second-order injection: create a username like ' drop table user/*; the single quote may be correctly escaped when this record is stored in the db, but the problem occurs later when you execute a query built from that stored username
protection:
prepared statements: the SQL text is fixed first and user data is only bound as parameters, so it can never change the structure of the query
```php
<?php
// PDO connection; DSN and credentials are placeholders
$conn = new PDO("mysql:host=localhost;dbname=myDB", "username", "password");
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// the SQL text is fixed at prepare time; user data only ever arrives as bound parameters
$stmt = $conn->prepare("INSERT INTO MyGuests (firstname, lastname, email) VALUES (:firstname, :lastname, :email)");
// bindParam binds by reference, so the variables may be assigned after binding
$stmt->bindParam(':firstname', $firstname);
$stmt->bindParam(':lastname', $lastname);
$stmt->bindParam(':email', $email);

// insert a row
$firstname = "John";
$lastname = "Doe";
$email = "john@example.com";
$stmt->execute();
```
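Added example (not from the original notes, and in Python with sqlite3 rather than the notes' PHP/PDO): the login-bypass payload and the second-order case from the attack list above, run against a string-built query and against a parameterised one. The table, the two accounts and the payload are constructed sample data; `?` placeholders in sqlite3 are the analogue of PDO's `bindParam`.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, groupid INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, groupid) VALUES (?, ?, ?)",
        [("alice", "alice-pw", 1), ("bob", "bob-pw", 2)],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Query text built by string formatting: the input becomes part of the SQL grammar."""
    sql = "SELECT username FROM users WHERE username = '%s' AND password = '%s'" % (username, password)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_prepared(conn, username, password):
    """Prepared statement: the SQL text is fixed, the values travel separately as parameters."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?", (username, password)
    ).fetchone()
    return row[0] if row else None


def register(conn, username, password, groupid):
    """Stores the username correctly (parameterised), whatever characters it contains."""
    conn.execute(
        "INSERT INTO users (username, password, groupid) VALUES (?, ?, ?)",
        (username, password, groupid),
    )


def groups_for_user_vulnerable(conn, username):
    """Second order: the stored username is trusted and concatenated when it is reused."""
    sql = "SELECT groupid FROM users WHERE username = '%s'" % username
    return [r[0] for r in conn.execute(sql).fetchall()]


def groups_for_user_prepared(conn, username):
    """Same lookup, parameterised: the stored value is matched as a literal string."""
    return [r[0] for r in conn.execute(
        "SELECT groupid FROM users WHERE username = ?", (username,)
    ).fetchall()]


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1 /*"                      # the login-bypass payload from the notes
    print(login_vulnerable(db, payload, "x"))    # alice: WHERE became username = '' or 1=1
    print(login_prepared(db, payload, "x"))      # None: compared as a literal string
    register(db, payload, "pw", 3)               # stored safely by the parameterised insert
    print(groups_for_user_vulnerable(db, payload))   # [1, 2, 3]: every user's group leaks
    print(groups_for_user_prepared(db, payload))     # [3]
```

The second-order case is the one that escaping at insert time does not cover: `register` stored the value correctly, and the later lookup still breaks because it rebuilds SQL from the stored string instead of binding it.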
2. image upload
attack:
1. upload a php file directly when there is no extension check
2. filename with an invisible character, a null byte (fool.php%00.jpg): it passes the extension check but is stored on the server as fool.php
protection:
if there is an uploaded file
  validate the upload path (not empty, is_dir, is_writable)
if the upload succeeded
  check the extension (whitelist of extensions)
  check the mime type (whitelist of mime types, determined from the file content rather than the client's header)
  check the filename (limit the length, no invisible characters, remove spaces)
  check the size and dimensions
  rename the file
  do not overwrite an existing file
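Added example (not from the original notes, and in Python rather than PHP) that runs the whole protection checklist above in order: extension whitelist, mime whitelist from magic bytes, filename rules that reject the null-byte trick, size and dimension limits, a server-chosen name, and an O_EXCL write so nothing is overwritten. The policy limits, the helper names and the PNG/JPEG/PHP sample bytes are all constructed for the example.

```python
import os
import re
import secrets

# Policy values assumed for this example
MAX_BYTES = 2 * 1024 * 1024
MAX_DIMENSION = 4096
MAX_NAME_LENGTH = 64
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}                                   # extension whitelist
EXTENSION_FOR_TYPE = {"image/jpeg": "jpg", "image/png": "png", "image/gif": "gif"}  # mime whitelist
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")   # rejects NUL, control chars, spaces, path separators


def sniff_mime(data):
    """Derive the MIME type from the magic bytes, never from the client's Content-Type."""
    if data[:3] == b"\xff\xd8\xff":
        return "image/jpeg"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "image/png"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "image/gif"
    return None


def image_dimensions(data, mime):
    """(width, height) from the header: PNG IHDR, GIF logical screen, JPEG SOF marker."""
    if mime == "image/png" and len(data) >= 24:
        return int.from_bytes(data[16:20], "big"), int.from_bytes(data[20:24], "big")
    if mime == "image/gif" and len(data) >= 10:
        return int.from_bytes(data[6:8], "little"), int.from_bytes(data[8:10], "little")
    if mime == "image/jpeg":
        i = 2
        while i + 9 <= len(data) and data[i] == 0xFF:
            marker = data[i + 1]
            seglen = int.from_bytes(data[i + 2:i + 4], "big")
            if marker in (0xC0, 0xC1, 0xC2):  # SOF0/1/2: length, precision, height, width
                return (int.from_bytes(data[i + 7:i + 9], "big"),
                        int.from_bytes(data[i + 5:i + 7], "big"))
            i += 2 + seglen
    return None


def validate_upload(client_filename, data):
    """Run the checks in the order of the notes; returns (ok, failed_check, server_name)."""
    ext = client_filename.rsplit(".", 1)[-1].lower() if "." in client_filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension", None
    mime = sniff_mime(data)
    if mime not in EXTENSION_FOR_TYPE or EXTENSION_FOR_TYPE[mime] != ext.replace("jpeg", "jpg"):
        return False, "mime", None          # unknown type, or content does not match the extension
    if len(client_filename) > MAX_NAME_LENGTH or not SAFE_NAME_RE.match(client_filename):
        return False, "filename", None      # catches fool.php%00.jpg: the NUL byte is not allowed
    if len(data) > MAX_BYTES:
        return False, "size", None
    dims = image_dimensions(data, mime)
    if dims is None or min(dims) == 0 or max(dims) > MAX_DIMENSION:
        return False, "dimension", None
    # rename: the client's name never reaches the disk; the extension comes from the sniffed type
    return True, "ok", "%s.%s" % (secrets.token_hex(16), EXTENSION_FOR_TYPE[mime])


def save_upload(upload_dir, server_name, data):
    """Validate the upload path, then write with O_EXCL so an existing file is never overwritten."""
    if not upload_dir or not os.path.isdir(upload_dir) or not os.access(upload_dir, os.W_OK):
        raise ValueError("upload path is missing, not a directory, or not writable")
    fd = os.open(os.path.join(upload_dir, server_name), os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


# Constructed sample inputs: only the headers matter for these checks
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n" + (13).to_bytes(4, "big") + b"IHDR"
              + (200).to_bytes(4, "big") + (100).to_bytes(4, "big") + bytes(5))
SAMPLE_JPEG = (b"\xff\xd8" + b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00" + bytes(9)
               + b"\xff\xc0" + (17).to_bytes(2, "big") + b"\x08"
               + (64).to_bytes(2, "big") + (128).to_bytes(2, "big") + bytes(10))
SAMPLE_PHP = b"<?php echo 'not an image'; ?>"

if __name__ == "__main__":
    for name, data in [("shell.php", SAMPLE_PHP), ("fool.php\x00.jpg", SAMPLE_JPEG),
                       ("fake.png", SAMPLE_PHP), ("photo.jpg", SAMPLE_JPEG), ("pic.png", SAMPLE_PNG)]:
        print(repr(name), validate_upload(name, data)[:2])
```

The extension is taken from the last dot only, so `fool.php%00.jpg` looks like a `.jpg` to that check and the mime check; it is the filename rule that stops it, which is why the checklist keeps that step even after the extension and content have been verified.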
3. CSRF
attack:
1. forces an end user to execute unwanted actions on a web application in which they are currently authenticated, by sending them a link via email or chat (e.g. transfer money via e-banking)
protection:
add a csrf token in the cookie (and send it back with each state-changing request), check the token in the backend, then regenerate it; this makes sure the request was sent by the real end user rather than by a page they were lured to
two-factor authentication
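Added example (not from the original notes, Python rather than PHP) of the token check described above: issue an unguessable token, keep the server-side copy in the session, compare the submitted one in constant time, and regenerate after every check. The notes put the token in a cookie; this example assumes the synchronizer-token layout where the browser sends it back in the form body, since a cookie alone is attached to a forged request automatically. `session`, `handle_transfer` and the form fields are constructed for the example.

```python
import hmac
import secrets

SESSION_KEY = "csrf_token"   # assumed name of the session slot holding the server-side copy


def issue_csrf_token(session):
    """Generate an unguessable token, keep a copy server-side in the session, and return it
    for the response to hand to the browser (hidden form field, or the cookie the notes mention)."""
    token = secrets.token_urlsafe(32)
    session[SESSION_KEY] = token
    return token


def verify_csrf_token(session, submitted):
    """Compare the token that came with the request against the session copy in constant time,
    then regenerate it so a token can be used once only."""
    expected = session.pop(SESSION_KEY, None)
    ok = (expected is not None and isinstance(submitted, str)
          and hmac.compare_digest(expected.encode(), submitted.encode()))
    issue_csrf_token(session)
    return ok


def handle_transfer(session, form):
    """Simulated state-changing endpoint (the e-banking transfer from the notes).
    `session` is the server-side session already resolved from the session cookie, which the
    browser attaches to a forged request automatically; `form` is the POST body, which the
    attacker's page cannot fill with the victim's token."""
    if not verify_csrf_token(session, form.get("csrf_token")):
        return 403, "csrf check failed"
    return 200, "transferred %s to %s" % (form["amount"], form["to"])


if __name__ == "__main__":
    session = {}
    issue_csrf_token(session)
    print(handle_transfer(session, {"amount": "100", "to": "attacker"}))               # forged: no token
    token = session[SESSION_KEY]
    print(handle_transfer(session, {"amount": "100", "to": "bob", "csrf_token": token}))  # legitimate
    print(handle_transfer(session, {"amount": "100", "to": "bob", "csrf_token": token}))  # replay fails
```

`hmac.compare_digest` avoids leaking the token through timing, and popping the session copy before comparing means a failed or replayed request also invalidates the old token.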
4. XSS
attack:
http://wooyun.jozxing.cc/search?keywords=author%3A+%E5%BF%83%E4%BC%A4%E7%9A%84%E7%98%A6%E5%AD%90&content_search_by=by_bugs
1. reflected xss
```
<script>alert(1)</script>
</script><script>alert(1)</script>                    // inside a JavaScript script
" onclick="alert(1)                                   // inside an input attribute
\ (kill the double quote) %0a (break the comment)     // inside a JavaScript script
```
2. DOM xss
```
(1) \u003cimg src=1 onerror=alert(1)\u003e   // a JavaScript script inserts the element into the HTML, and the backslash escape is not filtered
(2) if the URL parameter is used implicitly, search for it directly in the browser debugging tools
(3) ;alert(1);//                             // inside eval()
(4) inside an iframe
<iframe onload="alert(1)"></iframe>
<iframe src="javascript:alert(1)"></iframe>
<iframe src="vbscript:msgbox(1)"></iframe>                         // IE
<iframe src="data:text/html,<script>alert(1)</script>"></iframe>   // Chrome
<iframe srcdoc="<script>alert(1)</script>"></iframe>               // Chrome
```
protection:
1. HttpOnly cookie (prevents JavaScript from reading the cookie through document.cookie)
2. use htmlspecialchars with ENT_QUOTES to escape output placed in HTML (and quote the attribute it lands in)
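Added example (not from the original notes, Python rather than PHP) of protection 2, using `html.escape(quote=True)` as the analogue of `htmlspecialchars` with `ENT_QUOTES`, applied to the reflected payloads listed above in an element-text context and a quoted-attribute context, plus the Set-Cookie line for protection 1. The page fragment, the cookie name and the extra cookie flags are constructed for the example. It also shows the limit a practitioner should know: the eval() payload `;alert(1);//` contains no HTML-special characters and passes through unchanged, so HTML escaping is no defence for data that ends up inside JavaScript.

```python
import html


def escape_html(value):
    """Python analogue of htmlspecialchars($s, ENT_QUOTES): & < > " and ' become entities."""
    return html.escape(str(value), quote=True)


def render_search_page(keywords):
    """Reflect the search term into an attribute and into element text, escaped for both.
    The attribute is double-quoted; in an unquoted attribute escaping alone is not enough."""
    safe = escape_html(keywords)
    return ('<input type="text" name="keywords" value="%s">\n'
            '<p>Results for %s</p>') % (safe, safe)


def session_cookie_header(name, value):
    """Set-Cookie line for the session cookie: HttpOnly keeps it out of document.cookie;
    Secure and SameSite=Lax are added as an assumed policy."""
    return "Set-Cookie: %s=%s; HttpOnly; Secure; SameSite=Lax; Path=/" % (name, value)


if __name__ == "__main__":
    for payload in ['<script>alert(1)</script>', '" onclick="alert(1)', ";alert(1);//"]:
        print(render_search_page(payload))
        print("---")
    print(session_cookie_header("PHPSESSID", "example-session-id"))
```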