Security specifications
Business parties integrating with WeChat City Services must ensure that their functionality is secure.
Common security checklist
XSS
- Input validation: length limits, correct value type, presence of special characters (e.g.,
- Output encoding: encode according to the context the data is output into, such as HTML encoding, JavaScript encoding or URL encoding.
- When output between HTML tags, the data is HTML entity encoded.
- When output into an HTML attribute, special characters are encoded as &#xHH;
- When output into a SCRIPT block, the data is JavaScript encoded: every character whose ASCII code is below 256, except digits and letters, is encoded. The encoded form is \xHH.
- When output into a style attribute, the data is CSS encoded: every character whose ASCII code is below 256, except digits and letters, is encoded. The encoded form is \HH.
- When output into an HTML URL, the data is URL encoded; whenever untrusted data has to be inserted into a URL on an HTML page, it must be URL encoded first.
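The five output contexts listed above, implemented as one encoder per context. This is an added example, not code from the original specification; the sample input is constructed, and the handling of code points above 255 (\uHHHH in JavaScript, longer hex escapes in CSS) is an assumption that goes beyond the rules on this page, which only cover characters below 256.

```python
"""Context-specific output encoders following the XSS checklist above."""
import html
import urllib.parse


def _is_safe(c: str) -> bool:
    # Only ASCII letters and digits are left as-is; everything else is encoded.
    return c.isascii() and c.isalnum()


def encode_html_text(s: str) -> str:
    """Data placed between HTML tags: HTML entity encoding."""
    return html.escape(s, quote=True)


def encode_html_attr(s: str) -> str:
    """Data placed inside an HTML attribute value: &#xHH; for every special character."""
    return "".join(c if _is_safe(c) else f"&#x{ord(c):02X};" for c in s)


def encode_js(s: str) -> str:
    """Data placed inside a <script> block: \\xHH for every non-alphanumeric character
    below 256. Code points above 255 are written as \\uHHHH (assumption, not on the page)."""
    out = []
    for c in s:
        cp = ord(c)
        if _is_safe(c):
            out.append(c)
        elif cp < 256:
            out.append(f"\\x{cp:02X}")
        else:
            out.append(f"\\u{cp:04X}")
    return "".join(out)


def encode_css(s: str) -> str:
    """Data placed in a style attribute: \\HH for every non-alphanumeric character.
    A trailing space terminates each escape: CSS would otherwise treat a following
    letter or digit as part of the hex value (e.g. "\\3Ca" parses as U+03CA, not "<a")."""
    return "".join(c if _is_safe(c) else f"\\{ord(c):02X} " for c in s)


def encode_url(s: str) -> str:
    """Untrusted data inserted into a URL: percent-encoding with nothing left unescaped."""
    return urllib.parse.quote(s, safe="")


if __name__ == "__main__":
    sample = 'Tom<b>&"Jerry"'  # constructed sample input
    for fn in (encode_html_text, encode_html_attr, encode_js, encode_css, encode_url):
        print(f"{fn.__name__:17} {fn(sample)}")
```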
SQL injection
- The best defence is to use precompiled (prepared) statements with bound variables.
- Check data types.
- Use secure escaping functions, such as PHP's mysql_real_escape_string.
- The database itself should follow the principle of least privilege; in particular, never connect with DBA permissions.
Upload vulnerabilities
- Strictly check the file names and file paths of uploads on both the client side and the server side; the server-side check in particular must not be omitted.
- Server-side checks should use whitelist filtering, for example allowing only JPG files to be uploaded.
- Store uploads outside the web directory; if they must be stored inside the web directory, remove execute permission from that directory.
- Use third-party upload components such as FCKeditor and eWebEditor with care; both have had multiple vulnerabilities in the past.
Struts2
The Struts2 framework has had several high-risk vulnerabilities in its history, each severe enough to compromise an entire website; use the latest version wherever possible.
Information leakage
- Remove test pages from production machines, such as Test.html and PHPINFO.PHP.
- Disable detailed error messages.
- Do not display debugging information.
- Never deploy SVN-related files to production machines, for example .svn/entries.
Login security
- Add a CAPTCHA to the login page.
- Use the HTTPS protocol wherever possible.
Session security
Official accounts normally identify users by OpenID. When using OpenID, store it in a cookie; do not append it to the URL, as in http://www.qq.com/getuser?code=aaaaa
Management pages
The management consoles of Tomcat, JBoss, WebLogic, etc. should be protected with the following policies:
- Use a whitelist to restrict the IP addresses that may log in.
- If these management interfaces are not used, delete them outright.
Parallel permission issues
Scenarios such as orders need particular attention to parallel (horizontal) permission issues: given order?Id=111, can a user view someone else's order simply by requesting order?Id=112? To defend against this, add a check parameter, for example order?Id=111&sign=hash(string constant + Id), and verify it on the server before returning the order.
Payment amounts
- Web applications that involve WeChat Pay must be designed in strict accordance with the documentation on the official WeChat Pay website.
- Verify that the amount the user actually paid equals the amount due.