
WeChat Mini Program security guide: backend


May 18, 2021 WeChat Mini Program Development Document




Backend (including cloud functions and self-built backends)

Injection vulnerabilities

Injection vulnerabilities (SQL injection, command injection, etc.) arise when user input bypasses the restrictions the backend code intended to enforce and is executed directly by the database, the shell, or another interpreter.

Common injection vulnerabilities are:

SQL injection

SQL injection occurs when web application code splices parameters submitted by the user directly into a SQL statement without effective filtering. Special characters in those parameters then break the intended logic of the statement, and an attacker can use this to execute arbitrary SQL.

Development recommendations:

  1. Perform database operations with the parameterized queries the database provides; never build SQL statements by concatenating strings.
  2. If SQL must be assembled by concatenation, every spliced-in variable must first be processed: for integers, check that the variable really is an integer; for strings, escape single quotes, double quotes, and similar characters.
  3. Do not let the web application display SQL error messages.
  4. Use a single, consistent character encoding at every layer of the web application.
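The following is an added example (not part of the guide) contrasting the concatenated query the guide warns against with a parameterized one, using Python's standard-library sqlite3 module, plus the integer check recommendation 2 asks for when a value really must be spliced in. The table, its rows and the function names are constructed for the demonstration.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for the backend database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "a-secret"), ("bob", "b-secret")],
    )
    return conn


def find_user_vulnerable(conn, name):
    """The pattern the guide warns against: user input concatenated into SQL.
    A quote in the input closes the literal and the rest becomes SQL."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    """Recommendation 1: a parameterized query. The driver passes the value
    separately from the statement text, so quotes in the input can never
    change the statement's structure."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def find_user_by_id(conn, raw_id):
    """Recommendation 2: if a value must be spliced in, prove its type first.
    Only a string of ASCII decimal digits is accepted, and it is converted
    to int before it is rendered into the statement."""
    if not isinstance(raw_id, str) or not re.fullmatch(r"[0-9]+", raw_id):
        raise ValueError("user id must be a decimal integer")
    user_id = int(raw_id)
    sql = f"SELECT name FROM users WHERE id = {user_id}"
    return [row[0] for row in conn.execute(sql)]
```

With the input `x' OR '1'='1`, the concatenated version returns every user while the parameterized version returns nothing, because the whole string is compared as one literal value.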

Command injection

A command injection vulnerability arises when a web application does not effectively filter user-controlled parameters, allowing an attacker to craft malicious parameters that are spliced into a command line and executed as arbitrary commands.

Development recommendations:

  • Data entered by the user (e.g. ;, |,
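As an added example (not from the guide), this Python snippet shows the two defences a backend endpoint would combine: an allowlist check on the user-supplied value, and invoking the command with an argument list rather than a shell command line. The endpoint, its hostname parameter and the use of `echo` as a stand-in for the real tool are constructed for the demonstration.

```python
import re
import subprocess

# Allowlist for the single kind of value this endpoint accepts: a hostname.
# Shell metacharacters (; | & $ ` quotes, whitespace) fall outside it, and the
# pattern also refuses a leading '-', which the invoked program would otherwise
# parse as an option.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def validate_hostname(value):
    """Return the value unchanged if it matches the allowlist, else raise."""
    if not isinstance(value, str) or not HOSTNAME_RE.fullmatch(value):
        raise ValueError("invalid hostname")
    return value


def run_for_host(host):
    """Run a command with the validated value as its own argv element.

    No shell is involved (shell=False is subprocess.run's default), so the
    value is delivered to the program as one argument and cannot be read as
    additional commands even if validation were ever loosened."""
    host = validate_hostname(host)
    # 'echo' stands in for the real utility in this constructed demo.
    result = subprocess.run(
        ["echo", "resolving", host], capture_output=True, text=True, check=True
    )
    return result.stdout.strip()


def is_accepted(value):
    """True when the value passes validation; used for checks below."""
    try:
        validate_hostname(value)
        return True
    except ValueError:
        return False
```

Both layers matter: the allowlist keeps unexpected characters out of the program's arguments, and the argv form removes the shell, which is the component that would have interpreted `;` or `|` in the first place.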

Weak password

A weak password means that the username and password for the administration backend are simple or left at the default account. An attacker who logs in with such an account can modify backend data or use the access as a foothold for further intrusion.

Development recommendations:

  1. Disable default accounts on the backend service and change weak backend passwords.
  2. Add a second verification factor to sensitive operations, such as an SMS verification code or an email verification code.

File upload vulnerability

A file upload vulnerability occurs when a web application lets users upload files without verifying the legitimacy of the file type, format, and so on, so that files of unexpected types can be uploaded.

Development recommendations:

  • Correctly determine the actual type of each uploaded file, and restrict the permitted types with a whitelist.
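An added example (not the guide's code) of what "correctly determine the file type" looks like in Python: the type is taken from the file's leading bytes rather than from the name the client sent, the result is checked against a whitelist, and the stored name is generated rather than reused. The whitelist entries and the helper names are constructed for the demonstration.

```python
import os
import secrets

# Whitelist keyed by the file's leading bytes (its magic number). The stored
# extension is derived from the content, never from the client-supplied name.
MAGIC_WHITELIST = (
    (b"\x89PNG\r\n\x1a\n", ".png"),
    (b"\xff\xd8\xff", ".jpg"),
    (b"GIF87a", ".gif"),
    (b"GIF89a", ".gif"),
)

# Extensions a client is allowed to declare for each detected type.
DECLARED_OK = {".png": {".png"}, ".jpg": {".jpg", ".jpeg"}, ".gif": {".gif"}}


def detect_type(data):
    """Return the canonical extension for the content, or None if not whitelisted."""
    for magic, ext in MAGIC_WHITELIST:
        if data.startswith(magic):
            return ext
    return None


def safe_upload_name(data, client_filename):
    """Validate an upload and return the name to store it under.

    Two checks: the content must match a whitelisted type, and the extension
    the client declared must agree with that type, so a script named with a
    script extension but carrying an image header is refused. The stored name
    is random, so nothing from the client's filename (path separators, double
    extensions) reaches the disk."""
    ext = detect_type(data)
    if ext is None:
        raise ValueError("file type not allowed")
    declared = os.path.splitext(os.path.basename(client_filename))[1].lower()
    if declared not in DECLARED_OK[ext]:
        raise ValueError("declared extension does not match content")
    return secrets.token_hex(16) + ext
```

A magic-number check establishes what the file starts with, not what a server will do with it, so the stored file should still live outside any directory the web server executes code from and be served with a content type fixed by the detected type.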

File download

A file download vulnerability occurs when a web application lets users download a file by specifying a path and file name but does not correctly restrict the directory range from which files may be downloaded, so files outside the intended range can be downloaded and leaked.

Development recommendations:

  1. Correctly restrict the directory range from which files can be downloaded.
  2. Locate the file for download by a specified file id.

Directory traversal

Directory traversal is the leaking of server directory contents caused by insufficient validation of user input or inadequate configuration on the backend service. From outside, sensitive files such as system files and backend code can be enumerated by traversing directories.

Development recommendations:

  1. Web service configuration
    1. Disable directory listing on the server side
    2. Set directory access permissions
    3. Place an empty index.html page in each directory
  2. Web application code
    1. Strictly check file path parameters to restrict the range of accessible files
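The following added Python example (not from the guide) serves both the file download recommendations and the "strictly check file path parameters" item above: it confines every resolved path to one base directory and looks files up by id so the client never supplies a path at all. The directory layout, file names and the `FileStore` class are constructed for the demonstration.

```python
import os
import tempfile


class FileStore:
    """Serves downloads only from inside one base directory. Constructed for
    the example; a real backend would call this from its HTTP handler."""

    def __init__(self, base_dir):
        # realpath resolves symlinks and '..' so later comparisons are exact.
        self.base = os.path.realpath(base_dir)
        self.by_id = {}  # file id -> relative path: the indirection recommended above

    def register(self, file_id, relative_path):
        self.by_id[file_id] = relative_path

    def resolve(self, user_path):
        """Map a user-supplied path to an absolute path, refusing anything that
        ends up outside the base directory."""
        # os.path.join discards base entirely when user_path is absolute, which
        # is why the check is on the resolved result, not on the raw input.
        candidate = os.path.realpath(os.path.join(self.base, user_path))
        # commonpath rather than startswith: '/srv/files2' would pass a
        # startswith test against '/srv/files'.
        if os.path.commonpath([self.base, candidate]) != self.base:
            raise PermissionError("path escapes the download directory")
        return candidate

    def read_by_id(self, file_id):
        """Download by id: the client names an id, never a path."""
        rel = self.by_id.get(file_id)
        if rel is None:
            raise FileNotFoundError(file_id)
        with open(self.resolve(rel), "rb") as f:
            return f.read()


def demo():
    """Build a throwaway layout (constructed), exercise the checks, return results."""
    base = tempfile.mkdtemp()
    downloads = os.path.join(base, "downloads")
    os.makedirs(downloads)
    with open(os.path.join(downloads, "report.txt"), "w") as f:
        f.write("public report")
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("not for download")

    store = FileStore(downloads)
    store.register(1, "report.txt")
    results = {"by_id": store.read_by_id(1).decode(), "blocked": []}
    # Three shapes of escape attempt: parent reference, absolute path, and a
    # parent reference hidden behind a non-existent subdirectory.
    for attempt in ("../secret.txt", "/etc/passwd", "sub/../../secret.txt"):
        try:
            store.resolve(attempt)
        except PermissionError:
            results["blocked"].append(attempt)
    return results
```

Resolving before checking is the important ordering: a check on the raw string would have to enumerate every encoding of `..`, whereas checking the normalized result only has to answer one question, whether the final path is still under the base directory.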

Race conditions

The most common form of race condition is an attacker sending concurrent HTTP requests so that logic meant to run once runs several times, for example claiming a prize, harvesting, or receiving a gift more than once.

  • Example of vulnerability code
    // Query the user's remaining award count from the DB; the initial value is 1
    int remain_times = SelectRemainTimes();
    
    if(remain_times > 0){
        EarnRewards();          // The user receives the reward
        ClearRemainTimes();     // Reset the user's remaining award count to zero in the DB
    }

    The developer intended each user to receive the reward only once, but under concurrent requests both request A and request B can execute line 2 (the query) before either has cleared the count. Each request then holds remain_times = 1, both pass the check on line 4, and two rewards are obtained.

Development recommendations:

  • Lock critical (complete) logic operations or process critical logic as queue tasks.
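An added Python example (not from the guide) that reproduces the interleaving described above and then applies the recommended fix in two forms: holding a lock across the whole critical section, and replacing the check-then-act with one atomic conditional update. The `RewardStore` class, its method names and the use of a barrier to force the interleaving are constructed for the demonstration.

```python
import threading


class RewardStore:
    """Constructed stand-in for the DB row holding a user's remaining award
    count; it exposes the three calls used in the vulnerable snippet above."""

    def __init__(self, remain_times=1):
        self.remain_times = remain_times
        self.rewards_granted = 0
        self.lock = threading.Lock()           # guards the critical section
        self._counter_lock = threading.Lock()  # keeps the tally itself exact

    def select_remain_times(self):
        return self.remain_times

    def clear_remain_times(self):
        self.remain_times = 0

    def earn_rewards(self):
        with self._counter_lock:
            self.rewards_granted += 1

    def try_consume(self):
        """Atomic check-and-clear: the in-memory equivalent of
        UPDATE ... SET remain_times = 0 WHERE user = ? AND remain_times > 0
        followed by a rowcount check. Exactly one caller can win."""
        with self.lock:
            if self.remain_times > 0:
                self.remain_times = 0
                return True
            return False


def claim_racy(store, barrier):
    """The snippet's check-then-act. The barrier forces the interleaving the
    text describes: every request finishes the query before any request clears."""
    remain = store.select_remain_times()
    barrier.wait()
    if remain > 0:
        store.earn_rewards()
        store.clear_remain_times()


def claim_locked(store, barrier):
    """Fix, first form: the whole critical section runs under one lock, so the
    second request observes the cleared count."""
    barrier.wait()
    with store.lock:
        if store.select_remain_times() > 0:
            store.earn_rewards()
            store.clear_remain_times()


def claim_atomic(store, barrier):
    """Fix, second form: one atomic conditional update picks the winner, and the
    reward is granted only if that update actually changed the row."""
    barrier.wait()
    if store.try_consume():
        store.earn_rewards()


def run_parallel(claim_fn, requests=2):
    """Fire `requests` concurrent claims at a fresh store and return how many
    rewards were granted; 1 is the correct answer."""
    store = RewardStore(remain_times=1)
    barrier = threading.Barrier(requests)
    threads = [threading.Thread(target=claim_fn, args=(store, barrier)) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return store.rewards_granted
```

The queue-task alternative mentioned in the recommendation achieves the same thing by a different route: if every claim for one user is processed by a single worker in order, no two claims can ever read the count at the same time.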