1. Verification of the original data input by the customer does not depend on Script. Although the verification of input data on the client side such as JavaScript is more convenient, it cannot be used for security reasons. Scripts are unsafe and users may block scripts. We can send user data to the server and verify the legality of the string on the server.
2. Input identifier of HTML Remove all input sprite brackets '& lt;' '' & gt; ',
## 3. HTML to bury the data (' & lt ;' '>' ' and ' '"' ' ' ' → 'is7472e6a9a4c69ea6a844b561c4734f3a' 'is μ"' ' &39;' is replaced every other). (2) (3) Caused by cross-site scripting (css), the solution is to avoid the appearance of script symbols. URLでPermissionされる字 Alphanumeric「;」「/」「?」「:」「@」「&」「=」「+」「$」「,」 「-」「_」「.」「!」「~」「*」「'」「(」「)」「%」4. All web pages that need to be protected must have a user certification authority. After logging in, save the userID in the SESSION and add a script to each page that needs to be protected for verification. If the session is empty, the verification fails and you need to log in again.<%
If Len(Session("ID")) = 0 Then
Response.Redirect "index.html"
End If
%>The following information is subject to special processing: *Password*Personal data such as email content of Web mail*Name, age, address Personal information*Data structure inside the Web application system*Various system information such as the maximum time ticket inside the Web server →[1-3 .]5. The sessionID that can be inferred in advance cannot be defined, →[1-3.]6. The key and important data parameters should not appear in the URL when sendingUse post to pass parameters. And countermeasures: *Encrypted communication based on SSL*Interference strategy. *Hijacking Countermeasures During Conversation7. The data in the hidden field cannot be modified and transferred (the value of the hidden field cannot be displayed, but it will be transferred and the value can be viewed in the html source file to prevent it from being The value is modified and passed) Do not use hidden to retrieve data. The improvement method is to use session to save hidden data →[1-5.]8. Theca43c4a4e4e9a57ee85d2406306544fb was sent from the WWW browser The value of the 4293aa673c6b566b1b4e672be0c402d8 item, the value of the radio item, and the value of the checkbox item must be verified to see if the data submitted by the above control is legal. →[1-6.]9. When writing SQL, write it in combination with variables. Check first and then submit (filter the variables submitted by the user before putting them into the SQL text) →[2-1.]10. When assembling SQL, enter the data (') and semicolon (; ) needs to be processed. The reason is the same as 9) →[2-1.]11. Do not embed the database password in the script. Regarding the settings of sensitive data, you can set them in the configuration file, and Windows can set them in the registry. →[2-2.]12. When accessing the database, user permissions are set separately. Different user permissions are different, which can be achieved with the help of database permission settings, which is beneficial to improving security. →[2-3.]13. Import of Java class package. Only import the required classes, and do not import unused packages and classes. This will help improve security and prevent others from using redundant classes to obtain information, especially several sensitive class packages →[3-1.]14. Use security policy file (policy) settings to control the execution permissions of files. File path: ${java.home}/lib/security/java.policy
package org.penglee.policy.test;
//permission java.io.FilePermission "c://winnt//system32//notepad.exe", "execute";
import java.io.IOException;
public class NoSecurityManager {
public static void main(String[] args) {
// SecurityManager mySecurityManager = new SecurityManager ();
// System.setSecurityManager (mySecurityManager);
try {
Runtime myRuntime = Runtime.getRuntime ();
myRuntime.exec ("c://winnt//system32//notepad.exe");
} catch (IOException e) {
e.printStackTrace();
}
}
}→[3-1.]15. Set as private class ( private) to restrict the modification of data in the class, or define an interface to implement it. →[3-2.]16. The data serialized by the program is not encrypted. To prevent using the serialized data to read sensitive data, you can use transient to process the serialized data. →[3-3.]17. Use final classes except those that obviously need to be inherited. This prevents inheritance from being exploited to obtain sensitive information. →[3-4.]18. Use AssertionError to throw errors. Please refer to the api documentation of this class for details→[3-5.]19. Pay attention to the data inconsistency caused by thread synchronization to increase data security. →[3-6.]20. Avoid relative paths in the input. An error occurs when a relative path is included. The reason may be that sibling folders are accessed. →[4-1.] 26. Try to avoid clear text passwords. It is best to encrypt sensitive data. It is recommended to use sha encryption →[9-1.]27. Use sha encryption. →[9-1.]
28.29. Use the program to check the path (prevent relative paths) to check the security of the file name and data, and report an error if it contains special characters. →[9-2.]
30.31. In order not to teach too much, be very careful when doing the error message when logging in. User-facing error messages should not be sufficient to prevent users from inferring information about the internal structure of the program. →[9-3.]
32. Minimize the part of data processing that requires privileged use, and try to avoid the prevalence of general data processing privileges. Use a username with less permissions to log in, and try to avoid using special permissions to process general data. →[9-4.]
The above is the detailed content of Summary of java in web development security. For more information, please follow other related articles on the PHP Chinese website!