Securing Your Application Against Attacks (SQL Injection, XSS, and More)

Admin

There are many ways to attack your application. But I would like to guide you on how to prevent the most basic and commonly used attacks.

SQL Injection

  • For applications that connect to the database, we often use requests from the client to query directly to the database. Vandals will rely on this to attack the database.
  • Example: A login function. The request sends a username and password to the server. You use this username and password to query directly in the database. The statement is as follows: SELECT * FROM user WHERE username=’username’ AND password=’password’
  • If the attacker changes the username to ‘ OR ‘1’=’1 . The query will now become SELECT * FROM user WHERE username=” OR ‘1’=’1′ AND password=’abc’. Now all conditions are valid and the query returns true. Imagine that a saboteur inserts code that deletes tables and databases, that’s dangerous.
  • Currently, all frameworks support this prevention through builder queries. This means that a template will be provided and the parameters of the input will be of text type, number type,… completely.
  • Encode, your escape parameter for special characters.
  • Conclusion: To avoid SQL Injection, we should not use query string(RAW) to query. Or if used, process the data before querying. Use query builds provided by frameworks.

CSRF

  • Your website application sends form data to the server for processing. What would happen if an attacker captured this packet and forged another form of data to the server?
  • To combat this, we use CSRF token. When submitting data sent to the server, it will be accompanied by a token. The server will check if this token is valid and allow access or not.

XSS

  • This is the attack from the client. Often seen in forums, posts… . Taking advantage of the loophole of not checking the content of the post and saving it directly to the database, the attacker will rely on this point to execute a javascript to retrieve information, navigate the website, logout,…
  • For websites with file upload function, file format is very important. What if you allow uploading a php file to the server, the attacker will use that file as a shell to attack your entire system.
  • The way to prevent it is to escape special characters before saving them to the database. File extension format to allow file upload
Bài viết liên quan
Tạo bản cài đặt autoupdate
Tạo bản cài đặt autoupdate en
Nov 2, 2023
mistake responsive web
Thiết kế giao diện Responsive Web Design En
Oct 27, 2023
Applying HTTPS to vietvang.net En
Applying HTTPS to vietvang.net
Sep 7, 2023

    Liên hệ





      Contact