Network Ranger's Web Server Security Guide (Junior Edition), first edition, 2009

The first gathering of 2009 was the einit gathering, with web security as its theme. At the time I promised to write an article for your reference; then I was run off my feet, and now, sitting on a long-distance bus, the article is finally finished.


This article gives an overview of the problems commonly encountered with web servers today and their solutions. Don't expect great detail, because the scope is very wide; I can only give a general idea.

Please credit the source when reprinting. Copyright: Zhang Baichuan (Network Ranger), blog http://s.youxia.org

This article analyzes the subject from the following aspects. In practice it is very difficult to separate them so finely, and some areas overlap, but here is the breakdown:

1. Application

a) SQL injection. This was the star of web attacks from 2003 to 2005. In 2003-2004 especially, getting a WebShell on a site was a very simple matter: there were no generic anti-injection scripts yet, and programmers had no awareness of the problem. Things are somewhat better now; programmers at least know the issue exists, but some older programs still have not been properly fixed. Solution: use a generic anti-injection script (note that some anti-injection scripts have had injection flaws of their own, so look for the latest version), or deploy software or hardware security products. The most thorough fix, of course, comes from the program itself: filter every parameter strictly, and better still pass user input to the database as bound parameters rather than concatenating it into the SQL string, so that input can never change the structure of the query.
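As an added illustration (example code written for this edition, not code from the original article), the following Python snippet against an in-memory SQLite database shows the string-concatenation pattern the early programs used, the classic ' OR '1'='1 bypass it permits, why a naive string-stripping "anti-injection" filter can itself be bypassed, and the parameterized query that removes the root cause. The user table, the filter and the payloads are all constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample database: one user table with a single account,
    # created in memory so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return conn


def login_vulnerable(conn, username, password):
    # 2003-era pattern: the SQL text is assembled by concatenation, so a quote
    # inside user input becomes part of the query grammar instead of data.
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    # Hardened form: the driver sends the statement shape and the values
    # separately, so input can never alter what the statement does.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def naive_filter(value):
    # Constructed example of a weak "anti-injection" filter of the kind the
    # article warns about: it strips one dangerous pattern, case-sensitively,
    # and knows nothing about SQL grammar.
    return value.replace("' OR ", "")


def demo():
    # Runs each variant against a normal login and against an injection
    # payload and returns the username each one accepts (None = rejected).
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        # Legitimate credentials work everywhere.
        "vulnerable_normal": login_vulnerable(conn, "admin", "s3cret"),
        # WHERE username='x' AND password='' OR '1'='1'  -> always true.
        "vulnerable_bypass": login_vulnerable(conn, "x", payload),
        "param_normal": login_parameterized(conn, "admin", "s3cret"),
        # The same payload is compared literally as a password and fails.
        "param_bypass": login_parameterized(conn, "x", payload),
        # Lower-case 'or' slips past the case-sensitive filter unchanged.
        "filter_bypass": login_vulnerable(conn, "x", naive_filter("' or '1'='1")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The point of the filter case is the article's own caveat: a filter that pattern-matches on strings is a patch over the symptom, and every new spelling of the payload has to be anticipated, whereas the parameterized query closes the class of bugs regardless of what the input contains.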

b) XSS (cross-site scripting) attacks. The natural abbreviation is CSS, but XSS is written instead to avoid confusion with Cascading Style Sheets. It is currently the most popular attack. The simplest test is to submit <script>alert("XSS test")</script> and see whether the page reflects it back and the alert fires. There are of course many uses, such as stealing cookies, and the harm is great; the details can be found on Google. Prevention is much like prevention of SQL injection: fix the program itself (encode user-supplied data before writing it into the page), or buy software or hardware security products.
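As an added illustration (example code written for this edition, not from the original article), the Python snippet below automates the test the article describes: it submits the probe string to a page-rendering function and checks whether the probe comes back as live markup. It shows a reflected-XSS rendering function beside its escaped form, and goes one step beyond the article's probe by adding a constructed attribute-context payload to show why quotes must be encoded too. Both rendering functions are constructed for the demonstration.

```python
import html

# Probe strings. The first is the article's own test string; the second is a
# constructed attribute-context variant (breaks out of value="...") used to
# show why quote=True matters when escaping.
PROBES = [
    '<script>alert("XSS test")</script>',
    '" onmouseover="alert(1)',
]


def render_vulnerable(term):
    # Reflected XSS: the search term is pasted straight into the page, both as
    # text content and inside an attribute value.
    return ('<p>Results for: ' + term + '</p>\n'
            '<input type="text" value="' + term + '">')


def render_escaped(term):
    # Hardened form: html.escape encodes & < > and, with quote=True (the
    # default), also " and ', so neither context can be broken out of.
    safe = html.escape(term, quote=True)
    return ('<p>Results for: ' + safe + '</p>\n'
            '<input type="text" value="' + safe + '">')


def reflects_unescaped(render, probe):
    # The article's test, automated: True means the probe came back verbatim
    # and would be interpreted by the browser as markup or script.
    return probe in render(probe)


def audit(render):
    # Returns the probes that the given page renders unescaped.
    return [p for p in PROBES if reflects_unescaped(render, p)]


if __name__ == "__main__":
    print("vulnerable page reflects:", audit(render_vulnerable))
    print("escaped page reflects:   ", audit(render_escaped))
```

A probe coming back unchanged is strong evidence, not proof, of exploitability; the attribute-context payload is included because escaping only < and > stops the article's script probe while still leaving the input field exploitable.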

c) Domestic vendors are building web application scanners; I have tried a few, and the results are good. Free ones include NBSI, HDSI, Domain, Pangolin and so on, and some of the paid ones do better: I have tried the Woodpecker website scanner from the Chi Heng Alliance, and it works well. Another information-security vendor's product also looks good, but I did not get a trial, so I won't comment on it.

2. Host

a) Security problems caused by vulnerabilities in the operating system itself. The biggest threat is remote overflow vulnerabilities, for example the IIS 5.0 WebDAV remote overflow and the MS08-067 remote overflow. An attacker needs no access to the server at all and can, from a remote location,