How to improve security by embedding h5 pages in apps

In case the packet is captured or the data transmitted by the app is changed, how to improve security and prevent XSS attacks and SQL injection.

Reply content:

In case the packet is captured or the data transmitted by the app is changed, how to improve security and prevent XSS attacks and SQL injection.

This has nothing to do with whether your app is embedded in HTML5 or not.
You use the API interface to save xss and sql injection.
(1) If the server is attacked manually, how to analyze and solve it?
1 First check the windows/linux system log to determine whether the hacker has obtained server permissions through an attack, because if the server has getshell, it will still be useless to fix the vulnerability at this time.

Mysql injection analysis solution
1 Analyze and find vulnerability methods
(Write log file at program entry) Analyze apache/nginx/iis log file, that is, all POST and GET requests and parameters, check whether the mysql keyword exists in the submitted parameters
(entire file Search for the mysql keyword union/select/and/from/sleep), and if it exists, then search for the PHP file corresponding to the request address and the corresponding PHP code and MySQL execution statement. Then look for the creation and modification times of the entire web directory folder and text to check whether there is a backdoor.

2 Prevention
1 Add global sql keyword filtering to the program
2 Enable PHP single quote escaping (modify php.ini magic_quotes_gpc).
3 Apache/nginx/iis enables service logs, mysql slow query logs, and program entry record request logs
4 The server installs web application security software such as SafeDog
5 Use UTF-8 for database links to prevent gbk double-byte injection
6 Enhancements The complexity of the mysql password, prohibiting mysql external links, and changing the default port number
7 Reduce the rights of the program mysql account and only give ordinary addition, deletion, checking, and modification permissions. It is forbidden to give file operation permission

XSS cross-site attack solution
1 Use htmlspecialchars to escape where text is written
2 Use SSL to prohibit loading and referencing external js
3 Set httponly to prohibit obtaining cookies
4 The above is to ensure that there is no injection (if there is injection , you can use hexadecimal to bypass htmlspecialchars to achieve the effect of xss attack)
5 It is best to use 2 sets of programs with different routing rules for the backend and the frontend. Key backend operations (backup database) should set a secondary password and add request parameters. complexity to prevent CSRF

PHP Security
1 Add suffix filtering where files are uploaded, and do not make "logical negation" judgments when filtering.
2 It is forbidden to upload files with the suffix php and htaccess. Do not use the data submitted by the client to obtain the file name suffix. You should use the program to add the suffix and random file name
3 Unified routing to limit unauthorized access
4 PHP deprivation processing, web The directory restricts the creation of folders and texts (except for folders required by the program, there is usually a cache directory that requires writable permissions)
5 Filter the exploits of IIS/nginx file parsing vulnerabilities
6 Retrieve the password using the mobile phone verification code , mailbox retrieval should use an additional server. (Prevent the real IP from being obtained through the password retrieval function). The last link to reset the password sent to the user's mailbox needs to have complex encryption parameters
7 The user login system should have a single login function. If the user has logged in, other people should be prompted to log in again.
8 The webroot directory can only have one index.php (entry file) for external defense. All other directories are prohibited from external defense. All resource (uploaded) files have an anti-hotlink function in nginx

1 Security knowledge
1 Web applications use site-library separation and change the default path of the environment web directory
2 When using an integrated environment, you should delete the php probe, phpmyadmin, and phpinfo after the installation is complete (the probe can view your web path, phpmyadmin can be violently cracked)
2 The user password is best to use the md5 value after password salting
3 Add a verification code where the user logs in, how to add a limit on the number of errors to prevent brute force cracking
4 Use CDN acceleration to hide the real IP
5 When the user logs in, do not pass the plaintext account and password to prevent C-side sniffing and obtain the user and administrator plaintext account and password through ARP spoofing
6 Disable the php system command line number exec, system, etc.
7 Install security software such as Security Dog on the server
8 The web directory is prohibited from storing .rar and zip files