
Summary of java in web development security

怪我咯
Release: 2017-06-25 10:22:06
Original

1. Validation of the data the client submits must not rely on script. Validating input on the client side with JavaScript is convenient, but it cannot be relied on for security: scripts are not trustworthy, and users can disable them. Send the user's data to the server and validate the string there.

2. Filter HTML markup in input: remove all angle brackets ('<', '>') from the input.

3. Escape data before writing it into HTML: replace '<', '>', '"' and ''' with '&lt;', '&gt;', '&quot;' and '&#39;' respectively. Points (2) and (3) address cross-site scripting (XSS); the fix is to prevent script delimiters from appearing in the output.
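The following is an added example, not code from the original page: it shows points 1 to 3 in Java, with a server-side whitelist check (the class name InputSanitizer, the username pattern and the sample input are assumptions made for the example) and an escaping routine for the characters listed above plus '&', which is escaped first so the entities it produces are not re-escaped. Escaping is shown rather than stripping because it keeps the user's data intact while still neutralising it as markup.

```java
import java.util.regex.Pattern;

/**
 * Added example (not from the original page): server-side input validation
 * and HTML escaping, the measures points 1-3 describe.
 */
public class InputSanitizer {

    // Whitelist for a username-type field. This runs on the server,
    // never only in client-side JavaScript (point 1). Pattern is an assumption.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9_]{3,32}$");

    /** Returns true only if the raw client value matches the whitelist. */
    public static boolean isValidUsername(String raw) {
        return raw != null && USERNAME.matcher(raw).matches();
    }

    /**
     * Escapes the characters that let injected text become markup (point 3).
     * '&' is escaped as well, so that "&lt;" typed by a user does not
     * silently turn into a real '<' when the page is rendered.
     */
    public static String escapeHtml(String raw) {
        if (raw == null) return "";
        StringBuilder out = new StringBuilder(raw.length() + 16);
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input: a comment field containing a script tag.
        String comment = "<script>alert(1)</script> \"quoted\" & 'single'";
        System.out.println("escaped: " + escapeHtml(comment));

        // Constructed sample usernames: one acceptable, one containing markup.
        System.out.println("alice_01 valid: " + isValidUsername("alice_01"));
        System.out.println("<b>bob</b> valid: " + isValidUsername("<b>bob</b>"));
    }
}
```

In a real servlet the escaped string is what goes into the response writer; the validator runs before any of the value is used, and a value that fails it is rejected rather than "cleaned up".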

Characters permitted in URLs

Alphanumeric characters and: ; / ? : @ & = + $ , - _ . ! ~ * ' ( ) %

4. Every web page that needs protection must carry a user authentication check.

After login, save the userID in the session, and add a script to each protected page that verifies it. If the session is empty, the check fails and the user must log in again.

<%
' Redirect to the login page when no user ID is stored in the session
If Len(Session("ID")) = 0 Then
Response.Redirect "index.html"
End If
%>

The following information requires special handling:

*Password

*Personal data such as the contents of Web mail messages

*Personal information such as name, age and address

*Internal data structures of the Web application

*Various system information, such as the maximum time ticket inside the Web server

→[1-3.]

5. Session IDs that can be predicted in advance must not be used. →[1-3.]

6. Keys and other important data must not appear in the URL when they are sent.

Pass such parameters with POST. Further countermeasures:

*Encrypted communication over SSL

*Interference strategy.

*Countermeasures against session hijacking

7. Data in hidden fields cannot be trusted to arrive unmodified. A hidden field's value is not displayed, but it is transmitted and can be read in the HTML source, so it can be altered before it is sent back. Do not use hidden fields to carry data that must stay intact; the improvement is to keep that data in the session. →[1-5.]
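As an added example, not code from the original page, the class below ties points 4, 5 and 7 together in plain Java: a session ID drawn from SecureRandom so it cannot be predicted, a login check that plays the role of the Len(Session("ID")) = 0 test above, and per-user data (here a constructed quoted price) held in the server-side session instead of a hidden field. The class name SessionStore, the in-memory map and the sample values are assumptions; a real Java web application gets the same behaviour from the servlet container's HttpSession, and this stand-alone version only exists so the logic can be read and run without a container.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/**
 * Added example (not from the original page): a minimal server-side session
 * store illustrating points 4, 5 and 7. Assumed design, not a library API.
 */
public class SessionStore {

    /** Server-side state for one logged-in user. */
    public static final class Session {
        public final String userId;
        // Point 7: values that must not be carried in hidden fields
        // (e.g. the price quoted to this user) live here, on the server only.
        public final Map<String, String> data = new HashMap<>();
        Session(String userId) { this.userId = userId; }
    }

    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, Session> sessions = new HashMap<>();

    /** Point 5: 128 random bits, so an ID cannot be guessed or derived from earlier IDs. */
    static String newSessionId() {
        byte[] b = new byte[16];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    /** Called after the password check succeeded; the returned ID is set as the session cookie. */
    public String login(String userId) {
        String id = newSessionId();
        sessions.put(id, new Session(userId));
        return id;
    }

    /** Point 4: the equivalent of the page's Len(Session("ID")) = 0 check; empty means "redirect to login". */
    public Optional<Session> requireLogin(String sessionId) {
        if (sessionId == null) return Optional.empty();
        return Optional.ofNullable(sessions.get(sessionId));
    }

    public void logout(String sessionId) { sessions.remove(sessionId); }

    public static void main(String[] args) {
        SessionStore store = new SessionStore();

        // Constructed scenario 1: request without a session cookie -> not allowed.
        System.out.println("anonymous allowed: " + store.requireLogin(null).isPresent());

        // Constructed scenario 2: user logs in, server stores the quoted price in the session.
        String cookie = store.login("alice");
        Session s = store.requireLogin(cookie).orElseThrow();
        s.data.put("quotedPrice", "49.90");

        // When the order form comes back, the price is read from the session,
        // not from whatever value the browser submitted (point 7).
        String priceUsed = store.requireLogin(cookie)
                .map(x -> x.data.get("quotedPrice"))
                .orElse(null);
        System.out.println("price taken from server session: " + priceUsed);

        // Constructed scenario 3: after logout the old cookie no longer grants access.
        store.logout(cookie);
        System.out.println("after logout allowed: " + store.requireLogin(cookie).isPresent());
    }
}
```

The form submitted by the browser then needs to carry only an item identifier; anything the server has to rely on (price, user ID, role) is looked up through the session and never round-tripped through the client.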

8. The