web application development sites, is currently the most widely used program. But the developers of the level is uneven, resulting in a wide variety of web vulnerabilities. This article standing in a layered architecture perspective, the analysis about how to in a java web program to find the may appear of all sorts of vulnerabilities. This article discusses only web applications on vulnerability and other vulnerabilities, is relatively independent. These words seem nonsense, in fact it illustrates the often overlooked factors, namely:“many people think that as long as I'm developing a web App there is no vulnerability, [the web server]()secure”, in fact, not so. A qualified web application developers should always clearly develop their own program in what environment is used, and once your own program to generate some kind of vulnerabilities, will eventually lead to what consequences. Simply put, the web program is installed on one or more sets of distributed）[web server](), once the installation is successful, it is equal to in for the majority of users to provide services at the same time, the intruder opens the one or N new ideas. If the server administrator just for the safe configuration do not understand, in fact, the domestic of this the administrator mostly, and then had to by our program to keep good the last checkpoint of the last line of Defense. See this article title, a certain part of the people will think,“not is to tell the JSP vulnerability? need it draped so thick packaging?”, the In order to answer this question we first look at JSP and ASP development what's different. In the ASP era, ASP, PHP and other languages, to develop a system more often than to modify someone else has already written the system suffering more, because they put all of the code including the link to the database code, execute the SQL statement in the code, The Control page displays the code, all placed in<%......%& gt;, we often see the following code block: \-----------Code from an ASP Trojan----------- Function GetFileSize(size) Dim FileSize FileSize=size / 1 0 2 4 FileSize=FormatNumber(FileSize,2) If FileSize < 1 0 2 4 and FileSize > 1 then GetFileSize=""& amp; FileSize & " KB" ElseIf FileSize >1 0 2 4 then GetFileSize=""& FormatNumber(FileSize / 1024,2) & " MB" Else GetFileSize=""& Size & " Bytes" End If End Function \---------------------------------------- If the customer needs changed, the required page can't use“”and other labels, all of the applied“CSS”is displayed. Hang up, the programmer calls out a change. Note that the emphasis here, especially“call the programmer”can be modified, if it is to learn the art, only HTML, JS, CSS, and finished, this live also dry not to. And these are just a simple page modification, if a customer said today, the MYSQL server assumes not this amount of data, you want to hang the Oracle, the poor programmers will be in a piece of code in the ocean to find and execute the SQL statement in the code, and each file may be stored in the SQL statements, means that each file may be in a[SQL injection]()threats. And JSP using the MVC pattern a layered architecture for developing, you can put all the files separately, depending on its use, were placed in a different folder under a hierarchical, each folder file is only responsible for their own things. For example, the data access layer of code placed in the data access layer folder, the business logic layer of the code are also placed in their own folder, when the display layer, this layer is in order to put the final calculation results are displayed to the user demand changes, just like the previous customer demand, we just modify this one file, the other layers of code do not need to move, and the modifications also do not need to understand the other layers of code. Code is hierarchical, means that vulnerability is also followed by layered, we are looking for JSP vulnerability ideas have to follow the hierarchical order to advance with the times. In the following about looking for loopholes in the process, this article will take a simple layered architecture example to do model. Model program names of“XX articles system”, The system uses the STRUTS Framework, and security-related layer is divided into: The “DB layer”, this layer holds the link to the database string, as well as the JdbcTemplate class, direct access to the database. As in java, execution of SQL statements the function in accordance with the return value can be divided into three classes, so in this layer defines the JDBC template class JdbcTemplate every time you use the action database to perform this one of the three methods one. “DAO layer Data Access Object the data access object layer”, from a security point of view, this layer holds the SQL statement does not execute the SQL statement, the statement passed to the DB layer. This layer is called the“DB layer”to access the database, it only knows the“DB layer”of the present, don't know the database exists. “SERVICE layer”, business logic layer, as a business, not a database access can be completed, so this layer by N times calls the“DAO layer”that implements the business logic, it only knows the“DAO layer”for the present, don't know the“DB Layer”and the database exists. The “ACTION Layer”, and calls the business logic layer, according to the returned result, the control of the JSP page is displayed. It only knows the business layer there. This one is a Raider attack platform. “Form layer”, the user POST submission information package into a Form object, after the verification submitted to the ACTION layer processing. “JSP”layer(display layer), this layer is eventually displayed to the user to see the page, but also the intruder of attack platform. The user by accessing the ACTION layer, automatically occur:“ACTION calls the SERVICE, the SERVICE calls the DAO, the DAO calls the DB, the DB execute the SQL statement returns the results to the DAO, the DAO is returned to SERVICE, the SERVICE returns to the ACTION, the ACTION of the data display to the JSP returned to the user.” With the model, we have to analyze this set of procedures may appear in a variety of web vulnerabilities. 1, the[SQL injection]()vulnerability From[SQL injection]()vulnerability talking about it on the web vulnerability, [SQL injection]()is the most easy to exploit and the most hazardous. How to quickly find? The first analysis process, take the user to view articles by this process, for example: the user access an action that tells it the user wants to see ID for 7 of the articles, this action will continue to complete the previously mentioned process. If this is the ASP program, which is the most easy to cause problems when ASP is of the weak type, the received parameters do not need to convert the type, and the SQL statement even add up. But the JSP is not the same, the JSP is a strongly typed language, accept harmful parameters: for a GET request directly in the address bar to access the page if here is an int type, even if do not understand the security programmer will also put it, article ID immediately converted into the int, because here after the conversion in the latter process will be more easy to operate, and then the program will error; for a POST request, if here is the int type, the program will put it is encapsulated into a Form object, because the automatically to carry out the type conversion, the same error occurs, two errors occurred, simply will not access the back of flow out out, perhaps this is the JSP innate security. So, usually submitted variable is an int, the problem does not occur, the problem will appear in the string parameter here, if you want to view a user's information, the program may allow you to submit the following parameters: showuser. do? username=kxlzx it. The question is, because here is the string type, so do not understand the safety of the programmers at the most will determine what is not empty, even applied to become an SQL statement. There is the vulnerability of the program would probably be written like this: ACTION code: showuser. do String username = null; username = request. getParameter("username"); Service service = new Service(); service. findByUsername(username); Get the parameters after the call service,the service layer directly to the Dao layer, dao code: public Object findByUsername(String username) { JdbcTemplate jt=new JdbcTemplate(); String sql = "select * from Users where username='"+username"'"; List list = jt. query(sql); ................... } dao calls the DB layer of the JdbcTemplate, the SQL statement after a good fight, passed to the JdbcTemplate to perform. No longer here to see the JdbcTemplate, you can know inside the code, use the Statement's executequery()method executes, LED[SQL injection]( a). Analysis so half of the day, some readers will ask:“do I want to feeSo much effort to find a vulnerability?”on. Indeed, usually in the ASP program for the implantation of the idea is like this, but we are now in the use of the developed model of layered architecture of a JSP application, it should be in accordance with the layered architecture of thinking to find vulnerabilities. Before answering this question, we have about a 弯子 and see how here to prevent[SQL injection]() in java are always so beautiful, it does not directly tell you the answer, but layer by layer, letting you cut through the fog of. Just analysis of the process, from the forward analysis, from the user input to generate a vulnerability, we in defense, might as well pour to come over and see, from DB layer to start with. JdbcTemplate calls to execute SQL statements, you can have two classes for us to choose, one is the Statement, another is to pre-process the Statement, both of which have efficiency and safety on the significant difference. In efficiency, as long as the database supports pre-processing techniques, sqlserver, mysql, oracle, etc. are supported, only a few access, etc. are not supported, you will be in a large number of SQL statements executed when increase in speed; in security, the use of pre-processing, the received parameters are pre-processed, thus not as part of the SQL statement executed, but only as SQL statements in the Parameters section of the contents is performed. Once the DB layer using the pre-processing, DAO layer, SQL statement will change, become like this: public Object findByUsername(String username) { JdbcTemplate jt=new JdbcTemplate(); String sql = "select * from Users where username=?"; List list = jt. query(sql,new Object[1]{username}); ................... } Thus, [SQL injection]()and our program is almost irrelevant, note I said almost, not all. Know how to defense, so everything in here becomes a simple pole, we should go directly to the DB layer found JdbcTemplate, look at the code, once the use of the Statement, well, this system probably has a vulnerability, the following have to do is use Editplus search “request. getParameter”in. Not using the pre-processing system, may be in the action layer for defense, the parameters of the filter, but there are always Defense less than the time, because the front pull too long, each action are likely to accept the parameters and stored in the vulnerability. There is a situation that part of the system utilizes pre-processing, the part is not, such a situation may be because the project rush compare rush, the staff did not go through formal training, and finally difficult to integrate together. This case is also easy to handle, directly in the DAO layer search"'or'", these symbols are used and a string variable link added, spelling the SQL statement that is certainly these statements after the code use a Statement. Then go down to the upper to find, see which action to call this a problem of the dao class, may also occur[SQL injection]( a). Even if the system utilizes pre-processing, don't forget, the program to the customer, the customer has the right to go to the extension. The program to get customers there, customers have a new demand, and this demand in turn is not, it may be reluctant to spend money to re-hire people to achieve the extended functions at this time may also appear problem, the customer used their own programmers to extend the AJAX function, this programmer because afraid of problems, afraid to move the source program, on the web. xml Riga a servlet, this servlet directly to call the conn's. A terrible thing happened. So, our search for vulnerabilities in the rules and plus a strip, in a non-dao layer of the file, search for “select, update, delete”etc string. 2, the exposure program information vulnerability This vulnerability is how come? We need from the exception start. Experienced Raider, can from JSP program exception to obtain a lot of information, such as part of the program architecture, procedures of physical path, [SQL injection]()burst information, etc., this vulnerability is very easy to defense, it is difficult to quickly locate vulnerabilities in the files. The emergence of such vulnerability, usually when we write code, less some of the possibilities of consider caused. Such questions are empirical cause, without looking for loopholes but also by experience plus luck（have a fairy edge.... and, the My personal technology is limited, do not say. Defense of the method is in the program plus the“Exception layer”, the custom exception, the system generates the exception all packaged up, do not let any one may be an exception somewhere. Like Tencent, the exception is the packaging of the good“I'm sorry, today the number of registrants has reached hundreds of thousands, see you tomorrow again...”, the Nonsense, the daily register the amount of thousands of, also let people live it, ironclad is a program exception occurs that is not afraid to let you greatly have to see the real faces. 3, AJAX the exposed vulnerability Speaking in front[SQL injection]()when said example is a typical situation, since most websites are not developed with Ajax technology, is later to see everyone, fads plus. But in the plus at the same time do not realize that on the web add a file, it is equal to spread a little attack surface. Here I will not say more, please refer to the IT168 AJAX security topics: http://www4.it168.com/jtzt/shenlan/safe/ajax 4, business logic vulnerability This word looks quite abstract, and he and the“exposure program information vulnerability”has a lot in common, see the name will know, should be present in the business logic layer is the service layer of vulnerability. Such vulnerabilities are and run the program logic for, and give an example. Wang to Li transfer, in the business layer of the process should be like this, first in a small king on account of the deduction of one hundred dollars, after the small Li on account of increase of a hundred dollars. This process needs to perform at least two SQL statements which is invoked at least twice a dao method, and once called in the middle of problems to produce abnormal, should be immediately rolled back and not jump to the exception handling mechanism. Everyone should think of using the“transaction processing”, Yes, in a large and complex project, be sure to perform a transaction, once the transaction processing control is not good, big trouble. This is it and“exposure program information vulnerabilities” in common, to discover, to experience and luck. 5, the[XSS]()vulnerability This vulnerability also affects the far-reaching, you want to find such a vulnerability, in addition to the page on the test, but also from the process on Start. The user input of harmful information after the information is saved to the database, from the database in the read-out loss to the user when generating vulnerability. That is to say we have two processes can be intercepted, it is saved to the database, and read from the database out to the user. The fastest method is to directly open the database to view data, if the data is not encoded directly into a database, then the possibility to have half. The remaining half of the more simple, in the action layer search transcoding commonly used characters, if not, it is very easy to find vulnerabilities. Even if have, also not in a hurry, in the action layer in the slowly looking for, it may still slip through. Related to[XSS]()vulnerabilities, please refer to the IT168[XSS]()Safety topics: http://www4.it168.com/jtzt/shenlan/safe/xss/index.html 6, Page layer of logic vulnerability This vulnerability covers a lot, including“exposed not exposed Data”,“Access Control is not precise”, and“customer convenience at the same time the existence of security risks”and so on. Such vulnerability can only rely on their own experience, using the system of every small feature to look for. I give a few examples for your reference. In Example 1, The “retrieve password”function, this function is for the convenience of the customers, through some of the customer before to confirm the information and obtain the customer's identity verification. Some of the program logic is like this,“please enter the VIP username” -- to determine the VIP user does not exist--“please enter the hint question answer” - displays the user's password or modify the password of the link. The first step, the intruder can obtain a VIP user name exists, then get the password, the second step, once the user left the problem of comparing mentally, is tantamount to tell anyone your own password. In Example 2, The user list function, imagine, ordinary user idle all right to see the list of users to do? This work clearly in order to facilitate the intruder to collect the user name. Example 3, do not put the guard over to JS, who told us to use JS you can prevent users from doing certain actions? This is simply a trap, the JS only protection ordinary users only, never trust the client submitted the data, I see someone of the system in the limit to upload a file, only the JS in the Done protection, it is not self-deception? Web vulnerability after another, even if there is no more vulnerability, but also don't happy too early, we are now using the technology, the only Guard currently on the table attack, and perhaps today your system impregnable, tomorrow there is a new attack method. Like 0 4 years suddenly appear“file upload”vulnerability, in writing code, who can think here also occurs the problem? In this article, I is only based on some of their own experience, as well as a moment of inspiration, get ideas, give us the topic, the text must have written to the place, and from a layered architecture point of view to see the vulnerability of the thought is only just beginning, I hope every reader in his own heart has a turn Overture. Look forward to everyone of civilization kicked wherever he goes and encouraged.