What to check on the web

– Check field names to make sure they are what you expect.
  If an unexpected parameter is submitted, ignore it or return an error.
– Always check data in hidden fields, since the client can modify them.
  It is preferable to use a hash such as MD5.
– Always check the length of the variables.
  The length limit specified in the form cannot be relied on, so check the length on the server; if it is longer than expected, return an error or truncate the data.
– Don’t trust the referrer.
  It can be easily faked.
– When using cookies, verify them before trusting their contents.
  – Is the cookie format correct?
  – Is the cookie being sent from the correct IP address?
  – When using cookies, it is preferable to use SSL (because it makes things easier).
– Open the file explicitly in read mode
– Check the characters in the file name
  – | or .. or
– Check the input characters. In particular, check that there is no NULL character (%00)
– Don’t trust preprocessing done in JavaScript.
– Be careful when passing GET/POST/COOKIE variables as arguments to system calls or pipes. Whenever you use the contents of such a variable for anything, check in advance that it is what you expect.
– In Perl, system() can be called with a list of arguments
  e.g. system 'wc', '-c', $file;
– Perl: Use fork() + exec() instead of backticks.
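The checklist above condensed into one server-side validator, as an added example that is not code from the original post. The field names, length limits and secret key are constructed for illustration; the hidden-field check uses a keyed HMAC-SHA256 rather than the page's bare MD5, because an unkeyed hash of a hidden value can simply be recomputed by the client, and count_bytes() shows the argv-list form of process execution that corresponds to Perl's list-form system().

```python
import hmac
import hashlib
import subprocess

# Constructed server-side secret for the example; load it from configuration in practice.
SECRET_KEY = b"example-secret-key"
EXPECTED_FIELDS = {"name": 40, "comment": 200, "filename": 64}  # field -> max length
HIDDEN_FIELD = "item_id"      # hidden value the form carries
HIDDEN_SIG = "item_id_sig"    # its keyed signature, emitted alongside it
BAD_FILENAME_CHARS = ("|", "..", "/", "\\", "\0")

def sign_hidden(value: str) -> str:
    """Keyed signature for a hidden field (HMAC-SHA256 instead of the page's bare MD5)."""
    return hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()

def validate_params(params: dict) -> dict:
    """Validate submitted parameters; raise ValueError on the first problem found."""
    # 1. Field names must be exactly the ones we expect; unknown names are rejected.
    unexpected = set(params) - set(EXPECTED_FIELDS) - {HIDDEN_FIELD, HIDDEN_SIG}
    if unexpected:
        raise ValueError(f"unexpected field(s): {sorted(unexpected)}")
    clean = {}
    for name, limit in EXPECTED_FIELDS.items():
        value = params.get(name, "")
        # 2. The form's maxlength is not enforced by the client; enforce it here.
        if len(value) > limit:
            raise ValueError(f"{name} exceeds {limit} characters")
        # 3. A NUL byte (%00) must never reach a file or process API.
        if "\0" in value:
            raise ValueError(f"{name} contains a NUL character")
        clean[name] = value
    # 4. Hidden field: trust it only if its keyed signature verifies.
    hidden, sig = params.get(HIDDEN_FIELD, ""), params.get(HIDDEN_SIG, "")
    if not hmac.compare_digest(sign_hidden(hidden), sig):
        raise ValueError("hidden field has been tampered with")
    clean[HIDDEN_FIELD] = hidden
    # 5. Filename: reject path separators, traversal and shell metacharacters.
    if any(bad in clean["filename"] for bad in BAD_FILENAME_CHARS):
        raise ValueError("filename contains a forbidden character")
    return clean

def count_bytes(filename: str) -> str:
    """Run wc -c with an argv list and no shell (Python's analogue of Perl's list-form system())."""
    out = subprocess.run(["wc", "-c", filename], capture_output=True, text=True, check=True)
    return out.stdout.strip()
```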
