Q&A: Answer Collection for the Security Section's Thinking Questions

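Answer: If the system is being attacked or exploited, the following methods help detect the problem in time:

  • Use a traffic monitoring system. Monitoring and analyzing network traffic in real time reveals abnormal request patterns or traffic peaks, so possible attacks are detected promptly.

  • Set up security logging and anomaly detection to monitor system metrics, including login counts, operation counts and request frequency, as well as abnormal behavior that may relate to an attack, such as abnormal user behavior or abnormal request parameters.

  • Monitor system resource usage (CPU, memory, disk and so on) in real time. Abnormally high resource usage may mean the system is being attacked or exploited.

  • Configure security alerting so that when the system detects abnormal behavior, alerts are sent promptly to administrators or the security team, who can then respond in time.

  • Perform regular security audits and vulnerability scans to find security vulnerabilities and weaknesses in the system, and fix and harden them promptly.

The above are some common ways to promptly detect that a system is being attacked or exploited; the monitoring and protection measures should still be chosen according to the specific system and its security requirements.

Answer: For timely detection of system attacks or exploits, monitoring is the better approach, and the key point is how to set the alarm threshold. I think we can compare the current volume with the volume at the same time yesterday and at the same time last week, and trigger an alarm if the difference reaches a certain percentage. The alarm should also have an escalation mechanism. In addition, when the overall volume is very large, the change an activity brings to the total may not be obvious, so monitoring only the total may fail to detect problems in time. It is therefore advisable to monitor and alert on each activity independently.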
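The threshold idea above as an added example (not code from the original course): each metric is compared with the same window yesterday and last week, and a persistent warning escalates. The ratios, the streak length, the metric names, and the choice to require both baselines to deviate are assumptions of this sketch.

```java
import java.util.HashMap;
import java.util.Map;

public class ActivityVolumeAlert {
    enum Level { OK, WARN, CRITICAL }

    static final double WARN_RATIO = 0.30;      // assumed: 30% deviation
    static final double CRITICAL_RATIO = 1.00;  // assumed: 100% deviation
    static final int ESCALATE_AFTER = 3;        // assumed: consecutive WARN windows before escalating

    private final Map<String, Integer> consecutiveWarns = new HashMap<>();

    static double deviation(long current, long baseline) {
        if (baseline == 0) return current == 0 ? 0.0 : Double.POSITIVE_INFINITY;
        return Math.abs(current - baseline) / (double) baseline;
    }

    /** Compares one metric with the same window yesterday and last week. */
    Level evaluate(String metric, long current, long yesterday, long lastWeek) {
        // Require both baselines to disagree so one unusual day does not page anyone.
        double d = Math.min(deviation(current, yesterday), deviation(current, lastWeek));
        if (d < WARN_RATIO) {
            consecutiveWarns.remove(metric);
            return Level.OK;
        }
        int streak = consecutiveWarns.merge(metric, 1, Integer::sum);
        // Escalation: a large deviation, or a WARN that persists, goes to CRITICAL.
        return (d >= CRITICAL_RATIO || streak >= ESCALATE_AFTER) ? Level.CRITICAL : Level.WARN;
    }

    public static void main(String[] args) {
        ActivityVolumeAlert alert = new ActivityVolumeAlert();
        // Constructed sample: requests per 5-minute window.
        // The activity jumps 10x, but the total barely moves.
        System.out.println("total:  " + alert.evaluate("total", 1_004_500, 1_000_000, 990_000));
        System.out.println("coupon: " + alert.evaluate("activity:coupon", 5_000, 500, 480));
        // A sustained 40% rise escalates on the third window.
        for (int i = 1; i <= 3; i++) {
            System.out.println("signup window " + i + ": "
                + alert.evaluate("activity:signup", 1_400, 1_000, 1_000));
        }
    }
}
```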

Regarding question 2: Regular reconciliation is generally carried out for the use of any third-party resources. If it is found during reconciliation that the call volume recorded in our system is lower than the usage volume recorded by the other party’s system, what do you think is the usual cause of this problem?

Answer: In a previous situation I encountered, when calling an external interface within a transaction, if the call times out, there will be no data left locally due to local transaction rollback. A more appropriate approach is:

  • Before sending the request, record the request data and commit the transaction, with the status recorded as unknown.
  • Send the request to call the external interface. If a definite result can be obtained, update the status recorded in the database as successful or failed. If a timeout or unknown exception occurs, it should not be assumed that the third-party interface call failed; instead, a query interface should be used to obtain a definite result.
  • Write a scheduled task to compensate for all records in the database with an unknown status and synchronize the results from the third-party interface.
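The three steps above as an added example (not code from the original course). The `Provider` interface and request ids are hypothetical, and an in-memory map stands in for the database table.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.TimeoutException;
public class ThirdPartyCallLedger {
    enum Status { UNKNOWN, SUCCESS, FAILED }
    /** Hypothetical third-party client with a call interface and a query interface. */
    interface Provider {
        boolean call(String requestId) throws TimeoutException;
        boolean query(String requestId);
    }
    // Stands in for a database table; every put() models its own committed transaction.
    final Map<String, Status> ledger = new LinkedHashMap<>();
    void send(Provider provider, String requestId) {
        ledger.put(requestId, Status.UNKNOWN);          // step 1: record and commit first
        try {
            boolean ok = provider.call(requestId);      // step 2: call after the commit
            ledger.put(requestId, ok ? Status.SUCCESS : Status.FAILED);
        } catch (TimeoutException e) {
            // Outcome undetermined: keep UNKNOWN instead of recording a failure.
        }
    }

    /** Step 3: body of the scheduled job; resolves UNKNOWN records via the query interface. */
    int compensate(Provider provider) {
        int resolved = 0;
        for (Map.Entry<String, Status> e : ledger.entrySet()) {
            if (e.getValue() != Status.UNKNOWN) continue;
            e.setValue(provider.query(e.getKey()) ? Status.SUCCESS : Status.FAILED);
            resolved++;
        }
        return resolved;
    }

    public static void main(String[] args) {
        // Constructed provider: it processes "r2" but the response never arrives.
        Provider flaky = new Provider() {
            public boolean call(String id) throws TimeoutException {
                if (id.equals("r2")) throw new TimeoutException("no response");
                return true;
            }
            public boolean query(String id) { return true; }
        };
        ThirdPartyCallLedger l = new ThirdPartyCallLedger();
        l.send(flaky, "r1"); l.send(flaky, "r2");
        System.out.println("after send: " + l.ledger);
        System.out.println("resolved:   " + l.compensate(flaky));
        System.out.println("after job:  " + l.ledger);
    }
}
```

Had the timeout rolled back the local record, "r2" would be counted by the provider but missing locally, which is the reconciliation gap the question describes.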

It is worth noting that during the reconciliation, both sides must be checked. If data is missing from either side, it may be due to a bug in the program logic and should be given attention. In addition, for any interaction involving a third-party system, it is recommended to maintain detailed request/response messages in the database to facilitate troubleshooting when problems occur.

29 | Data and Code: Data Is Just Data, Code Is Just Code

Regarding question 1: When discussing SQL injection cases, in the last test we saw that sqlmap returned four types of injection methods. Among them, I have introduced boolean-based blind injection, time-based blind injection, and error-based injection. Do you know what union-based SQL injection is?

Answer: Union-based SQL injection is a method of injection that exposes the information we need through the use of UNION. It generally belongs to the echo-based category of injection. We know that UNION combines the result sets of two SELECT queries, so the injected script can be appended to the original SELECT statement with UNION. This way, the database metadata and table data we need can be queried.

The key points of injection are:

  1. The number of columns and the data types of the two SELECT statements in UNION need to be consistent.
  2. It is necessary to explore the correspondence between the results after UNION and the data presented in the page.
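An added example (not from the original course) showing why this works against concatenated SQL and why a bound parameter stops it. It assumes the H2 in-memory JDBC driver is on the classpath; the tables, rows and input string are constructed for the demonstration.

```java
import java.sql.*;
import java.util.ArrayList;
import java.util.List;

public class UnionInjectionDemo {
    // Vulnerable: user input is concatenated, so it can change the query's structure.
    static List<String> searchConcatenated(Connection c, String name) throws SQLException {
        String sql = "SELECT name, description FROM product WHERE name = '" + name + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rows(rs);
        }
    }

    // Fixed: the placeholder binds input as a value; it is never parsed as SQL.
    static List<String> searchParameterized(Connection c, String name) throws SQLException {
        String sql = "SELECT name, description FROM product WHERE name = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rows(rs);
            }
        }
    }

    static List<String> rows(ResultSet rs) throws SQLException {
        List<String> out = new ArrayList<>();
        while (rs.next()) out.add(rs.getString(1) + " | " + rs.getString(2));
        return out;
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: the H2 driver is on the classpath; all tables and rows are constructed.
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:demo");
             Statement st = c.createStatement()) {
            st.execute("CREATE TABLE product(name VARCHAR(50), description VARCHAR(50))");
            st.execute("CREATE TABLE app_user(login VARCHAR(50), password_hash VARCHAR(50))");
            st.execute("INSERT INTO product VALUES ('pen', 'blue ink')");
            st.execute("INSERT INTO app_user VALUES ('alice', 'constructed-hash')");
            // Two string columns, matching the original SELECT (key point 1).
            String input = "x' UNION SELECT login, password_hash FROM app_user --";
            System.out.println("concatenated:  " + searchConcatenated(c, input));
            System.out.println("parameterized: " + searchParameterized(c, input));
        }
    }
}
```

The concatenated query returns the row from `app_user`; the parameterized one returns an empty list because the whole input is compared against `name` as a literal string.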

Regarding question 2: When discussing XSS, we saw how to HTML-escape text for display in the Thymeleaf template engine. FreeMarker is also a commonly used template engine in Java. Do you know how to handle escaping in FreeMarker?

Answer: In fact, most template engines now use a blacklist mechanism instead of a whitelist mechanism to perform HTML escaping, which can effectively prevent XSS vulnerabilities. That is, HTML escaping is enabled by default, and if you don’t need escaping in certain situations, you can temporarily disable it.

For example, FreeMarker (version 2.3.24 and above) sets various escape rules for HTML, XHTML, XML, and other file types (output formats) by default. You can use the ?no_esc directive to disable escaping:

```
<#-- Assuming the default is HTML output -->
${'<b>test</b>'} <#-- Output: &lt;b&gt;test&lt;/b&gt; -->
${'<b>test</b>'?no_esc} <#-- Output: <b>test</b> -->
```

Or use the noautoesc directive:

```
${'&'} <#-- Output: &amp; -->
<#noautoesc>
${'&'} <#-- Output: & -->
...
${'&'} <#-- Output: & -->
</#noautoesc>
${'&'} <#-- Output: &amp; -->
```

Both forms temporarily disable escaping. As another example, with the Mustache template engine, you can use three curly braces instead of two to disable automatic variable escaping:

Template:

```
* {{name}}
* {{company}}
* {{{company}}}
```

Data:

```
{
  "name": "Chris",
  "company": "<b>GitHub</b>"
}
```

Output:

```
* Chris
* &lt;b&gt;GitHub&lt;/b&gt;
* <b>GitHub</b>
```

30 | How to correctly store and transmit sensitive data?

Question 1: Although we store the usernames and passwords encrypted in the database, plaintext sensitive data may still exist in the logs. Do you have any ideas on how to desensitize logs at the framework or middleware level?

Answer: If we want to desensitize the logs at the source, we can do it at the logging framework level. For example, with the logback logging framework, we can customize a MessageConverter to desensitize sensitive information using regular expressions.

There are two drawbacks to this approach.

First, the regular expression used to match sensitive information may not be precise and could result in false positives or false negatives. Generally, this is not a serious issue. To achieve precise desensitization, we would need to provide various desensitization utility classes and instruct the business applications to manually call these utility classes to desensitize sensitive information when logging.

Second, if the data volume is large, desensitization operations may increase CPU and memory usage of the business application, and even lead to application unavailability. Considering that most companies now use ELK to centrally collect logs and generally do not allow direct access to log files on servers, one option is to perform desensitization with filters in the log collection middleware (such as logstash). This way, the desensitization overhead is transferred to the ELK system. However, this approach has the same drawback as mentioned earlier: imprecise field matching results in false positives or false negatives.
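A logback converter of the kind described above, as an added example (not code from the original course). It assumes logback-classic on the classpath; the class name, the `maskedMsg` conversion word and both regular expressions are choices of this sketch.

```java
import ch.qos.logback.classic.pattern.MessageConverter;
import ch.qos.logback.classic.spi.ILoggingEvent;
import java.util.regex.Pattern;

/**
 * Register in logback.xml (the package name is a placeholder) and use %maskedMsg in the pattern:
 *   <conversionRule conversionWord="maskedMsg" converterClass="com.example.MaskingMessageConverter"/>
 */
public class MaskingMessageConverter extends MessageConverter {
    // Assumed rules: 11-digit mobile numbers and key=value style secrets.
    private static final Pattern MOBILE =
        Pattern.compile("(?<!\\d)(1[3-9]\\d)\\d{4}(\\d{4})(?!\\d)");
    private static final Pattern SECRET =
        Pattern.compile("(?i)\\b(password|passwd|pwd|token)(\\s*[=:]\\s*)[^\\s,;&]+");

    @Override
    public String convert(ILoggingEvent event) {
        return mask(event.getFormattedMessage());
    }

    static String mask(String msg) {
        if (msg == null) return null;
        String out = MOBILE.matcher(msg).replaceAll("$1****$2");
        return SECRET.matcher(out).replaceAll("$1$2******");
    }

    public static void main(String[] args) {
        // Constructed log lines.
        System.out.println(mask("login ok, mobile=13812345678, password=Secr3t!"));
        // False positive: an 11-digit order number that looks like a mobile number.
        System.out.println(mask("order 13900001111 shipped"));
        // False negative: the secret sits in JSON, which the key=value rule does not cover.
        System.out.println(mask("{\"password\":\"Secr3t!\"}"));
    }
}
```

The second and third lines show the two failure modes of regex matching named above: the order number is masked although it is not sensitive, and the JSON password passes through unmasked.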

Question 2: Do you know the purpose of HTTPS mutual authentication? What are the differences in the process?

Answer: One-way authentication is typically used for web sites, where the browser only needs to authenticate the server. For mobile apps, if we want higher security, we can introduce HTTPS mutual authentication, which involves not only client authentication of the server, but also server authentication of the client.

The differences in the process between one-way authentication and mutual authentication mainly include the following three aspects.

First, both the server and the client need a CA certificate.

Second, in the process of mutual authentication, after the client verifies the server’s CA certificate, the client sends its own CA certificate to the server, and then the server needs to verify the authenticity of the client’s CA certificate.

Third, the client signs the message sent to the server with its private key, and the server can verify the signature using the public key in the client’s CA certificate.

I would like to add one more point here. For mobile applications, for stronger security, we usually configure the server’s public key on the client side. This method is called SSL pinning. In other words, the client directly verifies the legality of the server certificate, rather than verifying it through the certificate trust chain. With SSL pinning, because the client binds to the server’s public key, we cannot perform packet capture with root certificates on mobile devices. The drawback is that when the server's CA certificate expires and is renewed, we must take care not to change the public key.
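The pin comparison and the renewal caveat above, as an added example (not code from the original course). Using Base64 of the SHA-256 of the encoded public key as the pin is an assumption of this sketch, and freshly generated RSA keys stand in for the server's key pairs.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.util.Base64;
import java.util.Set;

public class PublicKeyPinCheck {
    /** Pin = Base64(SHA-256(encoded public key)); getEncoded() returns the X.509 SubjectPublicKeyInfo. */
    static String pinOf(PublicKey key) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(key.getEncoded());
        return Base64.getEncoder().encodeToString(digest);
    }

    /** In a real client this runs on the server certificate's getPublicKey() during the handshake. */
    static boolean isPinned(PublicKey presented, Set<String> pins) throws Exception {
        return pins.contains(pinOf(presented));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        // Constructed keys standing in for the server's key pairs.
        KeyPair current = gen.generateKeyPair();
        KeyPair rotated = gen.generateKeyPair();
        Set<String> pins = Set.of(pinOf(current.getPublic()));

        // Certificate renewed with the same key pair: the pin still matches.
        System.out.println("renewed, same key: " + isPinned(current.getPublic(), pins));
        // Certificate renewed with a new key pair: shipped clients reject the server.
        System.out.println("renewed, new key:  " + isPinned(rotated.getPublic(), pins));
    }
}
```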

Alright, the above is the answer or solution idea for the exercise questions in Lesson 30 of “100 Common Errors in Java Business Development”.

If you still have any unclear areas regarding these questions or the underlying knowledge points, feel free to leave a comment and ask me. You are also welcome to share today’s content with your friends or colleagues for discussion.