Common Web attack modes

  1. XSS
  2. CSRF
  3. Clickjacking
  4. SQL injection
  5. OS injection
  6. Request hijacking
  7. DDoS

XSS

Reference: https://juejin.cn/post/6844903685122703367 (Meituan technical team, on juejin.cn)

Cross-site scripting is abbreviated XSS rather than CSS to avoid a clash with Cascading Style Sheets.

For example, suppose Juejin (the site the translation calls "the Nuggets") did not filter article content against XSS. If I write <script>alert("attack")</script> into my article, every user who opens the article gets an alert. Taken further, a while loop could fire the alert endlessly, and the same foothold can run JavaScript that reads the user's cookie and carries out actions on the site on the attacker's behalf.

This is stored XSS: the payload is saved in the site's database and delivered to every visitor who loads that page.

There is also reflected XSS. Take a search page whose server-side template echoes the keyword parameter straight back into the HTML:

    <input type="text" value="<%= getParameter("keyword") %>">
    <button>search</button>
    <div><%= getParameter("keyword") %></div>

If the keyword submitted is the malicious string "><script>alert('XSS');</script>, the server produces:

    <input type="text" value=""><script>alert('XSS');</script>">
    <button>search</button>
    <div>"><script>alert('XSS');</script></div>

The first quote and > close the value attribute early, so the script tag that follows is parsed as markup. When the browser requests http://xxx/search?keyword="><script>alert('XSS');</script>, it cannot distinguish the injected script from the page's own markup and simply runs it.

Reflected XSS lives in URLs: site search, redirect (jump) links and any other parameter that the server echoes back into the page.

DOM XSS attack steps:

  1. The attacker constructs a special URL that contains malicious code.
  2. The user opens the URL containing the malicious code.
  3. The browser receives the response and renders it; the page's own front-end JavaScript reads the malicious code out of the URL (location.hash, location.search and so on) and writes it into the page in a way that executes it, typically via innerHTML, document.write or eval.
  4. The malicious code steals user data and sends it to the attacker's site, or impersonates the user and calls the target site's interfaces to carry out the attacker's chosen actions.

DOM XSS differs from the two previous types: the malicious code is extracted and executed entirely on the browser side, so it is a vulnerability in the front-end JavaScript itself, and the server may never see the payload. Stored and reflected XSS are server-side vulnerabilities, because it is the server that inserts the payload into the response. The front-end fix is to write untrusted values with textContent or setAttribute instead of innerHTML.

The essence of XSS is that malicious code reaches the page unfiltered and is mixed in with the site's legitimate code; the browser cannot tell which scripts are trusted, so the malicious script runs with the same privileges as the site's own.

Aside: a well-known case

The Mop forum (its "hodgepodge" board) once had an XSS hole. When a user posted a reply, the application filtered the content strictly, but for some reason the edit-and-republish path used a different, much looser filter, and that gap produced the XSS vulnerability. Imagine a community the size of Mop: through an XSS flaw in one pinned post, every user who views the post can be made to silently load another site. If that site is large it may cope, but a small or medium site would be flattened by the traffic, and all of that traffic is real and valid.

Solution:

Escape special characters such as <, >, ", ' and & before writing user input into HTML, using the escaping appropriate to the context (element body, attribute value, JavaScript string, URL).

Where users must be allowed to submit HTML, sanitise it against an allowlist of permitted tags and attributes rather than a blocklist of known-bad strings, which is easy to bypass. As defence in depth, mark session cookies HttpOnly so injected script cannot read them, and deploy a Content-Security-Policy to restrict which scripts the browser may run.
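A runnable version of the reflected search page above, added here as an example and not part of the original article or of Juejin's code. The template, the keyword parameter and the attack URL are constructed for illustration; html.escape from the Python standard library does the escaping for HTML element and attribute-value contexts.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit


# Constructed stand-in for the server-side search template above: the keyword
# is echoed into an attribute value and into the body of a <div>.
def render_search_unsafe(keyword: str) -> str:
    """Vulnerable: the parameter is pasted into the HTML verbatim."""
    return (f'<input type="text" value="{keyword}">'
            f'<button>search</button>'
            f'<div>{keyword}</div>')


def render_search_safe(keyword: str) -> str:
    """Hardened: the value is HTML-escaped with quote=True, so < > & " ' are
    all neutralised and the value="..." context cannot be broken out of."""
    safe = html.escape(keyword, quote=True)
    return (f'<input type="text" value="{safe}">'
            f'<button>search</button>'
            f'<div>{safe}</div>')


def keyword_from_url(url: str) -> str:
    """Extract the 'keyword' query parameter the way the search handler would."""
    return parse_qs(urlsplit(url).query).get("keyword", [""])[0]


def contains_live_script(rendered: str) -> bool:
    """True when a raw <script tag survived into the HTML, i.e. the browser
    would parse it as markup rather than display it as text."""
    return "<script" in rendered.lower()


# Constructed attack URL: the payload is percent-encoded, exactly as a browser
# sends it, and closes the value="..." attribute before adding a script tag.
PAYLOAD = '"><script>alert(\'XSS\');</script>'
ATTACK_URL = "http://xxx/search?keyword=" + quote(PAYLOAD, safe="")

if __name__ == "__main__":
    kw = keyword_from_url(ATTACK_URL)
    print("unsafe:", render_search_unsafe(kw))
    print("safe:  ", render_search_safe(kw))
```

Running it prints the unsafe rendering, where the payload has closed the value attribute and a live script tag follows, next to the safe one, where the same characters come out as &quot;&gt;&lt;script&gt;... and are merely displayed. html.escape covers HTML element and attribute contexts only; a value inserted into a URL, an inline event handler or a JavaScript string needs the encoding for that context, and DOM XSS needs the client-side equivalent (textContent instead of innerHTML).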

CSRF

Reference: www.bilibili.com/video/BV1iW…

CSRF (Cross-Site Request Forgery): cross-site request forgery.

An attacker uses your logged-in identity, because the browser attaches your cookies to every request it makes to the site, to send requests you never intended.



Suppose you log in to your bank and open the transfer page.

Without closing that page, so your session cookie is still valid, you visit a site controlled by the attacker. Its source contains an image tag whose src is your bank's transfer URL, for example <img src="http://bank/transfer?to=attacker&amount=1000">. The browser fetches that URL and attaches your bank cookie automatically, so the transfer goes through in your name.

A first step is to change the transfer from a GET to a POST request, so that it can no longer be triggered by a plain image link and the parameters no longer sit in a URL.

But that alone does not stop the attacker, who can host a hidden form that posts to the transfer endpoint and submits itself with JavaScript. The real defences:

1. Add a captcha or a re-authentication step: the attacker can only construct a request, not interact with the page in your browser.

2. Check the Origin (or Referer) header and reject requests that do not come from the site's own scheme, host and port.

3. Issue a CSRF token, carried in the form or in a request header, that the server knows (stored per session, or recomputed from the session). A server-side interceptor verifies it and rejects any request whose token is missing or wrong. Setting the session cookie's SameSite attribute to Lax or Strict adds a further, browser-enforced layer.
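The transfer endpoint with defences 2 and 3 applied, as an added example that is not from the original post or the referenced video. The origin https://bank.example, the cookie name, the session id, the server secret and the three request shapes are all constructed; the token is derived by HMAC from the session id so that the server can verify it without storing it.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.example"        # assumed origin of the transfer page
SERVER_SECRET = secrets.token_bytes(32)    # assumed per-deployment key, never sent to clients


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session by HMAC. The server does not need to store it:
    on each request it recomputes the expected value from the session cookie."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def origin_allowed(headers: dict) -> bool:
    """Defence 2: the request must come from our own scheme://host:port.
    Prefer Origin; fall back to Referer; reject when neither is present."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def handle_transfer(cookies: dict, headers: dict, form: dict) -> str:
    """Constructed transfer endpoint. Returns the status line it would send."""
    session_id = cookies.get("session")
    if session_id is None:
        return "401 not logged in"
    if not origin_allowed(headers):
        return "403 cross-site request blocked"
    # Defence 3: constant-time comparison against the token this session was issued.
    if not hmac.compare_digest(form.get("csrf_token", ""), issue_csrf_token(session_id)):
        return "403 missing or invalid CSRF token"
    return f"200 transferred {form['amount']} to {form['to']}"


# Constructed requests. The browser attaches the bank's session cookie to all
# three, which is exactly why CSRF works when only the cookie is checked.
VICTIM_COOKIES = {"session": "sess-42"}


def legitimate_request() -> str:
    form = {"csrf_token": issue_csrf_token("sess-42"), "amount": "100", "to": "alice"}
    return handle_transfer(VICTIM_COOKIES, {"Origin": SITE_ORIGIN}, form)


def forged_img_request() -> str:
    # <img src="https://bank.example/transfer?..."> on the attacker's page:
    # a GET with no Origin header and the attacker's page as Referer.
    return handle_transfer(VICTIM_COOKIES, {"Referer": "https://evil.example/win.html"},
                           {"amount": "1000", "to": "attacker"})


def forged_form_request() -> str:
    # Auto-submitting hidden <form method="POST"> on the attacker's page: the
    # browser sends Origin: https://evil.example, and the attacker can only guess the token.
    return handle_transfer(VICTIM_COOKIES, {"Origin": "https://evil.example"},
                           {"csrf_token": "guess", "amount": "1000", "to": "attacker"})
```

Either check on its own stops both forged requests; keeping both means a proxy that strips Referer does not silently disable the protection, and a token leak does not help an attacker who still cannot forge the Origin header from another site.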


Clickjacking

Clickjacking is a visual-deception attack. The attacker embeds the target site in their own page inside an iframe, makes the iframe transparent, and shows a tempting button underneath it so that the user's click actually lands on the invisible target page. The "movie heaven" site is an example: I click on a movie...

...and end up on a completely different page (TvT).

This is classic clickjacking: the page uses an iframe element and makes it transparent, so the click passes through to the hidden frame.

Solutions:

1. X-Frame-Options is an HTTP response header that tells the browser whether the page may be framed, which defeats the nested-iframe trick:
DENY: the page may not be displayed in any iframe
SAMEORIGIN: the page may be displayed in an iframe only on pages of the same origin
ALLOW-FROM: the page may be framed only by the specified origin; this value is obsolete and ignored by current browsers, so use the Content-Security-Policy frame-ancestors directive instead, which also covers the first two cases

SQL injection

SQL injection targets code that checks your password by building a query from the text you typed, for example SELECT * FROM users WHERE name='...' AND password='...'. If the attacker submits 1' or '1'='1 as the password, the query becomes ... AND password='1' or '1'='1'. The first part may not match the real password, but '1'='1' is always true, so the database returns a row and the system concludes the password is correct.

Solutions:

1. Use the database's parameterised query interface for every statement. A parameterised statement sends the SQL text and the user-supplied values separately, so the values are never spliced into the SQL as text and cannot change its structure.

2. Escape special characters (', ", \, <, >, &) before they enter the database. This is a secondary measure: it is easy to get wrong and does not cover every context, so it is no substitute for parameterised queries.
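The password check above played out against a real database, as an added example not from the original article: a throwaway SQLite table (constructed; one user, plaintext password purely for the demonstration, where a real system would store a hash) queried first by string concatenation and then with a parameterised query.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table with a single account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn


def built_query(name: str, password: str) -> str:
    """Show exactly what the vulnerable code sends to the database."""
    return f"SELECT name FROM users WHERE name='{name}' AND password='{password}'"


def login_unsafe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Vulnerable: user input is concatenated into the SQL text, so the
    attacker's quote characters become part of the query's syntax."""
    return conn.execute(built_query(name, password)).fetchone() is not None


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Hardened: a parameterised query. The SQL text is fixed and the values travel
    separately, so a quote inside `password` is just a character in a string."""
    sql = "SELECT name FROM users WHERE name=? AND password=?"
    return conn.execute(sql, (name, password)).fetchone() is not None


# Constructed attacker input. The first quote closes the password literal, and
# because AND binds tighter than OR the WHERE clause becomes
#   (name='...' AND password='1') OR '1'='1'
# which is true for every row in the table.
INJECTION = "1' or '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(built_query("alice", INJECTION))
    print("unsafe login bypassed:", login_unsafe(db, "alice", INJECTION))
    print("safe login rejected:  ", not login_safe(db, "alice", INJECTION))
```

Note that the vulnerable version does not even need a valid username: the OR clause matches every row, so logging in as a user who does not exist succeeds too.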

OS injection

The same principle as SQL injection, but aimed at the operating system: user input is concatenated into a command line that is handed to a shell, so shell metacharacters in the input (; | && $( ) and so on) let the attacker run commands of their own on the server.

Solution: the same as for SQL. Never build a command line by string concatenation; pass the program and its arguments as a list so no shell parses them, validate the input against an allowlist of what it may contain, and if a shell is unavoidable quote the value as a single argument.
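An added example, not from the original article, of the same bug in a command line: a hostname lookup built by string concatenation and handed to the shell, beside the allowlist-plus-argument-list version. echo stands in for the real tool (ping, nslookup and the like) so the code runs offline; the hostname pattern and the injected string are constructed.

```python
import re
import shlex
import subprocess

# Allowlist: letters, digits, dots and hyphens are all a hostname may contain.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def is_valid_hostname(host: str) -> bool:
    return HOSTNAME_RE.fullmatch(host) is not None


def lookup_unsafe(host: str) -> str:
    """Vulnerable: the command line is built by concatenation and run through
    /bin/sh, so ; | && $( ) and friends inside `host` are interpreted by the shell."""
    result = subprocess.run("echo lookup " + host, shell=True,
                            capture_output=True, text=True, check=True)
    return result.stdout


def lookup_safe(host: str) -> str:
    """Hardened: validate against the allowlist, then pass the value as one
    element of an argument list so that no shell ever parses it."""
    if not is_valid_hostname(host):
        raise ValueError(f"invalid hostname: {host!r}")
    result = subprocess.run(["echo", "lookup", host],
                            capture_output=True, text=True, check=True)
    return result.stdout


def shell_quoted(host: str) -> str:
    """If a shell is unavoidable, shlex.quote makes the whole value one
    single-quoted word. Secondary to the allowlist, not a replacement for it."""
    return "echo lookup " + shlex.quote(host)


# Constructed attacker input: ends the intended command and starts another.
INJECTION = "example.com; echo INJECTED"

if __name__ == "__main__":
    print(lookup_unsafe(INJECTION), end="")      # second line shows the injected command ran
    print(shell_quoted(INJECTION))
    print(lookup_safe("example.com"), end="")
```

With the unsafe version the shell executes two commands and the second line of output, INJECTED, proves it; the argument-list version would have passed the whole string, semicolon included, to echo as a single argument, and the allowlist rejects it before that.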

Request hijacking

DNS hijacking: a DNS server (or any step of the resolution chain) is tampered with so that the domain name resolves to an IP address other than the intended one, and the request goes to the attacker's host.

HTTP hijacking: typically carrier (ISP) injection, where plaintext HTTP responses are modified in transit, for instance to insert advertisements or scripts. The fix is to serve the site over HTTPS, which authenticates the server and prevents the content from being altered, and to send an HSTS header so that browsers stop using plaintext HTTP for the site at all.

DDoS

Distributed denial of service

DDoS is not one specific attack but a family of attacks with the same aim. Think of a restaurant that can seat 300 diners at a time: the attacker sends 3000 people in at once, the restaurant cannot cope, and service collapses. That is how DDoS works. The attacker sends requests from a large number of machines (IP addresses) at the same time, and the website cannot handle that volume of hits.

Solutions:

1. Keep a fallback site (an entirely static one). If the main site goes down, redirect visitors there for a while.

2. Intercept HTTP requests: if the same IP keeps making abusive requests, block that IP directly.

3. For attacks where the offending IPs cannot be picked out, add capacity and bandwidth. In the restaurant analogy, the place originally seated 300 and is now refitted to seat 3000. This is expensive, but it also raises the attacker's cost, since they have to generate proportionally more traffic.
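Defence 2 above as code, an added example that is not from the original post: a sliding-window per-IP limiter with a temporary block, replayed over a constructed access log. The limits, the IP addresses and the log are made up for the demonstration.

```python
from collections import deque


class PerIpRateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds from
    one IP; an IP that exceeds it is blocked for `block_for` seconds. The clock
    is passed in as `now` so the logic is deterministic and testable."""

    def __init__(self, limit: int, window: float, block_for: float):
        self.limit = limit
        self.window = window
        self.block_for = block_for
        self.hits = {}       # ip -> deque of recent request timestamps
        self.blocked = {}    # ip -> time at which the block expires

    def allow(self, ip: str, now: float) -> bool:
        expiry = self.blocked.get(ip)
        if expiry is not None:
            if now < expiry:
                return False
            del self.blocked[ip]
        q = self.hits.setdefault(ip, deque())
        q.append(now)
        while q and q[0] <= now - self.window:    # drop hits outside the window
            q.popleft()
        if len(q) > self.limit:
            self.blocked[ip] = now + self.block_for
            q.clear()
            return False
        return True


def replay(limiter: PerIpRateLimiter, log):
    """Run (timestamp, ip) access-log records through the limiter and return
    {ip: (allowed, denied)}."""
    stats = {}
    for ts, ip in log:
        allowed, denied = stats.get(ip, (0, 0))
        if limiter.allow(ip, ts):
            stats[ip] = (allowed + 1, denied)
        else:
            stats[ip] = (allowed, denied + 1)
    return stats


# Constructed log: 10.0.0.1 fires 20 requests within 0.2 s, while 10.0.0.2 makes
# one ordinary request in the middle of the flood and another one later.
FLOOD = [(i * 0.01, "10.0.0.1") for i in range(20)]
NORMAL = [(0.05, "10.0.0.2"), (5.0, "10.0.0.2")]
ACCESS_LOG = sorted(FLOOD + NORMAL)

if __name__ == "__main__":
    print(replay(PerIpRateLimiter(limit=5, window=1.0, block_for=10.0), ACCESS_LOG))
```

Per-IP limiting handles single-source floods and crude botnets, and the normal client is untouched. It does nothing against a volumetric attack that saturates the link before the web server sees a packet, which is where upstream capacity, a CDN or scrubbing service (defence 3) comes in, and many legitimate users behind one NAT address can be blocked together, so the thresholds need care.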


The above are the web-security points most often asked in front-end interviews. GET versus POST and HTTP versus HTTPS also come up frequently, so they are covered briefly below.

GET and POST

GET and POST are distinguished by side effects and idempotence.

Side effect: whether a request changes resources on the server. A search changes nothing on the server, so it has no side effect; registering an account does.

Idempotent: whether sending the request M times leaves the server in the same state as sending it N times (M and N different, both at least 1). Setting a document's text to the same value ten times or eleven times leaves the same document, so that is idempotent; submitting a new registration ten times versus eleven times does not, so that is not idempotent.

GET is meant for requests that are idempotent and have no side effects: the resource and its state remain unchanged.

POST is meant for requests that have side effects and are not idempotent: the resource and its state change.

  • As noted above, GET parameters travel in the URL, where they end up in browser history, proxy and server logs and Referer headers, whereas POST parameters are in the body. POST is therefore slightly safer for sensitive values, but over plain HTTP both are equally readable to anyone on the path; only HTTPS protects them.
  • POST supports more encoding types (for example multipart/form-data) and is not limited in the size or kind of data it carries.
  • GET responses can be cached by browsers and proxies; POST responses are not cached by default.

HTTP and HTTPS

HTTP transfers hypertext data over TCP/IP.

HTTPS is HTTP carried over the TLS protocol.

TLS uses two kinds of encryption:

Symmetric and asymmetric encryption

Symmetric encryption: both parties hold the same key and use the same algorithm to encrypt and decrypt the data.

Asymmetric encryption: I publish my public key, so anyone can encrypt data for me, but only I hold the private key that can decrypt it.

TLS combines the two. The server first publishes its public key; the client uses it to encrypt a freshly generated random secret and sends that to the server, which decrypts it with its private key. Now both sides hold the same secret, derive a shared session key from it, and switch to symmetric encryption for the actual traffic, which is far faster than asymmetric encryption.

——————————————————————————————-

Update: after reading some experts' articles, I felt I still did not really understand HTTP and HTTPS, so I am tidying it up here.

TLS is an encryption protocol that sits between TCP and the application protocol. It is the successor of SSL, which Netscape released in 1995; TLS 1.0 was standardised in 1999.

HTTP transmits data in plaintext with no encryption at all, so anyone on the path can read or alter it. HTTP must not be used to carry sensitive information such as passwords.

HTTPS still transfers data as HTTP, but adds a TLS (historically SSL) layer that encrypts everything on the wire.

HTTPS uses port 443 by default; HTTP uses port 80.

How HTTPS works:

HTTPS requires a certificate, which binds the server's public key to its domain name and is signed by a certificate authority; the matching private key never leaves the server. The client checks the certificate (a valid signature chain, not expired, name matching the site); if the check fails the browser shows a certificate warning. If it passes, the client generates a random secret, encrypts it with the server's public key from the certificate and sends it over; the server decrypts it with its private key, and from that shared secret both sides derive the session key used for the symmetric encryption described above. (This is the RSA key-exchange flow; TLS 1.3 instead agrees the secret through an ephemeral Diffie-Hellman exchange and uses the certificate's key only to sign the handshake, but the asymmetric-then-symmetric structure is the same.)
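The handshake just described, with both sides, as an added example that is not part of the original article and is not TLS itself: a toy RSA key pair (fixed Mersenne primes and no padding, which would be insecure in practice), a client that encrypts a random pre-master secret to the server's public key, a server that decrypts it, and a toy keystream cipher standing in for the symmetric stage. Every prime, key and message here is constructed for the illustration.

```python
import hashlib
import secrets

# Toy RSA key pair from two Mersenne primes so the example runs instantly.
# Real certificates carry 2048-bit-plus moduli built from random primes and use
# OAEP padding; textbook RSA on small special-form primes is NOT secure.
P = 2**89 - 1
Q = 2**107 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent: stays on the server


def server_certificate():
    """What the server publishes: the public key (stand-in for the certificate)."""
    return (N, E)


def derive_session_key(pre_master: bytes) -> bytes:
    """Both sides turn the shared secret into the symmetric session key."""
    return hashlib.sha256(b"toy-tls-session-key" + pre_master).digest()


def client_key_exchange(public_key):
    """Client: pick a random pre-master secret, encrypt it to the server's public
    key, and derive the session key locally. Returns (ciphertext, session_key)."""
    n, e = public_key
    pre_master = secrets.token_bytes(16)          # 128 bits, well below n: no wrap-around
    ciphertext = pow(int.from_bytes(pre_master, "big"), e, n)
    return ciphertext, derive_session_key(pre_master)


def server_key_exchange(ciphertext: int) -> bytes:
    """Server: decrypt with the private exponent and derive the same session key."""
    pre_master = pow(ciphertext, D, N).to_bytes(16, "big")
    return derive_session_key(pre_master)


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: SHA-256 counter-mode keystream XORed with the data.
    XOR is its own inverse, so the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def handshake_and_send(message: bytes):
    """Whole exchange: asymmetric key transport, then symmetric traffic.
    Returns (bytes on the wire, plaintext the server recovers, keys_match)."""
    ciphertext, client_key = client_key_exchange(server_certificate())
    server_key = server_key_exchange(ciphertext)
    wire = stream_xor(client_key, message)
    return wire, stream_xor(server_key, wire), client_key == server_key

if __name__ == "__main__":
    wire, recovered, same = handshake_and_send(b"transfer 100 to alice")
    print(wire.hex(), recovered, same)
```

Real TLS derives keys with a proper KDF, protects the record layer with AES-GCM or ChaCha20-Poly1305 (which also authenticate the data; a bare XOR keystream lets an attacker flip bits undetected), and from TLS 1.3 on establishes the shared secret with an ephemeral Diffie-Hellman exchange rather than RSA encryption, so a later theft of the server's private key cannot decrypt recorded sessions.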

————————————————————————————-

HTTP/1.0, HTTP/1.1, HTTP/2

HTTP/1.0

Features: stateless, connectionless

Stateless means the server keeps no record of earlier requests, so a user's login and other state cannot be carried between requests by the protocol itself and must be kept in a cookie or server-side session.

Connectionless means that each request opens a new TCP connection (with its three-way handshake), which is inefficient, and the next request cannot be sent until the previous response has arrived; if one request stalls, everything behind it stalls too.

HTTP/1.1

To address HTTP/1.0's problems, HTTP/1.1 added several features: persistent connections, pipelining, caching controls and range requests (resumable transfers).

Persistent connection: the TCP connection is not closed after a response; further requests and responses reuse the same channel.

Pipelining: without pipelining and persistent connections the sequence is request 1 => response 1 => request 2 => response 2 => request 3 => response 3. With them, request 2 can be sent before response 1 has arrived; but the server must still return the responses in request order, so a slow response 1 still holds up response 2 (head-of-line blocking), and in practice browsers leave pipelining disabled.

Cache handling: data received on the first request is stored so that later requests can be served from the local cache, controlled by headers such as Cache-Control and ETag.

HTTP/2

  • Binary framing
  • Multiplexing: multiple requests and responses in flight at once over a single shared TCP connection
  • Header compression (HPACK)
  • Server push: the server can send additional resources to the client without an explicit request

Binary framing:

All transmitted information is split into smaller messages and frames and encoded in binary.

Multiplexing:

Built on binary framing: all requests to the same origin share one TCP connection, HTTP messages are broken into independent frames that can be interleaved in any order, and the receiver reassembles each message using the stream identifier carried in the frame headers.

Differences:

  1. The main difference between HTTP/1.0 and HTTP/1.1 is the move from one connection per request to persistent connections.
  2. The main difference between HTTP/2 and HTTP/1.x is multiplexing.

Finally:

When I have time I will add cookies, tokens and the various storage methods here as well.