🌟🌟🌟🌟🌟

Taste: Strawberry puree

Cooking time: 15 min


This article has been included in the Front-end Canteen GitHub repo github.com/Geekhyt; a Star is much appreciated.

From the length of his beard and the weary look in his eyes, I sensed that the interviewer sitting across from me radiated the air of someone who had played CTF. As usual, I spent three minutes introducing myself, while the interviewer listened to my blah-blah blankly but patiently.

After I smoothly introduced my project experience as planned, the interviewer looked at me with a faint smile and said:

What do you think you are good at?

(I responded faintly: I’m a front-end engineer, but I’m interested in Web security.)

0. Do you know the CIA triad?

  • Confidentiality
  • Integrity
  • Availability

(These three must be rattled off without hesitation)

1. How are XSS attacks generated?

A hacker injects a malicious JavaScript script into a page loaded in your browser, steals your private information and impersonates you. This is called XSS (Cross-site Scripting).

Because the browser cannot tell whether a script was maliciously injected or is part of the normal page, it executes it, and HTML is flexible enough to be changed at any time.

2. Do you know the types of XSS?

(Free points)

  • Reflected XSS (also called non-persistent XSS)
  • DOM-based XSS
  • Stored XSS (also called persistent XSS)

3. Describe how they are implemented

Reflected: as the name suggests, the malicious JavaScript is part of a request the user sends to the web site; the server echoes it back in the response and it executes on the page. This happens when the server-side logic puts the request data into the final page code.

DOM-based: reflected XSS is not much use against projects where the front end and back end are separated, but this attack does not need to pass through the server at all. As we know, the page's own JavaScript can also modify the HTML, and that is what attackers use to insert malicious scripts.

Stored: also called persistent XSS. As the name implies, the attacker stores the malicious JavaScript in the server's database for the long term; once a user loads a page that renders that data, the script executes. Common in search pages, Weibo, community forum comments and so on.

4. What are the differences?

Reflected XSS malicious scripts live in URLs, while stored XSS malicious code lives in the database.

In DOM-based XSS, extracting and executing the malicious code is done entirely on the browser side, so it is a vulnerability in the front-end JavaScript itself, whereas the other two types are vulnerabilities on the server side.

(The interviewer looks up slightly and hands me a piece of paper.)

5. Draw another picture to explain it

(Fine, here is a dumbed-down explanation.)

[Figure: reflected XSS]

[Figure: DOM-based XSS]

[Figure: stored XSS]

(Interviewer: the young man draws well.)

6. What can hackers do with XSS attacks?

  • Steal users' cookies
  • Perform unauthorized operations
  • Modify the DOM
  • Spam floating-window ads
  • Launch an XSS worm
  • Hijack user behaviour to further infiltrate the intranet

(… and more)

7. How to defend against XSS attacks?

  • Treat all user input as untrusted; validate it and escape it at output time
  • Encode HTML element content, attributes, URL request parameters and CSS values
  • Where encoding would affect the business logic, use whitelist rules for detection and filtering
  • Use the W3C-recommended Content Security Policy (CSP) to whitelist domains
  • Set the HttpOnly attribute on cookies
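The first two defences above (escape at output time, encode per context) as an added example that is not part of the original post; the render functions and the `example.invalid` base URL are constructed for the demo.

```javascript
// Added example (not from the original post): HTML output encoding as an XSS defence.
// Encode untrusted text for the context it lands in: element content, attribute, or URL.

// Map each HTML-significant character to its entity so the browser treats it as text.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function encodeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// URL context needs its own rule: parse the value, allow only http(s) schemes so a
// javascript: URL never reaches href, then entity-encode the normalised result.
// The base URL is a constructed placeholder used only to resolve relative links.
function safeHref(untrustedUrl) {
  let url;
  try { url = new URL(String(untrustedUrl), 'https://example.invalid/'); } catch { return '#'; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return '#';
  return encodeHtml(url.href);
}

// Vulnerable pattern (hypothetical render function): the search term is reflected
// straight into the page, which is exactly the reflected XSS case described above.
function renderSearchVulnerable(term) {
  return `<p>Results for: ${term}</p>`;
}

// Hardened pattern: same markup, but the term is encoded at output time.
function renderSearchSafe(term) {
  return `<p>Results for: ${encodeHtml(term)}</p>`;
}
```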

8. Which XSS attack incidents do you know of?

(I didn't realise you followed the news.)

  • In 2005, Samy Kamkar, then just 19, launched the XSS worm on MySpace.com. By appending the phrase "but most of all, Samy is my hero" to each user's profile, the worm infected 1 million users within a matter of hours. It is the first heavyweight XSS worm in the history of Web security and a milestone.
  • In December 2007, Baidu Space was hit by a worm and users began forwarding spam messages.
  • A reflected XSS vulnerability was found on the QQ Mail domain m.exmail.qq.com.
  • In 2011, Sina Weibo was hit by an XSS attack: users were lured into clicking an enticing link, which then automatically posted a message containing the same link, widening the attack's reach. This too was a worm attack.

9. What is CSRF attack?

CSRF stands for Cross-Site Request Forgery.

As the name implies, a CSRF attack lures the user into opening the attacker's site, which then uses the user's logged-in state to issue cross-site requests.

Dumbed-down explanation: the attacker lures the victim onto a third-party site, and from there sends a cross-site request to the targeted site. Because the victim already holds valid credentials for the targeted site, the request bypasses the back-end user check and performs an operation on the targeted site in the victim's name.

10. How are CSRF attacks generally implemented?

  • The simplest case is a GET request: once the user lands on the attacker's site, the src attribute of an img tag can fire the request automatically
  • On the attacker's site, build a hidden form that submits a POST request automatically
  • Lure the user into clicking a link, using the href of an a tag, for example:

"Click to download the beautiful woman video"

11. What is the difference between CSRF and XSS attacks?

A CSRF attack does not need to inject malicious code into the user's page; it only exploits a weakness on the server together with the user's logged-in state.

CSRF attacks also cost less than XSS attacks. Users visit a large number of pages every day and cannot verify each one, so from the user's point of view CSRF cannot be completely prevented.

12. How do you protect against CSRF attacks?

  • Depending on the situation, set the SameSite attribute of key cookies to Strict or Lax
  • Have the server verify the request source (Referer, Origin)
  • Use a CSRF Token: the server generates a random token and returns it to the browser, and each request carries a different CSRF Token
  • Add secondary authentication (for example a separate payment password)

13. What do you know about Web cryptography?

  • Symmetric encryption
    • Encryption and decryption use the same key; simple and crude
    • Common classic symmetric algorithms: DES, AES (AES-128), IDEA, and the Chinese national standards SM1 and SM4
  • Asymmetric encryption
    • Encryption and decryption use different keys: the sender encrypts with the public key and the receiver decrypts the ciphertext with the private key.
    • It mainly solves the key distribution problem
    • The signatures we often talk about are private-key encryption
    • Common classic asymmetric algorithms: RSA, ECC and SM2
  • Hash algorithms
    • Irreversible, robust and unique
    • MD5, SHA (SHA-256), and the Chinese national standard SM3
    • Add a salt when using them

AES is the most widely recognised cryptographic algorithm in the world; as long as there is no major breakthrough in computing power, it will remain secure for the foreseeable future.

ECC is currently the asymmetric encryption algorithm with the highest encryption strength in the world.

The uniqueness of MD5 and SHA has been broken, but in most cases this does not pose a security problem. Salted SHA-256 meets most application scenarios.

14. Briefly explain the implementation principle of HTTPS

  1. The Client sends Random1 + its list of symmetric cipher suites + its list of asymmetric cipher suites
  2. The Server receives this, chooses a symmetric suite and an asymmetric suite, and sends them back together with Random2 and its certificate (the public key is in the certificate)
  3. The Client verifies the certificate's validity, uses Random1 + Random2 to generate the pre-master, encrypts it with the server's public key from the certificate, and sends it along with a browser confirmation to the Server
  4. The Server receives the pre-master message, decrypts it, generates the master-secret from Random1 + Random2 + pre-master according to the agreed algorithm, and then sends the server confirmation
  5. The Client receives it and generates the same master-secret; from then on the data is transferred under the symmetric key

(Basic operation, nothing fancy)

HTTPS adds the SSL/TLS security layer between TCP and HTTP.

  • Encrypts the data of outgoing HTTP requests
  • Decrypts the received HTTP content

Using symmetric encryption for the transmitted data and asymmetric encryption to transfer the key solves the transmission-efficiency problem while ensuring the security of the data at both ends. In addition, to prove that the server is trustworthy, digital certificates were introduced so that the browser can verify the certificate's validity.

The interviewer took a sip of the iced oolong tea beside him.

(Young man, you've got something.)

To be continued…

