XSS (cross-site scription)
An overview of the
Using the loopholes left by the web development, through the clever method to inject malicious instructions to the web page, users load and execute the attack installed malicious web page program; After a successful attack, you may get higher permissions, private web content, sessions, cookies and other content
attacks
- Reflection type: the attacker forms a URL link with malicious code to induce normal users to click, and the server receives the request corresponding to the URL to read out the parameters and then sends them to the browser without filtering by means of THE HTML page, and the browser interprets them.
- Stored type: the attacker sends the content with malicious code to the server. The server stores the data in the database without any filtering. The next time the server requests this page, the server directly takes out the relevant content from the database and splices it into HTML, and the browser parses it.
- Dom: DOM XSS tools are js that take the attacker’s input and insert it into HTML.
Analysis of the
Method: Malicious content is injected. Purpose: Obtain users’ private information or perform malicious operations
case
One, through URL injection
http://test.com/static/shareLink/index.html?shareUserName=<script>alert(document.cookie)</script>
Copy the code
<html>
<head>
<script>
let $referer = document.querySelectorAll('.referer');
referer.innerHtml = shareUserName;
</script>
</head>
<body>
<p>
<span class='referer'></span>Share with you</p>
</body>
</html>
Copy the code
For example, the NPM package with up to 8 million downloads has been tampered with code by hackers, and your device may be turning into a mining machine.
Event-stream, a JavaScript NPM package used to process node.js stream data, was suddenly discovered to contain a dependency called flatmap-stream, which was built into a backdoor to steal bitcoin, This means that for developers using this module, your device may already be turning into a mining machine without knowing it.
Third, through form injection through form submission permanent injection, in other users, after loading the content directly executed malicious scripts
//Form
<input userName value="<script>alert(documemt.cookie)</sctipt>" />
//Html
<p>Security And Defense -- Author:<script>alert(documemt.cookie)</sctipt></p>
Copy the code
SELECT * FROM accounts WHERE username=’admin’ and pasword=’password’; SELECT * FROM accounts WHERE username=’admin’;
/ / user name<input name="username" />/ / password<input name="psw" type="password" />
Copy the code
When the user enters “admin’ and 1=1 /*”, the system will verify the SQL statement like this
SELECT * FROM accounts WHERE username='admin' and 1=1 /*' and password = ''
Copy the code
Since the statements after /* are ignored as comments, the user logged in successfully
defense
Special symbol escape
const escapeHTML = (str) = >{
return str.replace(/[&<>'"]/g.(tag) = >({'&': '& '.'<': '< '.'>': '> '."'": '& # 39; '.'"': '" '
}[tag] || tag
));
}
Copy the code
Second, before referencing third-party packages, assess the risk in advance, try to use more people use NPM package, NPM package version plus Lock
Third, when designing the application program, the data access function is fully designed by using Parameterized Query
set @userName := xxx;
set @passowrd := xxx;
UPDATE myTable SET c1 = @c1, c2 = @c2, c3 = @c3 WHERE c4 = @c4
SELECT * FROM accounts WHERE username=@userName and password = @passowrd
Copy the code
4. The Content-Security Policy of the HTTP respone header of the site resource controls the loading of the specified resource on the specified page
CSRF (Cross-site request Forgery)
An overview of the
Cross-site request forgery is an attack that impersonates a trusted user to send an unexpected request to the server. For example, these unexpected requests may be completed by adding malicious parameters to the url after the jump link.
attacks
- A malicious operation request can be sent without the user’s knowledge by taking advantage of the feature that the user’s credentials stored in the cookie will carry when the host of set-cookie sends the request.
case
The user logs in to site A of forum and publishes A post. Then the user visits site B, which has the following content
<img src="http://www.a.com/delete?id=112312313" />
Copy the code
After the user visits, B site in the user’s knowledge, deleted A user in A site of A post
defense
When the browser sends a request, there is a referer attribute in the request header, which identifies the source site of the request. The backend can verify this attribute to determine whether the site sending the request is a trusted site.
After a user logs in, the server returns a token to the user, and the subsequent login authentication is verified by the token. The user submits the request with the token from requestData or requestHeader.
Cookie set SameSite.
CSP (Content Security Policy)
An overview of the
Content security policies are an additional layer of security to detect and weaken certain types of attacks, including cross-site scripting XSS and data injection attacks.
Open means
Response header == content-security-policy == Response header ==<meta />==
Content-Security-Policy
HTTP response headers, which allow the site manager to control which resources the user agent can load for a given page, protect against XSS attacks.
Set mode
Content-Security-Policy:<policy-directive>(directive value); <policy-directive>(directive value);
Copy the code
For details about directive, see the MDN documentation
case
Unsecure content is prohibited. Only resources can be loaded using HTTPS
//header
Content-Security-Policy: defalut-src https:
//meta tag
<meta http-equiv="Content-Security-Policy" content="default-src https:">
Copy the code
The relevant QA
A message is displayed indicating that the CONTENT security policy is violated when the HTTPS site loads the HTTP site using iframe
Refer to the link
Github.com/YvetteLau/S…