Web security is very important against the background of today's well-developed networks: daily life, social interaction and much else are closely tied to the network (ordering in a restaurant now means scanning a QR code), so any security problem would be very serious. Besides, I interviewed at Tencent two days ago, and the interviewer also asked some questions about Web security; my answers were rather rough, so I looked up the relevant material and summarized it.

Classification

XSS (cross-site scripting), clickjacking, CSRF (cross-site request forgery) and man-in-the-middle attacks

1. XSS attack

1. What is it

XSS stands for Cross-Site Scripting; it is abbreviated XSS rather than CSS to distinguish it from Cascading Style Sheets

2. Principle

An attacker inserts malicious HTML tags or JavaScript code into a web page so that the malicious script is executed directly in the user's browser

3. Purpose

  • Stealing cookies

  • Monitoring user behaviour, for example capturing the account name and password as they are typed and sending them straight to the attacker's server

  • Modifying the DOM to forge a login form

  • Injecting floating-window advertisements into the page

4. Attack methods

  • Stored: the script is stored in the server's database and executed on the client. A common scenario is submitting script code in a comment area

  • Reflected: the malicious script is carried as part of a network request, for example http://liben.com?q=

  • Document-type: does not go through the server; instead an intermediary hijacks network packets while the data is in transit and modifies the HTML document inside them. Hijacking methods include Wi-Fi router hijacking and local malware

5. How to solve it

  • Escape or filter characters such as '<', '>', ';' and '/'. For example,
    <script>alert('You're screwed.')</script>
    becomes
    &lt;script&gt;alert(&#39;You&#39;re screwed.&#39;)&lt;/script&gt;
  • Use CSP (Content Security Policy) in the browser: it restricts loading resources from other domains, forbids submitting data to other domains, and provides a reporting mechanism that helps us detect XSS attacks in time
    <meta http-equiv="Content-Security-Policy" content="script-src 'self' *.guojiang.tv *.guojiang.info *.tuho.tv *.efeizao.com cdn.staticfile.org *.cnzz.com *.geetest.com 'unsafe-inline' 'unsafe-eval'">
  • Use HttpOnly: many XSS attack scripts exist to steal cookies, and once the server sets the HttpOnly attribute on a cookie, JavaScript can no longer read its value (the attribute is set in the server's Set-Cookie response header, not from script)
    Set-Cookie: name=value; Expires=<expiry-date>; Domain=my.domain.com; Path=/; HttpOnly
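Here is an added JavaScript example of the escaping and CSP points above (my own code, not from the original post). escapeHtml encodes the listed characters so that the sample payload is rendered as text in the comment-area scenario, and reviewScriptSrc inspects a policy's script-src: the 'unsafe-inline' and 'unsafe-eval' keywords in the meta tag above allow injected inline script to run, so such a policy gives little protection against XSS. The function names and the shortened sample policy are assumptions.

```javascript
// Added example, not code from the original post; function names are my own.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '/': '&#x2F;' };

// Encode every character that can change HTML structure, so attacker-supplied
// text is rendered as text and never parsed as markup (HTML text context only).
function escapeHtml(text) {
  return String(text).replace(/[&<>"'/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Stored-XSS scenario from the post: a comment is saved and later rendered.
// Escaping at render time keeps a stored "<script>" payload inert.
function renderComment(author, body) {
  return `<li><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</li>`;
}

// Split "directive values; directive values" into { directive: [values] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0]] = tokens.slice(1);
  }
  return directives;
}

// Does script-src (falling back to default-src) actually stop injected script?
// 'unsafe-inline' lets an injected <script> or onerror= handler run unless a
// nonce or hash source is also present, in which case browsers ignore it.
function reviewScriptSrc(policy) {
  const d = parseCsp(policy);
  const src = d['script-src'] || d['default-src'];
  const problems = [];
  if (!src) {
    problems.push('no script-src or default-src: inline script is allowed');
  } else {
    const hasNonceOrHash = src.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    if (src.includes("'unsafe-inline'") && !hasNonceOrHash) problems.push("'unsafe-inline' allows injected inline script");
    if (src.includes("'unsafe-eval'")) problems.push("'unsafe-eval' allows eval() and new Function()");
    if (src.includes('*')) problems.push("wildcard '*' allows script from any origin");
  }
  return { blocksInjectedScript: problems.length === 0, problems };
}

// Constructed sample input: the payload shown in the post and a policy with the
// same weak keywords as the post's meta tag (host list shortened).
const samplePayload = "<script>alert('You're screwed.')</script>";
const samplePolicy = "script-src 'self' cdn.staticfile.org 'unsafe-inline' 'unsafe-eval'";
console.log(renderComment('guest', samplePayload));
console.log(reviewScriptSrc(samplePolicy));
```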

2. CSRF attack

1. What is it

CSRF stands for Cross-Site Request Forgery

2. Principle

The attacker forges a request to the back end, induces the user to click a link that opens the attacker's website, and then uses the user's current login state to initiate a cross-site request; by exploiting a weakness in the server's authentication together with the user's existing login session, the attacker simulates the user's actions

3. Attack methods

  • Automatically initiated GET request: a GET request is sent automatically to obtain information such as cookies

  • Automatically initiated POST request: the attacker writes a form and a script that submits it automatically, carrying the user's cookie, so that the server believes a normal user is operating

4. How to solve it

  • Make use of the SameSite attribute of cookies (Strict, Lax, None)

  • Use the Origin and Referer fields of the request header to verify the request's source; however, request headers can be forged, so this is less secure

  • Use a CSRF token: every request sent must carry this string, which the server validates

3. Clickjacking attack

1. What is it

Clickjacking, i.e. click hijacking

2. Principle

It is a visual deception

3. Attack methods

  • A transparent iframe is overlaid on a web page and the user is induced to perform some action on that page; without realising it, the user is actually clicking inside the transparent iframe

  • An image is laid over a web page, hiding the real meaning of the elements at that position

4. How to solve it

Set the HTTP response header X-Frame-Options. Its values are DENY, SAMEORIGIN and ALLOW-FROM, meaning respectively that the page may not be displayed in any iframe, may be displayed only in same-origin iframes, or may be displayed only in iframes from the specified origin
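Added example (my own code, not from the original post) that classifies a response's framing protection from its headers, handling the three X-Frame-Options values above and the CSP frame-ancestors directive that has replaced ALLOW-FROM. The function name and the sample header sets are assumptions.

```javascript
// Added example, not code from the original post; framingVerdict and the sample
// header sets are my own.

// Classify a response's framing protection from its headers. CSP frame-ancestors
// takes precedence over X-Frame-Options when both are present.
function framingVerdict(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = String(value);

  const csp = h['content-security-policy'] || '';
  const fa = csp.split(';').map((d) => d.trim().split(/\s+/)).find((t) => t[0] === 'frame-ancestors');
  if (fa) {
    const sources = fa.slice(1);
    if (sources.includes("'none'")) return { scope: 'none', by: "frame-ancestors 'none'" };
    if (sources.includes('*')) return { scope: 'any', by: 'frame-ancestors *' };
    return { scope: 'listed', by: `frame-ancestors ${sources.join(' ')}` };
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { scope: 'none', by: 'X-Frame-Options DENY' };
  if (xfo === 'SAMEORIGIN') return { scope: 'same-origin', by: 'X-Frame-Options SAMEORIGIN' };
  if (xfo.startsWith('ALLOW-FROM')) {
    // ALLOW-FROM is obsolete: Chrome and Safari never implemented it and treat
    // the header as invalid, so in those browsers the page is framable by anyone.
    return { scope: 'any', by: 'X-Frame-Options ALLOW-FROM is not honoured by current browsers' };
  }
  return { scope: 'any', by: 'no framing protection header' };
}

// Constructed sample responses: a protected one and a legacy, unprotected one.
const protectedHeaders = { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': "frame-ancestors 'none'" };
const legacyHeaders = { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' };
console.log(framingVerdict(protectedHeaders), framingVerdict(legacyHeaders));
```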

4. Man-in-the-middle attack

1. What is it

In a man-in-the-middle attack, the attacker establishes separate connections with the server and with the client and makes each side believe its connection is secure, while in fact the whole communication is controlled by the attacker

2. Principle

The attacker can obtain the communication data of both parties and modify it

3. Attack methods

The client sends a request to the server, and the man-in-the-middle intercepts it. The server sends its public key to the client; the middleman intercepts it and instead sends the client a forged public key of his own. Having received the forged public key, the client uses it to produce an encrypted hash value (the secret key) and sends it to the server. The middleman intercepts this encrypted hash value, decrypts it with his own private key and obtains the real secret key. At the same time, he produces a fake encrypted hash value with the server's real public key and sends it to the server. The server decrypts the fake key with its private key, and the encrypted data then flows to the client through the middleman, who can read and alter it

4. How to solve it

The HTTPS protocol can effectively prevent man-in-the-middle attacks


This article is the author's own summary and compilation. If there are any errors, please leave a message to correct them; if you find it useful, a thumbs-up would be welcome ~

About the author: GitHub, Jianshu, Juejin