In the age of the Internet, while the Web brings us convenience, some people are also staring at these conveniences, so there are attacks on websites. So when we develop, we should pay attention to these easy to be attacked, and do a good job of defense measures, the following will introduce some of these common attacks and solutions.

1. XSS attacks

The full name for XSS is Cross Site Scripting, shortened to XSS so as not to confuse it with Cascading Style Sheets (CSS). XSS is one of the most common attacks in Web applications. Cross-site scripting attacks mean that attackers embed malicious scripts in web pages. When users open the web pages, the scripts start to execute on the browser of the client, so as to steal the client’s cookies, user names and passwords, download and execute virus Trojan horses, and even obtain the client’s admin permission.

The principle of XSS

Suppose there is a form on the page named Nick that is used to submit the user’s nickname information to the server:

<input type= "text" name= "nick" value= "xiaomaon>
Copy the code

The content of the form Nick comes from user input when, instead of a normal nickname string, the user enters the following:

<script>alert("I'm a troll. I'm doing XSS vulnerability testing, and I suspect your site has an XSS attack security vulnerability.")</script><! -Copy the code

For some reason, for example, the Nick server fails to pass the verification, the server redirects back to this page with the Nick parameter entered by the user before, and the page becomes the following:

<input type="text" name="nick" value=""/><script>alert ("I'm a troll. I'm doing XSS vulnerability testing, and I suspect your site has an XSS attack security vulnerability.") </script><! -/>Copy the code

The back of the input in the input box with a script, of course, the script just pop up a message “I am a little strange, I’m doing an XSS vulnerability testing, I suspect that your site has a XSS attacks security holes”, attack power depends on what kind of script, the user input as long as a little modification, can make the attack extremely dangerous.

To prevent XSS

XSS happens because the data entered by the user becomes code. Therefore, we need to escape the data entered by the user with HTML, and escape and encode special characters such as Angle brackets, single quotes, and quotation marks:

<c:out value= "${nick}" escapeXml="true" </c:out>
Copy the code

Simply set the escapeXml to true and JSTL will escape the HTML code in the variable.

2. CSRF attacks

CSRF (Cross-site request Forgery), also known as one Click Attack or session riding, commonly abbreviated CSRF or XSRF, is a malicious exploitation of a website.

CSRF attack mechanism

The principle of CSRF attack is simple, as shown in Figure 1. Web A is A website with CSRF vulnerability, Web B is A malicious website constructed by an attacker, and User C is A legitimate User of Web A.

CSRF vulnerability defense

CSRF vulnerability defense can be implemented at three levels, namely, server defense, client defense, and security device defense.

1. Set the cookie to HttpOnly

response.setHeader("Set-Cookie"."cookiename=value; Path=/; Domain=domainvalue; Max-Age=seconds; HTTPOnly");
Copy the code

2. Add the token to the request address and verify it

3. Verify the Referer field in the HTTP header

3. SQL injection

The so-called SQL injection is to disguise SQL commands as normal HTTP request parameters and pass them to the server to deceive the server into executing malicious SQL commands to achieve the purpose of intrusion. Attackers can use SQL injection vulnerability to query unauthorized information, modify the data of the database server, change the table structure, and even obtain the root permission of the server.

attacks

A cryptosystem using a SQL database might run queries like this:

SELECT * FROM users WHERE 'username' = '$USER' AND 'password'='$PASS';
Copy the code

\$USER and $PASS will be replaced with the username and password provided by the USER. So if the user enters’ Bob ‘and’ 1234 ‘, the resulting query is:

SELECT * FROM users WHERE 'username' = 'bob' AND 'password' = '1234';
Copy the code

The return value from the database will be all the tuples with Bob as the user name and 1234 as the password. If the hacker types admin and << ‘hi’ or 1=1>> -, then the query is:

SELECT * FROM users WHERE 'username' = 'admin' and `password` = 'hi' OR 1=1--'
Copy the code

Notice how the quote entered by the user matches the third quote in the original query. The database now returns all tuples with the user name admin and unchecks the password because ‘password’ = ‘hi’ OR 1=1 commands the database to look for tuples with passwords of hi OR 1=1, and since 1 is always 1, each row is a candidate. — is the SQL comment flag that unquotes other quotes in the original query, and will also uncheck any additional checks, so if there are additional credentials (that is, keyFOB or CAPTCHA) it will also be ignored. Hackers can now gain access to systems as administrators without having to give a legitimate password. By leveraging increasingly complex queries, hackers can change, add, or query data. For the database, this gives the hacker the same privileges as the application.

Precautions against COMMON SQL injection attacks

A. Use precompiled statements

Precompiled statements use parameter placeholders instead of parameters that need to be passed in dynamically, so that an attacker cannot change the structure of the SQL statement. The semantics of the SQL statement do not change. Even if a user passes in a string like ‘or’ 1 ‘=’ 1 ‘, the database will treat it as a normal string. Special characters in precompiled SQL statements are escaped.

B. Use ORM framework

Common ORM frameworks, such as MYBATIS and HIBERNATE, support the escape of corresponding keywords or special symbols. MYBATIS is able to escape some keywords of input variables via # tokens to prevent SQL injection attacks.

Special note: MYBATIS interprets #{} as a parameter marker and ${} as a string substitution. It is important to know this difference between parameter markers and string substitution because parameter markers cannot be used in certain parts of SQL statements. For example, you cannot use parameter markers to specify table names.

A code example is as follows:

Map<String, Object> parms = new HashMap<String, Object>();
parms.put("table"."foo");
parms.put("criteria"And 37); List<Object> rows = mapper.generalSelect(parms);Copy the code

<select id="generalSelect" parameterType="map">
  select * from ${table} where col1 = #{criteria}
</select>
Copy the code

MYBATIS will generate the following precompiled statement:

select * from foo where col1 = ?
Copy the code

Important: ${… } (string substitution) carries the risk of SQL injection attacks. In addition, string substitution can be problematic for complex types such as dates. For these reasons, we recommend using #{… } (parameter marker) format.

C. Do not store plaintext passwords in the database

For example, MD5 is used to digest passwords instead of storing plaintext passwords. In this way, hackers cannot directly obtain user passwords in case user information is leaked, which is called “dragged database” in the industry. However, MD5 has also become less secure. In recent years, there has been a popular crack method using rainbow table, which can quickly reverse the original text of the password (or the collision string) according to the Hash code of the user password. Hash+Salt solves this problem to some extent. Salting is creating a Hash with a perturbation that makes the Hash value different from the standard Hash result.

D. Handle corresponding exceptions

Background system exceptions are likely to contain some information, such as server version, database version, programming language, and even the database connection address and user name and password. Attackers can follow the map to find the corresponding version of server vulnerabilities or database vulnerabilities to attack. Therefore, you must handle background exceptions and redirect them to the appropriate error handling interface rather than allowing them to be printed directly to the page.

4. The DDos attack

A distributed denial of service (DDoS) attack is a malicious attempt to disrupt normal traffic to a target server, service, or network by overwhelming the target or its surrounding infrastructure with a large amount of Internet traffic. DDoS attacks are effective by using multiple compromised computer systems as sources of attack traffic.

Attack mode:

A.S YN Flood attack

That is, TCP is used to forge the IP address of the victim and keep the victim connected to the server. As a result, the victim denies service when connecting to the server.

b.DNS Query Flood:

DNS Query Flood is actually a variant of UDP Flood attack. As THE DNS service plays an irreplaceable role on the Internet, once the DNS server breaks down, the impact is severe. The DNS Query Flood attack sends massive domain name resolution requests to the attacked server. Usually, the domain names to be resolved are randomly generated and most of them do not exist. In addition, it forges ports and client IP addresses to prevent Query requests from being filtered by ACLs. After receiving a domain name resolution request, the attacked DNS server checks whether the corresponding cache exists on the server. Since domain names are randomly generated, it is almost impossible to have corresponding cache information. If no cache exists and the domain name cannot be directly resolved by the DNS server, The DNS server recursively queries domain name information from its upper-layer DNS server to the 13 root DNS servers on the global Internet. A large number of non-existent domain name resolution requests bring a heavy load to the server. When the number of resolution requests exceeds a certain amount, the DNS server will time out resolving domain names. In this way, the attacker achieves the purpose of attack.

C. CC attack:

Challenge Collapsar (CC) attack is an application-layer HTTP attack, also known as HTTP Flood. CC attacks work like this: Attackers simulate normal users to make requests to a website until the site refuses service by controlling a large number of “chickens” or by using a large number of anonymous HTTP proxies searched from the Internet. Most of the sites will be through the CDN and distributed cache to speed up the server response, improve throughput, and these carefully constructed HTTP requests often managed to avoid these caches, the need for multiple DB queries or is a request to return a large amount of data, accelerate the system resource consumption, so as to bring down the back-end business processing system, Even the associated storage and log collection systems are not immune. There are also a large number of free IP sites on the Internet that attackers can accumulate in large numbers.

D.P ing Flood attack

The ping command is used to continuously send data packets to the server.

E. Other means of attack

Solution:

Configure security configurations for routers and switches, that is, firewalls.

5. File upload attacks

In the process of the Internet, we often will some, like pictures, package files uploaded to the remote server to save, file upload attacks refers to a malicious attacker using some sites don’t have the type of the file for a good check such loopholes, upload the executable files or scripts, and obtain the corresponding rights on the server through the script, Or by inducing external users to access or download uploaded viruses or Trojan files, to achieve the purpose of attack.

In order to prevent users upload malicious executable files and scripts, and will file upload server as a free file storage server use, need to upload the file type for white list (not the blacklist, this is very important) check, and limit the size of uploaded files, upload files, need to be renamed, The attacker cannot guess the access path of the uploaded file.

For uploaded files, you cannot simply determine the file type based on the suffix name, because malicious attacks can change the suffix name of executable files to pictures or other suffix types to induce users to execute the files. Therefore, a more secure way to determine file types is required.

In many types of files, the first few bytes are fixed. Therefore, the file type can be determined based on the contents of these few bytes, which are also known as the Magic number.

For a file of the image type, you can scale the image to destroy the structure of the binary executable file uploaded by malicious users to avoid the execution of malicious codes.

Imagemagick is a powerful, stable and open source development kit for image processing, can handle a variety of formats of image files, you can use Imagemagick to scale images.

Note: this article refers to the following information

Common Web attacks

Common attacks on WEB sites and solutions

What are common Web attacks

Brief introduction to several common Web attacks

XSS attack and defense

CSRF attack and Defense