These two articles take you through several common Web security attacks and defenses, and hopefully help you to understand Web security.

This is the second article; if you haven’t read Common Web Security Defenses (I), it is recommended that you read it as well.

Clickjacking

An attacker overlays a normal web page with one or more transparent iframes and then induces the user to interact with the page. When the user unknowingly clicks inside the transparent iframe, the click has been hijacked onto a malicious button or link that the attacker placed there in advance.

Here’s a simple example:

Suppose I want my Nuggets follower count to grow. I start by building a website full of free study materials, prominently labelled “Free to download”. I then embed Nuggets in an iframe and, with some CSS, position its transparent Follow button exactly over the download link. When users click Download, they are really clicking Follow on my Nuggets page.

**Clickjacking is highly concealed, and the vast majority of clickjacking uses attractive pictures or adult videos to lure people into clicking. So not visiting dubious websites and clicking fewer unknown links greatly reduces your exposure to clickjacking attacks.**

How to defend?

1. X-Frame-Options

The X-Frame-Options HTTP response header tells the browser whether a page may be displayed in a `<frame>`, `<iframe>`, `<embed>` or `<object>`. A site can use it to avoid clickjacking attacks by ensuring that its pages cannot be embedded in someone else’s site.

The response header takes one of three values:

| Value | Meaning |
| --- | --- |
| deny | The page may not be displayed in a frame at all, even when the framing page is on the same domain. |
| sameorigin | The page may be displayed in a frame only when the framing page is on the same domain. |
| allow-from uri | The page may be displayed in a frame only when the framing page comes from the specified origin. |

2. Browsers and extensions

Keep your browser up to date so you benefit from the security improvements that come with each upgrade. Extensions can also help block many attacks; for example, the ClearClick component of NoScript can detect potentially unsafe pages and warn of possible clickjacking attempts.

URL redirect vulnerability

If the server does not check and control the redirect URL passed in, an arbitrary malicious address can be constructed and users diverted to malicious websites.

Because the jump starts from a trusted site, users will trust it, so redirect vulnerabilities are generally used for phishing: redirecting to a malicious site that tricks users into entering their username and password so their information can be stolen, or into making a payment.

Attackers use URL redirect vulnerabilities to lure users with low security awareness into clicking, leading to information leakage or financial loss. The principle: the attacker builds a malicious link (disguised and made as confusing as possible) and posts it in QQ groups or high-traffic forums. A user with low security awareness clicks it and, once the server or browser has parsed the link, lands on the malicious website.

How to defend?

1. Referer restriction

If the source of the URL parameter is fixed, we can restrict redirects based on it to ensure the URL is legitimate and prevent malicious users from constructing jump links themselves.

2. Add a validity-verification token

We ensure that all generated links come from our trusted domain. By attaching a token the user cannot control to each generated link and verifying it when the link is used, we prevent users from generating their own malicious links and exploiting the redirect. However, if the feature itself is relatively open, this approach has certain limitations.
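The two defenses above combined in one redirect handler, as an added example that is not part of the original article: an allowlist check that also covers the parsing edge cases browsers are known for, plus an HMAC token on every server-generated link. `ALLOWED_HOSTS`, `SECRET_KEY` and the function names are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Hosts this site is willing to redirect to (constructed values for the example).
ALLOWED_HOSTS = {"www.example.com", "login.example.com"}
# Server-side secret for the redirect token (example value; load from configuration in practice).
SECRET_KEY = b"example-secret-rotate-me"


def is_safe_redirect(target: str) -> bool:
    """True only for a same-site absolute path or an http(s) URL on an allowed host."""
    if not target or any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        return False  # CR/LF and other control characters: header splitting, parser confusion
    if "\\" in target or target.startswith("//"):
        return False  # browsers read "/\evil" and "///evil" as "//evil", i.e. a new host
    try:
        parts = urlsplit(target)
    except ValueError:
        return False  # e.g. malformed IPv6 brackets
    if not parts.scheme and not parts.netloc:
        return target.startswith("/")  # plain relative path such as "/account"
    if parts.scheme not in ("http", "https"):
        return False  # javascript:, data: and similar never qualify
    # .hostname drops userinfo, so "https://www.example.com@evil.example/" yields evil.example
    return (parts.hostname or "").lower() in ALLOWED_HOSTS


def sign_redirect(target: str) -> str:
    """HMAC token the server attaches to every redirect link it generates."""
    return hmac.new(SECRET_KEY, target.encode("utf-8"), hashlib.sha256).hexdigest()


def resolve_redirect(target: str, token: str) -> str:
    """Return the target to redirect to, falling back to the home page on any failure."""
    if is_safe_redirect(target) and hmac.compare_digest(sign_redirect(target), token):
        return target
    return "/"
```

The allowlist check alone already blocks user-built links to other hosts; the token additionally stops anyone from pointing the redirect at a same-site URL the server never issued.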

SQL injection

SQL injection refers to a web application failing to validate user input, or filtering it too loosely, so that an attacker can append extra SQL to the query statement the application defined in advance. The database server is thereby tricked into carrying out operations the attacker is not authorized to perform, without the administrator’s knowledge, which lets the attacker go on to obtain the corresponding data.

How to defend?

1. Minimize permissions

Strictly restrict the permissions of the database account used by the web application, granting only the minimum it needs for its work, so that a successful injection does as little damage to the database as possible.

2. Escape characters

Escape or encode special characters (‘, “, <, >, &, *, ;, etc.) before they are used.

3. Validate the data

The back end can use regular expressions to check that input data matches the expected form; this also goes a long way toward preventing SQL injection attacks.
