Hackers and Security

On today's Internet there are always "underground workers" we can neither see nor touch: hackers. Hacker attacks come in many forms, broadly non-destructive and destructive. A non-destructive attack, such as the notorious DDoS attack, disrupts the running of a system and temporarily stops it from providing services to the outside world. Destructive attacks mainly produce two kinds of result: system data is damaged, or information is stolen; CSRF attacks are an example. The techniques hackers use can be roughly divided into three types: virus implantation, flooding (large-scale attack) and exploitation of system vulnerabilities.

These attacks are characterised by being distributed, high-volume and deeply anonymous. In a DDoS attack, for example, the hacker uses large numbers of compromised "zombie" machines abroad whose owner information is not registered, so the source of the attack is hard to trace and the attack cannot be resisted effectively. Cloud server vendors such as Tencent Cloud and Ali Cloud are now on the rise and can provide a complete set of security solutions, including high-defense servers that resist most of the DDoS attacks seen on the market, but the cost is somewhat high and hard for most small and medium-sized enterprises to bear.

Even so, an Internet company that wants to establish a complete information security system needs to follow the CIA principles: Confidentiality, Integrity and Availability.

Confidentiality: whether information is being stored or transmitted, the security of user data and related resources must be ensured whenever an operation touches user privacy or valuable data. It is worth mentioning that data encryption is not only there to stop external hackers; it also prevents the people who manage the data from tampering with or leaking the database for their own benefit, which in turn lets hackers use that data to attack the website and cause huge losses to the enterprise.

Integrity: the data a user accesses must be complete, neither missing nor tampered with; otherwise the user receives incorrect data. In actual coding, integrity is usually ensured by signature verification, encryption and salting of the data (for example MD5/SHA digests and data signatures).

Availability: the service must be guaranteed to be available; there is no data security if the service cannot be used properly. One factor that can make a service unavailable is high concurrency. For this situation we usually restrict incoming requests, for example with web operation time limits, request rate limiting and data cleaning.

SQL injection

SQL injection is the most common injection attack, but as developers' security awareness has generally improved and frameworks such as MyBatis have spread, SQL injection attacks are far fewer than they used to be. The principle of a SQL injection attack is that the program does not strictly separate code from data, so data that is nested in the code gets executed as part of it when the request is processed, with unexpected results. For example, when modifying user data, unescaped data is used directly as a variable:

update t_user set nick_name = "\"# -- ! #(@ " where user_id = 123;

OR

select * from t_user where (user_name = '1' OR '1' = '1') and (password = '1' OR '1' = '1');

In the first case the unescaped quote and comment characters in nick_name end the string literal early, so the rest of the statement can be altered (the fragment given for it: SQL > alter table nick_name;). In the second case the account password check is ignored and user information is obtained directly. There are many other SQL injection scenarios, which I will not cover here. Here is how to defend against it:

Filter the special characters that users enter into web pages, so that the data cannot escape its intended context.

When writing services, avoid building SQL statements by string concatenation; bind incoming SQL parameters instead.

Make proper use of the anti-injection mechanisms that database access frameworks provide, for example the #{} dynamic parameter in MyBatis, which effectively prevents SQL injection. Note that ${} is a plain placeholder that substitutes the text directly, which is equivalent to concatenating the SQL string.
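
As an added example that is not part of the original article (the article's stack is Java/MyBatis; this uses Python's built-in sqlite3 so it runs stand-alone), the two statements above are reproduced with string concatenation next to the parameter-binding fix. The table and user rows are constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table t_user (user_id integer primary key, "
                 "user_name text, password text, nick_name text)")
    conn.executemany("insert into t_user values (?, ?, ?, ?)",
                     [(123, "alice", "s3cret", "Alice"), (124, "bob", "hunter2", "Bob")])
    return conn


def login_unsafe(conn, user_name: str, password: str) -> list:
    """Vulnerable: data is concatenated into the code, so quotes in the input become SQL."""
    sql = ("select user_id from t_user where (user_name = '" + user_name + "') "
           "and (password = '" + password + "') order by user_id")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, user_name: str, password: str) -> list:
    """Parameter binding: values travel apart from the SQL text and are never parsed as code."""
    sql = "select user_id from t_user where user_name = ? and password = ? order by user_id"
    return [row[0] for row in conn.execute(sql, (user_name, password))]


def set_nick_unsafe(conn, user_id: int, nick_name: str) -> bool:
    """Vulnerable update; returns False when the spliced-in data broke the statement."""
    sql = ("update t_user set nick_name = '" + nick_name + "' "
           "where user_id = " + str(user_id))
    try:
        conn.execute(sql)
        return True
    except sqlite3.OperationalError:
        # A quote inside the data ended the string literal early: data was read as code.
        return False


def set_nick_safe(conn, user_id: int, nick_name: str) -> bool:
    """Bound parameters store any nickname, quotes and comment characters included."""
    conn.execute("update t_user set nick_name = ? where user_id = ?", (nick_name, user_id))
    return True


def get_nick(conn, user_id: int) -> str:
    return conn.execute("select nick_name from t_user where user_id = ?",
                        (user_id,)).fetchone()[0]
```

The safe variants also accept legitimate values containing quotes (a nickname like O'Brien), which the concatenated version cannot even store.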

XSS

XSS, or cross-site scripting, is abbreviated XSS rather than CSS to avoid a clash with Cascading Style Sheets. XSS means that a hacker uses some technical means to implant a malicious script into a web page requested by a normal user, and then executes arbitrary script on that basis. XSS is mainly used for information theft and destruction, and is divided into reflected XSS, stored XSS and DOM XSS.

XSS is defended against mainly by filtering or escaping user input. Back end: use the Jsoup framework to filter XSS from input strings, or the HtmlUtils utility class provided by the Spring framework to HTML-escape strings. Front end: use innerText instead of innerHTML whenever possible.

CSRF

A CSRF attack (cross-site request forgery), also called a one-click attack, simulates the user's actions without the user's knowledge and performs malicious operations on a site where the user has already logged in successfully, such as posting malicious content, modifying personal information, sending group messages or even changing the password.

CSRF differs from XSS, although the two have much in common at the attack level. Technically, XSS is a hacker implanting his or her own malicious script into a web page requested by the user, while CSRF impersonates a user who has logged in successfully to do whatever the attacker wants.

The focus of XSS is that user data is not filtered or escaped.

The focus of CSRF is that the HTTP interface is not protected against untrusted calls.

You can use the following two methods to defend against CSRF attacks:

(1) CSRF Token authentication: relying on the browser's same-origin policy (a client script from one origin cannot read another origin's resources without authorization), verify the token set in the page or cookie before the HTTP interface executes, and only continue with the request after verification succeeds.

(2) Human verification (man-machine check): it is common to verify an SMS verification code when the user performs important operations (such as changing the password).
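
As an added example that is not part of the original article, the token check of method (1) in Python: a token bound to the session with an HMAC, an exact-origin check, and a state-changing interface that refuses requests without the token. The server secret, the site origin and the session ids are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

# Assumptions for this example: one server-side secret and one trusted site origin.
SERVER_SECRET = secrets.token_bytes(32)   # constructed here; load from configuration in practice
SITE_ORIGIN = "https://shop.example"      # assumed origin of the site the user is logged in to


def issue_csrf_token(session_id: str) -> str:
    """Token written into the page (form field) for this session. It is an HMAC of the
    session id, so it cannot be guessed, and the same-origin policy stops a page on another
    site from reading it out of the user's page."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def same_site(headers: dict) -> bool:
    """Origin (or, failing that, Referer) must name exactly our scheme and host.
    A missing header is rejected; prefix matching is avoided on purpose."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def csrf_check(session_id: str, submitted_token: Optional[str], headers: dict) -> bool:
    """Run before any state-changing HTTP interface (change password, post, ...)."""
    if not same_site(headers):
        return False
    expected = issue_csrf_token(session_id).encode()
    # Constant-time comparison so a wrong token cannot be narrowed down byte by byte.
    return hmac.compare_digest(expected, (submitted_token or "").encode())


def change_password(session_id: str, form: dict, headers: dict) -> str:
    """The guarded interface: a forged cross-site request has no valid token and is refused."""
    if not csrf_check(session_id, form.get("csrf_token"), headers):
        return "rejected: CSRF check failed"
    return "ok: password changed"
```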
