This is the 10th day of my participation in the November Gwen Challenge. Check out the event details: The last Gwen Challenge 2021

What do you know about front-end security? What terms come to mind?

Browser related:

  1. XSS
  2. CSRF
  3. HTTPS
  4. CSP (Content Security Policy: can forbid loading cross-origin code and submitting data to cross-origin destinations)
  5. HSTS (forces the client to connect to the server over HTTPS)
  6. X-Frame-Options (controls whether the current page may be embedded in an iframe)
  7. SRI (Subresource Integrity)
    1. The index.js referenced by index.html is hosted on a CDN
    2. When the page is requested, the browser fetches index.js from the CDN, where the file may have been tampered with
    3. At build time, hash the contents of the JS file and inject the hash into the script tag as its integrity attribute
  8. Referrer-Policy (controls when the Referer header is sent)

Node (server) related:

  1. Local file operations: concatenating user input into a file path can leak files (path traversal)
  2. ReDoS (regular expression denial of service)
  3. Timing attacks
  4. Trusting the IP, Origin and Referer request headers

Can you tell us more about XSS?

  1. Concept
  2. Attack types
  3. How to prevent
  4. Have you encountered them at work? How is it solved?

Cross-site scripting (XSS)

Attackers do everything they can to inject executable malicious code into web pages

From the outside, what do the attack scenarios look like?

  1. Embed JS code in a comment area (anywhere user input is accepted)
  2. Append JS code to a URL

Technically, what are the types of XSS attacks?

  1. Stored XSS (server side)

Forum posts, product reviews, user messages, etc.: places where user-submitted data is saved by the site.

Attack steps:

  • The attacker submits malicious code to the target website's database
  • When a user opens the target website, the server reads the malicious code from the database, splices it into the HTML and returns it to the browser
  • When the user's browser receives the HTML, the malicious code mixed into it is executed
  • The code steals user data and sends it to the attacker's site
  2. Reflected XSS (server side)

Attackers use various means to induce users to click malicious URLs.

It exploits functionality that passes parameters through the URL, such as a site search or a redirect page.

Attack steps:

  • The attacker constructs a malicious URL
  • When the URL is opened, the malicious code it carries is executed directly
  3. DOM-based XSS (browser side)

Extracting and executing the malicious code is done entirely by the browser

Attack steps:

  • The URL parameter

How to prevent XSS attacks

Main idea: prevent attackers from submitting malicious code, and prevent browsers from executing malicious code

  1. Strictly encode data according to the context it is inserted into: HTML elements, JS, CSS, URLs

  2. CSP, Content Security Policy (and the X-XSS-Protection header)

default-src 'self': all loaded content must come from the site's own origin

  3. Input validation
  4. Enable the browser's built-in defenses: HttpOnly cookies, so that script cannot read the session cookie
  5. CAPTCHA (verification code)

File operations (Node)

Path concatenation can expose files that should not be accessible (path traversal)

Configure a root path and verify that the requested path stays inside it, for example with the third-party package resolve-path

Can you talk a little bit more about CSRF?

Cross-site request forgery (CSRF)

Attack steps:

  1. The victim logs in to a.com and the browser keeps the login cookie
  2. The attacker induces the victim to visit b.com
  3. b.com sends a request to a.com/xxxx, and the browser automatically attaches a.com's cookie
  4. a.com receives the request and performs the corresponding operation
  5. Unbeknownst to the victim, the attacker has impersonated the victim and made a.com perform an operation of the attacker's choosing

Attack types

  • GET type: an img tag on the page triggers a GET request

<img src="xxxxxxxxx" />

  • POST type: the malicious page automatically submits a form

  • Link type: induce the user to click a link

How to defend against CSRF attacks

Most CSRF attacks are launched from a third-party domain, and the attacker cannot read the cookie itself.

Block requests coming from third-party domains

  1. Same-origin checks

Check the Origin and Referer request headers

Referrer-Policy (controls whether Referer is sent)

  2. Cookie SameSite attribute

Strict: the cookie is never sent with cross-site requests. Lax: cross-site POST, img and iframe requests do not carry the cookie

Require extra information with each request

  1. CSRF Token
  • When the user opens the page, the server generates a token with a cryptographic algorithm
  • Each time the page loads, the front end obtains the token and adds it to the request header
  • Each JS request also carries the token
  • The server verifies the token's validity each time it receives a request
  2. Double-submit cookie
  • When a user visits the website, the server sets an extra cookie in the browser
  • Each time the front end makes a request, it reads that cookie and appends its value as a request parameter
  • The server checks that the parameter and the cookie match