Security questions in front-end interviews focus largely on XSS and CSRF attacks, so understanding these two attacks is well worth the effort. Without further ado, let's learn about them together.
XSS attacks
First, let's take a look at XSS attacks. XSS stands for cross-site scripting, and it is the most common vulnerability in Web applications. In this kind of attack, the attacker embeds client-side scripts in a web page; when users visit the page, the scripts execute automatically, carrying out the attack. Such an attack can easily obtain users' cookies, redirect users to malicious websites, or deliver trojans.
How does an XSS attack occur?
XSS attacks occur mainly because data entered by a user is rendered as code instead of as text; preventing this requires HTML encoding.
XSS attack scenario
DOM-based XSS vulnerabilities
The attacked website has an XSS vulnerability. The attacker first sets up a website to collect stolen information, then constructs a malicious URL and delivers it to the user in some way. When the user clicks the link, the malicious JS code carried in the URL executes automatically, so the user's cookie and other sensitive data for the attacked website are sent to the attacker's collection site, resulting in losses for the user.
Stored XSS vulnerabilities
The attacked website has an XSS vulnerability that allows attack code to be stored in its database. The attacker uploads the attack script to the Web server through an ordinary action such as writing an article or uploading a video, exposing every visitor to that page to information leakage. When a user visits the article or video page on the attacked website, the malicious JS code embedded in it executes automatically and steals sensitive information such as cookies.
To sum up, DOM-based XSS vulnerability threatens individual users, while stored XSS vulnerability threatens a large number of users who visit the website.
Fixing XSS vulnerabilities
Rule: do not trust user input! Also note that attack code is not necessarily inside a script tag.
- Mark important cookies as HttpOnly so that JavaScript's document.cookie cannot read them.
- Only accept the input we expect. For example, an age text box should accept only digits, and every other character is filtered out.
- HTML-encode the data before rendering it.
- Filter or remove special HTML tags such as "script" and "iframe", and encode special characters: "&lt;" for "<", "&gt;" for ">", and "&quot;" for '"'.
- Filter JavaScript event attributes, such as "onclick=" and "onfocus=".
CSRF attacks
Now that we know about XSS attacks, our next task is to understand CSRF, cross-site request forgery, which is a more advanced form of Web attack than XSS.
CSRF attack scenario
Simply put, in a CSRF attack the attacker borrows our identity and sends malicious requests on our behalf. In our name, CSRF can send email, log in to accounts, take over accounts, purchase goods, transfer money, and so on.
CSRF attack mechanism
- User C visits and logs in to trusted website A
- After authentication succeeds, the cookies generated by website A's server are stored in user C's browser
- Without logging out of website A, the user visits dangerous website B
- Dangerous website B automatically sends a request to the third-party website A
- Because of B's request, the browser visits website A carrying the cookies generated in step 2
- Website A cannot tell whether the request was initiated by user C, but since the request carries user C's cookies, A treats it as a visit by user C. In this way, dangerous website B can forge requests under user C's identity and carry out illegal actions.
According to the attack steps above, a CSRF attack requires two conditions:
- The user logs in to trusted website A, and a cookie is generated and saved in the local browser
- The user visits dangerous website B without logging out of website A
Essentially, CSRF exploits the Web's implicit authentication mechanism. The Web's authentication mechanism guarantees that a request comes from the user's browser, but it does not guarantee that the request was approved by the user.
CSRF attack defense measures
- Server side
- Client side
Server-side defense is the most widely used approach. The core idea of server-side defense is to add a pseudo-random value to each request.
- Cookie hashing (all forms contain the same pseudo-random value)
- Verification code (CAPTCHA)
- One-time tokens (each form contains a different pseudo-random value)