1. SQL injection

SQL injection is the insertion of SQL fragments into data that a web application passes to its database, usually through form fields, a URL query string or another request parameter, so that the server ends up executing SQL the attacker chose rather than the statement the developer wrote.

On a login page, the backend checks the username and password the user entered against a MySQL database.

The user enters the username [Cedric] and password [123456]. The backend concatenates these two values into the following SQL statement; if the query returns a row, the username and password are considered verified and the login succeeds.

Username: Cedric; password: 123456

select username from users where username='Cedric' and password='123456';

However, if the user enters the username [Cedric'-- ] (note the trailing space: MySQL only treats -- as the start of a comment when it is followed by whitespace) together with any wrong password such as [111], the backend concatenates the following statement. Everything after -- is a comment, so the password condition is never evaluated and the login succeeds:

select username from users where username='Cedric'-- ' and password='111';

Or, if the user enters the username [Cedric';delete from users;-- ] with any wrong password [111], the following is concatenated. If the database connection accepts several statements in one query (the Node mysql driver does not unless the connection is created with multipleStatements: true), the second statement deletes every row in the users table:

select username from users where username='Cedric';delete from users;-- ' and password='111';

SQL injection prevention

In a Node environment, pass every user-supplied value through the escape function of the mysql module (mysql.escape or connection.escape). It backslash-escapes the characters that could terminate the string literal (quotes, backslashes, NUL and a few control characters) and wraps the value in single quotes, so the input can no longer break out of the literal. The same escaping is applied automatically when you use ? placeholders, connection.query(sql, [username, password]), which is the preferred form because it cannot be forgotten for one value.

Wherever user input reaches an SQL statement, apply the escape function, for example:

const mysql = require('mysql')

const login = (username, password) => {
  // Prevent SQL injection: escape() quotes the value and escapes characters that could end the literal
  username = mysql.escape(username)
  password = mysql.escape(password)
  // No quotes around the placeholders: escape() has already added them
  const sql = `select username from users where username=${username} and password=${password};`
  // Then execute the SQL query as above...
}
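The following is an added example, not code from the original article or the mysql driver, showing why escaping stops the two attacks above: it builds the login statement both ways and then scans the result the way the MySQL lexer would, to see whether the attacker's -- comment and extra ; land outside a string literal. escapeLiteral is a simplified re-implementation of the driver's escape() rules written only so the demo runs offline; formatQuery, scanSql and the buildLoginQuery* helpers are this example's own names. In real code call mysql.escape() or use ? placeholders.

```javascript
// Added example: how escaping keeps attacker input inside the SQL string literal.
// escapeLiteral mirrors the rules mysql.escape()/sqlstring apply (NUL, \b, \t, \n,
// \r, \x1a, ", ' and \ are backslash-escaped, then the value is single-quoted).
// It is a stand-in for the demo only; use the driver's escape() in real code.
function escapeLiteral(value) {
  if (value === null || value === undefined) return 'NULL';
  if (typeof value === 'number') return String(value); // numbers are not quoted
  const s = String(value).replace(/[\0\b\t\n\r\x1a"'\\]/g, (ch) => {
    switch (ch) {
      case '\0': return '\\0';
      case '\b': return '\\b';
      case '\t': return '\\t';
      case '\n': return '\\n';
      case '\r': return '\\r';
      case '\x1a': return '\\Z';
      default: return '\\' + ch; // ", ' and backslash
    }
  });
  return "'" + s + "'";
}

// Replace each ? with an escaped value, like connection.query(sql, values) does.
// (Demo only: does not skip ? characters inside literals.)
function formatQuery(sql, values) {
  let i = 0;
  return sql.replace(/\?/g, () => {
    if (i >= values.length) throw new Error('not enough values for placeholders');
    return escapeLiteral(values[i++]);
  });
}

// Vulnerable: raw input is glued into the statement (the article's login code).
function buildLoginQueryUnsafe(username, password) {
  return "select username from users where username='" + username +
    "' and password='" + password + "';";
}

// Hardened: values go through placeholders and are escaped.
function buildLoginQuerySafe(username, password) {
  return formatQuery('select username from users where username=? and password=?;',
    [username, password]);
}

// Walk the statement tracking single-quoted literals (backslash escapes and doubled
// quotes stay inside the literal). Count ; terminators that appear outside literals
// and note where a "-- " line comment starts outside a literal, if any.
function scanSql(sql) {
  let inLiteral = false;
  let statements = 0;
  let commentAt = -1;
  for (let i = 0; i < sql.length; i++) {
    const ch = sql[i];
    if (inLiteral) {
      if (ch === '\\') { i++; continue; }          // skip the escaped character
      if (ch === "'") {
        if (sql[i + 1] === "'") { i++; continue; } // '' is a literal quote
        inLiteral = false;
      }
      continue;
    }
    if (ch === "'") { inLiteral = true; continue; }
    if (ch === '-' && sql[i + 1] === '-' && /\s/.test(sql[i + 2] || '')) {
      commentAt = i;                               // rest of the statement is a comment
      break;
    }
    if (ch === ';') statements++;
  }
  return { statements, commentAt, unterminatedLiteral: inLiteral };
}

// Constructed inputs taken from the article's two scenarios.
const CEDRIC_COMMENT = "Cedric'-- ";                 // trailing space matters to MySQL
const CEDRIC_STACKED = "Cedric';delete from users;-- ";

for (const input of [CEDRIC_COMMENT, CEDRIC_STACKED]) {
  const unsafe = buildLoginQueryUnsafe(input, '111');
  const safe = buildLoginQuerySafe(input, '111');
  console.log(unsafe, scanSql(unsafe)); // comment found, password check gone; 2 statements for the stacked input
  console.log(safe, scanSql(safe));     // no comment, exactly 1 statement: the input stayed a string value
}
```

The stacked input only does damage if the connection was opened with multipleStatements: true; with the driver's default the second statement is rejected, but the comment-based login bypass works regardless, which is why escaping or placeholders are needed in every case.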

2. XSS attacks

XSS (cross-site scripting) is a web application vulnerability that lets an attacker insert code (HTML and client-side script) into pages that other users will view; the injected script then runs in those users' browsers under the page's own origin.

XSS attack example

A typical XSS payload is typed into a form's input or textarea field, for example:

<script>alert(1)</script>

If the frontend submits this to the backend (for example Node) without filtering, the server stores it in the database without filtering, and the page later renders the stored value as raw HTML, then the next time this user or any other user loads the page the browser executes alert(1) and shows a dialog containing 1. Because the payload persists on the server, this is stored XSS.

Steal cookie values from web pages

Or, typed into the text box:

<script>alert(document.cookie)</script>

This shows that the injected script can read the victim's cookies. A real attacker would not display them but send document.cookie to a server they control, for example by building an image URL that carries the value. Cookies set with the HttpOnly flag are not readable from script, which is why session cookies should carry it.

Hijacking traffic to redirect malicious traffic

Typed into the text box:

<script>window.location.href="https://www.abc.com/";</script>

Every visitor who loads the page is then redirected to www.abc.com. The URL needs a scheme: assigning a bare www.abc.com to location.href is resolved relative to the current page (for example https://example.com/www.abc.com) and would not leave the site.

XSS attack prevention

Encode user input as HTML entities, that is, replace the characters with HTML meaning (<, >, &, " and ') with &lt;, &gt;, &amp;, &quot; and &#39;, so that the browser displays them as text instead of parsing them as markup.

In a Node environment, install the xss package:

$ npm install xss

Then pass the submitted content through it before storing:

const xss = require('xss')
// before: const inputValue = content
const inputValue = xss(content) // XSS defense is enabled

If the malicious payload is typed into the input box now, it is converted to the following before being stored in the database, and the browser renders it as literal text instead of executing it:

&lt;script&gt;alert(1)&lt;/script&gt;

By default xss() escapes tags that are not on its whitelist and removes attributes that are not, so it is intended for fields that are deliberately rendered as HTML; for fields that are only ever shown as plain text, entity-encoding the whole value is enough.
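The following is an added example, not code from the original article or the xss package, showing the entity encoding described above applied to the three payloads from this section, and going one step beyond the article with an attribute-context payload that needs the quote characters encoded as well. escapeHtml, the render* helpers, countTags and countRawQuotes are this example's own names, and all input strings are constructed for the demo.

```javascript
// Added example: HTML entity encoding for stored user input, in a text context
// and in an attribute context. Not the xss package's code.

// Encode the five characters that can change HTML structure. Encoding " and ' as
// well is what makes the result safe inside a quoted attribute value, not only in text.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Text context: a stored comment rendered into the page.
function renderCommentUnsafe(comment) {           // vulnerable: raw splice into markup
  return '<p class="comment">' + comment + '</p>';
}
function renderCommentSafe(comment) {             // hardened: entity-encoded
  return '<p class="comment">' + escapeHtml(comment) + '</p>';
}

// Attribute context: a stored value used to pre-fill a form field.
function renderInputUnsafe(value) {
  return '<input name="username" value="' + value + '">';
}
function renderInputSafe(value) {
  return '<input name="username" value="' + escapeHtml(value) + '">';
}

// Structural checks used to make the demo self-checking: an attacker needs a raw "<"
// to open a tag in text context, and a raw quote to close the attribute value.
function countTags(html) { return (html.match(/<\/?[a-zA-Z]/g) || []).length; }
function countRawQuotes(html) { return (html.match(/"/g) || []).length; }

// Constructed payloads: the article's three, plus an attribute breakout.
const PAYLOADS = {
  alert: '<script>alert(1)</script>',
  cookie: '<script>alert(document.cookie)</script>',
  redirect: '<script>window.location.href="https://www.abc.com/";</script>',
  attribute: '" onfocus="alert(1)" autofocus="',  // closes value="..." and adds a handler
};

for (const [name, payload] of Object.entries(PAYLOADS)) {
  console.log(name, 'stored as:', escapeHtml(payload));
}
// The template contributes 2 tags (<p> and </p>); the unsafe render adds <script> and </script>.
console.log('tags unsafe/safe:', countTags(renderCommentUnsafe(PAYLOADS.alert)),
  countTags(renderCommentSafe(PAYLOADS.alert)));
// The template contributes 4 raw quotes; the unsafe render adds the payload's 4.
console.log('quotes unsafe/safe:', countRawQuotes(renderInputUnsafe(PAYLOADS.attribute)),
  countRawQuotes(renderInputSafe(PAYLOADS.attribute)));
```

The article encodes at storage time, which stops the <script> case; the general rule is to encode at output time for the context the value lands in (HTML text, attribute value, JavaScript string, URL), since each context needs a different encoding and a value stored once may be rendered in several of them.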

This article from www.cnblogs.com/cckui/p/109…