Web security

  • Classification
    • Privacy: data must not be obtained or used illegally
    • Reliability: data is not lost, damaged, or tampered with
  • Attack types
    • XSS (cross-site scripting)
    • CSRF (cross-site request forgery)
    • SQL injection
    • Clickjacking
    • Man-in-the-middle attack
  • Web security issues
    • User identity theft
    • User password leakage
    • User data theft
    • Website database leak

Cross-site scripting attacks

  • Definition
    • An attacker takes advantage of a site that fails to escape, or insufficiently filters, data submitted by users, and injects code that becomes embedded in the web page. Every other user who visits the page then executes the embedded code.
    • The goal is to steal user information, perform actions under the user's identity, or spread malware to visitors.
  • Attack types
    • Reflected
      • The user's input is "reflected" straight back to the browser. The attacker has to trick the user into clicking a malicious link, submitting a form, or visiting a malicious site, so that a script is injected into the target site and can read the user's private data (such as cookies).
    • Stored
      • The user's input is stored on the server side; when a browser later requests that data, the script is returned from the server and executed. This kind of XSS is very stable (it persists for every visitor).
      • Scenario: an attacker posts an article or comment containing malicious JavaScript on a forum. Once it is published, every user who views the article or comment executes the malicious JavaScript in their browser.
    • DOM-based
      • A malicious script modifies the DOM structure of the page; this is a purely client-side attack.
  • XSS defenses
    • Escape characters
      • Don't trust any input from the user. Every user input should be checked, filtered, and escaped. Create a trusted whitelist of characters and HTML tags, and filter or encode any character or tag that is not on the whitelist.
    • HttpOnly cookies prevent cookie hijacking by script
    • CSP (Content Security Policy)
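The whitelist approach described above, applied to the stored-XSS forum-comment scenario, as an added example (not code from the original notes). It keeps only an allowlisted set of tags and attributes, drops `javascript:` links, escapes all text, and discards the body of `<script>`/`<style>` elements; the tag list and scheme list are assumptions chosen for the demo.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist: tag -> attributes permitted on it. Anything else is dropped.
ALLOWED = {"b": set(), "i": set(), "p": set(), "a": {"href"}}
SAFE_SCHEMES = {"http", "https", ""}   # "" allows relative links


class AllowlistSanitizer(HTMLParser):
    """Rebuilds comment HTML from an allowlist; text is always entity-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # >0 while inside <script>/<style>, whose text is discarded

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            if tag in ("script", "style"):
                self.skip_depth += 1
            return  # unknown tag: dropped, its text (if any) still flows through escaped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue  # e.g. onclick=, style=, onerror= are never on the allowlist
            if name == "href" and urlparse(value.strip()).scheme.lower() not in SAFE_SCHEMES:
                continue  # rejects javascript:, data:, vbscript: and similar URLs
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.skip_depth:
            self.skip_depth -= 1
        elif tag in ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=True))


def sanitize_comment(raw: str) -> str:
    """Sanitize a user-submitted comment before storing or rendering it."""
    s = AllowlistSanitizer()
    s.feed(raw)
    s.close()
    return "".join(s.out)
```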

Cross-site request forgery

  • Attack principle
    • The user logs in to website A
    • Website A verifies the user's identity and issues a cookie to the client
    • Without logging out of website A, the user visits website B
    • A page on website B issues a request to website A
    • The browser sends B's request to A together with the cookie that A issued
  • Defense
    • GET requests must not modify data
    • Do not allow third-party websites to use the user's cookies
      • SameSite
        • Set the SameSite attribute on cookies. It stops the cookie from being sent along with cross-site requests and greatly reduces an application's exposure to cross-site request forgery, but the attribute is not compatible with all browsers.
    • Prevent third-party websites from calling the site's interfaces
      • Referer verification
        • Check the Referer header to decide whether the request was initiated by a third-party website: when the backend receives a request, the Referer request header indicates where it came from. A Referer that is missing (some browsers and privacy settings strip it) should be treated as untrusted for state-changing requests.
        • Usage scenario: besides preventing cross-site request forgery, this also prevents image hotlinking
    • Require authentication information with the request, such as a captcha or a token
      • Verification code (captcha)
        • A cross-site request forgery attack usually constructs the request without the user's knowledge; a captcha forces the user to interact with the application before the final request can complete.
      • Token authentication
        • The server issues a random token, and the client carries the token with every request it initiates. The server installs an interceptor that verifies whether the token is valid.
  • Harm
    • Using the user's login state to complete business requests without the user's knowledge
      • Stealing the user's funds
      • Posting as the user so that the user takes the blame
      • Defaming the website

In contrast to cross-site scripting (XSS), which exploits the user’s trust in a given site, CSRF exploits the site’s trust in the user’s Web browser.
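The three server-side defenses listed above (SameSite cookie, Referer/Origin check, per-session token) combined in one request check, as an added example that is not part of the original notes. `SITE_ORIGIN` stands for "website A"; the request is modelled as plain dictionaries, and the session store is assumed to be server-side state keyed by the session cookie.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://a.example"   # hypothetical origin of "website A"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_session(session: dict) -> tuple[str, str]:
    """Create a per-session CSRF token and the Set-Cookie header for the session id."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    sid = secrets.token_urlsafe(32)
    # SameSite=Lax: the browser withholds this cookie on cross-site POSTs from site B.
    set_cookie = f"sid={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"
    return sid, set_cookie


def same_origin(headers: dict) -> bool:
    """Origin/Referer check: accept only requests whose source is website A itself."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False  # no provenance at all: reject a state-changing request
    p = urlsplit(src)
    return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN


def csrf_ok(method: str, headers: dict, form: dict, session: dict) -> bool:
    """Interceptor run before any handler that changes state."""
    if method in SAFE_METHODS:
        return True   # safe methods must not modify data, so they need no token
    if not same_origin(headers):
        return False
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    # constant-time comparison so the token cannot be recovered byte by byte
    return bool(expected) and hmac.compare_digest(expected.encode(), supplied.encode())
```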

SQL injection

  • Definition: the attacker inserts SQL commands into a web form submission, the query string of a URL, or a page request, so that the SQL statement executed in the background directly incorporates the field passed in from the front end.
  • SQL injection attack methods
    • Classified by injection point
      • Numeric injection
      • String (character) injection
    • Classified by submission method
      • GET injection
      • POST injection
      • Cookie injection
      • HTTP header injection
    • Classified by how information is obtained
      • Boolean-based blind injection
      • Time-based blind injection
      • Error-based injection
  • Defense
    • Do not use dynamic SQL
      • Avoid putting user-supplied input directly into SQL statements
      • Prepared statements and parameterized queries are safer.
    • Don't keep sensitive data in plain text
      • Encrypt private or confidential data stored in the database
      • This provides another layer of protection if an attacker does manage to extract sensitive data.
    • Restrict database permissions and privileges
      • Grant the database user only the capabilities it actually needs
      • This limits what an attacker can do after gaining access
    • Avoid displaying database errors directly to the user
      • An attacker can use these error messages to learn about the database structure
    • Use a web application firewall (WAF) in front of web applications that access the database
      • A WAF protects web-facing applications and can help identify SQL injection attempts
      • Depending on its settings, it can also help block SQL injection attempts against the application (and the database)
    • Periodically test web applications that interact with data
      • This helps catch new bugs or regressions that would allow SQL injection
    • Keep the database updated with the latest available fixes
      • This prevents attackers from exploiting known weaknesses and bugs in older versions
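The first defense above (no dynamic SQL) shown side by side with the pattern it replaces, as an added example rather than code from the original notes. The in-memory SQLite table and its single row are constructed sample data; the password column is kept plain only to keep the demo short (the notes' own advice is not to store sensitive data in plain text, so a real table would hold a salted hash).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one user in an in-memory SQLite database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return con


def login_dynamic_sql(con, name: str, password: str):
    """The pattern the notes warn against: user input pasted into the statement.

    A string value such as  x' OR '1'='1  turns the WHERE clause into
    name = 'nobody' AND password = 'x' OR '1'='1', which is true for every row.
    """
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return con.execute(sql).fetchone()


def login_parameterized(con, name: str, password: str):
    """Prepared statement: input travels as a bound value, never as SQL syntax,
    so the same string is compared literally against the password column."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return con.execute(sql, (name, password)).fetchone()
```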

Clickjacking

  • Principle: clickjacking is a visual deception attack. The attacker embeds the target website in their own page through a nested iframe, makes the iframe transparent, and shows a button on the page to lure the user into clicking; the click actually lands on the invisible framed site.
  • Code implementation (the attacker's page: a decoy image and button underneath an iframe of the target site; the iframe opacity is 0.3 here only so that the layering is visible in the demo)
      <!DOCTYPE html>
      <html>
      <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
        <style>
          html, body, img { width: 100%; height: 100%; margin: 0; padding: 0; }
          /* the framed target covers the whole page, layered above the decoy */
          iframe { width: 100%; height: 100%; position: absolute; top: 0; left: 0; z-index: 2; opacity: 0.3; }
          /* the decoy button sits underneath, aligned with a control in the framed page */
          button { position: absolute; top: 270px; left: 1150px; z-index: 1; width: 90px; height: 40px; }
        </style>
      </head>
      <body>
        <button>Button</button>
        <img src="https://ss0.bdstatic.com/70cFuHSh_Q1YnxGkpoWK1HF6hhy/it/u=1456290144,154203946&fm=26&gp=0.jpg">
        <iframe src="https://www.baidu.com/" scrolling="no"></iframe>
      </body>
      </html>
  • Defense
    • X-Frame-Options
      • An HTTP response header that is well supported in modern browsers, designed to defend against clickjacking attacks that nest the page in an iframe.
      • DENY: the page may not be displayed in an iframe at all
      • SAMEORIGIN: the page may be displayed in an iframe only on the same origin
      • ALLOW-FROM uri: the page may be displayed in an iframe only on the specified origin (this value is obsolete; current browsers implement the same control through the CSP frame-ancestors directive)
    • JS defense (frame busting)
      • Code implementation
          <!DOCTYPE html>
          <html lang="en">
          <head>
            <meta charset="UTF-8">
            <meta name="viewport" content="width=device-width, initial-scale=1.0">
            <meta http-equiv="X-UA-Compatible" content="ie=edge">
            <title>Document</title>
            <style>
              /* hidden by default; only revealed once we know we are the top-level window */
              body { display: none !important; }
            </style>
          </head>
          <body>
            <script>
              // window.top is the top-level window; self === top means this page is not framed
              if (self === top) {
                document.getElementsByTagName('body')[0].style.display = 'block';
              } else {
                top.location = self.location; // break out of the enclosing frame
              }
            </script>
          </body>
          </html>
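The header-based defense above, as an added example (not code from the original notes): a helper that emits X-Frame-Options together with its CSP frame-ancestors equivalent, and a small simulation of the browser's framing decision so each policy can be checked against a framing page. The origins used are hypothetical, and the decision logic compares whole origins only (real CSP source matching also handles wildcards and schemes).

```python
def frame_headers(policy: str, allowed_origin: str = "") -> dict:
    """Build response headers for DENY, SAMEORIGIN or ALLOW-FROM <origin>.

    X-Frame-Options is kept for older browsers; Content-Security-Policy
    frame-ancestors is what current browsers actually enforce.
    """
    if policy == "DENY":
        return {"X-Frame-Options": "DENY",
                "Content-Security-Policy": "frame-ancestors 'none'"}
    if policy == "SAMEORIGIN":
        return {"X-Frame-Options": "SAMEORIGIN",
                "Content-Security-Policy": "frame-ancestors 'self'"}
    if policy == "ALLOW-FROM" and allowed_origin:
        return {"X-Frame-Options": f"ALLOW-FROM {allowed_origin}",
                "Content-Security-Policy": f"frame-ancestors {allowed_origin}"}
    raise ValueError("unknown framing policy")


def may_frame(headers: dict, page_origin: str, top_origin: str) -> bool:
    """Approximate the browser's decision: may a page at page_origin, served
    with these headers, be rendered inside a frame whose top window is top_origin?"""
    directive = headers["Content-Security-Policy"].split()
    assert directive[0] == "frame-ancestors"
    sources = directive[1:]
    if sources == ["'none'"]:
        return False
    for src in sources:
        if src == "'self'" and top_origin == page_origin:
            return True
        if src == top_origin:
            return True
    return False
```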

Man-in-the-middle attack

  • Principle
    • In a man-in-the-middle attack, the attacker establishes a connection with both the server and the client and makes both sides believe they are talking to each other securely, while in fact the attacker controls the entire communication.
    • The attacker can not only read the communication between the two sides but also modify it.
  • Attacks
    • DNS spoofing
      • DNS resolves domain names into IP addresses so that users' network requests reach the correct target server.
      • An attacker can intercept users' requests by compromising a DNS server or tampering with the local hosts file. After intercepting a request, depending on the goal, the attacker can either "mislead" the user to a fake site or simply forward the request to the real target server in order to eavesdrop.
    • ARP spoofing
      • If DNS spoofing intercepts user requests on a WAN, ARP spoofing intercepts them on a LAN. The Address Resolution Protocol (ARP) translates IP addresses into physical (MAC) addresses.
        • If host A wants to communicate with host B (assume its IP address is 123) on the LAN, it needs both the IP address and the MAC address of the peer. If host A's local ARP cache does not contain host B's address, host A broadcasts to all hosts on the LAN asking for the MAC address of host 123.
        • Host B receives the broadcast, sees that the requested IP address is its own, and sends its MAC address to host A. After receiving the reply, host A saves host B's MAC address in its local ARP cache for direct use next time.
      • How is ARP spoofing carried out?
        • The attacker exploits the weakness of ARP: from a host in the LAN whose IP address is not 123, it sends its own MAC address to host A while posing as host B. Host A cannot tell whether the message really comes from host B or from an impostor, so it stores the new MAC address in its ARP cache, replacing the original record.
        • The next time host A wants to send a request to host B, it looks up its ARP cache, finds that host B's MAC address is now DEF (it should have been ABC), and sends the request to the attacker's host D instead. The attacker has thereby intercepted the request.
    • Proxy servers
      • The various intermediaries a user goes through when visiting websites, such as public Wi-Fi, VPNs, and censorship-circumvention tools. These are not always trustworthy: some can be compromised, some have problems of their own, and when a user sends a request through such an intermediary the request can be hijacked along the way.
  • Defense
    • Use DNSSEC
      • Domain Name System Security Extensions (DNSSEC) is a set of DNS security authentication mechanisms that verify the validity of the addresses users resolve, addressing DNS spoofing.
    • Use firewalls and anti-virus software
      • On a local network, the host that launches ARP spoofing is usually infected with malware and controlled by an attacker, so hosts need to be checked and cleaned regularly. A firewall can block messages suspected of being ARP spoofing.
    • HTTPS
      • HTTPS is HTTP with an SSL/TLS layer added. The SSL/TLS layer relies on certificates to verify the identity of the server and encrypts the communication between browser and server, so even if an attacker intercepts a user's request, it cannot be decrypted, let alone tampered with.
      • HTTPS alone is not a guarantee, however. If plain HTTP access has not been completely turned off, an attacker can downgrade HTTPS to HTTP (SSL stripping) and carry out a man-in-the-middle attack; a Strict-Transport-Security (HSTS) header instructs browsers to refuse plain HTTP for the site.
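Detection logic for the ARP spoofing scenario above (host B's entry in host A's cache suddenly pointing at the attacker's MAC), as an added example that is not part of the original notes. It compares successive snapshots of a host's ARP cache and flags the two classic symptoms: an IP whose MAC changed, and one MAC claiming several IPs. The snapshots are constructed sample data.

```python
from collections import defaultdict

# Constructed sample: two readings of host A's ARP cache. In the second reading
# both the gateway (192.168.1.1) and host B (192.168.1.20) resolve to the same
# new MAC, which is what a poisoned cache looks like after ARP spoofing.
SAMPLE_ARP_SNAPSHOTS = [
    [("192.168.1.1", "aa:bb:cc:00:00:01"), ("192.168.1.20", "aa:bb:cc:00:00:20")],
    [("192.168.1.1", "aa:bb:cc:00:00:99"), ("192.168.1.20", "aa:bb:cc:00:00:99")],
]


def detect_arp_anomalies(snapshots):
    """Return alert strings for IP->MAC changes and MACs that claim several IPs.

    known_macs remembers the first MAC seen for each IP (the equivalent of a
    static/pinned ARP entry); any later reading that disagrees is reported.
    """
    alerts = []
    known_macs = {}
    for index, snapshot in enumerate(snapshots):
        ips_per_mac = defaultdict(set)
        for ip, mac in snapshot:
            mac = mac.lower()
            ips_per_mac[mac].add(ip)
            if ip in known_macs and known_macs[ip] != mac:
                alerts.append(f"snapshot {index}: MAC for {ip} changed "
                              f"{known_macs[ip]} -> {mac}")
            known_macs.setdefault(ip, mac)
        for mac, ips in ips_per_mac.items():
            if len(ips) > 1:
                alerts.append(f"snapshot {index}: {mac} claims several IPs: {sorted(ips)}")
    return alerts
```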

Additional notes

  • The difference between a WAN and a LAN

    • They differ in scope
      • A local area network (LAN) is a closed computing unit built from two or more computers connected by network cables and other network devices within a fixed geographical area, typically within a few kilometres.
      • A wide area network (WAN) is a collection of networks spanning a very large region, from tens to thousands of kilometres.
    • Their IP address settings differ
      • In a LAN, each IP address must be unique on that network, but the same address can be reused on another LAN.
      • Each computer (or other network device) on a WAN has one or more WAN IP addresses that must not be duplicated.
    • They are connected in different ways
      • LANs are connected by switches
      • WANs rely on routers to connect multiple LANs.
  • The difference between MAC addresses and IP addresses

    • Address length
      • A MAC address is 48 bits (6 bytes) long. It is usually written as 12 hexadecimal digits, grouped in pairs separated by colons; for example, 00:50:29:55:8h:1E is a MAC address.
      • An IP address (IPv4) is 32 bits long, consisting of four 8-bit groups separated by dots. For example, 192.168.0.1 is an IP address in dotted-decimal notation.
    • Protocol layer at which addressing happens
      • MAC addresses are used at OSI layer 2, the data link layer. Data link layer protocols move data from one node to the next node on the same link (identified by MAC address).
      • IP addresses are used at OSI layer 3, the network layer. Network layer protocols move data from one network to another (ARP finds the MAC address of the next-hop node from the destination IP address, and the data is relayed through intermediate nodes until it reaches the destination network).
    • Basis of assignment
      • MAC addresses are assigned by the manufacturer
        • The MAC address is written into the hardware by the network device manufacturer during production. The address has nothing to do with the network: wherever the hardware carrying it (a hub, network card, router, and so on) is connected, it has the same MAC address, which is fixed.
      • IP addresses are assigned according to the network topology
        • An IP address consists of a network part and a host part. The number of bits allocated to each part varies with the address class (A, B, or C).

Reference: mp.weixin.qq.com/s?__biz=MzI…