
With the development of the Internet and browsers, we can do more and more in the browser: watch movies, listen to music, shop, play games, and so on. While we enjoy the convenience this technology brings, it also carries more risk: the more the browser can do, the more loopholes attackers can exploit and the more varied their methods become. This article covers some attacks that are common on the web today, so that we can think about how to avoid them in day-to-day development. Without further ado, let's begin!

The following types of attacks are common on the web today:

  • XSS (cross-site scripting)
  • CSRF (cross-site request forgery)
  • Clickjacking
  • CDN hijacking
  • Opener attack
  • DNS hijacking
  • SQL injection

I plan to cover XSS and CSRF in two separate articles, so this article discusses how each of the other attacks works and the harm it causes, to build a systematic understanding of web attacks. Let's start.

Clickjacking

The attack is carried out as follows:

  • Load the target page A, the page the attacker needs the user to actually operate on, in an iframe
  • Prepare a decoy page B whose interactive elements are lined up with the content on page A, to trick the user into interacting
  • Set the iframe's opacity to 0 and place it on top of the decoy page B, so that users do not realize they are actually interacting with page A; this is what achieves the click hijacking

This method is essentially a smokescreen: it relies on the invisible iframe to deceive the user. There are the following ways to avoid this attack:

  • Add the X-Frame-Options response header to the page's HTTP response. It has three values to choose from:
    • DENY: the page may not be displayed in an iframe, even one nested in a page of the same domain name
    • SAMEORIGIN: the page may be displayed in an iframe on a page of the same origin
    • ALLOW-FROM origin: the page may be displayed in an iframe of the specified origin. Chrome does not support this value, and current browsers treat it as obsolete; the CSP frame-ancestors directive is its replacement
  • Check whether top.location equals self.location. If it does not, the current page has been loaded in an iframe, and you can, for example, redirect the top window to avoid being framed
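A server-side way to apply the header defense above, as an added example that is not code from the original article: a WSGI middleware that sends X-Frame-Options together with the equivalent CSP frame-ancestors directive. The `allowed_origins` parameter, the demo app and the partner.example origin are assumptions made for illustration.

```python
def anti_framing_headers(policy="DENY", allowed_origins=()):
    """Return the header pairs for a framing policy (DENY or SAMEORIGIN).

    allowed_origins (hypothetical parameter) lists extra origins that may
    frame the page. Only CSP can express them; browsers that honour
    X-Frame-Options alone fall back to SAMEORIGIN and fail closed.
    """
    if policy == "DENY":
        if allowed_origins:
            raise ValueError("DENY cannot be combined with allowed origins")
        sources = ["'none'"]
    elif policy == "SAMEORIGIN":
        sources = ["'self'", *allowed_origins]
    else:
        raise ValueError(f"unsupported policy: {policy}")
    return [
        ("X-Frame-Options", policy),
        ("Content-Security-Policy", "frame-ancestors " + " ".join(sources)),
    ]


class AntiFraming:
    """WSGI middleware that adds the anti-framing headers to every response."""

    def __init__(self, app, policy="DENY", allowed_origins=()):
        self.app = app
        self.extra = anti_framing_headers(policy, allowed_origins)

    def __call__(self, environ, start_response):
        def patched(status, headers, exc_info=None):
            # Drop any X-Frame-Options the app set, so only one value is sent.
            # The CSP header is appended as an additional policy.
            kept = [(n, v) for n, v in headers if n.lower() != "x-frame-options"]
            return start_response(status, kept + self.extra, exc_info)
        return self.app(environ, patched)


def demo_app(environ, start_response):
    # Constructed app that still emits the obsolete ALLOW-FROM value.
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("X-Frame-Options", "ALLOW-FROM https://partner.example")])
    return [b"<h1>Account settings</h1>"]


def response_headers(app):
    """Call a WSGI app once and return the headers it sent."""
    sent = []
    list(app({"REQUEST_METHOD": "GET"}, lambda s, h, e=None: sent.extend(h)))
    return sent
```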

CDN hijacking

To improve performance, web applications nowadays often put many static resources such as images, JS and CSS on a CDN, which speeds up page loading. However, if attackers compromise the CDN server and modify those static resources, users will load the tampered resources, which is exactly what the attacker wants.
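The original article gives no countermeasure for this case; the added example below (not the author's code) uses Subresource Integrity, where the page pins a hash of each CDN file and the browser refuses a file whose bytes differ. The file contents and the cdn.example URL passed in are constructed.

```python
import base64
import hashlib

STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}  # hash algorithms SRI defines


def sri_value(content: bytes, alg: str = "sha384") -> str:
    """Build the integrity value: '<alg>-<base64 of the raw digest>'."""
    digest = hashlib.new(alg, content).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(url: str, content: bytes) -> str:
    """Emit a script tag pinned to the bytes that were reviewed at build time."""
    return (f'<script src="{url}" integrity="{sri_value(content)}" '
            'crossorigin="anonymous"></script>')


def sri_matches(content: bytes, integrity: str) -> bool:
    """Check served bytes the way a browser does: only the strongest
    algorithm listed in the integrity value is compared."""
    tokens = [t.partition("-") for t in integrity.split()]
    usable = [(alg, b64) for alg, _, b64 in tokens if alg in STRENGTH and b64]
    if not usable:
        raise ValueError("no usable hash in integrity value")
    strongest = max(STRENGTH[alg] for alg, _ in usable)
    return any(sri_value(content, alg) == f"{alg}-{b64}"
               for alg, b64 in usable if STRENGTH[alg] == strongest)


# Constructed sample: the file as published, and the same file after
# someone changed it on the CDN.
PINNED = b"window.app = {version: '1.0'};\n"
SERVED_TAMPERED = PINNED + b"/* bytes changed on the CDN */\n"
```

Running `sri_matches` against the bytes actually served by the CDN in a scheduled job gives an early signal that a pinned file has changed.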

Opener attack

There are two ways to open a link in a new tab from a web page:

  • <a target='_blank' href='http://www.baidu.com'>
  • window.open('http://www.baidu.com')

This looks fine, but the core of the opener attack is that the new page can reach the window object of the original page through window.opener and use it as the attacker wishes, for example by redirecting the original page to the attacker's website without the user's knowledge, in order to steal user information.

To avoid this attack, the two methods need to be adjusted as follows:

  • <a target='_blank' href='http://www.baidu.com' rel="noopener noreferrer">: the noopener value prevents the new page from accessing the window object of the original page, and the noreferrer value prevents the HTTP request from carrying the Referer header
  • var newTab = window.open(); newTab.opener = null; newTab.location = 'http://www.baidu.com';: manually clearing opener avoids the risk
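A build-time check for the rel rule above, as an added example (not code from the original article): it scans HTML for links that open a new tab without noopener or noreferrer. The sample markup and the partner.example URLs are constructed.

```python
from html.parser import HTMLParser


class OpenerAudit(HTMLParser):
    """Collect links that open a new tab but keep window.opener reachable."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line number, href) pairs

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "area"):
            return
        # HTMLParser lowercases attribute names; valueless attributes are None.
        attr = {name: (value or "") for name, value in attrs}
        if attr.get("target", "").lower() != "_blank":
            return
        rel = set(attr.get("rel", "").lower().split())
        # noreferrer implies noopener, so either token is enough.
        if not rel & {"noopener", "noreferrer"}:
            line, _ = self.getpos()
            self.findings.append((line, attr.get("href", "")))


def find_unsafe_blank_links(html: str):
    """Return (line, href) for every target=_blank link lacking a safe rel."""
    audit = OpenerAudit()
    audit.feed(html)
    audit.close()
    return audit.findings


# Constructed sample page.
SAMPLE = """<ul>
<li><a href="https://partner.example/a" target="_blank">A</a></li>
<li><a href="https://partner.example/b" target="_blank" rel="noopener noreferrer">B</a></li>
<li><a href="https://partner.example/c" TARGET="_BLANK" rel="nofollow">C</a></li>
<li><a href="/local">local</a></li>
</ul>"""

if __name__ == "__main__":
    for line, href in find_unsafe_blank_links(SAMPLE):
        print(f"line {line}: {href} opens a new tab without rel=noopener")
```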

DNS hijacking

DNS is a system that maps domain names to IP addresses. If an attacker hijacks the DNS server, they can change the mapping so that a legitimate domain name resolves to the IP address of the attacker's server.

SQL injection

SQL injection means that a web application does not strictly validate or filter user input. Attackers can append extra SQL statements to the end of the application's predefined queries and carry out unauthorized operations without the administrators' knowledge. In this way the database server is tricked into executing arbitrary unauthorized queries, and the attacker obtains the corresponding data.

SQL injection works by turning part of the page's URL, a form field, or an input parameter of a request into SQL, which is passed to the web server and then on to the database server, where it is executed as a database command. For example, if developers pass user-entered data or cookies directly to the database without filtering or verification (that is, there is an injection point), the spliced SQL may be executed, exposing database information and privileges.

The main defense against SQL injection is to strengthen the validation and filtering of user input, which avoids SQL injection to the greatest extent possible.

Conclusion

This article has looked at some of the types of attacks that are common on the web today. In the next article I'll talk more about XSS attacks, so stay tuned.
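The spliced query described above next to a hardened lookup, as an added example that is not from the original article. It assumes an in-memory SQLite table and a hypothetical username rule, and it adds parameter binding on top of the input validation the article recommends; all names, rows and inputs are constructed.

```python
import re
import sqlite3

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")  # hypothetical allowlist rule

# Constructed input of the kind the article describes: it closes the
# quoted string and appends a condition that is always true.
CRAFTED = "x' OR '1'='1"


def make_db():
    """Create a constructed in-memory table with two users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "a-secret"), ("bob", "b-secret")])
    return db


def lookup_spliced(db, name):
    """Vulnerable 'before' form: the input becomes part of the SQL text."""
    sql = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def is_valid_username(name):
    """Input validation: accept only the characters a username may contain."""
    return USERNAME_RE.fullmatch(name) is not None


def lookup_bound(db, name):
    """Hardened form: the input is bound as a value and is never parsed as SQL."""
    sql = "SELECT name, secret FROM users WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()


def lookup_safe(db, name):
    """Validate first, then query with a bound parameter."""
    if not is_valid_username(name):
        raise ValueError("invalid username")
    return lookup_bound(db, name)


if __name__ == "__main__":
    db = make_db()
    print("spliced:", lookup_spliced(db, CRAFTED))  # every row comes back
    print("bound:  ", lookup_bound(db, CRAFTED))    # no user has that name
```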