JavaScript data types

| Primitive type | Meaning | Reference type | Meaning |
|---|---|---|---|
| String | string | Object | object |
| Number | number | Function | function |
| Boolean | boolean value | Array | array |
| Null | null | | |
| Undefined | the default value of a variable that has not been assigned | | |
| Symbol | a unique, immutable value; can also be used as the key of an Object | | |
| BigInt | an integer of arbitrary precision, beyond the safe-integer limit of Number; written by appending `n` to the integer or by calling the BigInt() constructor | | |

Web security issues and solutions

Reference

XSS (Cross-Site Scripting)

An attack in which an attacker tampers with a web page through "HTML injection", inserting malicious scripts (mainly JavaScript) so as to take control of the user's browser while the user views the page.

  1. Reflected XSS, also known as HTML injection

    Reflected XSS, also called "non-persistent XSS", simply "reflects" the user's input data back to the browser. The attacker therefore usually has to trick the user into "clicking" a malicious link for the attack to succeed. Once the user clicks the link, the attacker can obtain the user's private data: for example, "steal the user's Cookie", "destroy the page structure", "redirect to another website", or learn the user's intranet IP.

    Since reflected XSS is also HTML injection, the injection starts from the front-end HTML page:

    1. The user can interact with the browser page (enter a search term, click a button, click a link, etc.), but inducing the user to do so is easier said than done.
    2. The data entered by the user is spliced by the attacker into suitable HTML so that a malicious JS script executes, much like a "reflection".
  2. Stored XSS

    Stored XSS, also called "persistent XSS", differs from reflected XSS in that the injected data is "stored" on the website's server, which gives it strong "stability". For example, a user opens a blog post written by an attacker; the post contains malicious JavaScript that the attacker saved to the server.
  3. DOM-based XSS

    In effect this is also "reflected XSS"; it is listed separately because the XSS is formed by modifying the page's "DOM nodes". For example, by modifying the methods bound to a DOM node, the attacker makes the user run those methods unintentionally (by clicking, typing, etc.) and thereby obtains the user's information.
  4. How to detect the presence of XSS

    The usual method is to enter <script>alert(123)</script> where a keyword is expected and then click search. If a pop-up box shows 123, the page has an XSS vulnerability: the front end does not filter the content entered by the user.
  5. XSS attack modes

    • Cookie hijacking
    By disguising some "pictures and buttons" and inducing the user to operate on them, the web page executes the attacker's malicious script, and the attacker obtains the Cookie of the current user.
    • Constructing GET and POST requests
    If an attacker wants to delete an article from a site, the script first GETs the id of the current article, then sends a "GET request" by "inserting an image", or "constructs a form" and sends a "POST request" through "XMLHttpRequest" to delete the article.
    • XSS phishing
    The term "phishing" has its origins in "social engineering": attackers use this idea to trick people into giving up their names, ages, e-mail accounts and even bank card passwords without permission or knowledge. For example, a user operates a fake login box on a website (which has been attacked). After the user enters a user name and password in the login box, that information is uploaded to the attacker's server (the user's information has leaked from the website).
    • Obtaining the user's real IP address
    For example, if the Java runtime (JRE) is installed on the client, the client's local IP address can be obtained by invoking the Java Applet interface.
  6. XSS defense modes

    1. HttpOnly
    How it works: the browser forbids the page's JavaScript from accessing cookies that carry the HttpOnly attribute. This is now a "standard" practice. In JavaEE, HttpOnly is added to a cookie as follows: `response.setHeader("Set-Cookie","cookiename=value; Path=/; Domain=domainvalue; Max-Age=seconds; HTTPOnly");`
    2. Input check (XSS Filter)
    How it works: blocks attacks that rely on certain special characters. (Common web vulnerabilities such as XSS and SQL injection require the attacker to construct some special characters.) * The logic of the input check must be implemented on the server side, because a check on the client side is easily bypassed by the attacker. The common practice is to do the same check on both ends: the client-side check stops most normal users from performing wrong operations and saves server resources. Solution: check for sensitive strings such as "javascript" and "<script></script>", and for special characters such as <>:"&/' in the string.
    3. Output check
    How it works: in general, apart from rich-text output, use encoding or escaping to defend against XSS whenever a variable is output to an HTML page. * HTML: the htmlentities() and htmlspecialchars() functions * JavaScript: JavascriptEncode (uses "\" to escape special characters, and the output variable must be inside quotes) * Output into the PATH or search part of a URL: use URLEncode
    4. Stricter practice
    Encode every character except digits and letters in hexadecimal.
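The output-check rules above (HTML escaping, JavascriptEncode with hex escapes for everything but letters and digits, URLEncode for URL parameters) and the HttpOnly cookie from point 1, as an added example in Node.js. This is not code from the original post; the function names and the search-page template are my own, and the cookie builder adds the Secure and SameSite attributes on top of the HttpOnly flag the post describes.

```javascript
// Added example (not from the original post): context-aware output encoding.
// Each function matches one output context named in the post.

// HTML context: the equivalent of PHP's htmlspecialchars() with ENT_QUOTES.
// "&" is replaced first so already-encoded output is not double-escaped.
function encodeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;")
    .replace(/\//g, "&#x2F;");
}

// JavaScript string-literal context (the post's "JavascriptEncode"), using the
// "stricter practice": hex-escape everything except letters and digits, so neither
// a quote nor "</script>" can break out of the literal.
function encodeJs(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 256
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// URL query context: percent-encode so the value cannot add or alter parameters.
function encodeUrlParam(value) {
  return encodeURIComponent(String(value));
}

// Render a search-results page that echoes the term into all three contexts.
// `term` is untrusted user input; it is never concatenated raw.
function renderSearchPage(term) {
  return [
    `<p>Results for: ${encodeHtml(term)}</p>`,
    `<script>var lastSearch = "${encodeJs(term)}";</script>`,
    `<a href="/search?q=${encodeUrlParam(term)}">Search again</a>`,
  ].join("\n");
}

// Session cookie the page's scripts cannot read (HttpOnly), sent only over TLS
// (Secure) and withheld from cross-site requests (SameSite=Lax). Node equivalent
// of the post's JavaEE setHeader line.
function sessionCookieHeader(name, value, maxAgeSeconds) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Max-Age=${maxAgeSeconds}; HttpOnly; Secure; SameSite=Lax`;
}

module.exports = { encodeHtml, encodeJs, encodeUrlParam, renderSearchPage, sessionCookieHeader };
```

Running `renderSearchPage('<script>alert(123)</script>')` (the probe string from point 4 above) produces markup in which the payload appears only as text, as an escaped JS string and as a percent-encoded query value; the same input through `encodeHtml` alone is what a server-side "output check" would emit.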

CSRF (Cross-Site Request Forgery)

Cross-site request forgery is an attack in which the attacker operates the user's account using the user's identity. The attacker lures the user to a harmful third-party site, which performs an operation under the user's identity; the user's identity information is thereby given away, and the attacker can then use that forged, yet real, identity information to impersonate the user and perform malicious operations on some website.

However, an attacker can forge a request successfully only if he can predict all the parameters of the URL and their values (of course, on a secure site he can act as himself and still obtain the parameters). Otherwise the attack cannot succeed.

What is **CSRF** and how does it harm users

P9-juejin.byteimg.com/tos-cn-i-k3…

From the figure above we can conclude that two conditions must be met for a CSRF attack to succeed:

  • The user logs in to trusted site A and generates cookies locally
  • Visit harmful site B without logging out of Site A
  1. CSRF principle

    A CSRF attack is one in which the attacker operates the user's account by using the "user's identity". For example, in the movie Fast and Furious 5, Giselle uses her underwear to obtain the fingerprints of the Brazilian boss and finally opens the safe by forging the fingerprints. CSRF is just the implementation of this method on the network.
  2. CSRF attack modes

    • Cookie policy of the browser

      Browsers generally hold two types of cookies. Session Cookies (temporary cookies) are stored in the memory of the browser process and become invalid after the browser is closed. Third-party Cookies (local cookies) have an Expire Time specified by the server in Set-Cookie; if the local cookie expires, the website asks the user to log in again.

      The Session Cookie remains valid while the browser has a tab open on the website, so launching a CSRF attack during that time is feasible.

    • Side effect of the P3P header

      The "P3P Header" is a W3C privacy standard, "The Platform for Privacy Preferences". If a website returns an HTTP response containing a P3P header to the browser, the browser will, to some extent, be allowed to send third-party cookies. In IE, even tags such as "<iframe>" and "<script>" will then no longer be blocked from sending third-party cookies. It is mainly used on pages that require cross-domain access, such as ads.

    • GET and POST requests

      Because tags such as <img>, <iframe> and <script> can only issue GET requests, there is a misconception that CSRF attacks can only be initiated by GET requests. To construct a POST request, simply build a form inside an invisible iframe and use JavaScript to submit the form automatically. The entire automatic submission is invisible to the user.
  3. CSRF defense modes

  • Verification code (captcha)

    Principle: in a CSRF attack the network request is created without the user's knowledge. After a verification code is added, the user is forced to interact with the application. * Advantage: simple and effective * Disadvantage: a website cannot add verification codes to every operation

  • Referer check

    Principle: * The Referer header carries the address of the page from which the current request originated. In general that is the page that initiated the request; if the request is made inside an iframe, the corresponding page URL is the iframe's src * Advantage: easy to use (just add an interceptor in front of all security-sensitive requests to check the Referer value) * Disadvantage: the server cannot always obtain the Referer 1. Many users restrict sending of the Referer out of privacy concerns 2. Browsers do not send the Referer in some cases, for example when navigating from HTTPS to HTTP, for security reasons

  • Anti-CSRF Token

    How it works: encrypt the parameters, or add a random number, so that the attacker cannot guess the parameter values, cannot construct the request URL, and therefore cannot launch a CSRF attack. Example (adding a token): * Suppose a delete operation URL is `http://host/path/delete?username=abc&item=123` * Keep the original parameters unchanged and add a Token whose value is random and unpredictable: `http://host/path/delete?username=abc&item=123&token=[random(seed)]` * Advantage: more secure than the Referer check, and does not involve user privacy * Disadvantages of encrypting parameters: 1. The encrypted URL is very hard to read and unfriendly to users 2. The encrypted parameters change every time, so users cannot bookmark or search for the page 3. Ordinary parameters may also get encrypted or hashed, which makes the DBA's work much harder, because data analysis often needs the plain-text parameters * Disadvantage of tokens: it is difficult to add a token to every request

    Points to be aware of

    1. The Token must be sufficiently random and must be generated with a sufficiently secure random number algorithm
    2. The Token is held jointly by the user and the server and must not be known to any third party
    3. The Token can be placed in the user's Session or in a browser Cookie
    4. Put the Token in a form wherever possible, change sensitive actions from GET to POST, and submit them as forms to avoid Token disclosure (for example, on a page such as http://host/path/manage?username=abc&token=[random], if the page contains an image whose address the attacker can specify, the address of the page is sent to the evil.com server as the Referer of an HTTP request, and the Token leaks)

  • XSRF

When a website has both XSS and CSRF vulnerabilities, XSS can simulate the client browser and perform any operation. Under an XSS attack, the attacker can request the page, read the Token value from the page content, and then construct a legitimate request.

Clickjacking

Clickjacking is a form of visual deception. The attacker overlays a web page with a transparent, invisible iframe and then tricks the user into operating on the page, so that the user unknowingly clicks on the transparent iframe. By adjusting the position of the iframe, the attacker can trick the user into hitting particular functional buttons on the framed page.

For example, programmer Wang visited web page A and clicked a blank area, but the browser unexpectedly opened the page of "XX New Lisboa Casino". He then opened the console on page A and found a transparent iframe in the blank area, embedding the URL of a third-party web page.
  1. Clickjacking defense modes

    1. The `X-Frame-Options` HTTP response header tells the browser whether the page may be displayed inside `<frame>`, `<iframe>` or `<object>`. It has three possible values:
       * DENY: the browser will not load the current page in any frame, even if the framing page has the same domain name.
       * SAMEORIGIN: the page may be loaded in a frame, but the framing page must have the same domain name.
       * ALLOW-FROM uri: the page may be loaded in a frame from the specified source (the address of the framing page can be defined).
    2. Disallow nesting in an iframe with a frame-busting script:

    ```javascript
    // If this window is not the top-level window, navigate the top window to this page
    if (window.top.location !== window.self.location) {
      window.top.location = window.self.location;
    }
    ```

Other Security Issues

  1. Cross-domain handling errors: when the server sets `Access-Control-Allow-Origin` to the wildcard `*`, it allows cross-domain requests from any domain.
  2. postMessage: `postMessage` lets any window object (the current window, a popup, an iframe, etc.) send text messages to other windows, which implements cross-window messaging. This function is not restricted by the same-origin policy. Where necessary, the receiving window should validate the sender's domain, and even the URL, to prevent messages from illegitimate pages. This is effectively implementing the same-origin policy in code: the receiving window performs a security check on the message it receives.
  3. Web Storage: Web Storage is divided into Session Storage and Local Storage. Although it is restricted by the same-origin policy, sensitive information stored there may still become the target of an attack.
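The two checks asked for in points 1 and 2 above, a CORS allowlist instead of the `*` wildcard and origin validation of incoming postMessage events, as an added example (not the post's code). The allowlist of trusted origins is constructed for the example, and `corsHeadersFor`, `handleMessage` and `sendToFrame` are my own names; the headers themselves are the standard CORS response headers.

```javascript
// Constructed allowlist: the only origins this site exchanges data with (assumption).
const TRUSTED_ORIGINS = new Set(["https://app.example", "https://admin.example"]);

// CORS: echo the requesting Origin back only when it is on the allowlist, never "*".
// Returns the headers to add, or null so the response carries no CORS headers at all.
function corsHeadersFor(requestOrigin) {
  if (!TRUSTED_ORIGINS.has(requestOrigin)) return null;
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    // Tell caches the answer depends on Origin, so one origin's response is never
    // served to another.
    "Vary": "Origin",
    "Access-Control-Allow-Credentials": "true",
  };
}

// postMessage receiver: check event.origin before touching event.data, and treat
// the data as untrusted input (parse it, then validate its shape).
function handleMessage(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return { accepted: false, reason: "untrusted origin" };
  }
  let payload;
  try {
    payload = JSON.parse(event.data);
  } catch {
    return { accepted: false, reason: "malformed payload" };
  }
  if (!payload || typeof payload.type !== "string") {
    return { accepted: false, reason: "missing type" };
  }
  return { accepted: true, type: payload.type };
}

// Sender side: name the target origin explicitly. With "*", any page that has
// navigated the frame elsewhere would receive the message.
function sendToFrame(frameWindow, message, targetOrigin) {
  if (targetOrigin === "*") throw new Error("refusing wildcard targetOrigin");
  frameWindow.postMessage(JSON.stringify(message), targetOrigin);
}

module.exports = { corsHeadersFor, handleMessage, sendToFrame };
```

In a browser, `window.addEventListener("message", (e) => handleMessage(e))` wires the receiver up; the same `TRUSTED_ORIGINS` set drives both directions, so adding an origin is a single, reviewable change.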

Conclusion

  1. Be careful with user input and perform input checks (on both the client and the server)
  2. Whenever a variable is output to an HTML page, encode or escape it to prevent XSS
  3. Add a verification code wherever one is needed
  4. Add a Token parameter to important requests wherever possible; make sure the Token is sufficiently random and generated with a secure random number algorithm
