preface
- Friend says: I heard you made a website
- I said: Yes, become my user
- Friends say: ok, you know SQL injection, XSS attack
- I said, I don’t know
- My friend said to me tomorrow, wow, the administrator account is good, there are a lot of permissions, really fragrant
- I said: how can you log in my administrator account??
- My friend said: You do not know SQL injection, XSS attack, then you certainly did not do these, I use SQL injection, know the administrator account can log in
- Frighten me to do the relevant work quickly, good friend informed
- The following details SQL injection, XSS attacks and their resolution
Four aspects:
1. What is SQL injection
- The so-called SQL injection is to trick the server into executing malicious SQL commands by inserting SQL commands into Web form submission or query string for entering domain names or page requests. SQL injection is the most primitive and simplest attack, since web2.0 has had SQL injection attacks.
2. Example of SQL injection
- For user login, we need to query the users table and compare the username and password.
- The SQL statement:
-
Select * from users WHERE username="zhangsan" and password="524abb53cce35"// SQL injection user name write: zhangsan'-- select * from users WHERE username='zhangsanThe '-' and password='5245'Copy the code
-
-
The above two SQL statements can query the existence of the user, and the second statement in the password verification statement has been logged off, so this time if others know your user name can log in to your account, it is not very dangerous ??????
-
SQL > execute SQL statement ()
-
select id, username, realname from users where username='zhangsan '-- ' and password='696'Copy the code
- Don’t panic, let’s take a look at the previous db/mysql.js file,
-
const mysql = require('mysql') const { MYSQL_CONF } = require('.. /conf/db'Const con.createconnection (MYSQL_CONF) const con = mysql.createconnection (MYSQL_CONF) const con = mysql.createconnection (MYSQL_CONFfunction exec(sql) { const promise = new Promise((resolve, reject) => { con.query(sql, (err, result) => { if (err) { reject(err) return } resolve(result) }) }) return promise } module.exports = { execEscape: mysql.escape // prevent SQL injection encoding special characters}Copy the code
- See this key code??
- Escape: mysql.escape // Prevents SQL injection from encoding special characters
- Let’s change the controller/users.js login method:
-
const { exec, escape } = require('.. /db/mysql') const { genPassword } = require('.. /utils/cryp') const register = async (username, password) => { ... } const userNameFilter = async (username) => { ... } const login = async (username, Password) => {username = escape(username) // Formatting prevent SQL injection password = genPassword(password) // Generate encryption password password = Escape (password) // formatting prevent SQL injection const SQL = 'select ID, username, realname from userswhere username=${username} and password=${password} ` // console.log('sql is', sql) const rows = await exec(sql) return rows[0] || ' ' } const userInfo = async (id) => { ... } module.exports = { login, register, userNameFilter, userInfo }Copy the code
- Let’s log in again and find that the login failed
- SQL statement executed after formatting:
-
select id, username, realname from users where username='zhangsan \'-- ' and password='6996'Copy the code
- From the above comparison, we can see that escape formats the following special characters that can affect the SQL statement, preventing the concatenation of the SQL statement.
- So just in case, we need toAll variables that can be concatenated into SQL statements must be added to escape!
3. What is XSS attack
- XSS attack usually refers to the use of the vulnerabilities left in the development of the web page, through a clever way to inject malicious command code into the web page, the user load and execute the malicious web program made by the attacker. These malicious web programs are usually JavaScript, but can actually include Java, VBScript, ActiveX, Flash, or even plain HTML. After a successful attack, the attacker may gain various contents including but not limited to higher permissions (such as performing some operations), private web content, sessions and cookies.
- Attack mode:
- Stealing cookies to get sensitive information.
- By embedding Flash, obtain higher permissions through crossDomain permission setting; Or use Java, etc., to get similar operations.
- Use iframe, Frame, XMLHttpRequest, or the above Flash method to perform administrative actions as the (attacked) user, or perform general operations such as tweeting, adding friends, and sending private messages.
- By taking advantage of the fact that the domain that can be attacked is trusted by other domains, the trusted source requests some operations that are not normally allowed, such as improper voting activities.
- XSS on heavily visited pages can attack small websites to achieve the effect of DDoS attacks.
4. Nodejs protects against XSS attacks:
- On the home page we install an XSS dependency
-
npm install xss --save-devCopy the code
- Let’s take a simple example. Read the notes!!
-
const xss = require('xss'// import XSS const {exec } = require('.. /db/mysql') const newBlog= async (blogData = {}) => { Contains the title Content author attribute const title = XSS (blogdata.title) // Defend against XSS attacks const Content = XSS (blogdata.content) // Defend against XSS attacks const author = blogData.author const createTime = Date.now() const sql = ` insert into blogs (title, content, createtime, author) values ('${title}'.'${content}'.${createTime}.'${author}'); ` const insertData = await exec(sql) return { id: insertData.insertId } } module.exports = { getList, getDetail, newBlog }Copy the code
- To be brief: The way to protect against XSS attacks is to encode special characters
- What are special characters?
- The data entered by the user is HTML Entity encoded, that is, to
<script>
,<a>
Labels, such as< >
Make the conversion, and then save it to the background database. - Such as:
- Malicious input in the input box
<script>
document.cookie</script>
, will be converted to the following statement and stored in the database: < script>
document.cookie< /script>
Has reached the level of unenforceable<script>
Purpose !!!!
The last
SQL injection: Stealing database content
XSS attack: steal sensitive information such as cookies of the front end
Password encryption: Ensure user information security (Important)
DDOS attacks: Requires hardware and services to support (requires OP support)
The original address
Juejin. Cn/post / 684490…
reference
Chapter 5: nodejs koa2 mysql redis the whole development of stack – security (SQL injection, XSS attacks) : blog.csdn.net/u012878818/…