This article is a reading summary of "White Hat Talks Web Security" by Wu Hanqing; interested readers are encouraged to read the book itself.
1. A brief introduction
The Internet used to be considered safe; it became unsafe once people started studying it from the attacker's side.
1.1 What is Security?
The dictionary definition of security is to be free from danger, harm or loss.
1.2 Under what circumstances do security problems arise?
Think of an airport or train station: before passengers board, they must pass through a security check, during which staff look for lighters, flammable liquids and other dangerous items. The check exists because the operator cannot tell which passengers to trust. Without it, anything could be carried on board, and that is what we call a security problem.
Why do we have security checks? It comes down to trust. Security problems arise wherever a trust relationship is broken or cannot be established.
1.3 How to conduct an effective security assessment?
A security assessment can be divided into four stages: asset classification, threat analysis, risk analysis, and identifying the solution.
Asset classification: define what we are protecting and what our goals are. The core of Internet security is data security; the user's data is what we need to protect.
Threat analysis: find all possible sources of harm, usually by brainstorming to list every situation that could damage the assets.
Risk analysis: for each threat, estimate how much damage it could cause and how likely it is to occur, so that threats can be ranked.
Identify the security solution: the outcome of the assessment is a concrete solution. It must be tailored to the findings of the first three stages, so that the most valuable assets and the highest-ranked risks are addressed first.
2. Browser security
In recent years, with the development of the Internet, the browser has become the biggest entrance to the Internet: the vast majority of users reach the Internet through a browser. Competition in the browser market has therefore become increasingly heated, and in such an environment more and more vendors attach importance to browser security.
2.1 Same Origin Policy
Browser security is built on the same-origin policy. It is the core and most basic security function of the browser; without it, the browser's normal functions could not be kept separate and safe.
The browser's same-origin policy restricts documents or scripts loaded from one origin from reading or setting certain properties of documents from a different origin.
This policy is very important. Without it, a script belonging to a.com could freely read and modify a page on b.com, even though b.com never loaded that script. To keep page behaviour from descending into chaos, the browser introduced the concept of "Origin": objects from different origins may not interfere with each other.
The factors that determine the origin are the protocol (scheme), the host (including any subdomain), and the port. The path, query string and fragment play no role.
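To make the three factors concrete, here is an added example (not from the book or from the article) that computes the origin of a URL the way the same-origin policy does and compares pairs of constructed URLs. It uses only the standard URL class available in browsers and Node.js; the sample URLs are constructed for illustration.

```javascript
// Added example: compute and compare origins as the same-origin policy does.
// Only the built-in WHATWG URL class is used; the URLs below are constructed.

// Returns the origin tuple (scheme, host, port) for a URL string.
// The URL class drops a default port (80 for http, 443 for https), so it is
// filled back in to make "http://a.com" and "http://a.com:80" compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  const defaultPorts = { "http:": "80", "https:": "443" };
  const port = u.port || defaultPorts[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname, port };
}

// Two URLs are same-origin only when all three parts are identical;
// the path, query and fragment play no role.
function isSameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Constructed pairs, one for each factor named in the text.
const pairs = [
  ["http://a.com/index.html", "http://a.com/user/profile?id=1"], // same: only path/query differ
  ["http://a.com", "http://a.com:80/x"],                          // same: explicit default port
  ["http://a.com", "https://a.com"],                              // different scheme
  ["http://a.com", "http://www.a.com"],                           // different host (subdomain)
  ["http://a.com", "http://a.com:8080"],                          // different port
];

// Produces one row per pair with the verdict, for display or assertions.
function sameOriginTable(list = pairs) {
  return list.map(([a, b]) => ({ a, b, sameOrigin: isSameOrigin(a, b) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const row of sameOriginTable()) console.log(row);
}
```

Only the first two pairs are same-origin; a change to any one of scheme, host or port produces a different origin, which is why a.com's subdomain and a.com on another port are treated as strangers.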
2.2 Malicious URL blocking
The working principle of malicious URL blocking is simple. The browser periodically downloads the latest blacklist of malicious URLs from the vendor's server; if the user visits a site on the blacklist, the browser shows a warning page instead of loading it.
3. Cross-site scripting attacks
Cross-site scripting (XSS) is the number one enemy of client-side script security.
XSS stands for Cross Site Scripting. It was originally abbreviated CSS, but to avoid confusion with Cascading Style Sheets the security field settled on "XSS".
3.1 XSS attacks
In an XSS attack the attacker uses "HTML injection" to tamper with a web page and insert a malicious script, gaining control of the user's browser while the user views that page. For example, an attacker publishes an article containing malicious JS code; the code runs in the browser of everyone who opens the article, and the XSS attack is complete.
3.2 Reflective XSS
In reflected XSS the server simply reflects the user's input back to the browser, for example by echoing a query parameter into the page. The payload lives in the URL, so the attacker usually has to entice the victim into clicking a crafted link for the attack to succeed.
3.3 Storage XSS
In stored XSS the data entered by the user is "stored" on the server, for example as a comment or article, and served to every visitor. The attacker saves the malicious script on the target server, so the attack is persistent: it is very stable and, in theory, keeps working for as long as the data remains.
3.4 XSS Defense
XSS defense is complex.
3.4.1 HttpOnly
HttpOnly was first proposed by Microsoft and implemented in Internet Explorer 6, and has since become a standard. When a cookie carries the HttpOnly attribute, the browser prohibits the page's JS from reading it.
Strictly speaking, HttpOnly is not designed to prevent XSS. It addresses the cookie-hijacking step that usually follows XSS: an injected script can no longer read the session cookie via document.cookie and send it to the attacker. HttpOnly is now supported by essentially all browsers, but it only mitigates one consequence of XSS; the vulnerability itself still has to be fixed by the other defenses below.
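As an added example (not from the book or the article), the following code parses Set-Cookie headers and reports which cookies an injected script could still read, and shows how a session cookie should be issued. The header strings are constructed; the Secure attribute is included as an additional recommended flag, not something the text above discusses.

```javascript
// Added example: audit Set-Cookie headers for missing HttpOnly and build a
// correctly flagged session cookie. All header strings are constructed.

// Splits one Set-Cookie value into its name and the attributes that matter here.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map(s => s.trim());
  const eq = nameValue.indexOf("=");
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  // Attribute names are case-insensitive; values (Path=/, Max-Age=...) are ignored.
  const flags = new Set(attrs.map(a => a.split("=")[0].toLowerCase()));
  return { name, httpOnly: flags.has("httponly"), secure: flags.has("secure") };
}

// Names of cookies that document.cookie would expose to script on the page,
// which is exactly what a post-XSS cookie-hijacking payload reads.
function scriptReadableCookies(headers) {
  return headers.map(parseSetCookie).filter(c => !c.httpOnly).map(c => c.name);
}

// Builds the Set-Cookie value for a session identifier. HttpOnly keeps it out
// of document.cookie; Secure (assumed here) keeps it off plaintext HTTP.
function sessionCookieHeader(name, value) {
  return `${name}=${value}; Path=/; HttpOnly; Secure`;
}

// Constructed response headers from a hypothetical application.
const sampleHeaders = [
  "sessionid=abc123; Path=/; HttpOnly; Secure",
  "legacy_session=def456; Path=/",          // session cookie readable by injected script
  "theme=dark; Path=/; Max-Age=31536000",   // preference cookie, harmless if read
];

if (typeof require !== "undefined" && require.main === module) {
  console.log("script-readable:", scriptReadableCookies(sampleHeaders));
  console.log(sessionCookieHeader("sessionid", "abc123"));
}
```

Running the audit over the sample headers flags legacy_session and theme; only the first cookie is protected. Flagging the preference cookie is harmless, but a session cookie in that list is a finding.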
3.4.2 Input Check
For XSS defense, input checking generally means inspecting the data the user submits for special characters such as < and >, and filtering or encoding them when found. This kind of input check is often called an "XSS Filter", and there are many open source implementations on the Internet.
An XSS Filter examines the variables when the user submits the data. At that moment the data has not yet been combined with the HTML that will render the page, so the filter cannot know the context in which the data will appear, and its decisions are necessarily incomplete. It may even damage legitimate input: if the user types 1<3, a crude filter strips the < symbol. A good XSS Filter therefore has to be written with care, and it should not be the only defense.
3.4.3 Output Check
In general, with the exception of rich text, XSS can be defended against by encoding variables at the moment they are output into the HTML page, choosing the encoding for the context: HtmlEncode for HTML content and attribute values, JavascriptEncode for data placed inside a script. The idea is similar to the input check, but because the output context is known, the encoding can be exact instead of guessed.
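The following added example (not from the book or the article) contrasts the naive input-side filter from 3.4.2 with context-aware output encoding from 3.4.3. It renders a constructed comment into both an HTML element and a script string literal, first unsafely and then with encoding; the helper names and sample inputs are mine.

```javascript
// Added example: naive "XSS Filter" versus output encoding chosen per context.
// Helper names and all sample inputs are constructed for this illustration.

// Naive input filter: strips angle brackets wherever they appear.
// It breaks legitimate input such as "1<3" and does nothing for script context.
function naiveXssFilter(input) {
  return input.replace(/[<>]/g, "");
}

// HtmlEncode: escape the characters with meaning in HTML text and attribute
// values so user data can never close a tag or an attribute.
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };
  return String(s).replace(/[&<>"'\/]/g, ch => map[ch]);
}

// JavascriptEncode: for data inside a <script> string literal, hex-escape
// everything except letters and digits so neither a quote nor "</script>"
// in the data can break out of the literal.
function javascriptEncode(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, ch => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// Vulnerable rendering: the comment is pasted into both contexts verbatim.
function renderVulnerable(comment) {
  return `<p class="comment">${comment}</p>\n<script>var last = "${comment}";</script>`;
}

// Safe rendering: the same template, but each output point encodes for its context.
function renderSafe(comment) {
  return `<p class="comment">${htmlEncode(comment)}</p>\n<script>var last = "${javascriptEncode(comment)}";</script>`;
}

// Constructed inputs: one harmless value a crude filter damages, and one payload per context.
const samples = {
  harmless: "1<3",
  htmlPayload: '<img src=x onerror="alert(1)">',
  scriptPayload: '";alert(1);//',
};

// Crude detector for this demo only: an <img ... onerror= tag, or the script
// literal being closed early so that alert(1) is executed as code.
function looksExploitable(html) {
  return /<img\s[^>]*onerror=|<script>var last = "";alert/.test(html);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("naive filter on 1<3 ->", naiveXssFilter(samples.harmless));
  for (const [name, input] of Object.entries(samples)) {
    console.log(name, "vulnerable:", looksExploitable(renderVulnerable(input)),
                "safe:", looksExploitable(renderSafe(input)));
  }
}
```

The naive filter turns 1<3 into 13 while leaving the script-context payload untouched, whereas output encoding keeps 1<3 readable as 1&lt;3 and neutralises both payloads, because the encoding is chosen at the point where the context is known.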
4.CSRF
4.1 What is CSRF
CSRF, Cross-Site Request Forgery, is a common Web attack in which the attacker makes the victim's browser send a request the victim did not intend.
For example, suppose we have a blogging system where a logged-in user deletes the blog post numbered "1" simply by requesting the URL:
Blog.com/manage/dele…
This URL has a CSRF vulnerability: it changes state on a plain GET request whose parameters the attacker can guess. First, the attacker constructs a page in his own domain:
www.a.com/csrf.html
Its contents are as follows:
<img src="blog.com/manage/dele…" />
It uses an img tag whose src attribute points to the link that deletes the blog post.
The attacker then lures the target user, the blogger, into visiting this page. The browser fetches the image URL and automatically attaches the blogger's cookies, so the request is authenticated.
As soon as the page is viewed, the blog post is deleted.
4.2 CSRF defense
The essence of a CSRF attack is that the request is sent without the user's knowledge, so the defenses all aim to prove that the user really intended it.
4.2.1 Captcha
Captchas are considered the simplest and most effective defense against CSRF.
Because the network request in a CSRF attack is constructed without the user's knowledge, a captcha essentially forces the user to interact with our application in order to complete the request, which a forged request cannot do. The cost is that captchas cannot be placed on every operation without hurting usability.
4.2.2 Referer Check
Check the Referer of the current request to determine where it came from: a request to delete a post whose Referer is not a page on our own site is treated as a CSRF attack. The limitation is that the Referer is not always present, since browsers and proxies may strip it for privacy, so the server cannot rely on it as the only defense.
4.2.3 Anti-CSRF Token
The essential reason CSRF succeeds is that all the parameters of an important operation can be guessed by the attacker. The fix is to add a parameter the attacker cannot guess: a random token. The server generates the token and binds it to the user's session (storing it in a cookie or in the server-side session); a same-origin page reads the token and adds it to each request as a header or a form parameter, and the server checks that the submitted token matches the one bound to the session. A forged request can only carry what the browser attaches automatically, namely the cookie; the attacker's page, being on a different origin, cannot read the cookie to copy the token into the request parameters. Because the token is random, the attacker cannot forge a correct value either, so the forged request fails the check and the attack is prevented.
5. Conclusion
This article is included in JGrowing, a comprehensive Java learning path co-built by the community; the project is on GitHub at github.com/javagrowing… and welcomes contributors.