XSS (Cross-site Scripting)

1. Principle

A malicious script is injected into the HTML document the user is currently viewing

2. Forms

Manifestations (what the injected script can do)

  • Stealing cookies
  • Monitoring user behavior
  • Modifying the DOM to forge a form
  • Generating floating-window ads in the page

2.1 Stored XSS

The malicious script is submitted to the server's database (e.g. posted to a message board or comment section)

When the client fetches the data from the database and renders the page, the malicious code is executed

For example, the current page's cookie is sent to a third-party server, completing the attack

2.2 Reflected XSS

The malicious script (a script tag) is passed to the backend as a request parameter

The backend echoes the parameter back in its response; the browser parses it as a script and executes it, and the user is attacked

2.3 Document-type XSS

This attack does not go through the server: the attacker acts as a man in the middle, hijacking network packets in transit and modifying the HTML document inside them

  • Wi-Fi router hijacking
  • Local malware

3. Solutions

  1. Both the front end and the back end need to encode and filter user input
    1. Encode the left and right angle brackets
    2. Filter script tags
  2. HttpOnly
    1. A key aim of XSS is to steal the user's cookie
    2. So mark the cookie HttpOnly, which makes it inaccessible to JS scripts
  3. CSP
    1. The browser's Content Security Policy
    2. The server decides which resources the browser is allowed to load
      1. Restrict loading resources from other domains
      2. Restrict submitting data to other domains
      3. Provide a reporting mechanism
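The three countermeasures above, worked through in plain Node.js. This is an added example, not code from the original notes or from the sites they reference; the message-board rendering, the cookie name `session` and the report path `/csp-report` are assumptions made for the example.

```javascript
// Added example, not part of the original notes: the three XSS countermeasures
// listed above (output encoding, HttpOnly cookies, CSP), in plain Node.js.
// The message-board rendering, cookie name and report path are assumptions.

// 1. Encode the characters that let user input break out of its HTML context.
//    Angle brackets stop a <script> tag from being parsed; quotes and ampersands
//    stop attribute-context breakouts and double decoding.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a message board. The unsafe version interpolates the stored comment
// verbatim (the stored-XSS sink from section 2.1); the safe version encodes it.
function renderCommentsUnsafe(comments) {
  return '<ul>' + comments.map((c) => `<li>${c}</li>`).join('') + '</ul>';
}
function renderComments(comments) {
  return '<ul>' + comments.map((c) => `<li>${escapeHtml(c)}</li>`).join('') + '</ul>';
}

// 2. HttpOnly: the browser still sends the cookie to the server, but
//    document.cookie cannot read it, so an injected script cannot exfiltrate it.
function sessionCookieHeader(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; HttpOnly; Secure; Path=/`;
}

// 3. CSP: the server tells the browser which origins may supply resources,
//    where forms may be submitted, and where to report violations.
function cspHeader(reportPath = '/csp-report') {
  return [
    "default-src 'self'",       // load resources only from our own origin
    "script-src 'self'",        // no inline scripts, no third-party scripts
    "form-action 'self'",       // forms may submit only to our own origin
    "object-src 'none'",
    `report-uri ${reportPath}`, // the browser POSTs violation reports here
  ].join('; ');
}

// Constructed sample input: an ordinary comment and one carrying a script tag.
const SAMPLE_COMMENTS = [
  'Great article!',
  '<script>alert(document.cookie)</script>',
];

function demo() {
  return {
    unsafe: renderCommentsUnsafe(SAMPLE_COMMENTS),
    safe: renderComments(SAMPLE_COMMENTS),
    cookie: sessionCookieHeader('abc123'),
    csp: cspHeader(),
  };
}
```

Calling demo() shows the same stored comment rendered twice: the unsafe output contains a live script tag, the safe output contains only the text `&lt;script&gt;...`, which the browser displays but never executes. The cookie and CSP headers are what the server would send with the page.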

CSRF (Cross-site Request Forgery)

1. Principle

A cross-site request is initiated by exploiting [a server-side authentication weakness] together with [the user's existing login state (the cookie)]

The user has logged in to the bank website, so the browser holds a cookie that proves the user's login

A malicious website forges a form and induces the user to submit it; the browser automatically attaches the bank website's cookie

Cookies sent this way, on requests made from a third-party website, are called third-party cookies

2. Forms

2.1 Automatically sending a GET request

The hacker's site uses the src attribute of an img element to automatically send a GET request to the attacked site

If the user is logged in to the attacked site, the request automatically carries the attacked site's cookie

2.2 Automatically sending a POST request

The hacker's site automatically submits a form to modify the user's data

2.3 Inducing a click that sends a GET request

The user is induced to click an a element, whose href sends a GET request

3. Solutions

  1. Use the SameSite attribute of the cookie to restrict when the cookie is carried in requests
    1. Strict: the browser never carries the cookie on third-party requests
    2. Lax: some third-party requests (GET requests that navigate to the target URL) may carry the cookie
      • Links: the href of an a element
      • Preload requests: the href of a link element
      • GET forms
    3. None: all requests can carry the cookie
  2. CSRF Token
    1. When the browser visits the server, the server generates a token and embeds it in the returned page
    2. The browser must carry this token when it accesses the server again
    3. Third-party sites cannot obtain this token
  3. Verify the source site using the Origin and Referer request headers
    • Origin: indicates the domain name
    • Referer: indicates the URL path
    • However, both of these can be forged with Ajax custom request headers, so they are less secure

HTTPS

HTTPS stands for:

  • HTTP over SSL
  • HTTP over TLS
  • HTTP Secure

1. HTTP transmits in plaintext

Data transmitted in plaintext between the client and server may be intercepted by a hacker, resulting in data leakage

2. Use symmetric encryption only

Symmetric encryption requires:

  • An encryption algorithm (a pair of encryption and decryption algorithms)
  • A secret key

The encryption algorithm encrypts the data with the key, and the decryption algorithm recovers the original data with the same key

Problems

  • If the same key is used for all users, there is effectively no encryption
  • It is also impossible for the server to store a separate key for every user
  • So each user negotiates a key with the server before opening a session

So how is this key negotiated?

If the client simply asks the server and the server sends it, the key can be stolen by a hacker in transit.

Therefore, symmetric encryption alone provides no confidentiality; data may be leaked.

3. Use only asymmetric encryption

Asymmetric encryption:

  • Encrypt with the public key, decrypt with the private key
  • Encrypt with the private key, decrypt with the public key

What if only asymmetric encryption is used?

The client first needs to obtain the public key from the server; then the client holds the public key and the server holds the private key, and data can be transmitted

Problems

  • If the server's public key is available to anyone, data the server encrypts with its private key can be obtained and decrypted by anyone

4. Symmetric encryption + asymmetric encryption

Symmetric encryption alone and asymmetric encryption alone are both insecure, so what about combining the two?

Asymmetric encryption is used to negotiate a key between the client and server, and that key is then used for symmetric encryption of the subsequent data transmission

Man-in-the-middle problem

In the first step, when the client requests the public key, it is very dangerous if a hacker intercepts the request and acts as a man in the middle between the client and the server.

5. Introduce a CA

Purpose: ensure that the public key the client obtains in the first step is the server's public key, not a fake public key from a man-in-the-middle hacker

5.1 Preparatory stage

  1. The server sends its identity information to the CA. The CA generates a key pair to serve as the server's public and private keys, signs [server public key + identity information] with the CA private key to produce a certificate, and sends the [certificate] and [server private key] back to the server
  2. The CA's public key is shipped with the browser

5.2 Communication process

  1. TCP three-way handshake
  2. SSL handshake: authenticates the server and negotiates the symmetric encryption key
    • Client => Server: supported SSL versions, list of symmetric encryption algorithms, random number 1
    • Server => Client: chosen SSL version, symmetric encryption algorithm, random number 2, certificate
      • The client checks the certificate against the CA public key, thereby
        1. Verifying the server's identity
        2. Obtaining the server's public key
    • Client => Server: random number 3, hash(random number 1, random number 2)
      • Encrypted with the server's public key
    • Server => Client: hash(random number 1, random number 2, random number 3)
      • The server decrypts with its private key
      • And verifies that hash(random number 1, random number 2) equals the value it received
    • Client: verifies that hash(random number 1, random number 2, random number 3) equals the value it received
  3. Data communication proper, using symmetric encryption

References

sanyuan0704.top/my_blog/

zhuanlan.zhihu.com/p/50692294

www.bilibili.com/video/BV1w4…