Attacks

Cross-site Scripting (XSS)

The attacker tries to get a malicious script inserted into the page; once the browser executes it, the attack is complete.

Mainly by exploiting:

  • Blind trust in user-submitted content

  • string -> DOM conversions (HTML sinks)

    • document.write(anyString)
    • element.innerHTML = anyString;
    • SSR(user_data) // pseudocode: server-side rendering that interpolates user data into the page

Features:

  • Often hard to notice from the UI (the script runs silently)
  • Steals user information (Cookie/Token)
  • Draws UI (such as pop-ups) to trick the user into clicking or filling in a form, handing over even more private data

Stored XSS attacks

Features:

  • The malicious script is stored in the database
  • Visiting the page -> reading the data === the attack fires
  • Greatest damage: every user who loads that data is hit

Example: you are watching a video on iQiyi, a script injected via XSS steals your password, and because that account shares its password with your account on an e-commerce site, that account is taken over as well

Reflected XSS attacks (Reflected XSS)

Features:

  • No database involved
  • The payload is carried directly in the URL and echoed back by the server

Demo:

DOM-based XSS attacks (DOM-based XSS)

Features:

  • No server involvement required
  • Delivering the malicious payload and executing it both happen entirely in the browser

Demo:

Reflected vs DOM-based

Difference: where the script is injected

  • The former: the script is injected on the server, into the response
  • The latter: the script is injected in the browser, by client-side code

Mutation-based XSS attacks (mXSS)

Features:

  • Exploits the browser's DOM parsing and serialization behaviour (its own normalization rules): markup that looks harmless to a filter mutates into executable markup once the browser re-parses it
  • Differs between browsers, so the attack targets a specific browser's behaviour

Demo:

Cross-site Request Forgery (CSRF)

Features:

  • Happens without the user's knowledge
  • Leverages the user's credentials (cookies the browser attaches automatically)
  • Constructs a specific HTTP request to read or modify sensitive user data

CSRF-GET (constructing a GET request)

Active: construct an <a> tag; when the user clicks it the request is sent and the attack completes

Passive: as soon as the page is visited a GET request is issued automatically (for example from an <img src="..."> tag), completing the attack

CSRF beyond GET

The attacker uses an HTML <form> to construct an arbitrary request (for example a POST), with <input type="hidden"> fields supplying the values, and submits it with a script

Injection attacks

SQL Injection

Demo 1

① Read the request field

② Concatenate it directly into the SQL statement as a string

An attacker can then send a request whose username is an arbitrary string followed by `;` and `DROP TABLE ...`: the intended SELECT is followed by a DROP TABLE. "Delete the database and run" achieved, with the victim's own server doing the work!

Injection is not only SQL

  • CLI
  • OS commands
  • Server-Side Request Forgery (SSRF): the server is made to issue a request on the attacker's behalf
  • Strictly speaking SSRF is not injection, but the principle is the same: untrusted input reaches a sensitive interpreter or client

Demo 2 — Execute

(Terminal screenshot in the original: a root@localhost shell, i.e. the injected command runs with the server process's privileges.)

Read + modify

Denial of Service (DoS)

By some means (typically a specially constructed request), the server is made to consume so many resources that it can no longer respond to further requests; requests pile up and an avalanche effect follows.

Interlude: regular expressions, greedy mode

Concept: a quantifier repeats a pattern. Without a trailing `?` it is greedy (match as many repetitions as possible); with `?` it is lazy (match as few as possible).

ReDoS: DoS based on regular expressions

Greedy matching: try n repetitions; no match? Back off to n-1 and try again (backtracking). With nested quantifiers the number of ways to split the input grows exponentially, so one crafted string can make a single regex call burn seconds of CPU.

Distributed DoS (DDoS)

In a short period the server is flooded with requests from a large number of zombie devices (a botnet). It cannot complete them all in time, requests pile up, and it can no longer respond to new ones.

[No sophistication required: sheer volume does the work]

Features:

  • Often hits the IP address directly
  • Any API can be the target
  • Consumes a large amount of bandwidth (exhausts it)

SYN flood attacks

Transport layer

Man-in-the-middle attacks

Why man-in-the-middle attacks are possible:

  1. Data is transmitted in plaintext
  2. Tampering with the data cannot be detected
  3. The peer is not authenticated

Defenses

XSS

Core defensive ideas:

  • Never trust user-submitted content
  • Never convert user-submitted content directly into DOM

Frameworks

Front end

  • Mainstream frameworks defend against XSS by default (interpolated values are escaped)
  • google-closure-library

Server (Node)

  • DOMPurify

[Product requirement] No way around it: DOM must be generated dynamically from user content

string -> DOM

Be sure to sanitize the string first

Uploaded SVG

Sanitize SVG files as well (they can carry <script> elements and event handlers)

Custom redirect links

Filter these too (reject javascript: and other non-http schemes); better still, do not let users supply redirect targets at all

Custom styles

Filter these as well

Same-origin Policy

Same-origin: two URLs are same-origin only when their protocol (scheme), domain name (host) and port are all identical; otherwise they are cross-origin

If any one of the three (protocol, domain name, port) differs, the two are not same-origin

Content Security Policy (CSP)

Features:

  • Declares which sources (origins) are considered trusted
  • Scripts from a trusted source may execute; anything else is blocked and a violation is reported
  • Say no to eval and inline scripts

Delivered in the server's response header (Content-Security-Policy)

Or in a <meta http-equiv="Content-Security-Policy"> tag in the page

CSRF defense

If a forged request = a request from an unexpected source

then limiting the source of requests → limits forged requests

  • Origin header

    – Not sent on same-origin GET and HEAD requests

  • Referer header

Besides Origin and Referer, is there any other way to tell whether a request comes from a legitimate source?

  • If (the request comes from a legitimate page)
  • Then (the server served that page earlier)
  • Then (the server can recognise it)

Token (the server embeds a token when it serves the page and expects it back with the request)

① Bind it to the user: an attacker can also be a registered user === can obtain a token of their own, so a token that is not tied to the victim's session proves nothing

② Expiration time: an old token stops being valid, which limits the window if one leaks

iframe attacks

CSRF anti-pattern

GET !== GET + POST: do not let a state-changing action be triggered by GET, and do not treat GET and POST handlers as interchangeable

Avoid carrying the user's credentials on cross-site requests: SameSite cookies

Only same-site requests carry the cookie; cross-site requests do not.

Three values: None (the old behaviour, cookie always sent), Lax (sent on top-level navigations only, the sensible default), Strict (never sent cross-site, the strictest)

The right way to defend against CSRF

Not case-by-case defense; handle it uniformly in middleware

Injection

  • Find every place in the project that issues SQL
  • Use prepared statements (parameterised queries)

Injection beyond SQL

  • Principle of least privilege

    • The service must not be able to sudo or run as root
  • Set up an allow list + filter

    • `rm` (or any delete command) is simply not on the list
  • Restrict URL-type parameters by protocol, domain name and IP address

    • Make sure they cannot reach the intranet

DDoS

  • Traffic management

    • Load balancing (filtering)
    • API gateway (filtering)
    • CDN (anti-DDoS)
  • Fast automatic scaling (absorb the load)

  • Degrade non-core services (resilience)

DDoS defense is mainly handled by operations staff; as application developers we do not need to go very deep into it

Transport layer: defending against the man in the middle

The latest HTTP/3 has TLS 1.3 built in

Properties HTTPS provides

  • Confidentiality: encryption
  • Integrity: MAC (message authentication code)
  • Non-repudiation and authentication: digital signatures

The TLS handshake

There are two phases: an asymmetric phase (key exchange) and a symmetric phase (data transfer)

Asymmetric encryption phase

The browser first offers the server a list of cipher suites. The server picks one and returns its certificate. After receiving the certificate the browser verifies it, and the two sides then agree on a session key (the key exchange).

Symmetric encryption phase

Both sides use the session key just negotiated to encrypt everything transmitted.

Integrity

In the symmetric phase every message is sent encrypted and accompanied by a hash computed over the encrypted message. On receipt, the receiver takes the encrypted message, computes the hash the same agreed way, and compares it with the hash that was sent. If the two match the message was not tampered with; otherwise it may have been. In practice this hash is keyed (a MAC, as listed above) rather than a bare hash: a man in the middle who can recompute a plain hash could modify the message and re-hash it.

Interlude: digital signatures

The signer holds:

  • a private key (kept secret, used to sign)
  • a public key (publicly visible, used to verify)

Non-repudiation: digital signatures

All certificates are issued by a Certificate Authority (CA)

How digital signatures work in HTTPS

The server's identity information together with its public key is signed with the CA's private key; the signed result is the server's certificate. In the asymmetric phase the certificate is sent to the browser, which verifies the signature with the CA's public key. If it checks out the certificate is trusted, and the browser extracts the server's public key from it.

Where does the browser get the CA's public key?

The browser (or the operating system) ships with a large number of CA certificates embedded locally. A CA certificate contains the CA's public key, so the browser verifies with the locally stored public key.

Invalid certificates and failed certificate checks

When the signature algorithm is not robust enough:

HTTP Strict-Transport-Security (HSTS)

Actively upgrades HTTP to HTTPS

The browser requests a resource over HTTPS. The server responds with a Strict-Transport-Security header whose value is max-age=XXXX. Its meaning: within that time window, any request the browser would send to this host over plain HTTP is upgraded to HTTPS by the browser itself before it leaves, so the insecure request is never made.

Subresource Integrity (SRI)

Static files hijacked and tampered with (for example on a CDN)? Compare hash values

Essence: compare the hash of the static file to detect tampering

Demo

The <script> or <link> tag carries an integrity attribute: a hash algorithm name followed by the hash value (several algorithm-hash pairs may be listed). When the browser fetches the resource it computes the hash of the actual content and compares it with the value on the tag. If they match the content has not been tampered with; otherwise the browser refuses to execute or apply it.

A few extras

Feature Policy / Permissions Policy

Controls which browser features a page (origin) may use, for example:

  • camera
  • microphone
  • autoplay

Closing

  • Security is no small matter

  • The dependencies you use (npm packages, even Node.js itself) can be the weakest link

    • left-pad
    • eslint-scope
    • event-stream
  • Keep a learning mindset

Recommended readings

  • Web Application Security: Exploitation and Countermeasures for Modern Web Applications, Andrew Hoffman (ISBN 9781492053118)
  • SameSite, those things (imnerd.org)
  • Something that popped into my head about Web security, Issue #32, AngusFu/diary (github.com)
  • What is a DDoS Attack?
