Front-end security issues and prevention - 7 common website attacks

    1. XSS attack

    The full name of XSS is Cross Site Scripting. In order to distinguish it from CSS, it is called XSS. XSS attack refers to the execution of malicious scripts (whether cross-domain or same-domain) in the browser to obtain user information and perform operations.

    These operations generally accomplish the following things:
    1. Steal cookies.
    2. Monitor user behavior, such as entering the account password and sending it directly to the hacker server
    3. Modify DOM to fake login form
    4. Generate floating window ads on the page

    XSS attack means that the attacker wants your browser to execute the JS code he wrote. How? There are generally two types of XSS:

    Reflected XSS

    Principle:
    Reflective XSS, also called non-persistent XSS, means that when a request occurs, the XSS code appears in the request URL and is submitted to the server as a parameter, and the server parses and responds. The response result contains XSS code, and finally the browser parses and executes it

    Implementation:
    The attacker sends the URL with malicious script code parameters to the user. When the URL address is opened, the unique malicious code parameters are parsed and executed by HTML.

    1. The attacker puts the JS code in the URL as a request parameter to induce the user to click http://localhost:8080/test?username=<script>alert("you are under attack!")</script>
    2. After the user clicks, the JS is passed to the backend of the Web server as a request parameter
    3. The back-end server does not check and filter. After simple processing, put it into the body of the web page and return it to the browser
    4. The webpage returned by the browser parses, and you are recruited!


    Stored XSS

    The attack script in the above method is directly transferred from the server and then returned to the browser to trigger execution. The difference between the storage type is that the attack script can be stored on the server side, and the attack script will be rendered into the web page when querying later, and returned to the browser to trigger execution. The malicious code will be executed only when the victim browses the page containing this malicious code. Examples of common routines are as follows:

    1. The attacker’s webpage replies, and the post contains JS scripts
    2. After the reply is submitted to the server, it will be stored in the database
    3. Other netizens view the post, query the reply content of the post in the background, build a complete web page, and return to the browser
    4. The netizen's browser renders the returned webpage, and he is recruited!

    Prevent XSS attacks

    1. A belief: Don't trust the user's input, escape or replace special characters such as "<", ">" to make them unexecutable.
    2. Two uses: use CSP, use the HttpOnly attribute of Cookie.


    2. DDoS attack

    DDOS is the abbreviation of Distributed Denial of Service in English. Any behavior that can prevent legitimate users from accessing normal network services is a denial of service attack. Denial of service attack is also called "flood attack". Common DDOS attack methods include SYNFlood, ACK Flood, UDP Flood, ICMP Flood, TCP Flood, Connections Flood.ScriptFlood, Proxy Flood, etc.

    • SYN/ACKFloodG master: This attack method is the classic and most effective DDOS method, which can kill the network services of various systems, mainly by sending a large number of SYN or ACK packets with forged source IP and source port to the victim host, causing the host Most of the Jintong firewalls are unable to defend against such attacks due to exhaustion of cache resources or busy sending response packets, resulting in denial of service.
    • TCP full connection attack: TCP full connection attack is to use many zombie hosts to continuously establish a large number of TCP connections with the victim server until the memory and other resources of the server are exhausted and dragged, resulting in denial of service. The characteristics of this attack It can bypass the protection of general firewalls to achieve the attack purpose. The disadvantage is that many zombie hosts need to be found, and since the IPs of zombie hosts are exposed, they are easy to be tracked.


    Prevent DDoS attacks

    1. Close unnecessary services or ports:
      This is also the most common practice of server operation and maintenance personnel. In the server firewall, only the used ports are opened, such as port 80 of the website web service, port 3306 of the database, port 22 of the SSH service, etc. Close unnecessary services or ports, filter fake IPs on the router
    2. Bandwidth expansion (provide margin bandwidth):
      Through server performance testing, evaluate the bandwidth and number of requests that can be tolerated under normal business conditions. When purchasing bandwidth, ensure that there is a certain amount of surplus bandwidth, which can avoid the situation that the bandwidth is greater than the normal usage and affect normal users when attacked.


    3. CORS attacks

    risk point:
    (1). Set Access-Control-Allow-Origin to *, and do not carry session authentication, which means that the information is published on the whole network.
    (2). The http header can be forged. HTTP can be forged, which means that the domain name (origin) in the HTTP header can be fake, so cross-domain needs to cooperate with authentication, so remember to bring session id when cross-domain.
    (3). Even if the session id is used, the third party may be hacked, which will lead to information leakage of the source site
    (4). Internal information leakage, internal members open an evil website, resulting in leakage of personal session information, then the data of the internal website will be leaked
    (5). In addition, if Access-Control-Allow-Origin is not set, and permission control is done on the request site, information leakage can be prevented. When the permission error is returned, the requested information has actually reached the client.
    (6). CORS cannot carry session information by default, but if withCredentials is set to true, it can be carried, so it is best to set this attribute to false. In case it needs to be set to true, please set it on Access-Control-Allow-Origin Set a specific domain name do not use *


    Prevent CORS attacks

    • Do not use * for Access Control-Allow-Origin
    • To verify session information for cross-domain requests.
    • Strictly review request information, such as request parameters and http header information.


    4. CSRF attack

    The full English name of CSRF is Cross-site request forgery. Phenomenon: There is a website that is the same as the official website, and the submission path of the official website is changed, or cookies are submitted together, causing the submitted data to flow into external websites and leak secrets.

    There are three necessary conditions for launching a CSRF attack:

    • First, the target site must have a CSRF vulnerability
    • Second, the user has to log in to the target site and maintain a login status of the site on the browser
    • The third one requires users to open a third-party site, which can be a hacker's site or some forums.

    That is to use the verification vulnerability of the server and the user's previous login status to simulate the user's operation
    key point:
    1. The user logs in to trusted website A and generates a cookie locally
    2. Visit dangerous website B without logging out of website A

    Prevent CSRF attacks

    • To prevent CSRF attacks, we can set some key cookies to Strict or Lax mode according to the actual situation, so that these key cookies will not be sent to the server during cross-site requests, thus making the hacker's CSRF attack invalid.
    • Using CSRF-token: the user must enter the verification code, mobile phone verification code, Add token for secondary verification to enhance security


    5. SQL injection attack

    The core of the SQL injection attack is to let the web server execute the SQL statement expected by the attacker in order to obtain the interested data in the database or perform operations such as reading, modifying, deleting, and inserting the database.

    The conventional routine of SQL injection is to place the SQL statement in the form or request parameters and submit it to the back-end server. If the back-end server does not check the input security and directly takes out the variables for database query, it is very easy to be tricked.

    Examples

    For an interface that obtains user information based on user ID, the SQL statement at the back end is generally as follows:

    select name,[...] from t_user whereid=$id

    Among them, $id is the user id submitted by the front end, and if the front end request is like this

    GET xx/userinfo?id=1%20or%201=1

    Among them, after the request parameter id is escaped, it is 1 or 1=1. If the backend directly submits the database query without security filtering, the SQL statement becomes

    select name,[...] from t_user whereid=1or1=1

    As a result, all the data in the user table are found out, which achieves the hacker's goal of leaking data.

    The above is just a very simple example. In real SQL injection attacks, parameter construction and SQL statements are much more complicated than this, but the principle is the same


    Prevent SQL injection attack

    1. Add black and white list verification White: data type, length, value range (js regular verification) Black: Contains malicious content to reject the request
    2. Security monitoring, relying on tools for various security vulnerabilities to monitor security
    3. Prevent leakage of sensitive information —> reduce user permissions


    6. JSON hijacking

    JSON is a lightweight data exchange format, and hijacking is the theft of data. Malicious attackers intercept the JSON data that should be returned to the user through certain specific means, and then send the data back to the malicious attacker. This is the general meaning of JSON hijacking. Generally speaking, the JSON data for hijacking contains sensitive information or valuable data


    7. HTTP Header Tracking Vulnerability

    The HTTP/1.1 (RFC2616) specification defines the HTTP TRACE method, which is mainly used by the client to test or obtain diagnostic information by submitting a TRACE request to the Web server.

    When the web server enables TRACE, the submitted request header will be completely returned in the body of the server response, where the HTTP header is likely to include Session Token, Cookies or other authentication information. An attacker could exploit this vulnerability to deceive legitimate users and obtain their private information.

    solution:
    Disable HTTP TRACE method

    Popular posts from this blog

    大学资料分享——广工计院各个科目实验报告、课设及期末复习资料!!

    各位师弟师妹,我今年即将从广工毕业,因工作毕设都已差不多完成,整理资料时最终还是决定分享自己大学期间积累的各科资料。本人是广工计院一名本科生,在校绩点四年综合4.0左右,我相信这些资料对你们的学习和实验有非常大的实用性和价值。也真心希望大家能做好时间效率管理,一些不必要的课程不用浪费很多时间,把时间多留给自己所走的方向,希望各位师弟师妹好好利用我的资料,提升自己。如果本篇文章对你有帮助,请多来网站阅览并点击下页面的谷歌广告支持一下,十分感谢~~ 本博客除资源分享外还会 定期发布前端相关的行业动态、前端面试题系列等,后续也会逐步将自己的秋招总结发到谷歌博客上,同方向的师弟师妹们可以关注下,毕竟我也是在最寒冬秋招中获得好几个知名厂offer的,相信对你们将来的工作和面试也会非常实用 。 University special design: Specialised design IPV6 Experiment Report: GDUT IPV6 GDUT matlab digital signal processing experiment report: Matlab Experiment Report The latest operating system experiment and course design report: OS Experiment Report Virtualization and Cloud Computing-Hadoop Deployment Experiment Report: Hadoop Report GDUT C language programming experiment report 1-4: C language programming experiment report Summary of Physics Data of GDUT : Physics GDUT DEA experiment + big assessment (source code, waveform diagram) + test paper information: EDA Data summary of GDUT Electrician: University Ele
    Read more

    Win10 远程计算机或设备将不接受连接

    Image
    Table Of Contents 错误详情 当晚如平常一样开着clash,但谷歌浏览器显示此网站无法提供安全连接,按网上说的方法改https为http、清除SSL状态缓存、还原浏览器默认设置三个方法后还是没能解决,想起重启能解决99%的问题后果断重启电脑,这也是后面悲剧的开始。 电脑重启后,发现打开浏览器依然无法上网,且火狐浏览器等都出现了一样的问题,通过网络诊断得出原因:远程计算机或设备将不接受连接 百度后发现网上的解决方法千篇一律,都是通过Internet——属性——连接——局域网设置——为LAN使用代理服务器的选项去掉勾选就可恢复(也有说将所有复选框都取消勾选) 我满怀希望的尝试后发现然并卵,虽然提示网络状态已连接Internet但是上不了网。。。后来想了想,可能是因为自己用了翻墙上网然后没有退出就重启的关系(如果没用梯子的兄弟姐妹们可以先尝试我上述的方法,行不通的话再试试我后面的方法) 解决方法 可先尝试重新连接关机时使用的翻墙软件 并正常退出,即可访问网络,如果不行再按以下方法 。 非校园网 重置网络:Internet属性——高级——重置 用了科学上网的同学可能I nternet属性 的常规里主页地址会被篡改,可以手动输入成百度地址 设置完成后点确定,然后重启电脑,此时就能恢复访问了。但出错时如果是用着校园网没有退出科学上网就重启的话,此时用校园网还是上不了网,只能用手机开热点的网络上网,于是进一步摸索 校园网 1.先按非校园网方法重置网络 2.删除电脑科学上网的软件 3.重新认证校园网(可以改个密码重新登录) 呜呜,孩子终于又通网了 总结 科学上网时一定要正常进出网络,不能直接关电脑或者断网,否则IP地址还挂在外面网络回不来,所以记得科学上网时 正常退出后再重启电脑 。
    Read more

    JAVA Traffic Signal Light Course Design (Source Code + Report + Video Demonstration)

    Image
    Table Of Contents topic details Simulate the logic of the traffic light management system at the intersection. 1. Randomly generate vehicles traveling along each route 2. Signal lights ignore yellow lights and only consider red and green lights. 3. It should be considered that vehicles turning left are controlled by signal lights, and vehicles turning right are not controlled by signal lights. 4. The specific signal light control logic is the same as that of ordinary traffic light control logic in real life, regardless of the control logic in special cases: North-south vehicles and east-west vehicles are released alternately. Vehicles waiting in the same direction should pass through vehicles first, and then vehicles turning left. 5. The time for each vehicle to pass through the intersection is 1 second (reminder: it can be simulated by thread sleep). 6. The time interval for randomly generating vehicles and the time interval for exchanging traffic lights i
    Read more