Distributed Fundamentals (4): Common Attack Techniques and Encryption Technology

This article draws on chapter 8 of "Large-Scale Website Technology Architecture: Core Principles and Case Studies" and on other online articles. If anything is omitted or mistaken, please forgive us and point it out. Thank you!


There is no absolute security in this world, just as there is no absolute freedom. A website's relative security is achieved by raising the bar for attacking it: an attacker must pay a higher price to obtain limited gains, so the attack is not worth it and the attacker stays away.
- "Large-Scale Website Technology Architecture: Core Principles and Case Studies"

I. Web attack techniques

1. DDoS attacks

DDoS stands for distributed denial of service. The core of the technique is to use a large number of distributed hosts to send forged requests to the target server. The target is flooded with traffic it has to answer, which consumes network bandwidth or system resources until the system or network is overloaded, paralysed and stops providing service.


The following measures are generally taken to reduce the impact of DDoS attacks:

  1. System backup (so that service can be restored on standby capacity)
  2. Interception of requests by source IP (for example rate limiting in Nginx)
  3. Increasing bandwidth
  4. Load balancing requests across multiple servers

None of these stops a large volumetric attack outright; in line with the quotation above, they raise the cost of a successful attack.
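The following is an added example (not code from the original article) of measure 2, per-source-IP interception: a sliding-window limiter that admits at most `limit` requests per `window` seconds from each IP and throttles the rest, which is the idea behind per-IP rate limiting in a reverse proxy such as Nginx. The IP addresses and the clock are constructed for the demonstration.

```python
import time
from collections import defaultdict, deque


class PerIpRateLimiter:
    """Sliding-window limiter: allow at most `limit` requests per `window`
    seconds from each client IP and reject the rest.  The clock is injectable
    so the behaviour can be exercised without sleeping."""

    def __init__(self, limit=100, window=1.0, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self.hits = defaultdict(deque)      # ip -> timestamps of accepted requests
        self.rejected = defaultdict(int)    # ip -> number of throttled requests

    def allow(self, ip):
        """Return True if the request from `ip` may pass, False if it is throttled."""
        now = self.clock()
        q = self.hits[ip]
        while q and now - q[0] >= self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            self.rejected[ip] += 1
            return False
        q.append(now)
        return True

    def prune(self):
        """Forget IPs with no request inside the window, so the table itself cannot
        grow without bound when an attacker spreads requests over many addresses."""
        now = self.clock()
        idle = [ip for ip, q in self.hits.items() if not q or now - q[-1] >= self.window]
        for ip in idle:
            del self.hits[ip]


class FakeClock:
    """Constructed clock for the demonstration (not real time)."""

    def __init__(self):
        self.t = 0.0

    def advance(self, seconds):
        self.t += seconds

    def __call__(self):
        return self.t


def simulate_flood(burst=150, limit=100):
    """One flooding IP sends `burst` requests at once while a normal user sends one;
    returns how each was treated, before and after the window has passed."""
    clock = FakeClock()
    limiter = PerIpRateLimiter(limit=limit, window=1.0, clock=clock)
    flood_ip, user_ip = "203.0.113.5", "198.51.100.7"      # constructed addresses
    accepted = sum(limiter.allow(flood_ip) for _ in range(burst))
    user_ok = limiter.allow(user_ip)
    clock.advance(1.0)                                      # the window expires
    flood_ok_later = limiter.allow(flood_ip)
    limiter.prune()
    return {
        "flood_accepted": accepted,
        "flood_rejected": limiter.rejected[flood_ip],
        "user_accepted": user_ok,
        "flood_accepted_after_window": flood_ok_later,
    }
```

The limiter protects the application tier from one noisy source; it does nothing about bandwidth exhaustion by traffic from thousands of addresses, which is why the text also lists bandwidth and load balancing, and the `prune` step matters because an unbounded per-IP table is itself a resource an attacker can exhaust.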

2. XSS attacks

Cross-Site Scripting (abbreviated XSS) is a code injection attack: the attacker injects a malicious script into the target site so that it runs in other users' browsers. With such scripts the attacker can obtain sensitive user information such as cookies and session IDs, compromising data security.

Imagine a search page whose keyword is taken from a URL parameter. The (JSP-style) template looks like this:

<input type="text" value="<%= getParameter("keyword") %>">
<button>Search</button>
<div>
  The keyword you searched for is: <%= getParameter("keyword") %>
</div>

Now suppose the keyword is set to "><script>alert('XSS');</script>. The following HTTP GET request is sent to the server:

http://xxx/search?keyword="><script>alert('XSS');</script>

When the server reads this keyword, it fills "><script>alert('XSS');</script> into the HTML page of the response as the parameter value:

<input type="text" value=""><script>alert('XSS');</script>">
<button>Search</button>
<div>
  The keyword you searched for is: "><script>alert('XSS');</script>
</div>

The browser cannot tell that <script>alert('XSS');</script> is malicious code rather than part of the page, so it executes it and "XSS" pops up in the user's browser. (The leading "> first closes the value attribute and the <input> tag, which is what lets the script tag land in tag context.)

This is the classic XSS example. In general, XSS attacks fall into the following two categories:

1. Persistent (stored) attacks

The attacker submits the XSS script to the attacked server, where it is saved; it is later fetched and rendered in the browser of everyone who views the page. Such attacks commonly appear in blogs or forums that display user-submitted content. (The search example above is not stored; it belongs to the reflected category below.)


2. Reflected attacks

In a reflected XSS attack the malicious script lives in the URL.

Reflected XSS vulnerabilities are common in features that take parameters from the URL, such as site search and redirects.

Because the user has to open the malicious URL for the attack to take effect, the attacker usually combines various tricks to induce the user to click. The server then reads the malicious script from the URL, reflects it into the response, and the browser executes it.


The preventive measures against XSS fall into the following categories:

1. Input filtering and output escaping

Filter the input parameters on both the front end and the back end, for example by escaping characters such as < and >. Escaping only < and > is not enough when the value lands inside an attribute: the payload above starts with a double quote, so quotes and the ampersand must be escaped too, and the escaping must match the context the value is written into (HTML text, attribute, JavaScript, URL).

2. Pure front-end rendering

With pure front-end rendering the page explicitly tells the browser what kind of thing the content is: text (.innerText), an attribute (.setAttribute) or a style (.style). The browser then treats the value as data of that kind and is not tricked into executing code beyond what is expected. (Writing the value through .innerHTML would reintroduce the problem.)
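As an added example (not code from the original article), the search template above is rendered three ways in Python: spliced in raw, with a filter that escapes only < and >, and with full HTML output encoding. The standard library HTML parser stands in for the browser's tokenizer to show what each version turns into; the second payload, which uses no angle brackets at all, is constructed here to show why the attribute context needs quote escaping.

```python
import html
from html.parser import HTMLParser


def render_template(value):
    """The search template from the text with `value` spliced in as-is."""
    return (f'<input type="text" value="{value}">\n<button>Search</button>\n'
            f'<div>\n  The keyword you searched for is: {value}\n</div>')


def render_vulnerable(keyword):
    return render_template(keyword)


def filter_angle_brackets(value):
    """Input filter that handles only < and > (measure 1 taken literally)."""
    return value.replace("<", "&lt;").replace(">", "&gt;")


def render_partially_filtered(keyword):
    return render_template(filter_angle_brackets(keyword))


def render_safe(keyword):
    """Output encoding for the HTML context: html.escape(quote=True) turns
    &, <, >, " and ' into entities, so the value can close neither the
    attribute nor the tag, and <script> is displayed as text."""
    return render_template(html.escape(keyword, quote=True))


class _TagCollector(HTMLParser):
    """Stand-in for the browser's tokenizer: records every start tag it sees."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parsed_tags(page):
    collector = _TagCollector()
    collector.feed(page)
    return collector.tags


def script_would_run(page):
    """True if the rendered page contains a real <script> element."""
    return any(tag == "script" for tag, _ in parsed_tags(page))


def injected_event_handler(page):
    """True if any element gained an on* attribute the template never had."""
    return any(name.startswith("on") for _, attrs in parsed_tags(page) for name in attrs)


# Constructed payloads
PAGE_PAYLOAD = "\"><script>alert('XSS');</script>"        # the one used in the text
ATTRIBUTE_PAYLOAD = '" onfocus="alert(1)" autofocus="'    # contains no < or > at all
```

With the first payload the raw template produces a live script element while the encoded one does not; with the second payload the angle-bracket-only filter still lets an event handler attribute through, which is the caveat about escaping for the right context.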

3. SQL injection attacks

SQL injection is one of the most common types of Web attack. If it is not prevented, it can lead to the destruction of the entire database, so that the service can no longer be provided.


A simple SQL injection example: bypassing the password

Assume a login page on which the user enters only a username and a password, and the back end decides whether the login succeeds with this SQL statement:

select count(*) from user_table where username = ? and password = ?

If the query returns a record, the account and password are considered correct. But suppose the username and password entered are:

    username = 'ARong';#
    password = 'SQL injection'

Then the SQL that the back end produces by splicing the parameters in is:

select count(*) from user_table where username = 'ARong';# and password = 'SQL injection'

As you can see, the password condition of this statement has effectively been commented out (# starts a line comment in MySQL), so as long as a user with that username exists, the login succeeds.

If you know the name of the user table (for example from an error message), the condition can be changed further:

    username = 'ARong';drop table user_table;#
    password = 'SQL injection'

This is spliced into the following SQL:

select count(*) from user_table where username = 'ARong';drop table user_table;# and password = 'SQL injection'

This results in the structure and data of the user table being deleted! Worse, DROP TABLE is a DDL statement: it is not rolled back by a transaction, and the deleted rows themselves are not written to the log, so without a backup the data on the production system cannot be restored.

The way to prevent SQL injection is to precompile the statement and bind the parameters, for example with JDBC's PreparedStatement, which precompiles the SQL and passes the parameter values separately; in MyBatis, use #{} (a precompiled placeholder) instead of ${} (plain string substitution). With a prepared statement the database treats each parameter as a single value and never as part of the SQL text. Rendered as an SQL literal for illustration only (the driver actually sends the value out of band), the input above is seen as one string:

select count(*) from user_table where username = '''ARong'';drop table user_table;#' and password = 'SQL injection';

Because the parameter is bound as a whole value, the quote, semicolon and comment characters inside it cannot become part of the SQL statement.
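As an added example (not code from the original article), the login check above is implemented twice against a constructed in-memory SQLite table: once by string splicing and once as a parameterised query, which is the sqlite3 counterpart of JDBC's PreparedStatement and MyBatis #{}. SQLite's line comment is -- rather than MySQL's #, so the constructed bypass input uses that; the effect is the same.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user_table (username text, password text)")
    conn.execute("insert into user_table values (?, ?)", ("ARong", "correct-password"))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string splicing, as in the text's example.
    Whatever the user typed becomes part of the SQL grammar."""
    sql = ("select count(*) from user_table where username = '"
           + username + "' and password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, username, password):
    """Parameterised statement: the SQL text is fixed and the two values are
    bound separately, so they are compared as plain strings."""
    sql = "select count(*) from user_table where username = ? and password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# Constructed attacker input.  Everything after the comment marker, including
# the password check, is ignored by the SQL parser.
BYPASS_USERNAME = "ARong' -- "
BYPASS_PASSWORD = "SQL injection"


def demo():
    conn = make_db()
    return {
        "vulnerable_bypassed": login_vulnerable(conn, BYPASS_USERNAME, BYPASS_PASSWORD),
        "vulnerable_unknown_user": login_vulnerable(conn, "nobody' -- ", BYPASS_PASSWORD),
        "safe_rejects_bypass": not login_safe(conn, BYPASS_USERNAME, BYPASS_PASSWORD),
        "safe_accepts_real_login": login_safe(conn, "ARong", "correct-password"),
    }
```

Note that Python's sqlite3 refuses a second statement in `execute()`, so the DROP TABLE variant raises an error here rather than dropping the table; other drivers (MySQL connectors with multi-statement support) do not, so that behaviour is not a defence to rely on.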

4. CSRF attacks

CSRF (Cross-Site Request Forgery) is also called a one-click attack or session riding, and abbreviated CSRF or XSRF.

The core idea of a CSRF attack is to borrow your identity (your cookie and session) and send malicious requests in your name. The attacker does not need to read the cookie: the browser attaches it automatically to any request sent to the site, including one triggered from a page the attacker controls.


1. Verify the HTTP Referer field

In the HTTP protocol there is a header field called Referer that records the source address of the request. Under normal circumstances a request for a security-restricted page comes from the same site, so a request whose Referer is another site can be rejected. Browsers may omit the Referer (for example under a strict Referrer-Policy), so decide what to do with an absent header, prefer the Origin header where it is available, and combine this check with a token rather than relying on it alone.

2. Add a token to each request

Since a CSRF attack forges requests by reusing the cookie and session, a token can be added to each request (in a form field or request header, not in the cookie) and verified by the back end on receipt. A page on another site cannot read the token, so a request carrying a valid token is known to come from the genuine client; this prevents CSRF.

3. Verification codes

For critical operations, require the user to pass a verification code (a CAPTCHA or one-time code) before the request is sent, which stops forged requests from being submitted automatically.
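As an added example (not code from the original article), measures 1 and 2 are implemented for a state-changing endpoint: the request source is checked against the site's own origin (Origin first, Referer as fallback, failing closed when both are missing) and a per-session token is compared in constant time. The sessions, the `bank.example` and `evil.example` origins and the request dictionaries are constructed for the demonstration; a real handler would read the same fields from the HTTP request.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE = "https://bank.example"   # constructed origin of the protected site
SESSIONS = {}                   # session id -> session data (in-memory, for the demo)


def new_session(user):
    """Log a user in: create a session cookie value and a CSRF token bound to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Rendered into the site's own forms as a hidden field; a page on another
    origin cannot read it, even though the browser will send the cookie."""
    return SESSIONS[sid]["csrf"]


def source_is_same_site(headers):
    """Measure 1: prefer Origin, fall back to Referer, fail closed if both are absent."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE


def handle_transfer(request):
    """A state-changing endpoint.  `request` is a constructed dict holding the parts
    of an HTTP request that matter here: cookies, headers and form fields."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401, "not logged in"
    if not source_is_same_site(request["headers"]):
        return 403, "cross-site request rejected"
    token = request["form"].get("csrf", "")
    # Measure 2: constant-time comparison of the submitted token with the session's
    if not hmac.compare_digest(token, session["csrf"]):
        return 403, "missing or invalid CSRF token"
    return 200, f"transferred {request['form']['amount']} from {session['user']}"


def demo():
    sid = new_session("alice")
    genuine = {
        "cookies": {"sid": sid},
        "headers": {"Origin": SITE, "Referer": SITE + "/transfer"},
        "form": {"amount": "10", "to": "bob", "csrf": csrf_token_for(sid)},
    }
    # The attacker's page auto-submits a form.  The browser still attaches the
    # victim's cookie, but the Origin is the attacker's site and the token is unknown.
    forged = {
        "cookies": {"sid": sid},
        "headers": {"Origin": "https://evil.example", "Referer": "https://evil.example/lure"},
        "form": {"amount": "1000", "to": "mallory"},
    }
    # The same forged request with both source headers stripped.
    forged_no_headers = {"cookies": {"sid": sid}, "headers": {}, "form": forged["form"]}
    return {
        "genuine": handle_transfer(genuine)[0],
        "forged": handle_transfer(forged)[0],
        "forged_no_headers": handle_transfer(forged_no_headers)[0],
    }
```

The token check is what actually decides the forged cases: even if an attacker could make the Origin header look right, the token in the session is not readable from another origin.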

II. Information encryption technology

1. One-way hashing

One-way hashing takes information of any length and, through a hash calculation, produces an output of a fixed length.

The same input always produces the same hash, but the original data cannot be recovered from the hash.


Algorithms applying this technique include MD5 and the SHA family. MD5 and SHA-1 are no longer considered collision resistant; use SHA-256 or stronger today.

With one-way hashing, even a tiny change to the original data produces a completely different hash, which is why a hash is also used as a message digest.

Because one-way hashing is irreversible, it is often used to store user passwords, bank card passwords and other secret data: the stored hash cannot be reversed into the secret. When the user logs in, the input is hashed in the same way and compared with the stored hash to check whether it is correct. Another important reason is that if the stored data leaks, the secrets are not directly exposed. (Strictly speaking this is hashing rather than encryption, since nothing is ever decrypted.)


Note that one-way hashing is not completely irreversible in practice. By collecting and precomputing the hashes of a large number of candidate inputs, an attacker can build a rainbow table with which the original data behind a simple hash can be looked up. The defence is to add a random per-record salt before hashing and to use a deliberately slow password hash, so that each stored hash has to be attacked separately.
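As an added example (not code from the original article), the properties described above are shown with the standard library: determinism and the avalanche effect of SHA-256, a tiny precomputed table standing in for a rainbow table that recovers an unsalted hash of a common password, and salted PBKDF2-HMAC-SHA256 storage with verification. The wordlist is constructed for the demonstration.

```python
import hashlib
import hmac
import secrets


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def differing_bits(a, b):
    """Hamming distance between two equal-length digests."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(msg1, msg2):
    """How many of the 256 output bits change between the hashes of two inputs
    (about half, whatever the inputs are)."""
    return differing_bits(hashlib.sha256(msg1).digest(), hashlib.sha256(msg2).digest())


COMMON_PASSWORDS = ["123456", "password", "qwerty", "111111"]   # constructed wordlist


def precomputed_table(algo="sha256"):
    """Tiny stand-in for a rainbow table: hash -> password for every word in the list."""
    return {hashlib.new(algo, p.encode("utf-8")).hexdigest(): p for p in COMMON_PASSWORDS}


def crack_unsalted(digest_hex, table):
    """An unsalted hash of a common password is a dictionary lookup away."""
    return table.get(digest_hex)


def hash_password(password, iterations=600_000, salt=None):
    """Store passwords as PBKDF2-HMAC-SHA256 with a random 16-byte salt.
    The salt defeats precomputed tables and the iteration count slows each guess."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)
```

Two users with the same password get different stored strings because their salts differ, so a leaked table cannot be attacked with one precomputed lookup; the iteration count is chosen per deployment (the default above follows current guidance for PBKDF2-SHA256) and is stored alongside the hash so it can be raised later.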

2. Symmetric encryption

Symmetric encryption means that the same key is used both to encrypt and to decrypt the data.


The advantage of symmetric encryption is that encryption and decryption are efficient, which suits large amounts of data. The disadvantage is that both parties hold the same key, so preventing the key from leaking or being stolen is the top priority; if the key leaks, the data has no confidentiality at all.

Common symmetric algorithms include AES and DES (DES is obsolete because of its 56-bit key).

Symmetric encryption is generally what is used when data itself needs to be encrypted.

3. Asymmetric encryption

Asymmetric encryption uses different keys for encryption and decryption: one is published to the outside world and called the public key, the other is kept only by its owner and called the private key.

Data encrypted with the public key can only be decrypted with the private key, and data signed with the private key can only be verified with the public key. The private key must not be derivable from the public key, otherwise the whole scheme is meaningless.


Asymmetric encryption is less efficient, but because the public and private keys are separate its security is higher, and it suits the secure transmission of small amounts of private data (such as transmitting a symmetric key).

Two scenarios for asymmetric encryption:

1. The client transmits information securely to the server

When the client sends data to the server, it encrypts the data with the server's public key, and the server decrypts it with its private key on receipt. Even if the data is intercepted in transit, the original data cannot be obtained without the private key.

2. Digital signatures

When one party (for example the server) signs data with its private key, anyone holding the corresponding public key can verify the signature. Since only the owner holds the private key, the data is non-repudiable and unforgeable; the public key can only verify, never produce, a signature. In practice the signature is computed over a hash of the data rather than the data itself.

The most commonly used asymmetric algorithm is RSA.

4. Key management

Whether one-way hashing (with its salt or HMAC key), symmetric encryption or asymmetric encryption is in use, if the key used for encryption and decryption is stolen the whole scheme becomes ineffective, so key management is the approach to preventing the key from being stolen.

The following key management approaches go from low level to high, with increasing security:

1. Hard-coding the key in the program code

This is the most common and least secure practice: anyone who obtains the source (or the compiled binary) obtains the key. Changing the key also requires modifying and redeploying the code.

2. Reading the key from a configuration file

The security of this approach is also very low, but compared with hard-coding, a configuration file makes it convenient to replace the key.

3. Storing the key on a dedicated server

This can significantly improve the security of the key. The key is stored on a specific server that provides key access only to particular, authenticated servers, which largely prevents the key from being stolen.

4. Storing the key as encrypted fragments

Even when the key is stored on a dedicated server, an attacker who gets into that server obtains it directly. The key can therefore be split into fragments, each encrypted separately and stored in a different database or file system; when the key is needed, all the fragments are fetched and combined by a specific procedure into the complete key.
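As an added example (not code from the original article) of approach 4, the key is split with Shamir's secret sharing, which goes slightly beyond the text: rather than requiring every fragment, any `threshold` of the `shares` fragments reconstruct the key, and fewer reveal nothing, so the loss of one store does not lose the key and the compromise of one store does not expose it. The field prime and the 256-bit key are constructed for the demonstration; encrypting each fragment at rest before storing it is the separate step the text describes.

```python
import secrets

PRIME = 2**521 - 1   # a Mersenne prime; the field is large enough for 256-bit secrets


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, modulo PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_key(key, threshold, shares):
    """Split `key` into `shares` fragments of which any `threshold` recover it.
    The key is the constant term of a random polynomial of degree threshold-1
    and fragment i is the point (i, f(i)); fewer than `threshold` points leave
    the constant term completely undetermined."""
    secret = int.from_bytes(key, "big")
    if not (1 <= threshold <= shares and secret < PRIME):
        raise ValueError("bad parameters")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_int(shares):
    """Lagrange interpolation at x = 0 over the field: the 'specific procedure'
    that combines the fragments."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def recover_key(shares, key_length):
    return recover_int(shares).to_bytes(key_length, "big")


def demo():
    key = secrets.token_bytes(32)                        # constructed 256-bit symmetric key
    fragments = split_key(key, threshold=3, shares=5)    # five stores, any three suffice
    return {
        "from_first_three": recover_key(fragments[:3], 32) == key,
        "from_last_three": recover_key(fragments[2:], 32) == key,
        "from_any_two": recover_int(fragments[:2]) == int.from_bytes(key, "big"),
    }
```

With three of five fragments the key comes back exactly; with two, interpolation yields an unrelated field element, which is the property that makes storing the fragments in separate places worthwhile.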


5. Use of encryption technology in HTTPS

An HTTPS request involves all of the encryption techniques above, as in the following flow:


  1. The client sends an HTTPS request to the server
  2. The server (which has a digital certificate configured) first returns the certificate containing its public key to the client
  3. The client parses the certificate with SSL/TLS and checks that it is valid (expiry time, trusted issuer, matching domain name and so on); if it is not, a danger warning is shown
  4. The client generates a random value, encrypts it with the public key (asymmetric encryption) and sends the ciphertext to the server
     Key = public key [asymmetric encryption] random value; random value = private key [decryption] Key
  5. The server decrypts the ciphertext with its private key and obtains the random value
  6. The server then uses this random value as the symmetric key and transmits the data encrypted
     random value [symmetric encryption] message = ciphertext; random value [symmetric decryption] ciphertext = message
  7. After receiving the encrypted data, the client decrypts it with the same random value

HTTPS uses asymmetric encryption to protect the random value so that it cannot be stolen in transit; since symmetric encryption performs much better, the random value is then used as the symmetric key for the rest of the session. (This is RSA key transport as used in TLS 1.2 and earlier; TLS 1.3 instead derives the session key with an ephemeral Diffie-Hellman exchange and uses the certificate's key only for signing.)
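As an added example (not code from the original article) serving sections 2, 3 and 5 together, the flow above is simulated end to end: an authenticated symmetric cipher for the data, textbook RSA for encrypting the random value and for the signature scenario, and the seven-step exchange joining them. The standard library has no AES, so the symmetric cipher is a CTR-mode keystream from HMAC-SHA256 with an encrypt-then-MAC tag (a stand-in with the same nonce/ciphertext/tag shape as AES-GCM, which is what production code should use), and the RSA is a toy 512-bit, unpadded version that shows the public/private property only. Certificate validation (step 3) is elided.

```python
import hashlib
import hmac
import math
import secrets

# Symmetric part: CTR-mode keystream from HMAC-SHA256 (a PRF in counter mode is a
# proper stream cipher) plus an encrypt-then-MAC tag.  Stand-in for AES-GCM.

def _subkeys(key):
    """Derive independent encryption and MAC keys from the shared secret."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def sym_encrypt(key, plaintext):
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)          # fresh for every message under the same key
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def sym_decrypt(key, blob):
    """Return the plaintext, or None if the tag does not verify (wrong key or tampering)."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

# Asymmetric part: textbook RSA, toy 512-bit keys, no padding.  Illustration only;
# real systems use 2048+ bits with OAEP (encryption) and PSS (signatures).

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate

def rsa_keygen(bits=512):
    """Return ((e, n), (d, n)): the public key and the private key."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)

def rsa_encrypt(public_key, m):       # scenario 1: anyone can encrypt to the key owner
    e, n = public_key
    return pow(m, e, n)

def rsa_decrypt(private_key, c):      # only the private key opens it
    d, n = private_key
    return pow(c, d, n)

def rsa_sign(private_key, message):   # scenario 2: only the private key can sign
    d, n = private_key
    return pow(int.from_bytes(hashlib.sha256(message).digest(), "big"), d, n)

def rsa_verify(public_key, message, signature):   # anyone can verify
    e, n = public_key
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(message).digest(), "big")

def https_like_exchange(message):
    """Steps 1-7 of the text's flow; the server's certificate check is elided."""
    server_pub, server_priv = rsa_keygen()                     # steps 1-3: client learns the public key
    random_value = secrets.token_bytes(16)                     # step 4: client's random value ...
    key_ct = rsa_encrypt(server_pub, int.from_bytes(random_value, "big"))    # ... sent encrypted
    server_key = rsa_decrypt(server_priv, key_ct).to_bytes(16, "big")        # step 5: server recovers it
    ciphertext = sym_encrypt(server_key, message)              # step 6: symmetric from here on
    return {"key_agreed": server_key == random_value,
            "plaintext": sym_decrypt(random_value, ciphertext),    # step 7
            "ciphertext": ciphertext}
```

Only the 16-byte random value crosses the slow asymmetric path; everything after that is symmetric, which is the performance argument the text makes. A flipped ciphertext bit or a wrong key makes `sym_decrypt` return None rather than garbage, which is the authentication real TLS record protection also provides.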

III. Information filtering technology

1. Text matching

Text matching is the most common information filtering technique; there are usually two implementations:

1. Double-array Trie

Because a Trie (prefix tree) naturally supports string matching and greatly improves its efficiency, keyword-based text matching is usually implemented with a prefix tree or, to save memory, a double-array prefix tree.


2. Multi-level hash table

When there are fewer keywords to match, a multi-level hash table can be used to build the filter tree. Because every level is a hash table, it occupies much more space than a double-array Trie.
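As an added example (not code from the original article), a plain Trie keyword filter in Python: each text position walks down the tree as far as the text matches, reporting every keyword (including overlapping ones) and masking the matched spans. This is the ordinary dictionary-of-dictionaries Trie rather than the double-array layout, which saves memory but matches the same way. The keywords and sample text are constructed.

```python
class TrieFilter:
    """Prefix-tree keyword filter.  `find` scans the text once; from each start
    position it follows the trie while the characters match, so the cost is
    bounded by the longest keyword rather than by the number of keywords."""

    END = None   # terminal marker key; can never collide with a character

    def __init__(self, keywords):
        self.root = {}
        for word in keywords:
            self.add(word)

    def add(self, word):
        node = self.root
        for ch in word:
            node = node.setdefault(ch, {})
        node[self.END] = word

    def find(self, text):
        """Return (start, keyword) for every occurrence, overlapping ones included."""
        hits = []
        for start in range(len(text)):
            node = self.root
            for pos in range(start, len(text)):
                node = node.get(text[pos])
                if node is None:
                    break
                if self.END in node:
                    hits.append((start, node[self.END]))
        return hits

    def censor(self, text, mask="*"):
        """Replace every character covered by a matched keyword with the mask."""
        covered = bytearray(len(text))
        for start, word in self.find(text):
            for i in range(start, start + len(word)):
                covered[i] = 1
        return "".join(mask if covered[i] else ch for i, ch in enumerate(text))


# Constructed keyword list and sample message
BLOCKED_WORDS = ["spam", "free money", "casino"]
SAMPLE = "get free money at the casino, not spam"
```

Because the terminal marker stores the full keyword, a keyword that is a prefix of another ("ab" and "abc") is reported on its own as well as inside the longer match.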


2. Classification algorithms

With small amounts of data, for example user posts containing pornography or violence, screening can be done by hand. But with large amounts of data, such as tens of millions of messages sent every day, how do you screen and intercept the spam?

The method here is machine learning: train a classification algorithm so that it automatically recognises and blocks spam:


The commonly used classifier is the Bayesian classifier. The classic problem Bayes' theorem solves is conditional probability, for example: given two boxes containing red and white balls, if a white ball is drawn, what is the probability that it came from the first box?

By Bayes' formula, if the probability that a ball comes from the first box is P(A) and the probability that the drawn ball is white is P(B), then the probability that the ball came from the first box given that it is white is:

P(A | B) = P(AB) / P(B) = P(A) * P(B | A) / P(B)

A Bayesian classifier can therefore screen the messages that meet the spam conditions from the standpoint of probability, although there will be some false positives.
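As an added example (not code from the original article), a multinomial naive Bayes spam filter with Laplace smoothing, which is the formula above applied to messages: the posterior P(spam | words) is proportional to the prior P(spam) times the product of P(word | spam), and the "naive" assumption is that the words are independent given the class. The eight training messages are constructed, so the resulting probabilities only illustrate the mechanism.

```python
import math
from collections import Counter


class NaiveBayesSpamFilter:
    """Multinomial naive Bayes.  For a message with words w1..wn,
        P(spam | words) ∝ P(spam) * Π P(wi | spam)
    and the score is normalised against the same quantity for ham."""

    def __init__(self):
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.doc_counts = Counter()
        self.vocabulary = set()

    @staticmethod
    def tokenize(text):
        return [w.strip(".,!?").lower() for w in text.split() if w.strip(".,!?")]

    def train(self, text, label):
        words = self.tokenize(text)
        self.word_counts[label].update(words)
        self.doc_counts[label] += 1
        self.vocabulary.update(words)

    def _log_score(self, words, label):
        log_p = math.log(self.doc_counts[label] / sum(self.doc_counts.values()))  # prior P(label)
        denominator = sum(self.word_counts[label].values()) + len(self.vocabulary)  # Laplace smoothing
        for w in words:
            log_p += math.log((self.word_counts[label][w] + 1) / denominator)      # P(w | label)
        return log_p

    def spam_probability(self, text):
        """P(spam | text) normalised over the two classes, computed in log space."""
        words = self.tokenize(text)
        spam, ham = self._log_score(words, "spam"), self._log_score(words, "ham")
        return 1 / (1 + math.exp(ham - spam))

    def is_spam(self, text, threshold=0.5):
        return self.spam_probability(text) >= threshold


TRAINING = [  # constructed training messages
    ("win free money now click here", "spam"),
    ("free prize claim your bonus today", "spam"),
    ("cheap loans guaranteed approval click now", "spam"),
    ("congratulations you won a free gift card", "spam"),
    ("team meeting moved to tomorrow morning", "ham"),
    ("please review the project report before friday", "ham"),
    ("lunch at noon with the new intern", "ham"),
    ("the deployment finished without errors", "ham"),
]


def trained_filter():
    f = NaiveBayesSpamFilter()
    for text, label in TRAINING:
        f.train(text, label)
    return f
```

The smoothing term is what keeps a single unseen word from driving a probability to zero; the threshold is where the false-positive trade-off the text mentions is tuned, since raising it blocks less spam but also fewer legitimate messages.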

3. Blacklists

Users who have already been reported can be put on a blacklist; when their IP address or account name is seen again in a later message, it can be intercepted.

A blacklist can be implemented with a hash table, but when there are too many IP addresses (say a billion addresses to blacklist) a hash table takes a lot of space and produces many hash collisions. In that case a Bloom filter can be used to store the blacklist data, which greatly reduces the space used. Note, however, that the false-positive rate changes with the size of the underlying bit array: a Bloom filter answers "absent" with certainty, while "present" may be a false positive, so a hit should be confirmed against the authoritative list before a user is blocked.
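As an added example (not code from the original article), a Bloom filter sized from an expected item count and target false-positive rate, with the k positions derived from one SHA-256 by double hashing. The blacklist demo below adds a thousand constructed 10.0.x.y addresses and probes a thousand 10.1.x.y addresses that were never added, counting false positives and confirming there are no false negatives.

```python
import hashlib
import math


class BloomFilter:
    """Bit array of m bits with k hash positions per item.  `add` sets the bits;
    `in` is certain when it says "absent" and may be a false positive when it
    says "present".  m and k are derived from the expected item count and the
    target false-positive rate."""

    def __init__(self, expected_items, target_fp_rate):
        self.m = math.ceil(-expected_items * math.log(target_fp_rate) / (math.log(2) ** 2))
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)
        self.count = 0

    def _positions(self, item):
        """k positions from one SHA-256 via double hashing: (h1 + i*h2) mod m."""
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:16], "big")
        h2 = int.from_bytes(digest[16:], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)
        self.count += 1

    def __contains__(self, item):
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))

    def expected_fp_rate(self):
        """(1 - e^(-kn/m))^k for the current fill; it rises as items are added."""
        return (1 - math.exp(-self.k * self.count / self.m)) ** self.k


def blacklist_demo(listed=1000, probes=1000):
    """Constructed addresses: 10.0.x.y go on the blacklist, 10.1.x.y never do."""
    bf = BloomFilter(expected_items=listed, target_fp_rate=0.01)
    blocked = [f"10.0.{i // 256}.{i % 256}" for i in range(listed)]
    innocent = [f"10.1.{i // 256}.{i % 256}" for i in range(probes)]
    for ip in blocked:
        bf.add(ip)
    return {
        "bits": bf.m,
        "hashes": bf.k,
        "bytes_used": len(bf.bits),
        "false_negatives": sum(ip not in bf for ip in blocked),
        "false_positives": sum(ip in bf for ip in innocent),
        "expected_fp_rate": bf.expected_fp_rate(),
    }
```

For a thousand entries at a 1% target the filter needs about 1.2 KB, against the tens of kilobytes a hash set of the same strings would take; the expected false-positive rate reported by the filter is what a deployment should monitor, since adding more items than the filter was sized for pushes it up.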




Source: blog.csdn.net/pbrlovejava/article/details/104971827