Web Security_Common Attack Methods

Common attack methods
1. Cross-site scripting (XSS)
Cause of XSS: too much trust in the data submitted by the client.
A malicious attacker inserts script code into a web page; when a user browses the page, the script embedded in the page is executed, which achieves the attacker's goal of attacking the user.
Classification of XSS:
1. Reflected type
The user's input is "reflected" back to the browser. Usually the attacker has to induce the user to click a malicious link for the attack to succeed.
2. Stored type
The data entered by the user is "stored on the server side". A common scenario is that the attacker publishes a blog post containing malicious code; when other people view it, the malicious code is executed.
3. DOM-based type
DOM-based XSS is not classified by whether the data is stored on the server, because the cause of this kind of attack is rather special: it forms XSS by modifying the DOM nodes of the page, so it is listed as a separate category.

Example 1
Sending a message normally: http://www.test.com/message.html?send=Hello, World! The receiver receives the message and sees Hello, World! displayed.

Sending a message abnormally: (1). http://www.test.com/message.html?send=! When the receiver receives the message, an alert window pops up; the attacker induces others to click this link to launch the attack.

(2). http://xxx/?redirect_to=javascript:alert('XSS')
Not only special characters: even a string like javascript: can trigger an XSS attack if it appears in a specific position.

Example 2
The admin back end of the page has an input element that can modify the content submitted by the user.
Normal situation: the user enters 123, and the back-end label shows that value.

Abnormal situation:
(1). The user enters "onclick="alert(1), and when the administrator clicks the label in the back end, an alert window pops up.

XSS hazards:
1. Steal the user's cookie data to obtain the user's private information
2. Hijack the user's browser session to perform arbitrary operations, such as illegal transfers, forced publication of posts, sending emails, etc.
XSS defense:
1. Filter input and output, and encode content
2. Set HttpOnly on cookies so that JavaScript cannot read them; this stops scripts from stealing cookie data and, with it, the user's private information

What are the injection points for XSS:
1. In text embedded in HTML, malicious content is injected as script tags.
2. In inline JavaScript, concatenated data breaks out of its original context (a string, a variable, a method name, etc.).
3. In a tag attribute, the malicious content contains quotation marks, so it breaks out of the attribute value and injects other attributes or tags.
4. Executable content such as javascript: is placed in the href, src and similar attributes of a tag.
5. Uncontrolled code is injected into the onload, onerror, onclick and other event attributes.
6. In style attributes and tags, content such as background-image:url("javascript:...") is included (newer browsers already prevent this).
7. CSS expression code such as expression(...) is included in style attributes and tags (newer browsers already guard against this).
In short, if the developer inserts user-entered text into the HTML without proper filtering, an injection vulnerability is easy to introduce. Attackers can exploit such a vulnerability to construct malicious code, and then use that code to endanger data security.
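The defense in the previous section ("filter input and output, encode content") has to match the injection point, because the characters that break out of HTML text, a quoted attribute, an inline script and a URL attribute are different. The following is an added example (not code from the original post) showing one encoder per context from the list above; the function names, the allowlist of URL schemes and the sample inputs are my own choices.

```javascript
// Added example: context-aware output encoding for each injection point listed above.
// Not from the original post; function names and sample values are constructed here.

// 1. HTML text and quoted attribute values: escape the five characters that can
//    close a text node or a quoted attribute and start a new tag or attribute.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// 2. Inline JavaScript: never concatenate user data into script source. Emit it as a
//    JSON literal and additionally escape '<' so that a "</script>" inside the string
//    cannot terminate the script block; U+2028/U+2029 are line terminators in JS.
function toJsLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// 3. href/src attributes: allow only http(s) and scheme-less (relative) URLs.
//    Browsers ignore control characters and case when parsing the scheme, so the
//    check runs on a normalized copy. Anything else is replaced by about:blank.
function safeUrl(input) {
  const url = String(input).trim();
  const normalized = url.replace(/[\u0000-\u0020]/g, '').toLowerCase();
  const hasScheme = /^[a-z][a-z0-9+.-]*:/.test(normalized);
  if (hasScheme && !/^https?:/.test(normalized)) {
    return 'about:blank';
  }
  return url;
}

// Render the message page from Example 1 with every user-controlled value encoded
// for the context it lands in. The URL is validated first and then attribute-escaped,
// because a valid URL can still contain a quote character.
function renderMessage(message, link) {
  return (
    `<p class="message">${escapeHtml(message)}</p>` +
    `<a href="${escapeHtml(safeUrl(link))}">link</a>` +
    `<script>var msg = ${toJsLiteral(message)};</script>`
  );
}

// Example run with constructed inputs that mirror the post's payloads.
console.log(renderMessage('"onclick="alert(1)', "javascript:alert('XSS')"));
```

The scheme allowlist is deliberately narrow: a denylist of `javascript:` alone would miss `JaVaScRiPt:` or a scheme with an embedded newline, both of which browsers accept.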

2. Cross-site request forgery (CSRF)
Causes of CSRF: the parameters of an important request can be guessed by the attacker; the attacker bypasses the restriction of the same-origin policy and sends the forged request; and the relevant identity information is carried in the cookie, which is sent along with the request.
The attacker has borrowed your identity and sent a malicious request in your name. To the server the request is completely legitimate, yet it completes an operation the attacker wanted.

Example 1
Bank transfer
1. The user logs in to a bank website whose transfer request URL is http://bank.example/withdraw?account=bob&amount=1000000&for=Mallory
2. While still logged in, the user visits a malicious website
3. The malicious website uses an img tag to bypass the same-origin policy and initiate a request to the bank server; the identity information in the cookie is sent along with the request, completing the attack.

CSRF defense
1. Referer check: check the Referer header of the request and refuse service if the request was not initiated by a legitimate site. The disadvantage is that the server cannot always obtain the Referer.
2. Anti-CSRF token: add a token to the request URL or request header; without knowing the token, the attacker cannot make the attack succeed.

3. Clickjacking (ClickJacking)
Principle of clickjacking: visual deception

Attack methods:
1. The attacker covers a web page with a transparent iframe and then induces the user to operate on the page. The user unknowingly operates on the transparent iframe page rather than on the page that is displayed.
2. The attacker overlays the web page with an image to hide the meaning of the original content at that position.

Example 1
The antd-design page is loaded in an iframe, and an a tag is placed over the page's logo. When the logo is clicked, the browser navigates to the page the a tag points to.

Defense:
X-Frame-Options is an HTTP header proposed by Microsoft, designed specifically to defend against clickjacking attacks that use iframe nesting.
DENY // Refuse any domain to load the page in a frame
SAMEORIGIN // Allow only the same origin to load the page in a frame
ALLOW-FROM // Specify the page address that is allowed to load the page in a frame
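The three X-Frame-Options values above are set by the server, so the practical question is how to emit them and how to check whether a given response actually carries protection. The following is an added example (not code from the original post) that builds the header for each value and evaluates a captured set of response headers. In addition to the header on the page, it emits the Content-Security-Policy `frame-ancestors` directive, which is the standardized replacement for X-Frame-Options; the checker does not count ALLOW-FROM alone as protection because current browsers do not honour it. The function names and the sample headers are my own.

```javascript
// Added example: emitting and checking anti-framing headers. Not from the original post.
// The function names and the constructed header sets below are mine.

// Build the response headers for one of the three X-Frame-Options values listed above.
// The CSP frame-ancestors directive is added alongside, since it is the standardized
// successor and the only form of origin allowlisting modern browsers apply.
function frameProtectionHeaders(policy, allowFrom) {
  const headers = {};
  switch (policy) {
    case 'DENY':
      headers['X-Frame-Options'] = 'DENY';
      headers['Content-Security-Policy'] = "frame-ancestors 'none'";
      break;
    case 'SAMEORIGIN':
      headers['X-Frame-Options'] = 'SAMEORIGIN';
      headers['Content-Security-Policy'] = "frame-ancestors 'self'";
      break;
    case 'ALLOW-FROM':
      if (!allowFrom) throw new Error('ALLOW-FROM requires an origin');
      headers['X-Frame-Options'] = `ALLOW-FROM ${allowFrom}`;
      headers['Content-Security-Policy'] = `frame-ancestors ${allowFrom}`;
      break;
    default:
      throw new Error(`unknown X-Frame-Options policy: ${policy}`);
  }
  return headers;
}

// Given the headers of a captured response (any key casing), decide whether a browser
// would refuse to render the page inside a foreign iframe. ALLOW-FROM on its own is
// not counted, because Chrome never implemented it and Firefox removed it.
function isFrameProtected(responseHeaders) {
  const lower = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    lower[name.toLowerCase()] = String(value);
  }
  const csp = lower['content-security-policy'] || '';
  if (/(^|;)\s*frame-ancestors\s/i.test(csp)) return true;
  const xfo = (lower['x-frame-options'] || '').trim().toUpperCase();
  return xfo === 'DENY' || xfo === 'SAMEORIGIN';
}

// Constructed demonstration against two responses: one protected, one framable.
const protectedResponse = frameProtectionHeaders('SAMEORIGIN');
const framableResponse = { 'Content-Type': 'text/html' }; // constructed: no anti-framing header
console.log('protected:', isFrameProtected(protectedResponse));
console.log('framable :', isFrameProtected(framableResponse));
```

Checking a response this way is the quickest way to confirm that a page such as the one in Example 1 cannot be loaded inside the attacker's iframe in the first place.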

Origin blog.csdn.net/qq_43148113/article/details/102571379