The security journey of web development
A look at web security
Security issues 'very common' and can harm
- user
- company
- Programmer (the one who takes the blame)
Web security from two perspectives
- If you are a hacker - attack
- If you are a developer - Defense
Attack
Cross-Site Scripting (XSS)
Features
- Often difficult to detect from the UI (executing scripts secretly)
- Steal user information (cookie/token)
- Draw UI (such as pop-up window) to trick users into clicking/filling in the form
demo
Stored XSS (database attack)
- Malicious scripts are stored in the database
- Visiting the page reads the data → the user is attacked
- The most harmful, visible to all users
Reflected XSS
- No database involved
- Attack from URL
Mutation-based XSS
- Exploits the browser's own DOM parsing and serialization behaviour (browser-specific quirks)
- Different browsers behave differently (the attack is browser-specific)
Cross-Site Request Forgery (CSRF)
- Without the user's knowledge
- Takes advantage of the user's permissions (cookies)
- Constructs a specific HTTP request that steals or modifies the user's sensitive information
demo
GET
SQL Injection
demo
- Read request fields
- Directly concatenate SQL statements in the form of strings
Injection is more than just SQL
- CLI
- os command
- Server-Side Request Forgery (SSRF): a request forged on the server side
- Strictly speaking SSRF is not injection, but the principle is similar
SSRF
- The server requests a [user-defined] callback URL
- The web server usually has access to the intranet
Denial of Service (DoS)
Through some method (constructing specific requests), server resources are heavily consumed, so the server has no capacity left to respond to further requests; requests pile up and an avalanche effect follows.
Interlude: Regular Expressions - Greedy Mode
Distributed DoS (DDoS)
Within a short period, request traffic from a large number of zombie devices exceeds what the server can complete in time; requests pile up, an avalanche effect follows, and new requests cannot be served.
Defense
XSS
In principle
- Never trust user submissions
- Don't turn user submissions directly into DOM
Off-the-shelf tools (sanitizer libraries)
Special case:
String->DOM
new DOMParser()
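The simplest form of "never trust user submissions" is to escape text before it becomes HTML. The following is an added example, not code from the course notes; the comment rows are constructed stand-ins for what a stored-XSS attack leaves in a database. In the browser, `new DOMParser().parseFromString(html, 'text/html')` yields an inert document in which scripts do not run, but nodes copied from it into the live page still need an allowlist sanitizer, because event-handler attributes fire once the nodes are inserted.

```javascript
// Added example (not part of the course notes): escaping user submissions
// before they become HTML, so a stored or reflected payload is displayed as
// text rather than executed. Runs under Node.js; no browser DOM needed.

// The characters that can change meaning in HTML text or in a quoted
// attribute value, and their entity replacements.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: the comment read back from the database is pasted
// straight into the markup, so every visitor's browser parses it as HTML.
function renderCommentUnsafe(comment) {
  return `<li class="comment">${comment}</li>`;
}

// Hardened rendering: same template, but the comment is escaped first.
// (In browser code the equivalent is `el.textContent = comment`, never innerHTML.)
function renderCommentSafe(comment) {
  return `<li class="comment">${escapeHtml(comment)}</li>`;
}

// Constructed sample rows: the second is a stored-XSS payload.
const STORED_COMMENTS = [
  'Nice article!',
  '<script>alert(document.cookie)</script>',
];

// Rough detector used only to make the difference observable: does the
// rendered output still contain a raw <script tag?
function hasRawScriptTag(html) {
  return /<script/i.test(html);
}

for (const c of STORED_COMMENTS) {
  console.log('unsafe:', renderCommentUnsafe(c));
  console.log('safe:  ', renderCommentSafe(c));
}
```

Escaping is context-specific: the table above is right for element text and quoted attribute values, but a value placed inside a URL, a `<script>` block or a CSS property needs that context's own encoding, which is why the notes point to off-the-shelf sanitizers and templating engines that escape by default.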
CSP
CSRF Defense
token
The page comes first, then the request
Prevent the user's credentials from being sent along: SameSite Cookie
SameSite
Injection
- Find every place in the project where SQL is queried
- Use prepared statements
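The two steps above, as an added example that is not code from the course notes: a grep-style helper for the first step, then the login query behind a form built both ways. No database is connected; the functions only build queries, in the `{ text, params }` shape that drivers such as mysql2's `execute(sql, params)` accept. The table, column names and the injected input are constructed for the demo.

```javascript
// Added example (not part of the course notes): finding string-built SQL, and
// the concatenated query beside its prepared-statement form.

// Step 1 audit helper: flag source lines that build SQL with template
// interpolation or string concatenation. A heuristic; review each hit by hand.
function looksLikeConcatenatedSql(sourceLine) {
  return /\b(SELECT|INSERT|UPDATE|DELETE)\b.*(\$\{|['"`]\s*\+|\+\s*['"`])/i.test(sourceLine);
}

// Vulnerable: the request fields become part of the SQL text, so a quote
// character in them changes the statement's structure.
function buildLoginQueryUnsafe(username, password) {
  return `SELECT id FROM users WHERE username = '${username}' AND password = '${password}'`;
}

// Step 2, prepared statement: placeholders in the text, values passed
// separately. The driver hands them to the database as data, never as SQL.
function buildLoginQuerySafe(username, password) {
  return {
    text: 'SELECT id FROM users WHERE username = ? AND password = ?',
    params: [username, password],
  };
}

// Placeholders only bind values. An identifier chosen by the user (sort
// column, table name) cannot be bound, so it must come from an allowlist.
const SORTABLE_COLUMNS = new Set(['created_at', 'username']);
function buildUserListQuery(sortColumn) {
  if (!SORTABLE_COLUMNS.has(sortColumn)) {
    throw new RangeError(`unsupported sort column: ${sortColumn}`);
  }
  return { text: `SELECT id, username FROM users ORDER BY ${sortColumn}`, params: [] };
}

// Constructed request field: a tautology plus a comment marker.
const INJECTED_USERNAME = "' OR 1=1 --";

console.log(buildLoginQueryUnsafe(INJECTED_USERNAME, 'x'));
console.log(buildLoginQuerySafe(INJECTED_USERNAME, 'x'));
```

The unsafe builder turns the constructed input into a WHERE clause that is always true and comments out the password check; the safe builder's text never changes and the same string travels in `params`, where the database treats it as a username that happens to contain quotes.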
Injection beyond SQL
HTTP Strict-Transport-Security (HSTS)
HTTPS features
Proactively upgrade HTTP to HTTPS
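The server-side half of the upgrade, as an added example that is not code from the course notes: plain-HTTP requests are redirected to HTTPS, and HTTPS responses carry the HSTS header so the browser performs the upgrade itself on later visits, alongside the CSP mentioned under XSS defence. The request shape `{ isSecure, host, url }`, the one-year max-age and the policy values are constructed for the demo.

```javascript
// Added example (not part of the course notes): redirect-to-HTTPS plus the
// HSTS and CSP response headers. Request shape and header values are
// constructed for this demo.

const ONE_YEAR = 60 * 60 * 24 * 365;

function securityHeaders() {
  return {
    // For a year, the browser rewrites http:// to https:// for this host and
    // its subdomains before sending, and refuses to bypass certificate errors.
    'Strict-Transport-Security': `max-age=${ONE_YEAR}; includeSubDomains`,
    // Scripts only from our own origin; no plugins; no <base> tag hijacking;
    // no framing by other sites.
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'",
    'X-Content-Type-Options': 'nosniff',
  };
}

// Build the response for a normalised request.
function respond(req) {
  if (!req.isSecure) {
    // Browsers ignore HSTS received over plain HTTP, so the only useful
    // answer here is a permanent redirect to the HTTPS origin.
    return { status: 301, headers: { Location: `https://${req.host}${req.url}` } };
  }
  return { status: 200, headers: securityHeaders(), body: 'hello over TLS' };
}

// Behind a TLS-terminating proxy the request reaches Node as plain HTTP, so
// X-Forwarded-Proto is the only signal; trust it only when the proxy you
// control is the one setting it.
function fromNodeRequest(nodeReq) {
  const forwarded = nodeReq.headers['x-forwarded-proto'];
  return {
    isSecure: Boolean(nodeReq.socket && nodeReq.socket.encrypted) || forwarded === 'https',
    host: nodeReq.headers.host,
    url: nodeReq.url,
  };
}

console.log(respond({ isSecure: false, host: 'example.test', url: '/login' }));
console.log(respond({ isSecure: true, host: 'example.test', url: '/login' }));
```

To wire it up, pass `fromNodeRequest(req)` into `respond` inside an `http.createServer` handler and copy the returned status and headers onto the response. Start with a short max-age while verifying that every subdomain serves HTTPS correctly, because once the browser has cached a long policy a broken certificate on any covered host is hard-failed rather than warned about.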
https://bytedance.feishu.cn/file/boxcn9L4YzmTK3mwE3tIBL2UVme