Common front-end security vulnerabilities

XSS: cross-site scripting attack

Take "Article Publishing System" as an example

  • After inputting the string into the input box, use v-html to render it into HTML and display it on the current page.

  • When the input is a script tag, the JS inside the script element is not executed when it is inserted this way:

    <script>alert(document.cookie)</script>
    
  • When the input uses the onerror callback of an img tag, however, the cookie pops up:

    <img src="test" onerror="alert(document.cookie)">
    
  • After the article is published, it is saved in the database. When other users browse this article, their own cookie pops up (and the user ID may be stored in it).

  • If the injected code is instead a malicious ajax request, the user's information is sent to a third-party website.

  • Solution: escape special characters (< is escaped to &lt;, > is escaped to &gt;) -> or use the xss package -> call xss(htmlString)

  • However, XSS attacks are ever-changing; eliminating them completely with ad hoc escaping in application code alone is very troublesome. Browsers therefore offer a mechanism that addresses XSS at the root: CSP.

CSP is the abbreviation of Content Security Policy.

The CSP policy is similar to the whitelist approach mentioned above: developers must tell the client explicitly which scripts may be executed. Parsing and enforcement are done by the client; all the developer needs to do is tell the browser the rules for executable scripts.
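The escaping step described above, as an added example that is not part of the original post: the two payloads from the text are rendered once the way v-html does it and once as escaped text. The function names and the five-character escape set are this example's own choice.

```python
import html

# The two payloads quoted in the text above, embedded here as constructed test input.
SCRIPT_PAYLOAD = "<script>alert(document.cookie)</script>"
IMG_PAYLOAD = '<img src="test" onerror="alert(document.cookie)">'


def escape_html(untrusted: str) -> str:
    """Turn markup characters into entities so the browser shows them as text.

    The text above mentions < and >; & must be escaped too (otherwise entities
    already in the input are re-interpreted), and both quote styles so the result
    is also safe when placed inside a double- or single-quoted attribute value.
    """
    return (untrusted.replace("&", "&amp;")
                     .replace("<", "&lt;")
                     .replace(">", "&gt;")
                     .replace('"', "&quot;")
                     .replace("'", "&#x27;"))


def render_with_v_html(body: str) -> str:
    """VULNERABLE: what v-html / innerHTML does; the body is parsed as markup."""
    return f"<article>{body}</article>"


def render_as_text(body: str) -> str:
    """HARDENED: the body is escaped first, so any tag in it is displayed literally."""
    return f"<article>{escape_html(body)}</article>"


def round_trips(body: str) -> bool:
    """Escaping must be lossless: a standard unescape gives the original input back."""
    return html.unescape(escape_html(body)) == body
```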

CSRF / XSRF: cross-site request forgery attack

  • The src of the img tag can cross domains:

    <img src="https://www.baidu.com/img/PCtm_d9c8750bed0b3c7d089fa7d55720d6cf.png">

When this image is loaded, the request to Baidu also carries the cookies stored for Baidu's domain.

  • CSRF is the acronym for Cross-Site Request Forgery. It refers to exploiting the victim's authentication information (cookies, sessions, etc.) that has not yet expired: the victim is tricked into clicking a malicious link or visiting a page containing attack code, and, without the victim's knowledge, a request carrying that authentication information is sent to the server in the victim's name, completing an unauthorized operation (such as a transfer or a password change).

  • The difference between CSRF and XSS

    • Many people wonder how this differs from an XSS attack. We look at the difference in terms of attack methods and defences.
    • CSRF and XSS can be understood as classifications along two different dimensions. XSS is one way of implementing CSRF, and it is customary to call CSRF implemented through XSS "XSRF".
  • Examples of CSRF attack principles

    • A CSRF attack forges a request in the victim's name and sends it to the attacked site without the victim's knowledge, so that an operation protected by permissions is performed without authorization.
    1. For example, the victim Zhang San has a deposit in the bank. By sending the request http://bank.example/withdraw?account=张三&amount=1000000&for=张三2 to the bank's website, Zhang San can transfer 1,000,000 of the deposit to the account of Zhang San 2.
    2. Normally, after the request reaches the website, the server first verifies that the request comes from a legal session and that the session's user, Zhang San, has successfully logged in.
    3. The hacker Li Si also has an account at the bank, and he knows that the URL above transfers money.
    4. Li Si can send a request to the bank himself: http://bank.example/withdraw?account=张三&amount=1000000&for=李思.
    5. But this request comes from Li Si, not Zhang San, so it cannot pass the authentication check and has no effect. At this point Li Si thinks of a CSRF attack. He first builds a website of his own and places the following code on it: <img src="http://bank.example/withdraw?account=张三&amount=1000000&for=李思">, then lures Zhang San to visit the website through advertisements.
    6. When Zhang San visits the website, this URL is sent from Zhang San's browser to the bank, and the request goes to the bank server together with the cookie in Zhang San's browser. In most cases the request fails, because it needs Zhang San's authentication information. But if Zhang San happens to have visited his bank shortly before, the session between his browser and the bank's website has not yet expired, and the browser's cookie contains Zhang San's authentication information.
    7. Then tragedy strikes: the URL request is accepted, and the money is transferred from Zhang San's account to Li Si's account, while Zhang San knows nothing about it at the time. Later, Zhang San finds less money in his account; even if he goes to the bank to check the logs, he only finds that there was indeed a legitimate request from himself to transfer the funds, with no trace of an attack. And Li Si gets the money and gets away with it.
  • Solution

    1. Require a second confirmation, such as an SMS verification code.
    2. Use POST rather than GET for the operation.
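The bank scenario above, as an added example that is not part of the original post: a simulated /withdraw handler that applies the "use POST" solution and, beyond the two solutions listed, a per-session CSRF token (a widely used complementary defence). The session store, cookie name, token format and status strings are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed server-side session store: cookie value -> logged-in state.
SESSIONS = {"sess-zhangsan": {"user": "张三", "csrf_token": secrets.token_hex(16)}}
BANK = "http://bank.example"


def handle_withdraw(method, url, cookies, form=None):
    """Server side of the bank's /withdraw endpoint; returns an HTTP status string."""
    form = form or {}
    if urlsplit(url).path != "/withdraw":
        return "404"
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return "401"                       # the session check the text describes
    # Defence from the text: a state change is never accepted over GET, so an
    # <img src=...> or a plain link can no longer trigger it.
    if method != "POST":
        return "405"
    # Added defence: the form must carry a token bound to this session. A page on
    # another origin cannot read the bank's page, so it cannot supply the token.
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf_token"]):
        return "403"
    if form.get("account") != session["user"]:
        return "403"                       # may only move money out of one's own account
    return f"200 {form['amount']} moved from {form['account']} to {form['for']}"


def forged_get_via_img():
    """Zhang San's browser loads Li Si's image tag: GET, cookie attached, no token."""
    return handle_withdraw("GET", BANK + "/withdraw?account=张三&amount=1000000&for=李思",
                           cookies={"session": "sess-zhangsan"})


def forged_post_without_token():
    """A cross-site form submission: POST and cookie, but the token is unknown."""
    return handle_withdraw("POST", BANK + "/withdraw", cookies={"session": "sess-zhangsan"},
                           form={"account": "张三", "amount": "1000000", "for": "李思"})


def legitimate_post():
    """The bank's own form: the token was rendered into the page for this session."""
    token = SESSIONS["sess-zhangsan"]["csrf_token"]
    return handle_withdraw("POST", BANK + "/withdraw", cookies={"session": "sess-zhangsan"},
                           form={"account": "张三", "amount": "1000000", "for": "张三2",
                                 "csrf_token": token})
```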

SSRF: server-side request forgery

Intranet resources are reached from the external network through a web service that forwards the request.

  • Request to the web service interface: www.xxx.com/test?url=dict://10.1.10.2

  • Backend business logic: return getUrlContent(url)

  • The web service and the intranet sit in the same network environment, so a client can bypass the firewall and reach intranet resources simply by changing the parameter of the public web service.

  • SSRF attacks typically target internal systems that cannot be reached from the external network. Most SSRF arises because the server offers a feature that fetches data from other server applications without filtering or restricting the target address: for example, fetching the text of a web page from a given URL, loading an image from a given address, or downloading a file.

  • Read files using the file protocol

  • Use the dict protocol to check open ports

  • Common filters

    • Filter all links that do not start with http://xxx.com
    • Filter links in the format of IP, such as 127.0.0.1
    • Require the URL to end with an allowed suffix
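The three filters above, as an added example that is not part of the original post: a URL validator for a "fetch by URL" feature that allowlists scheme, host and suffix by parsing the URL, plus a second check on the resolved address. The allowlisted host img.xxx.com, the suffix list and the function names are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the only host and file types the "load image by URL" feature needs.
ALLOWED_HOSTS = {"img.xxx.com"}
ALLOWED_SUFFIXES = (".png", ".jpg", ".gif")


def is_safe_fetch_url(url: str) -> bool:
    """Accept only http(s) URLs to an allowlisted host with an expected suffix.

    The decision is made on the parsed host, not on a string prefix: a prefix test
    like startswith("http://xxx.com") is satisfied by URLs whose real host is elsewhere.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):        # drops file://, dict://, gopher://, ...
        return False
    host = parts.hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)                   # any IP literal is refused outright
        return False
    except ValueError:
        pass                                         # a hostname, not an address
    if host.lower() not in ALLOWED_HOSTS:
        return False
    try:
        port = parts.port
    except ValueError:                               # malformed port
        return False
    if port not in (None, 80, 443):
        return False
    return parts.path.lower().endswith(ALLOWED_SUFFIXES)


def is_public_ip(ip_text: str) -> bool:
    """Second gate for the address the allowlisted name actually resolves to
    (a name may point at an internal range); call it after DNS resolution, and
    connect to the checked address rather than resolving a second time."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)
```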

Clickjacking

  • ClickJacking is a form of visual deception. There are roughly two forms:

    • In the first, the attacker overlays a transparent iframe on a web page and induces users to operate on that page; the user then clicks inside the transparent iframe page without knowing it (e.g. tricking Tieba users into following an account; XSS via iframe).
    • The second is that the attacker uses an image to cover the web page, blocking the original location of the web page;
      • Image overlay attack (Cross Site Image Overlaying): the attacker uses one or more images and, through the image's style or controllable CSS, overlays them on the web page, producing click hijacking. The picture itself may carry deceptive content, so the deception can succeed even without the user clicking.
      <a href="http://tieba.baidu.com/f?kw=%C3%C0%C5%AE">
          <img src="XXXXXX" style="position:absolute;top:90px;left:320px;" />
      </a>
      
    • Third-party websites referenced through iframes
  • Clickjacking is an attack that many people pay little attention to: it requires inducing users to interact with the page, so the attack cost is higher, and developers may dismiss it as something only careless users fall for and so ignore this attack method.

  • I often click "next chapter" while reading novels and always jump to some xxx website.

  • Solution:

    • Modify the web server configuration to add the X-Frame-Options response header. It takes one of three values:
    1. DENY: the page cannot be embedded in any iframe or frame.
    2. SAMEORIGIN: the page can only be embedded in an iframe or frame by a page of the same website.
    3. ALLOW-FROM uri: the page can only be embedded in a frame of the specified domain.
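The three X-Frame-Options values above, as an added example that is not part of the original post: a function that applies the header the way a browser evaluates it for a framed page (RFC 7034 semantics), checked against an unprotected response and a hardened one. The header dictionaries and origins are constructed for the example; Tieba is used as the framed page only because the text names it.

```python
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """scheme://host[:port], lower-cased: the value a same-origin comparison uses."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def framing_allowed(response_headers: dict, page_url: str, top_url: str) -> bool:
    """Would a browser render page_url inside a frame on the top-level document top_url,
    given the response headers page_url was served with?"""
    value = None
    for name, v in response_headers.items():
        if name.lower() == "x-frame-options":
            value = v.strip()
    if value is None:
        return True                       # weak default: any site may embed the page
    directive, _, arg = value.partition(" ")
    directive = directive.upper()
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return origin_of(page_url) == origin_of(top_url)
    if directive == "ALLOW-FROM" and arg.strip():
        # Defined in RFC 7034 but treated as an invalid value by current browsers;
        # per-origin allowing is done today with the CSP frame-ancestors directive.
        return origin_of(arg.strip()) == origin_of(top_url)
    return True                           # unrecognised value: the header is ignored


# Constructed responses: the unprotected page beside the hardened one.
WEAK_HEADERS = {"Content-Type": "text/html"}
HARDENED_HEADERS = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}
```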

SQL injection

  • Introduction to SQL injection
    SQL injection is the most common and simplest vulnerability in websites. The main cause is that, when programmers develop the code through which users interact with the database, they do not filter, escape, limit or otherwise process the strings entered by users, so that data in the database can be obtained illegally by entering carefully constructed strings.

  • Principle of SQL Injection
    The SQL statement used by general user login is:

SELECT * FROM user WHERE username='admin' AND password='passwd'

Here admin and passwd are the username and password entered by the user. If the programmer does not process the entered username and password, a "universal password" can be constructed that bypasses the login check. If the user enters ''or 1# as the username, the SQL statement becomes:

SELECT * FROM user WHERE username=''or 1#' AND password=''

''or 1 evaluates to TRUE, and # comments out everything after it, so the query executes successfully and the login check is bypassed.

  • Solution
  1. Check the data type and format of each variable
  2. Use precompiled (prepared) SQL statements
  • The difference between # and $ in MyBatis:
    1. # treats the incoming data as a string and automatically adds double quotes around it.
    2. $ inserts the incoming data directly into the generated SQL.
    3. The # method prevents SQL injection to a great extent; the $ method cannot prevent it.
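The login query above run both ways, as an added example that is not part of the original post: string concatenation (the behaviour of MyBatis ${}) beside a precompiled statement with placeholders (the behaviour of MyBatis #{}), using an in-memory SQLite database with one constructed row. SQLite starts comments with -- where MySQL also accepts #, so the universal-password input is adapted accordingly; the format check is this example's own choice.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database holding the user table the text's query reads (constructed row)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT, password TEXT)")
    conn.execute("INSERT INTO user VALUES ('admin', 'passwd')")
    return conn


def login_concat(conn, username: str, password: str) -> list:
    """VULNERABLE: the statement from the text assembled by string concatenation
    (what MyBatis ${} does). User input becomes part of the SQL grammar."""
    sql = f"SELECT * FROM user WHERE username='{username}' AND password='{password}'"
    return conn.execute(sql).fetchall()


def login_prepared(conn, username: str, password: str) -> list:
    """HARDENED: a precompiled statement with placeholders (what MyBatis #{} does).
    The values travel separately from the SQL text and cannot change its structure."""
    sql = "SELECT * FROM user WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchall()


USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def is_valid_username(username: str) -> bool:
    """Solution 1 from the text: check type and format before the value reaches SQL."""
    return bool(USERNAME_RE.match(username))


# The universal password from the text, adapted: SQLite comments start with "--"
# (MySQL also accepts "#"); a space is added after the quote for readability.
# Concatenated, the query reads: ... WHERE username='' or 1--' AND password=''
UNIVERSAL_PASSWORD_INPUT = "' or 1--"
```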


Origin blog.csdn.net/uotail/article/details/124718957