Front-end security (1) file upload vulnerability attack and defense

References:

Front-end security - XSS attacks

Some common web security issues in large front-end development

1 Cross-site scripting (XSS attacks)

XSS (Cross-Site Scripting): an attacker injects malicious HTML or JS code into a site that has an XSS vulnerability. When other users browse the site, this code is executed automatically, which achieves the purpose of the attack, such as stealing the user's cookie, destroying the page structure, or redirecting to other websites.

Under the protection of the same-origin policy in modern browsers, cross-domain behavior in the browser is restricted, and in terms of how an XSS vulnerability is attacked, the word "cross-site" is actually not necessary.

XSS attacks classification

XSS attacks are common Web attacks, whose key points are "cross-site" and "client-side execution." Some people divide XSS attacks into three types, namely:

  1. Reflected XSS (reflection-based XSS attacks)

  2. Stored XSS (storage-based XSS attacks)

  3. DOM-based or local XSS (DOM-based or local XSS attacks)

Reflected XSS (reflection-based XSS attacks)

This is a Web attack that relies mainly on a script returned by the site's server, which is then triggered and executed on the client.

For example:

1. In the search box, enter "<script>alert('I want to attack')</script>" as the search content and click Search.
2. The front-end page does not filter the returned data and displays it directly on the page, so the string pops up in an alert.
3. If the alert is replaced with malicious code, it can obtain the user's cookie, address, account and password, or redirect the user to a phishing site, and so on.

Security measures:

1. When the front end displays data from the server, not only does tag content need to be filtered and escaped; attribute values may need it as well.

2. When the back end receives a request, it verifies whether the request is an attack request and blocks the attack.

Tag:
<span><script>alert('Handsome Boy')</script></span>

Escaped:
<span>&lt;script&gt;alert(&#39;Handsome Boy&#39;)&lt;/script&gt;</span>

 

Stored XSS

In a stored XSS attack, the attacker publishes a post/article containing a malicious cross-domain script, so that the script is stored on the server; every visit to the stored post/article then triggers execution of the malicious script.

Prevention:

  1. The server must do the filtering, since front-end checks can be bypassed.

  2. When the server does not check, the front end should filter possible malicious scripts in various ways, e.g. script tags, and convert special characters to HTML encoding.
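The escaping described in the reflected and stored XSS measures above, as an added JavaScript example that is not code from the original post: the same search-result template rendered without and with escaping, for both tag content and an attribute value. The function names, the template and the sample inputs are constructed for illustration.

```javascript
// Added example; function names and sample inputs are constructed.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a value for element content or for a double-quoted attribute value.
// A single pass avoids re-escaping the '&' of an entity produced earlier.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Before: the search term is concatenated into the markup unchanged.
function renderUnsafe(term) {
  return '<span>Results for ' + term + '</span>' +
         '<input name="q" value="' + term + '">';
}

// After: same template, every interpolation escaped (tag content and attribute).
function renderSafe(term) {
  const t = escapeHtml(term);
  return '<span>Results for ' + t + '</span>' +
         '<input name="q" value="' + t + '">';
}

// Count the characters that delimit tags and quoted attribute values.
function markupChars(html) {
  return (html.match(/[<>"]/g) || []).length;
}

// Rendering an empty term yields only the template's own markup; any extra
// delimiter in the output came from user data and changed the page structure.
function dataAlteredMarkup(render, term) {
  return markupChars(render(term)) !== markupChars(render(''));
}

// Constructed inputs: the post's script string, and a value with a quote
// that would end the attribute early and add a new attribute.
const TAG_INPUT = "<script>alert('Handsome Boy')</script>";
const ATTR_INPUT = 'a" title="injected';

for (const input of ['front-end security', TAG_INPUT, ATTR_INPUT]) {
  console.log(JSON.stringify(input),
    'unsafe altered:', dataAlteredMarkup(renderUnsafe, input),
    'safe altered:', dataAlteredMarkup(renderSafe, input));
}
```

This escaping covers element content and quoted attribute values only; values placed inside script blocks, style blocks or URLs need their own encoding rules.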

DOM-based or local XSS

WiFi traffic hijacking - JS script cache poisoning

A man-in-the-middle can obtain the data, and since HTTP is transmitted in the clear, it is very likely to be stolen.

Prevention: Use HTTPS

 

2 Cross-site request forgery (CSRF attack)

Web security: CSRF attacks

3 SQL injection attacks

Prevent SQL injection attacks - study notes

4 File upload vulnerability

File upload vulnerability attack and defense

 

 


Origin www.cnblogs.com/houfee/p/11123442.html