Web security strategies

I. XSS (cross-site scripting) attacks

  1. An XSS attack has two steps:

    (1) the attacker submits malicious code;

    (2) the browser executes the malicious code.

  2. Classification of XSS attacks

    By where the malicious code comes from, XSS attacks fall into three types: stored, reflected, and DOM-based:

    Stored XSS
      Storage area: back-end database
      Insertion point: HTML
      Precautions:
        1. pure front-end rendering, keeping code and data separate
        2. fully escape HTML

    Reflected XSS
      Storage area: URL
      Insertion point: HTML
      Precautions: same as stored XSS

    DOM-based XSS
      Storage area: back-end database / front-end storage / URL
      Insertion point: front-end JavaScript
      Precautions:
        1. avoid methods such as .innerHTML, .outerHTML and document.write()
        2. inline event handlers in the DOM (onclick, onerror, onload, onmouseover, etc.), the href attribute of <a> tags, and JavaScript's eval(), setTimeout(), setInterval(), etc. can run a string as code, so take care when using them


  Stored XSS

  Steps of a stored XSS attack:

  1. The attacker submits malicious code to the target site's database.
  2. When a user opens the target site, the site's server reads the malicious code out of the database, splices it into the HTML, and returns it to the browser.
  3. The user's browser parses and executes the response, and the malicious code mixed into it is executed as well.
  4. The malicious code steals user data and sends it to the attacker's site, or impersonates the user and calls the target site's interfaces to perform arbitrary actions.

  This kind of attack is common in site features that save user-submitted data, such as forum posts, product reviews, and private messages.

  Reflected XSS

  Steps of a reflected XSS attack:

  1. The attacker constructs a special URL that contains malicious code.
  2. When a user opens the URL containing the malicious code, the site's server takes the malicious code out of the URL, splices it into the HTML, and returns it to the browser.
  3. The user's browser parses and executes the response, and the malicious code mixed into it is executed as well.
  4. The malicious code steals user data and sends it to the attacker's site, or impersonates the user and calls the target site's interfaces to perform arbitrary actions.

  The difference between reflected and stored XSS is that in stored XSS the malicious code lives in the database, while in reflected XSS it lives in the URL.

  Reflected XSS vulnerabilities are common in features that take parameters from the URL, such as site search and redirects.

  Because the attack only works if the user actively opens the malicious URL, attackers often combine various techniques to induce users to click.

  POST content can also trigger reflected XSS, but the trigger conditions are demanding (a form-submission page must be constructed and the user guided to click), so it is very rare.
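Both stored and reflected XSS rely on step 2 above, the server splicing user data into HTML. The following added example (not code from the original post) shows that splice in its vulnerable form next to the "fully escape HTML" precaution from the table; the sample input is constructed for the demo.

```javascript
// Escape the five characters that change meaning inside HTML text or inside a
// quoted attribute value. '&' must be replaced first so it is not re-escaped.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: code and data are concatenated. Whether the value came from the
// database (stored XSS) or the query string (reflected XSS) makes no difference.
function renderSearchUnsafe(query) {
  return '<p>Results for: ' + query + '</p>';
}

// Hardened: the same template, but the user-controlled value is escaped at the
// exact point where it enters the HTML.
function renderSearchSafe(query) {
  return '<p>Results for: ' + escapeHtml(query) + '</p>';
}

// Attribute context: the value must be quoted AND escaped; escaping alone does
// not help if the attribute is left unquoted.
function renderInputSafe(value) {
  return '<input type="text" name="q" value="' + escapeHtml(value) + '">';
}

// Constructed sample resembling a hostile forum post or search term.
const SAMPLE = '<script>alert(1)</script>';

function demo() {
  return {
    unsafe: renderSearchUnsafe(SAMPLE),  // tag survives, browser executes it
    safe: renderSearchSafe(SAMPLE),      // rendered as literal text
    attr: renderInputSafe('" onmouseover="x'),
  };
}
```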

  DOM-based XSS

  Steps of a DOM-based XSS attack:

  1. The attacker constructs a special URL that contains malicious code.
  2. The user opens the URL containing the malicious code.
  3. The user's browser parses and executes the response; the front-end JavaScript extracts the malicious code from the URL and executes it.
  4. The malicious code steals user data and sends it to the attacker's site, or impersonates the user and calls the target site's interfaces to perform arbitrary actions.

  The difference between DOM-based XSS and the two types above: in a DOM-based XSS attack, extracting and executing the malicious code is done entirely by the browser, so it is a security flaw in the front-end JavaScript itself, whereas the other two are server-side security flaws.
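The table above lists the href attribute of <a> tags as a DOM sink: a link target taken from the URL or from stored data runs as code when clicked if its scheme is javascript:. The following added example (not code from the original post) is a front-end check for that sink; the base URL https://example.com/ is a hypothetical stand-in for the page's own location.

```javascript
// Schemes that are safe to place in an href. Anything else (javascript:,
// data:, vbscript:, ...) is replaced by the fallback.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Returns a URL that is safe to assign to element.href, or the fallback.
// Parsing with the WHATWG URL class normalises case and strips tabs, newlines
// and surrounding whitespace, so obfuscated schemes such as "JaVaScRiPt:" or
// "java\tscript:" are recognised instead of slipping past a naive
// startsWith('javascript:') check.
function safeHref(input, fallback = 'about:blank') {
  let url;
  try {
    // Relative links ("/profile", "?q=1") resolve against the page's own
    // origin; in the browser this base would be document.baseURI.
    url = new URL(String(input), 'https://example.com/');
  } catch (e) {
    return fallback; // unparsable input is never assigned to href
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : fallback;
}

// How the check would be applied to a value read from the URL fragment.
// The sink is a.href; the source is user-controlled text from location.hash.
function linkFromFragment(hash) {
  const target = decodeURIComponent(String(hash).replace(/^#/, ''));
  return safeHref(target);
}
```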

  Other prevention strategies:

    Avoid loading code from outside the domain; forbid cross-domain submission; HttpOnly cookies; verification codes (captchas); limit input length; require specific types for form data.

II. CSRF (cross-site request forgery)

  A typical CSRF attack goes as follows:

  • The victim logs in to a.com and keeps the login credential (a cookie).
  • The attacker lures the victim into visiting b.com.
  • b.com sends a request to a.com: a.com/act=xx. The browser carries the a.com cookie by default.
  • a.com receives the request, verifies it, confirms that the credential is the victim's, and mistakes the request for one sent by the victim.
  • a.com performs act=xx in the victim's name.
  • The attack is complete: without the victim's knowledge, the attacker has impersonated the victim and made a.com perform an operation of the attacker's choosing.

  1. Common attack types:

    (1) GET request: for example, using an image to issue an HTTP request, which carries the cookie

<img style="width:0;" src="https://www.test.com/xxx" />

    (2) POST request: automatically submitting a hidden form, for example

<form action="https://www.test.com/xxx" method="POST">
    <input type="hidden" name="account" value="xiaoming" />
    <input type="hidden" name="amount" value="10000" />
</form>
<script> document.forms[0].submit(); </script>

    (3) URL attack: requires inducing the user to click manually

<a href="https://www.test.com/xxx" target="_blank">
  9999 blades, divine-tier equipment, top divine pets, the server is open!!
</a>

  2. Characteristics

  • The attack is generally launched from a third-party site, not from the attacked site itself, so the attacked site cannot prevent the attack from being launched.
  • The attack uses the victim's login credential on the attacked site to commit operations while posing as the victim; it does not steal data directly.
  • Throughout the process the attacker never obtains the victim's login credential, only "borrows" it.
  • Cross-site requests can be made in many ways: image URLs, hyperlinks, CORS, form submission, and so on. Some of these can be embedded directly in third-party forums or articles, which makes them hard to trace.

  3. Protection strategies

    Based on the characteristics of CSRF:

  • CSRF (usually) originates from a third-party domain.
  • A CSRF attack cannot read the cookie or other information; it can only use it.

  Protection strategies follow from this:

  • Block access from unknown outside domains
    • Same-origin check
    • SameSite cookie
  • Require additional information that only this domain can obtain to be submitted with the request
    • CSRF token
    • Double cookie verification
    • Verification code


  Same-origin check: inspect the request's Origin and Referer headers and block requests coming from domains outside the whitelist, except for requests that fetch HTML pages.

  SameSite cookie: a cookie attribute. Strict: the cookie is not carried on any cross-site request, not even on a page navigation. Lax: the cookie is carried if the request navigates (changes the current page or opens a new page) and is also a GET request. SameSite cookies do not support subdomains.

  Token: the request carries a random token. The token must be random so that an attacker cannot guess it. It may be a random number generated by the server, a random string, or an encrypted signature generated from the user id plus a timestamp.

  Double cookie verification: the request carries its own cookie and also splices the cookie value into the request parameters, and the server compares the two (a CSRF attack can carry the cookie but cannot read it). However, a subdomain can modify the cookie: an attacker who controls a subdomain can change the cookie and defeat double cookie verification.

  Verification code: use a captcha, or something similar such as a payment password, at key operations.


  Other precautions:

  • Strictly manage posting interfaces so that unexpected content (such as HTML) cannot be uploaded.
  • Add the header X-Content-Type-Options: nosniff to prevent attacker-uploaded resources (such as images) that contain HTML from being interpreted as a page.
  • For user-uploaded images, make a copy or validate them; do not link directly to an image URL the user filled in.
  • When the current user opens a link filled in by another user, inform them of the risk (this is one reason many forums do not allow direct outside-domain links in content: not only to keep users on the site, but also for safety).


Source: www.cnblogs.com/fqlGlog/p/11408486.html