This is the fourth day of my participation in the August Text Challenge.More challenges in August

This note documents web development security knowledge from both attack and defense perspectives.

Attack the article

XSS

XSS Cross Site Scripting (XSS) is called Cross Site Scripting (XSS) for short to differentiate it from CSS. XSS attack refers to a method by which hackers inject malicious scripts into HTML files or DOM to attack users when they browse pages.

Some features of XSS:

  • It’s often hard to sense from the UI (execute scripts secretly)
  • Stealing user information (Cookie/Token)
  • Draw the UI (such as a popover) and trick the user into clicking/filling out a form

A simple example: An XSS attack occurs when a hacker submits a malicious script when we expect the user to enter normal content in the content.

    <div>${content}</div>
    content:`<script>alert("XSS")</script>`
Copy the code

The original code becomes:

    <div>
        <script>alert("XSS")</script>
    </div>
Copy the code

XSS can be divided into storage TYPE XSS, reflection type XSS, DOM based XSS attack and mutation-based XSS

Type stored XSS

This attack is a malicious script stored in the database and when the user accesses the page, the server reads the data from the client. A malicious script can upload the user’s Cookie data to the hacker’s server using XMLHttpRequest or Fetch. This TYPE of XSS is harmful and globally visible.

Reflective XSS

This approach does not involve the database, from the URL attack. For example, add malicious code to the REQUEST URL sent to the server, and the server sends the malicious code back to the client. Therefore, do not click on links from unknown sources.

DOM based XSS

In this way, the server is not required to participate in the launch and execution of malicious attacks are completed in the browser, generally by hijacking HTML files for tampering.

mutation-based XSS

Take advantage of the browser rendering DOM feature (unique optimization), by browser attack

CSRF

Cross-site Request Forgery (CSRF) : Cross-site request forgery. It refers to the cross-site request initiated by hackers using the user’s login status when they open unidentified websites with us. Without the knowledge of the user, the user authority, that is, cookie and other information is used to construct specified HTTP requests to steal or modify sensitive user information.

Injection attack

SQL injection

SQL injection is one of the most common network attacks. The background receives data entered by users and uses the data in SQL statements. If the filtering is not strict, malicious code will be injected into your SQL language.

For example, in common password verification, SQL statements like this

    Select id From users Where user_id=' ' And password=' '
Copy the code

When the password is 1’or’1’=’1 ‘, the SQL statement becomes

    Select id From users Where user_id=' ' And password='1'or'1'='1'
Copy the code

If the query result of the SQL statement is always true, functions such as login without an account can be implemented. Even worse, delete the database directly.

In addition, there are other injection methods, such as CLI, OS Command, and SSRF(Server-side Request Forgery). Strictly speaking, this SSRF is not an injection attack, but the principle is similar and is generally used to attack Intranet systems.

DoS

Denial of Service (DoS) is to prevent the computer or network from providing normal services. Somehow, the server becomes too depleted to respond to any more requests, leading to a request squeeze and an avalanche effect.

ReDoS: DoS based on regular expressions

Regular expressions use greedy mode, not applicable? When the number matches the number, the attacker can construct special strings to consume a lot of system resources of the server, causing service interruption or stop of the server.

Distributed DoS(DDoS)

In a flood attack, a large number of zombie devices receive requests in a short period of time. As a result, the server cannot complete all requests in a timely manner, resulting in the accumulation of requests and the avalanche effect, and the server cannot respond to new requests. Features direct access to IP, use arbitrary apis, and consume a lot of bandwidth.

Man-in-the-middle attack

For example, when HTTP is used for plaintext transmission, the attacker can easily hijack and tamper with the data. In this case, neither the client nor the server can verify the identity of the other party, but they believe that the middleman is the other party. Hence the introduction of HTTPS protocol.

Defense article

Defense XSS

The first rule is never trust a user’s submission and never convert it directly into the DOM. There are a number of tools in the field to help us defend against XSS attacks. The main front-end frameworks defend against XSS by default. Google also provides a javascript library to defend against XSS attacks, Google – Closure – Library. A server (Node) can use DOMPurify. DOMPurify removes all content that contains dangerous HTML to prevent XSS attacks and other malicious behavior.

There are several situations to avoid:

  • You have to generate the DOM dynamically, so string generates the DOM
  • Allow users to upload SVG because SVG can have script tags embedded
  • Allows users to customize jump links, also can be embedded code
  • Allows users to customize styles

If you must use it, filter it.

The same-origin policy

Same-origin indicates that the protocol, domain name, and port of two urls are the same.

At the DOM level, the same-origin policy restricts how JavaScript scripts from different sources can read and write to the current DOM object.

At the data level, the same origin policy restricts the sites of different sources to read the Cookie, IndexDB, and LocalStorage data of the current site.

At the network level, the same origin policy restricts the sending of a site’s data to a site from a different source through methods such as XMLHttpRequest.

CSP

The simplest solution to cross-site attacks would have been to ban cross-site resource requests altogether, but this would have made web applications difficult to develop, so the browser made a partial concession and allowed third-party resources to be embedded in the page. This, of course, raises security issues, hence the INTRODUCTION of CSPS.

Content-security-policy (CSP) is an additional Security layer used to detect and weaken certain types of attacks, including cross-site scripting and data injection attacks.

The core idea of CSP is to let the server decide what resources the browser can load and whether the browser can execute inline JavaScript code.

We can add CSP to the server’s response header, introducing the self tag:

Browser meta tags introduced:

Defense CSRF

Due to CSRF attack, CSRF vulnerability must exist on the website and the user must have the login status of the website. Hackers need to launch attacks through third-party sites. So we have three kinds of defense:

  • Limit the source of the request and validate the origin and referrer
  • Use the token to authenticate users
  • Take full advantage of the SameSite property of cookies by disallowing certain critical Cookie data to be sent to the server.

Set the user binding at this point because the user can be an attacker himself. There is also an expiration date to prevent hackers from using previous data.

Defends against IFrame attacks

You can useX-Frame-Options. This type of attack involves nesting a transparent and invisible page with an iframe, allowing the user to unknowingly click where the attacker wants to trick the user into clicking.

Defends against anti-pattern attacks, preventing post and GET from being written together.

Defense against the DoS

Conduct code review with less greedy mode regex. Code scan, re performance test, and refuse to use regular expressions provided by users. Common methods are:

  • Traffic management
  • Load balancing
  • API gateway
  • CDN
  • Rapid automatic capacity expansion
  • Non-core services are degraded

Defending against man-in-the-middle attacks

HTTPS is used for TLS security authentication. Symmetric encryption is used to encrypt transmitted data and asymmetric encryption is used to transfer keys. In order to verify the server, CA certificate and digital signature are introduced.

Make a note of recommended readings for the class:

  • Amazon.com: Web Application Security:Exploitation and Countermeasures for Modern Web Applications (9781492053118): Hoffman, Andrew: Books

  • SameSite those things | grace red compound (imnerd.org)

  • Something that popped into my head about Web security. Issue #32. AngusFu/diary (github.com)

  • What_ is_ a_ DDoS_ Attack?