The environment

  1. npm install
  2. The editor I use is VSCode (with the self-installed Code Runner plug-in for running server.js)

XSS attacks

Reflected XSS attack

  1. Go to the XSS directory and run server.js (this starts the local server)
  2. Access localhost:3000/login.html in the browser
  3. Logging in with a wrong username/password (for example 123/123) redirects to: http://localhost:3000/error?type=<script>alert('malicious content')</script>; the type parameter is written into the page unescaped, so the script runs
  4. Logging in with the correct credentials Yvette/Yvette redirects to: http://localhost:3000/welcome?type=<script>alert('malicious content')</script>; the URL still carries the malicious script, but this page escapes it before output, so it is rendered as text and does not execute

DOM-based XSS attack

  1. Access localhost:3000/after.html in the browser

  2. Enter 2222 followed by a script payload into the input box (the same kind of payload as in the stored XSS example below); the page inserts the input into the DOM unescaped, so the script runs

    Of course, if the victim is logged in, the script can also steal cookies and other information, or quietly load additional JS files. Scary.

  3. Escaping the input before it is inserted into the DOM prevents the attack

Stored XSS attack

  1. Access localhost:3000/comments.html in the browser
  2. Commenting requires being logged in; if you are not, you are redirected to the login page
  3. Enter a comment: 2222<script>alert(1)</script>
  4. The malicious script is stored on the server without being escaped, so every user who visits the page executes it
  5. To prevent stored XSS, filter or escape the string at every layer: front-end input filtering, server-side filtering, and front-end output escaping. In a word: don't trust anyone!
  6. Access localhost:3000/comments2.html in the browser and enter the comment 2222<script>alert(1)</script>; nothing pops up, because the input is filtered
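The three XSS demos above all hinge on one thing: whether untrusted text is escaped before it is put into HTML. The following is an added example, not code from this repo; its function names are hypothetical, and it uses the README's own payload 2222<script>alert(1)</script> plus a constructed second payload to show why a filter that only strips script tags (the "string filtering" of step 5) is weaker than escaping on output.

```javascript
// Added example, not code from this repo: an HTML-escaping helper and the
// vulnerable-vs-escaped rendering that the reflected and stored demos contrast.
// Function names are hypothetical; PAYLOAD is the payload used in the README.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape untrusted text for an HTML element body or a quoted attribute value.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Reflected XSS: the error page echoes ?type=... into the HTML.
function renderErrorVulnerable(type) {
  return `<p>Error: ${type}</p>`;              // a script in `type` executes
}
function renderErrorSafe(type) {
  return `<p>Error: ${escapeHtml(type)}</p>`;  // the script is shown as text
}

// Stored XSS: comments are saved verbatim; escaping on output makes the stored
// payload harmless for every later visitor.
const comments = [];
function addComment(user, text) {
  comments.push({ user, text });
}
function renderCommentsVulnerable() {
  return comments.map((c) => `<li><b>${c.user}</b>: ${c.text}</li>`).join('');
}
function renderCommentsSafe() {
  return comments
    .map((c) => `<li><b>${escapeHtml(c.user)}</b>: ${escapeHtml(c.text)}</li>`)
    .join('');
}

// Input "filtering" that only strips <script> tags: the common first attempt.
// It stops the README payload but not an event-handler payload such as
// <img src=x onerror=alert(1)>, which is why escaping on output is the real fix.
function naiveScriptFilter(text) {
  return text.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '');
}

// Rough check: does the HTML still contain a raw script tag or an on* handler?
function looksExecutable(html) {
  return /<script\b/i.test(html) || /<\w+[^>]*\son\w+\s*=/i.test(html);
}

const PAYLOAD = '2222<script>alert(1)</script>';   // from the README
const BYPASS = '<img src=x onerror=alert(1)>';      // constructed bypass payload

// Walk through each case and return which renderings still execute.
function demo() {
  addComment('Yvette', PAYLOAD);
  return {
    reflectedVulnerableExecutes: looksExecutable(renderErrorVulnerable(PAYLOAD)), // true
    reflectedSafeExecutes: looksExecutable(renderErrorSafe(PAYLOAD)),             // false
    storedVulnerableExecutes: looksExecutable(renderCommentsVulnerable()),        // true
    storedSafeExecutes: looksExecutable(renderCommentsSafe()),                    // false
    filteredPayloadExecutes: looksExecutable(naiveScriptFilter(PAYLOAD)),         // false
    filteredBypassExecutes: looksExecutable(naiveScriptFilter(BYPASS)),           // true
    escapedBypassExecutes: looksExecutable(escapeHtml(BYPASS)),                   // false
  };
}

console.log(demo());
```

Run it with node; the only case the script-tag filter lets through is the onerror payload, while escapeHtml neutralizes both because it never emits a raw `<` at all.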

CSRF attacks

Steal your money:

  1. Go to the CSRF directory and run server.js on port 3001 (Code Runner works)
  2. In a terminal: node server2.js, port 3002
  3. Access http://localhost:3001/ in the browser; if you are not logged in, you are redirected to the login page
  4. Log in with Loki/Loki and you can see that the Loki account has a balance of 100,000 (10W)
  5. Loki is logged in and the session cookie is set. At this point someone sends you a link to a phishing page: http://localhost:3002/fish.html. You click it and your money is stolen
  6. Loki's money was transferred to Yvette's account without Loki noticing
  7. Scary, isn't it?
  8. But a bank website whose security is done properly does not fall for this, so don't panic

Defense

Note: safe1.html/safe2.html/safe3.html and fish1.html/fish2.html/fish3.html differ only in which transfer endpoint they request.

  1. Captcha [poor user experience]

    Uses svg-captcha (already among the installed dependencies)

    Endpoint: api/transfer1

  • Access http://localhost:3001/safe1.html in the browser; after logging in, a captcha is required for each transfer
  • Now, after you have logged in, I lure you to the phishing page http://localhost:3002/fish1.html. Your money cannot be transferred, because the server requires the captcha code that only you can see; the forged request carries no code, or a wrong one, so no transfer happens
  2. Referer check [not a reliable protection: the Referer can be absent, and clients outside a browser can set it to anything]

    Endpoint: api/transfer2

  • Access http://localhost:3001/safe2.html in the browser and log in (Loki/Loki)
  • Now, after you have logged in, I lure you to the phishing page http://localhost:3002/fish2.html. Your money cannot be transferred, because the server checks where the request came from, sees that the Referer is localhost:3002, and refuses the transfer
  3. Token [transparent to the user]

    Endpoint: api/transfer3

  • Access http://localhost:3001/safe3.html in the browser and log in (Loki/Loki)
  • Now, after you have logged in, I lure you to the phishing page http://localhost:3002/fish3.html. Your money cannot be transferred, because the server requires a token that was issued to your page on localhost:3001; the phishing page on localhost:3002 cannot read it, so its request arrives without a valid token and is refused