1. Attacks and defenses

1.1 XSS

Cross-Site Scripting (XSS) is one of the most common attacks. An attacker injects malicious script into a page viewed by a user, and the script is executed automatically when the user views the page. When React or a similar framework is used, injected content is escaped automatically unless special action is taken (such as dangerouslySetInnerHTML). Escaped tags are parsed as strings rather than executed as scripts.

There are two common types:

  • Non-persistent (reflected) XSS: the malicious content is returned by a back-end interface or taken from an untrusted source such as user input or URL parameters, and rendered into the page.
  • Persistent (stored) XSS: the malicious code is submitted through a form or similar channel, stored in the database, and later rendered directly by the front end.

Countermeasures include:

  • Restrict the sources from which page content (especially scripts) may be loaded to servers you control, for example with a CSP
  • Escape all DOM insertions.

1.2 CSRF

The attack process of Cross-Site Request Forgery (CSRF) is as follows:

  • The user logs in to website A, which returns authentication information (for example a cookie)
  • The user then visits website B, which returns attacking content such as an image tag pointing at website A. Without the user’s knowledge, the browser automatically attaches the authentication information when it requests website A
  • If website A takes no precautions, it treats the request as a legitimate action by the user on the basis of that authentication information.

Preventive measures:

  • Verify the Referer header
  • Add related HTTP headers
  • Use authentication methods other than cookies

1.3 SQL injection

SQL injection is caused by user input that is not properly validated or escaped before it is used in a query.

1.4 DDoS attacks

DDoS (Distributed Denial of Service) overloads resources with a large number of requests, making the service unavailable. Defenses can mitigate it but not fully prevent it, for example:

  • Limit the number of requests from a single IP
  • Shut down or restrict services exposed to the outside world
  • Add capacity and load balancing

1.5 Traffic Hijacking

Traffic hijacking includes DNS hijacking and HTTP hijacking. DNS hijacking means that the DNS server resolves a domain name to a malicious website, which may be the result of malware on the computer changing the DNS configuration. HTTP hijacking is when a man-in-the-middle tampers with the HTTP response and modifies the returned page; the defense is to use HTTPS.

2. Other Strategies

2.1 HTTPS

HTTPS adds a TLS encryption layer on top of HTTP, see here

When an HTTPS page requests a resource over HTTP, the page is called a mixed content page. In this case the page is only partially encrypted: a script obtained over HTTP can change the behavior of the HTTPS page and leak information, so browsers block mixed content from loading.

2.2 Cookie security settings

Cookies have several security options that should be set when they are used, see here

2.3 Same-Origin Policy

Reference here

2.4 CSP

The same-origin policy ensures security by preventing non-same-origin resources from loading, while the CSP ensures security by restricting which content may run on the page.

Content Security Policy allows the server to add a Content-Security-Policy header that specifies how different resources may be loaded, which can effectively mitigate XSS.

For example, you can specify where the script tag may be loaded from (which origins, etc.) or how it may be used (whether inline scripts or eval are permitted, etc.)
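To make the script-src rules above concrete, here is an added example (not from the original page) of a minimal evaluator that reads a Content-Security-Policy header and decides whether an inline script, an eval() call, or an external script URL would be permitted. The policy string, page origin and the function names are constructed for this illustration; nonces, hashes and 'strict-dynamic' are not modelled.

```javascript
// Added example: a minimal evaluator for the CSP script-src directive.
// Simplifications (assumptions of this example): nonces, hashes and
// 'strict-dynamic' are not modelled, and path parts of host sources are ignored.

const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Return the source list of a named directive, or null if it is absent.
function directive(header, name) {
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === name) {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Does one source expression ('self', "https:", "https://cdn.example.com",
// "*.example.com") match the external script URL?
function sourceMatches(expr, url, pageOrigin) {
  if (expr === "'self'") return url.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(expr)) return url.protocol === expr; // scheme source
  const m = expr.match(/^([a-z][a-z0-9+.-]*):\/\/(.+)$/);
  const scheme = m ? `${m[1]}:` : null;
  const [host, port] = (m ? m[2] : expr).split('/')[0].split(':');
  if (scheme && scheme !== url.protocol) return false;
  if (port && port !== '*' && port !== (url.port || DEFAULT_PORT[url.protocol])) return false;
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1)); // wildcard subdomain
  return host === url.hostname;
}

// request is { kind: 'inline' }, { kind: 'eval' } or { kind: 'external', url }
function scriptAllowed(header, request, pageOrigin) {
  // script-src governs scripts; without it default-src applies; with neither, CSP imposes no limit.
  const sources = directive(header, 'script-src') ?? directive(header, 'default-src');
  if (sources === null) return true;
  if (sources.includes("'none'")) return false;
  if (request.kind === 'inline') return sources.includes("'unsafe-inline'");
  if (request.kind === 'eval') return sources.includes("'unsafe-eval'");
  const url = new URL(request.url);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Constructed sample policy: same-origin scripts and one CDN, eval permitted, no inline scripts.
const POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com 'unsafe-eval'";
const PAGE_ORIGIN = 'https://app.example.com';

console.log('inline allowed:', scriptAllowed(POLICY, { kind: 'inline' }, PAGE_ORIGIN));
console.log('cdn allowed:', scriptAllowed(POLICY, { kind: 'external', url: 'https://cdn.example.com/app.js' }, PAGE_ORIGIN));
```

With the sample policy, an inline script is blocked while a script from the listed CDN over HTTPS is allowed; the same CDN over plain HTTP is rejected because the scheme does not match.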