This article describes various types of security attacks and mitigating them.
Clickjacking
performance
Clickjacking attacks allow malicious pages to click on “victimized sites” in the user’s name.
implementation
- After the user logs in to weibo,
weibo.comthecookiesContains login information. - A user visits a malicious page (perhaps clicking on an AD or otherwise);
- Malicious pages embedded in a transparent
<iframe>, itssrcFrom theweibo.com; - The page seduces the user to click on one
<button>In fact, the user is clicking on the overlay from<iframe>The “like” button of weibo 👍;
defense
useSamesite cookiefeatures
Cookies with the SameSite feature are only sent to a web site if the web site is opened directly (not by iframe or other means). If the site has the Samesite feature in the cookie, it looks like this: set-cookie: authorization=secret; SameSite =Lax, this kind of cookie will not be sent when you open a Tweet in another website’s iframe, the tweet fails to log in, and the attack fails.
XSS(Cross-Site Scripts)
Cross-site scripting attacks: XSS because CSS is easily confused with style sheet abbreviations;
performance
The attacker injects malicious JS code into the website.
source
- The information generated from the user is not cleaned at the back end. It is directly spliced into HTML and returned to the client.
- From URL: front-end or back-end from
url query,url hashConcatenate directly read parameters into HTML.
classification
XSS attacks fall into three categories: stored (also known as persistent), reflective (also known as non-persistent), and DOM-based.
-
Stored XSS attack
- The attack code comes from user input, such as comments and message functions.
- Injected scripts are permanently stored on the target server. Then, when the browser sends a data request, the victim retrieves the malicious script from the server.
-
Reflex XSS attack
- The attack code comes from the URL
- When a user opens a URL with malicious code, the server takes the malicious code out of the URL, splices it into HTML and returns it to the browser.
-
DOM based XSS attack
- The attack code comes from the URL
- When a user opens a URL with malicious code, the front-end JavaScript picks up the malicious code in the URL and executes it.
- Obtaining and executing malicious code is completed by the browser, which is a security vulnerability of front-end JS code itself.
defense
- Switch to pure front-end rendering, separating code from data;
- Fully escape HTML;
- Do not concatenate untrusted data into a string and pass it to JS execution;
- use
CSPSecurity policy; - use
Samesite Cookies,HttpOnlyEven if it is injected with malicious code, the attacker cannot get itCookie;
CSRF(Cross-Site Request Forgery)
performance
- The user logs in to the bank’s website
bank.com.bank.comUnder thecookiesThe user login is storedtoken; - Users visited malicious sites
evil.com.evil.comThe form is set up in the web page evil.comtobank.comA request was sent:bank.com?payfor=22000&to=xoyimi. Browsers carry it by defaultbank.comthecookies.bank.comUpon receipt of the request, the request is validated and identified as the victim’s credentials, mistaking it for a request sent by the victim himself.bank.comExecuted on behalf of the victimpayfor=22000&to=xoyimi.
way
Requests can be sent through image urls, hyperlinks, CORS, Form submissions, and everything else.
defense
- Verify the HTTP
RefererandOriginRequest header; - Customize attributes in HTTP headers and validate or use them
CSRF-TokenTechnology (because third-party sites only send cookies, not custom headers); - in
CookieSet in thesameSite=[Lax|Strict], Chrome 51 and above can enable this feature; - Instead of adding, deleting, or modifying a GET request,
sameSite=LaxThe form GET request is sent by defaultCookie;
Tips: plan 1,2: prevent hackers from cooperating with XSS attacks to obtain same-origin script execution permission;
Here’s a look at SameSite Cookies
Chrome 80 defaults to SameSite=None. SameSite=Lax is enabled by default for Chrome 80 and later. Writing SameSite alone equals SameSite=Strict. It’s worth noting that Firefox and Safari don’t have SameSite=Lax on by default and still need to set it manually.
| Cross-site request type | The sample | None | Lax | Strict |
|---|---|---|---|---|
| Page jump | <a href="..." ></a> |
Send a Cookie | Send a Cookie | Don’t send |
| Page jump | window.open() |
Send a Cookie | Send a Cookie | Don’t send |
| Page jump | Change the location |
Send a Cookie | Send a Cookie | Don’t send |
| Page jump | <form method="GET" action="..." > |
Send a Cookie | Send a Cookie | Don’t send |
| Page jump | <form method="POST" action="..." > |
Send a Cookie | Don’t send | Don’t send |
| Preload (prejump) | <link rel="prerender" href="..." /> |
Send a Cookie | Send a Cookie | Don’t send |
| In-page cross-site request | <iframe src="..." > |
Send a Cookie | Don’t send | Don’t send |
| In-page cross-site request | <img src="..." > |
Send a Cookie | Don’t send | Don’t send |
| In-page cross-site request | ajax (withCredentials:true) |
Send a Cookie | Don’t send | Don’t send |
| In-page cross-site request | fetch (credentials:include) |
Send a Cookie | Don’t send | Don’t send |
It is worth noting that even though the Ajax/FETCH declaration carries credentials, cookies are not sent under SameSite=[Lax/Strict].
And CSRF wordy ~
All of these are cross-station situations.
Citation:
- Developers.google.com/search/blog…
- SameSite Updates (chromium.org)
- “SameSite” | Can I use… Support tables for HTML5, CSS3, etc