In the Internet era, data security and personal privacy has always been a concern of everyone. How can we better protect our data? As the saying goes, only by knowing yourself and knowing your opponent can you win a hundred battles. So let’s first understand the types and principles of various attacks in Web security. 🤗

preface

After reading this article you will harvest (a little bit more content, suggested collection ⭐ to see)

• Front-end security most attack types and prototype analysis

See 👇 for details.

Cross-Site Scripting(XSS)

Cross-site scripting (XSS) attacks, where attackers maliciously insert their scripts into our pages for execution

Some features of XSS

• It’s often hard to sense from the UI (execute scripts covertly)
• Steal users’ information (cookie/token) and send malicious requests to users without their knowledge.
• Draw the UI (such as a popover) and trick the user into clicking/filling out a form

XSS principle

An attacker inserts malicious executable script codes into a Web page, and the malicious script is executed when the user browses the page, thus stealing user information or violating other security privacy of the user

Stored XSS

Stored attack

• Malicious scripts are stored in the database
• Access page → Read data == attack
• Maximum damage, visible to all users

It usually exists in interactive functions such as Form submission, such as article message and text information submission, etc. Attackers take advantage of XSS vulnerability to submit content to the database for persistent storage through normal functions. When the front end page gets the injection code read from the database by the back end, it just renders it for execution.

Take nuggets comments for example. If it has a stored XSS vulnerability, I type the following comments under an article and the site will display what I typed. If the comment text contains HTML tags, they are added to the source code of the page; In particular, any script tags will run when the page loads.

This way, when someone else loads a page with my comment, my script tag runs and steals another user’s authorization cookie, sending it to the server I specify for collection. (Obviously the Nuggets were defensive, so nothing happened. 🧐)

This is just a simple example, XSS attacks are not easy to succeed, it needs to be satisfied

• POST request to submit the form without escaping it directly into the library.

• The back-end retrieves data from the database without escaping it and outputs it directly to the front-end.

• The front-end takes the back-end data and renders it directly into the DOM without escaping it.

Reflected XSS

Reflexive attacks (aka non-persistent)

• No database involved
• Attack from the URL

Let’s look at an example,

The page now has an input box for submitting the name, which is immediately parsed and rendered directly to the page when submitted to the server.

Without any protection, we can inject the script directly through this input box and complete an XSS attack

Currently I directly input the script script, submit the time, the script is executed, only this looks like did not see what harm 🤔

So let’s write it another way, and now we know that this address accepts name and has no protection, if we inject name with this code

And then the user clicks on this link that we’ve modified and what happens?

It takes all of the user’s cookies and sends them to www.cgisecurity.com/cgi-bin/cookie.cgi, so that all of that user’s information has been stolen.

If you test script directly in the browser, script may not work, because most browsers now block and filter the insertion of dangerous tags such as script

Since you are inserting an image, the browser will not normally filter the blocking, and then nullify SRC to trigger onError, and the malicious script will be executed indirectly.

A reflection attack is an attack that the injected script reflects off the Web server, such as an error message, search results, or any other response that includes some or all of the input sent to the server as part of the request. Reflex attacks take another route to the victim, for example in an email or on other web sites. When a user is tricked into clicking a malicious link, submitting a special form, or even just browsing a malicious site, the injected code spreads to a vulnerable site and reflects the attack back to the user’s browser. The browser then executes the code because it comes from a “trusted” server.

Reflective XSS attacks are characterized by their immediacy. They do not need to be stored on the server. They can be attacked by cleverly constructing a URL with malicious code and then directing the user to click to visit

DOM-based XSS

Based on DOM

• No server is required
• The launch of malicious attacks + execution, all completed in the browser

To start with an example, suppose the following code is used to create a form that lets users choose their preferred language. The default language is also provided in the query string as the parameter “default”.

The page is invoked using a URL, such as:

A DOM-based XSS attack on the page can be done by sending the victim the following URL:

When the victim clicks on the link, the browser sends a request:

To www.some.site. The server responds with a page containing the above Javascript code. The browser creates a DOM object for the page, where the document.location object contains the string:

The original Javascript code in the page does not want the default parameters to contain HTML tags, so it simply decodes them at run time and echoes them into the page (DOM). The browser then renders the resulting page and executes the attacker’s script:

And if you look at this, isn’t this the same kind of reflexivity as up here? 🤨

First of all, from the link between the two examples, the structure is exactly the same, but what if we changed it this way? Change the number to #

When you try to do this, you find that Reflected XSS does not work, but DOM-based XSS attacks still work.

The browser does not send URI fragments (the part of the URI after the “#”) to the server

Differences between Reflected XSS and DOM-based XSS

The difference between Reflected XSS and DOM-based XSS is where the injection script is done. In A DOM-based XSS attack, malicious data does not touch the Web server. Instead, it is fully reflected in the client side by JavaScript code.

Mutation-based XSS

Mutant XSS, also known as mXSS

Mutation, a word from genetics, gene mutation.

• Takes advantage of the browser’s DOM rendering feature (unique optimization)

• Different browser, will be different (attack by browser)

Both server-side and client-side XSS filters assume that the filtered HTML source code should be the same as the HTML code rendered by the browser, or at least not significantly different.

However, if the user-supplied rich text enters the innerHTML attribute through javascript code, some unexpected changes can make this assumption invalid: A seemingly innocuous string of HTML code escapes the XSS filter and ends up in the innerHTML of a DOM node, where the browser’s rendering engine renders innocuous HTML code into potentially dangerous XSS attack code. This attack code may then be output into the DOM by some other process in the JS code or rendered again in some other way, resulting in the execution of XSS.

This attack process, which results in XSS because HTML content unexpectedly changes as it enters innerHTML, is called mutated XSS

There are several types of mXSS. Let’s take a look at some of them. For more information, see this article 👉 fp170.pdf

3.1 Backtick Characters breaking Attribute Delimiter Syntax

MXSS caused by backquotes breaking property boundaries

As you can see, the mutated form becomes an effective XSS attack

3.3 Backslashes in CSS Escapes causing StringBoundary Violation

MXSS caused by backslash escape in CSS

In CSS, characters can be escaped using \, for example: Property :’v \61 lue’ for property:’value’, where 61 is the ASCII (hexadecimal) code of the letter A. Unicode can also be used after \, for example: \20AC for €. Normally, this escape should not be a problem.

However, some modern browsers break the promise of security implied by the correct and standards-driven use of CSS escapes. In particular, this occurs when accessing the innerHTML attribute of the parent element. We observe a behavior that translates an escape into its canonical representation. The sequence attribute: ‘val\27ue’ causes innerHTML to represent the attribute: ‘val’ue’. An attacker can abuse this behavior by injecting arbitrary CSS code hidden in a properly referenced and escaped CSS string. In this way, you can bypass HTML filters that check for valid code that meets the standards

3.4 Misfit Characters in Entity Representation breaking CSS Strings

MXSS caused by double quoted entities or escapes in the CSS

In some browsers, characters in a CSS string are used, and the rendering engine converts them to single quotes, regardless of whether the two characters look unrelated. This means that the sequence of \22, “, “and” characters will be converted to ‘characters when accessed by innerHTML.

The reason for this surprising behavior can only be speculated on. One possible explanation is that \22 was first decoded as “, but the browser rendering engine changed “to” further to avoid this, considering that double quotes close the style attribute. Of course, this also means that, in addition to \22, \0022, HTML entities such as:

" " & # 34;Copy the code

Such double quotation marks can cause this problem.

3.5 CSS Escapes in Property Names standing entire HTML Structure

MXSS caused by escape in CSS property names

These are all cases in CSS property values that, if used in CSS property names, force some browsers into completely different behavior;

As you can see, we have the escaped content embedded in the name of the font-family property. After the mutation, \22 is decoded back into double quotes and the style property is closed, so we can execute javascript code via the onload event. Note that =, parentheses, etc., also need to be escaped. We can also close the img tag by adding \3e after \22 and insert our own HTML tag after that.

Example of Mutation-based XSS attack excerpted from the following document (good English recommended to read the original, if any error in the comment section)

👉 fp170. PDF

👉mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations

Cross Site Request Forgery (CSRF)

Cross-site request forgery

CSRF is an attack designed to trick victims into submitting malicious requests. It inherits the identity and privileges of the victim to perform unwanted functions on behalf of the victim.

CSRF characteristics

• Without the user’s knowledge
• Leverage user permissions (cookies)
• Constructs a specified HTTP request to steal or modify sensitive user information

CSRF attack flow

For example

User received an email, there is A link in the email to users to click on links, jump to the malicious page B, B in the malicious page to A sent A request, the request at this time will be A unique Cookie with A domain name, domain name in A server receives the request, to verify the Cookie, found to be legitimate users, The next request is made and a successful result is returned.

In the whole process

• The user does not access page A
• A specific interface on page A is requested
• Request executed successfully

This is a cross-site forgery request

CSRF of the GET type

For example

If the application is designed to use primarily GET requests to transfer parameters and perform operations, the remittance operation might be simplified to the following request

Hacker 😈 has now decided to exploit this Web application vulnerability using John 😇 as a victim. Hacker first exploits the vulnerability to build the following URL, which transfers $100,000 from Zhang SAN’s account to Hacker’s account. [hacker] uses the original command URL and replaces the payee name with your own, while significantly increasing the amount of the transfer:

When [Joe] logs in to the banking application and induces him to click on a malicious URL, it usually does this

• Send unsolicited E-mail with HTML content
• Planting exploit urls or scripts on pages that victims might visit while doing online banking

The vulnerability exploits urls that can masquerade as a regular link and encourage victims to click on it, such as a raffle link

Or as a false image of 0x0 to [Zhang SAN]

If this image tag is included in the email, Zhang SAN will not see anything. However, the browser still submitted a remittance request to Bank.com, and without Zhang’s knowledge, his money was transferred! 🥶

CSRF of the POST type

The only difference between GET and POST attacks is how the victim performs the attack. Suppose the bank now uses POST and the vulnerable request looks like this:

This type of request cannot be passed via an A tag link or an IMG tag, but can be passed using a FORM tag:

This form will ask the user to click the submit button, but this can also be done automatically using JavaScript:

So the money gets transferred again without the victim knowing! 🥶 🥶 🥶

Different from XSS

• CSRF is generally implemented by XSS, and is often referred to as XSRF (CSRF can also be implemented by direct command line requests, etc.).
• Essentially, XSS is a code injection problem and CSRF is an HTTP problem. XSS is content that is not filtered causing the browser to execute the attacker’s input as code. CSRF is because the browser automatically carries cookies when sending HTTP requests, and most websites’ sessions are stored in cookies.

Injection

injection

SQL Injection

SQL injection is the execution of malicious SQL commands by inserting SQL commands into query strings for Web form submissions or page requests.

For a common login, the form code is as follows

The SQL statement on the back end might look like this

But if there is a malicious attacker input user name is admin’ –, password input freely, you can directly log in to the system, why?

Because the expected SQL statement is

But a malicious attacker with a strange username changes your SQL statement to the following form

In SQL,’ — means close and comment, — means comment after, so the query statement becomes

Injection is not limited to SQL

In addition to SQL injection, there may be some command injection attacks, such as

• CLl
• OS command
• Server-side Request Forgery(SSRF), a Server Forgery Request
  • Strictly speaking, SSRF is not injection, but the principle is similar

A command injection attack can send commands to the Shell to get the Windows or Linux command line to start a program. That is, command injection attacks can execute various programs installed on the operating system.

Suppose you need to implement a requirement that the user submit something to the server, and then execute some system command on the server to return a result to the user

If params repo incoming is https://github.com/admin/admin.github.io.git can really from the specified git repo download on to want the code. But if params. Repo incoming is https://github.com/xx/xx.git && rm – rf / * &&, your service is just with root access on the bad.

Denial of Service(DoS)

Denial of Service (DoS). A Denial of Service caused by a remote server is called a DoS attack. The purpose is to make the computer or network unable to provide normal service

In some way (by constructing a specific request), the server becomes so consumed that it cannot respond to any more requests, resulting in a crush of requests and an avalanche effect.

ReDoS: DoS based on regular expressions

According to the greedy pattern of the regular expression, the response time of the interface becomes longer because the regular expression cannot be matched all the time

Distributed DoS(DDoS)

Distributed Denial of Service (DDOS) attacks are Distributed Denial of Service (DDOS) attacks. Is a method of DoS attack.

It refers to the use of client/server technology to unite multiple computers as an attack platform to launch DDoS attacks on one or more targets, thereby multiplying the power of denial of service attacks. Prevent legitimate users from accessing normal network resources so as to achieve the unspeakable purpose of attackers. DDoS attacks use zombie hosts to send a large number of legitimate network packets to victims. As a result, network congestion or server resource exhaustion result in denial of service.

That is, in a short period of time, a large number of requests from zombie devices, the server cannot complete all the requests in time, resulting in the accumulation of requests, and then the avalanche effect, unable to respond to new requests.

Attack characteristics

• Direct access IP
• Any API
• Consume a lot of bandwidth (run out)

The SYN attack

DDOS attacks are a specific form of DDOS attacks.

In the three-way handshake, after the server sends a SYN-ACK, the TCP connection before it receives an ACK from the client is called half-open connect. The server is in the SYN_RCVD state. The server changes to ESTABLISHED only after receiving the ACK.

In a SYN attack, the attacking client forges a large number of non-existent IP addresses in a short period of time and sends SYN packets repeatedly to the server. The server replies with an acknowledgement packet and waits for the client’s confirmation.

Because the source address does not exist, the server needs to continuously resend until timeout. These forged SYN packets occupy the unconnected queue for a long time, and normal SYN requests are discarded, resulting in slow running of the target system, or even network congestion and system breakdown in serious cases.

For example

What will a group of bullies do to try to shut down a competing store across the street? (For example only, do not imitate)

Bullies, posing as ordinary customers, have been crowding rivals’ shops, hanging on while real shoppers have not been allowed in; Or always and the salesperson have a take a take of the east pull west pull, so that the staff can not normal service customers; It can also provide false information for the operators of shops. After busy up and down the shops, they find that they are all in vain, and finally lose the real big customers and suffer heavy losses.

In addition, bullies sometimes can’t do these things by themselves, so they need a lot of people. DoS and DDoS attacks in network security follow these ideas.

The transport layer (MITMattack)

Man-in-the-middle attacks (MITM attacks).

An attacker creates an independent connection with the two ends of the communication and exchanges the data they receive. The two ends of the communication think they are talking to each other directly through a private connection, but in fact the whole conversation is completely controlled by the attacker. In a man-in-the-middle attack, an attacker can intercept a conversation and insert new content.

To put it bluntly, the browser and the server think they are talking to each other, but in fact a middleman has stepped in to steal information or modify requests.

To use the analogy of writing letters in everyday life:

You write a letter to a friend, and the postman can open every letter you send, even change the content of the letter, and then re-seal it, and send it to your friend.

After a friend receives a letter to reply to you, the postman can open it and read it, and then change it, and then send it to you.

You have no idea that the mail you send and receive is being handled and processed by a “middleman” called the postman

In other words, the postman is invisible to you and your friend.

There are roughly two types of man-in-the-middle attacks

• Wi-fi deception.The attacker creates a fake Wi-Fi access point with the same name as the local free Wi-Fi
• HTTPS to cheat.Attackers trick our browsers into thinking we’re visiting a trusted site
• SSL hijacked.When we try to connect or access insecureWhen you visit HTTP://, the browser redirects itself to the secure HTTPS://. At this point, an attacker can hijack the redirection process and embed a link to a home-built server
• DNS cheat.Make the browser URL conversion anomaly, thus accessing some malicious addresses
• Email hijacking

Why are middlemen allowed to carry out this attack?

1, all the requested information is transmitted in clear text, who can see

2. The recipient is unaware that the requested information has been tampered with

3. The parties have not verified each other’s identity

conclusion

Cross-site scripting (XSS), where attackers maliciously insert their scripts into our pages for execution;

• 1) Stored XSS, that is, malicious scripts will be Stored in the database
• 2) Reflected XSS, also known as non-persistent because they are not stored in the database, but attack from the URL
• 3) DOM-based attacks (DOM-based XSS), do not need the participation of the server, the launch and execution of malicious attacks, all completed in the browser; The launch of malicious attacks + execution, all completed in the browser
• 4) Mutation-based XSS attacks, targeted attacks against browsers based on DOM rendering features of browsers, such as breaking property boundaries with backquotes, escaping property values/property names in CSS, etc

The main difference between reflective and DOM based is where the injection script is done

Cross-site request forgery (CSRF) induces users to open hacker websites, steal users’ login information, and impersonate users’ identities for malicious operations.

• 1) CSRF of GET type
• 2) POST CSRF

The difference between GET and POST attacks is how does the victim perform the attack

The difference between cross-site scripting (XSS) and cross-site request forgery (CSRF) is essentially that XSS is a code injection problem and CSRF is an HTTP problem.

Injection attack Injection

• 1) SQL injection attacks that end up executing malicious SQL commands by inserting SQL commands into query strings for Web form submissions or page requests
• 2) Command injection attack

Denial of Service (DoS) attack. A Denial of Service attack that causes a remote server to fail to provide normal services on the computer or network

Distributed Denial of Service (DDOS) attacks

MITM (man-in-the-middle attack) a Man-in-the-MiddleAttack that targets the transport layer

twitter

Analyzing various kinds of Web attacks is to enable us to better defend against them. W (゚ д ゚) W! (All the above examples are only for example, do not imitate 👻)

References: Cross Site Scripting (XSS) DOM Based XSS XSS Filter Evasion Cheat Sheet Cross-site scripting The Cross-Site Scripting (XSS) Cross-site Request Forgery Cross site Request Forgery (CSRF)

If any of the above is wrong, please point out in the comments section!

---

If there is a harvest, leave a thumbs-up to encourage it! 🍜