“This is the 15th day of my participation in the First Challenge 2022. For details: First Challenge 2022”

Introduction

Knowledge of Web security is something we must learn when we enter this industry; after all, web attacks are everywhere. This post introduces 7 common web attacks, their impact, and prevention measures.

Main text

XSS

XSS (Cross-Site Scripting) is abbreviated XSS rather than CSS only because CSS already stands for Cascading Style Sheets. Cross-site scripting is an attack that runs illegal HTML tags or JavaScript in the browser of a registered user of a Web site that has a security vulnerability.

The following impacts may occur:

  • Use fake input forms to trick users into handing over personal information.
  • Use a script to steal the user’s Cookie value; the victim unknowingly helps the attacker send malicious requests.
  • Display a fake article or image.

Prevention measures:

  • Set the X-XSS-Protection response header
  • Set the HttpOnly attribute on cookies so client-side script cannot read them
  • CSP (Content Security Policy)
  • Escape characters
  • Whitelist
  • Blacklist
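
The "escape characters" and "whitelist" measures above, as an added example that is not code from the original post: a contextual HTML escaper, a comment renderer shown in its vulnerable and hardened forms, and an allow-list check for a field with a known shape. The username rule and the sample comment body are constructed for the example.

```javascript
// Added example (not from the original post): output escaping for the HTML
// text context. Characters that can open a tag or attribute become entities,
// so user-supplied text is rendered as text instead of parsed as markup.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable "before": the comment body is concatenated straight into markup,
// so a body containing a tag with an event handler runs in every viewer's browser.
function renderCommentUnsafe(author, body) {
  return `<p class="comment"><b>${author}</b>: ${body}</p>`;
}

// Hardened "after": every untrusted value is escaped for the context it lands in.
function renderCommentSafe(author, body) {
  return `<p class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</p>`;
}

// Whitelist (allow-list) validation for a field with a known shape.
// Hypothetical rule: letters, digits and underscores only, 3 to 20 characters.
function isValidUsername(name) {
  return typeof name === 'string' && /^[A-Za-z0-9_]{3,20}$/.test(name);
}

// Constructed sample input: a comment body that would execute if rendered unescaped.
const SAMPLE_BODY = '<img src=x onerror="alert(document.cookie)">';
```

Escaping is context-specific: the table above is correct for text and double-quoted attribute values, and a value placed inside a script block or a URL needs a different encoder.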

CSRF

Cross-Site Request Forgery (CSRF) is a common Web attack: it exploits a user’s logged-in identity to perform illegal operations in the user’s name without the user’s knowledge.

The following effects may occur:

  • Use the user’s login state to complete service requests
  • Steal users’ funds
  • Post as the user, so the user takes the blame
  • Damage website reputation

Prevention measures:

  • Disallow cookies on requests initiated by third-party sites (has compatibility issues)
  • Referer check (the Referer is not sent under HTTPS in some cases)
  • Verification code (CAPTCHA)
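
The Referer check described above, as an added example that is not code from the original post. It prefers the Origin header and falls back to the Referer, and, because the Referer may be absent, a state-changing request that carries neither header is rejected rather than silently allowed. The site origin and the sample requests are constructed for the example.

```javascript
// Added example (not from the original post): server-side source check for
// CSRF. Browsers attach Origin to cross-site POSTs; Referer can be missing
// (strict Referrer-Policy, some HTTPS cases), so "no header at all" is
// treated as untrusted for state-changing methods.
function sourceOrigin(headers) {
  // Node lower-cases incoming header names; normalise anyway for other inputs.
  const get = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key ? headers[key] : undefined;
  };
  const origin = get('origin');
  if (origin) return origin;
  const referer = get('referer');
  if (referer) {
    try {
      return new URL(referer).origin;
    } catch {
      return null; // unparsable Referer counts as untrusted
    }
  }
  return null;
}

function isSameSiteRequest(method, headers, siteOrigin) {
  // Safe methods must not change state, so the check only guards the others.
  if (['GET', 'HEAD', 'OPTIONS'].includes(method.toUpperCase())) return true;
  const src = sourceOrigin(headers);
  return src !== null && src === siteOrigin;
}

// Constructed sample requests, as a protected endpoint would see them.
const SITE = 'https://bank.example';
const legit = { method: 'POST', headers: { origin: SITE, cookie: 'session=abc' } };
const forged = { method: 'POST', headers: { origin: 'https://evil.example', cookie: 'session=abc' } };
const noSource = { method: 'POST', headers: { cookie: 'session=abc' } };
const refererOnly = { method: 'POST', headers: { referer: 'https://bank.example/transfer?x=1' } };
```

This check complements, rather than replaces, an anti-CSRF token: the token proves the form was issued by the site, the source check proves where the browser sent the request from.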

Clickjacking

Clickjacking is a visual-deception attack. The attacker embeds the target website in their own page inside a nested iframe, makes the iframe transparent, and exposes a button on the page to induce users to click.

The following effects may occur:

  • Some service operations are performed without the user’s knowledge

Prevention measures:

  • Set the X-Frame-Options response header

    • DENY: the page may not be displayed inside an iframe at all
    • SAMEORIGIN: the page may be displayed inside an iframe only under the same domain name
    • ALLOW-FROM: the page may be displayed inside an iframe from the specified source
  • Use JavaScript to detect whether the page is embedded in an iframe; if so, jump straight back to the original link:

    <html>
        <head>
            <style id="click-jack">
                html {
                    display: none !important;
                }
            </style>
        </head>
        <body>
            <script>
                // The page starts hidden; reveal it only when it is the top-level window.
                if (self === top) {
                    var style = document.getElementById('click-jack')
                    style.parentNode.removeChild(style)
                } else {
                    // Framed by another page: break out to the original URL.
                    top.location = self.location
                }
            </script>
        </body>
    </html>
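
The response headers named in the XSS section (X-XSS-Protection, CSP, HttpOnly cookies) and in this section (X-Frame-Options with its three values), as an added example that is not code from the original post. The headers are built as a plain object so they can be inspected without a server; the CSP source list and the cookie name are assumed values, and the CSP frame-ancestors directive is sent alongside X-Frame-Options as its modern equivalent.

```javascript
// Added example (not from the original post): security response headers for
// the XSS and clickjacking measures, as one function returning a header map.
function securityHeaders({ frameOption = 'DENY', allowFrom = null, cspSources = ["'self'"] } = {}) {
  const sources = cspSources.join(' ');
  const headers = {
    // Legacy browser XSS auditor switch; modern browsers rely on CSP instead.
    'X-XSS-Protection': '1; mode=block',
    // Scripts and other resources may load only from the listed sources,
    // which also blocks inline <script> injected by an XSS payload.
    'Content-Security-Policy': `default-src ${sources}; script-src ${sources}`,
    // HttpOnly: not readable via document.cookie. Secure: sent only over HTTPS.
    // The cookie value is a placeholder; a real server generates it.
    'Set-Cookie': 'session=SERVER_GENERATED_ID_PLACEHOLDER; HttpOnly; Secure; Path=/',
  };
  if (frameOption === 'DENY' || frameOption === 'SAMEORIGIN') {
    headers['X-Frame-Options'] = frameOption;
    headers['Content-Security-Policy'] +=
      `; frame-ancestors ${frameOption === 'DENY' ? "'none'" : "'self'"}`;
  } else if (frameOption === 'ALLOW-FROM') {
    if (!allowFrom) throw new Error('ALLOW-FROM requires an origin');
    headers['X-Frame-Options'] = `ALLOW-FROM ${allowFrom}`;
    headers['Content-Security-Policy'] += `; frame-ancestors ${allowFrom}`;
  } else {
    throw new Error(`unsupported X-Frame-Options value: ${frameOption}`);
  }
  return headers;
}

// Optional stand-alone demo: SERVE_DEMO=1 node headers.js, then curl -I http://localhost:8080/
if (typeof process !== 'undefined' && process.env.SERVE_DEMO === '1') {
  const http = require('node:http');
  http.createServer((req, res) => {
    res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8', ...securityHeaders() });
    res.end('<!doctype html><title>ok</title><p>protected page</p>');
  }).listen(8080);
}
```

The header-based controls are the primary defence; the frame-busting script above is a fallback for clients that ignore the headers, since a framing page can interfere with the script but not with header enforcement.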

SQL injection

User verification is bypassed by injecting SQL fragments (for example, 1' or '1'='1) so that password information can be queried through SQL, because the back end builds the SQL statement by directly concatenating strings.

The following effects may occur:

  • Log in as any user account and perform all services under that user’s rights
  • Steal users’ funds
  • Post as the user, so the user takes the blame
  • Damage website reputation
  • Endanger the management and operation of the entire platform

Prevention measures:

  • Use the parameterized query interface provided by the database for all query statements. Parameterized statements use parameters instead of embedding user-input variables into the SQL statement; that is, never concatenate SQL statements directly.
  • Strictly limit the Web application’s database access permissions: grant only the minimum permissions needed, so as to minimize the harm an injection attack can do to the database. In the back-end code, check whether the input data matches expectations and strictly limit variable types, for example by matching with regular expressions.
  • Escape or encode special characters (', ", \, <, >, &, *, ;, etc.).
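
The first and second measures above, as an added example that is not code from the original post: the concatenated login query the section describes beside its parameterized form, and a strict type check for an input that is not free text. No database driver is used; findUser() takes any object with a query(text, values) method, which is the shape most drivers expose. Table and column names are assumed.

```javascript
// Added example (not from the original post): string-built SQL beside a
// parameterized statement, plus a regular-expression type check.
function buildLoginQueryUnsafe(username, password) {
  // Vulnerable "before": user input becomes part of the SQL text itself.
  return `SELECT id FROM users WHERE username = '${username}' AND password = '${password}'`;
}

function buildLoginQuerySafe(username, password) {
  // Hardened "after": placeholders in the text, values passed separately, so a
  // quote inside the input can never close the string literal around it.
  return {
    text: 'SELECT id FROM users WHERE username = ? AND password = ?',
    values: [username, password],
  };
}

// db is any driver-like object with query(text, values); the SQL text never
// changes with the input, so the database can prepare and cache it.
function findUser(db, username, password) {
  const q = buildLoginQuerySafe(username, password);
  return db.query(q.text, q.values);
}

// Strict type check for a value that must be a small positive integer
// (an id taken from a URL, for example), matched with a regular expression.
function parseUserId(raw) {
  if (typeof raw !== 'string' || !/^[1-9]\d{0,9}$/.test(raw)) {
    throw new TypeError(`invalid user id: ${JSON.stringify(raw)}`);
  }
  return Number(raw);
}

// Constructed sample input: the always-true fragment from the text above.
const INJECTED_USERNAME = "1' or '1'='1";
```

With the concatenated form the fragment becomes part of the WHERE clause; with the parameterized form it is just a username value that matches no row.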

OS injection

OS command injection attacks use a Web application to execute illegal operating system commands. Wherever Shell functions can be called there is a risk; if the Shell is called inadvertently, the inserted illegal command is executed. OS command injection is similar to SQL injection, except that SQL injection targets the database while OS command injection targets the operating system.

The following effects may occur:

  • Affects certain computer operations
  • Jeopardizes the development and operation of the entire project

Prevention measures:

  • Choose an implementation that does not invoke OS commands
  • Do not pass input strings as command-line arguments
  • Use secure functions to escape arguments passed to OS commands
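
The three measures above applied to a "ping a host" feature, as an added example that is not code from the original post. The host name is validated against an allow-list pattern, and the command is run through execFile with an argument array so that no shell parses the input. The ping flags are Linux-style and an assumption about the target system; the sample input is constructed.

```javascript
// Added example (not from the original post): allow-list validation plus a
// shell-free invocation, beside the shell string that makes injection possible.
function isValidHostname(input) {
  // Labels of letters, digits and hyphens, not starting or ending with a hyphen:
  // spaces, quotes, ';', '|', '&' and '$' can never pass.
  return typeof input === 'string' && input.length <= 253 &&
    /^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$/.test(input);
}

// Vulnerable "before": this string would be handed to a shell, which treats
// metacharacters inside host as command syntax.
function buildPingShellCommand(host) {
  return `ping -c 1 ${host}`;
}

// Hardened "after": validated input, then one argv element per argument.
function buildPingArgv(host) {
  if (!isValidHostname(host)) throw new Error(`rejected host: ${JSON.stringify(host)}`);
  return { file: 'ping', args: ['-c', '1', host] };
}

// execFile spawns the program directly (no shell), so host is always a single
// argument. child_process is loaded lazily so the helpers above stay pure.
function runPing(host) {
  const { file, args } = buildPingArgv(host);
  const { execFileSync } = require('node:child_process');
  return execFileSync(file, args, { encoding: 'utf8', timeout: 5000 });
}

// Constructed sample input that the validator must reject.
const CONSTRUCTED_INPUT = 'example.com; id';
```

Validation and the argv array are independent layers: the array alone stops shell interpretation, and the validator additionally stops a value beginning with "-" from being read as an option by the program itself.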

Request hijacking

The DNS server (any step of DNS resolution) is tampered with to alter the result of domain-name resolution, so that the IP address accessed is not the expected one.

The following effects may occur:

  • Get user information

Prevention measures:

  • HTTP hijacking / carrier (ISP) hijacking: in this case the only remedy is to upgrade to HTTPS

DDoS

DDoS is not a single attack but a general category of attacks. It has dozens of types, and new ones are invented all the time. Every link in the chain that keeps a website running can be the target. Once one link is broken and the whole flow cannot run, the attack has achieved its goal.

The following effects may occur:

  • The server goes down, and all or part of the services become unavailable

Prevention measures:

  • Backup website: the backup may not be fully functional; static browsing is enough. At a minimum it should display an announcement telling users that something is wrong with the site and that it is being fixed.
  • HTTP request interception: at the hardware, server, or firewall level
  • Bandwidth expansion + CDN: raises the attacker’s cost
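
A software form of the HTTP request interception measure above, as an added example that is not code from the original post: a per-client sliding-window rate limiter that decides whether a request from a given key (for example a source IP) exceeds the allowed rate. It generalizes the page's hardware/firewall interception to application code; the limit values and the sample traffic are constructed, and the clock is passed in so the decisions can be replayed deterministically.

```javascript
// Added example (not from the original post): sliding-window rate limiting
// keyed by client, with timestamps supplied by the caller for testability.
class SlidingWindowLimiter {
  constructor({ limit, windowMs, now = () => Date.now() }) {
    this.limit = limit;       // requests allowed per window
    this.windowMs = windowMs; // window length in milliseconds
    this.now = now;
    this.hits = new Map();    // key -> timestamps of allowed requests in the window
  }

  // Returns true if the request is within the limit, false if it should be dropped.
  allow(key, at = this.now()) {
    const cutoff = at - this.windowMs;
    const recent = (this.hits.get(key) || []).filter((t) => t > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent); // keep the pruned list; rejected hits are not stored
      return false;
    }
    recent.push(at);
    this.hits.set(key, recent);
    return true;
  }

  // Housekeeping for long-running processes: drop keys with no recent hits.
  prune(at = this.now()) {
    const cutoff = at - this.windowMs;
    for (const [key, times] of this.hits) {
      if (!times.some((t) => t > cutoff)) this.hits.delete(key);
    }
    return this.hits.size;
  }
}

// Replays constructed [timestampMs, clientKey] events and records each decision.
function replay(limiter, events) {
  return events.map(([t, ip]) => ({ t, ip, allowed: limiter.allow(ip, t) }));
}

// Constructed sample: a burst from one address mixed with normal traffic.
const SAMPLE_EVENTS = [
  [0, '198.51.100.7'], [100, '198.51.100.7'], [200, '198.51.100.7'],
  [300, '198.51.100.7'], [300, '203.0.113.9'], [1100, '198.51.100.7'],
];
```

A limiter like this protects the application tier only; volumetric floods that saturate the link are absorbed upstream, which is why the measures above also list bandwidth expansion and a CDN.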

PS: Refer to Ruan Yifeng’s DDoS attack defense tutorial