XSS Cross Site Scripting

  • XSS (Cross Site Scripting) is abbreviated XSS rather than CSS only because CSS already means Cascading Style Sheets. The attack relies on a website whose input handling is not rigorous: an attacker injects malicious JS into the site, the script runs in other users' browsers, and the site and its users are harmed.
  • XSS classification
    • Reflected XSS (the payload is injected directly through URL parameters and echoed back by the page)
    • Stored XSS (the attack script is submitted through an input box, saved by the site, and echoed back to every visitor who loads the page; when the page renders it, the script runs and the attack succeeds)
    • Bottom line: without XSS defenses, reflected and stored XSS can be chained into a larger attack.
  • XSS hazards
    • Use a script to steal the user's cookie; the victim then unknowingly helps the attacker send malicious requests
    • Display a fake article or image
    • Tamper with the web page through XSS
    • In short: the injected script decides what the page does.
  • defense
    • X-XSS-Protection is a response header that tells the browser to stop loading the page when it detects a reflected cross-site scripting (XSS) attack. Current Chromium-based browsers have removed this filter and Firefox never implemented it, so it cannot be relied on by itself.
    • CSP (Content Security Policy), which restricts where scripts may be loaded from and blocks inline scripts
    • HttpOnly cookies, which page scripts cannot read through document.cookie
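Output encoding is the fix the list above leaves implicit: if user input is escaped before it is placed in HTML, neither the reflected nor the stored variant can inject a script. The block below is an added example, not code from the original post; it escapes user input for both cases and then sets the CSP, X-XSS-Protection and HttpOnly defences on a minimal Koa-like context. The page template, the sample comments, the session id and the makeCtx stand-in are all constructed here.

```javascript
// Added example (not from the original post): output encoding is the core XSS fix; the
// headers and cookie flag listed above are set on a minimal Koa-like context. The page
// template, the comments, the session id and the makeCtx stand-in are all constructed here.

// Entity for every HTML metacharacter, so user input renders as text, never as markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Reflected case: a search term from the URL is echoed back into the page.
// Stored case: comments fetched from the database are rendered for other visitors.
// Both pass through escapeHtml before they reach the HTML body.
function renderPage({ searchTerm, comments }) {
  const results = `<p>Results for: ${escapeHtml(searchTerm)}</p>`;
  const list = comments.map((c) => `<li>${escapeHtml(c)}</li>`).join('');
  return `<html><body>${results}<ul>${list}</ul></body></html>`;
}

// The defences from the list above. CSP limits script sources to our own origin and
// blocks inline scripts, which is exactly what an injected <script> tag would be.
// X-XSS-Protection is kept for older browsers only; current ones ignore it.
function setXssDefences(ctx) {
  ctx.set('Content-Security-Policy', "default-src 'self'; script-src 'self'; object-src 'none'");
  ctx.set('X-XSS-Protection', '1; mode=block');
  // HttpOnly: document.cookie cannot read the session id, so an injected script
  // cannot simply exfiltrate it.
  ctx.cookies.set('sid', ctx.sessionId, { httpOnly: true, secure: true, sameSite: 'lax' });
  return ctx;
}

// Hypothetical stand-in for Koa's ctx, just enough for this example.
function makeCtx(sessionId) {
  const headers = {};
  const jar = {};
  return {
    sessionId,
    headers,
    jar,
    set(name, value) { headers[name] = value; },
    cookies: { set(name, value, opts) { jar[name] = { value, opts }; } },
  };
}

// Constructed sample: what an attacker might submit as a comment or a search term.
const INJECTED = '<script>alert(1)</script>';
const page = renderPage({ searchTerm: INJECTED, comments: ['nice post', INJECTED] });
console.log(page);
```

Escaping belongs at the point where the value is written into HTML, not at input time: the same stored comment may later be placed in a JSON response or an attribute, each of which needs its own encoding.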

CSRF Cross Site Request Forgery

  • Cross Site Request Forgery is a common web attack: it takes advantage of a user's logged-in identity to perform illegal operations in the user's name without the user's knowledge.
  • defense
    • Validate the HTTP Referer field
    • Add a token to the request and validate it on the server
    • Add custom properties to the HTTP headers and validate them

3. ClickJacking

  • Clickjacking is a form of visual deception. The attacker embeds the target website in their own page inside a nested iframe, makes the iframe transparent, and places a visible button over it to induce the user to click what is really a control on the target site.
  • defense
    • X-Frame-Options is an HTTP response header that is well supported in modern browsers. It is designed to defend against clickjacking attacks that nest the page in an iframe.
    • DENY: the page may not be displayed in a frame at all, even when it is nested by a page on the same domain.
    • SAMEORIGIN: the page may be displayed in a frame only by a page on the same domain.
    • ALLOW-FROM uri: the page may be displayed in a frame only by the specified origin (this value is obsolete; current browsers use the CSP frame-ancestors directive instead).
    ctx.set('X-Frame-Options', 'DENY')

4. SQL injection

  • SQL injection is a technique in which an attacker manipulates input so that the background SQL statement is modified and executes attacker-controlled code.
  • example
    // Enter the special password 1'or'1'='1 and the concatenated statement becomes:
    SELECT * FROM test.user WHERE username ='tiankai' AND password = '1'or'1'='1'

    // Vulnerable: user input is concatenated straight into the SQL string
    const sql = `SELECT * FROM test.user WHERE username ='${ctx.request.body.username}' AND password = '${ctx.request.body.password}'`
    console.log('sql', sql)
    res = await query(sql)

    // Fixed: placeholders in the statement, with the values passed separately as parameters
    const sql = `SELECT * FROM test.user WHERE username = ? AND password = ?`
    console.log('sql', sql)
    res = await query(sql, [ctx.request.body.username, ctx.request.body.password])
  • defense
    • mysql_real_escape_string() and addslashes() (PHP)
    • The mysql_real_escape_string() function escapes: ' " \r \n NUL and Control-Z
    • The addslashes() function escapes: ' " backslash and NUL
    • This approach is particularly effective against the SQL injection that bypasses login authentication, known as the universal password. It also works against character-based injection in general, because the attacker needs to inject a single quote to balance the quotes in the statement.
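To show why the fixed query in the example above is safe, and what the escaping functions listed in this defense actually do to the universal password, here is an added example that is not part of the original post: a small client-side parameter binder that applies the same character rules as mysql_real_escape_string and substitutes the ? placeholders. The binder, the query strings and the inputs are constructed here; a real driver (for example the ? placeholders of the mysql package) performs this step for you and should be preferred over hand-written escaping.

```javascript
// Added example (not from the original post): a parameter binder that escapes the same
// characters mysql_real_escape_string handles, applied to the login query from the post.
// Everything here is constructed for illustration; use the driver's own placeholders in practice.

// Character set of mysql_real_escape_string: NUL, newline, carriage return, backslash,
// single quote, double quote and Control-Z.
const ESCAPE_MAP = {
  '\0': '\\0', '\n': '\\n', '\r': '\\r', '\\': '\\\\', "'": "\\'", '"': '\\"', '\x1a': '\\Z',
};

// Turn a JS value into a SQL literal; strings are escaped and quoted, numbers passed as-is.
function escapeLiteral(value) {
  if (value === null || value === undefined) return 'NULL';
  if (typeof value === 'number') return String(value);
  const escaped = String(value).replace(/[\0\n\r\\'"\x1a]/g, (ch) => ESCAPE_MAP[ch]);
  return `'${escaped}'`;
}

// Replace each ? placeholder with the escaped literal for the matching parameter.
function bind(sql, params) {
  let i = 0;
  const out = sql.replace(/\?/g, () => {
    if (i >= params.length) throw new Error('not enough parameters for placeholders');
    return escapeLiteral(params[i++]);
  });
  if (i !== params.length) throw new Error('too many parameters for placeholders');
  return out;
}

// The vulnerable pattern from the post: raw concatenation of request fields.
function unsafeLoginQuery(username, password) {
  return `SELECT * FROM test.user WHERE username ='${username}' AND password = '${password}'`;
}

// The fixed pattern from the post: placeholders plus a parameter array.
function safeLoginQuery(username, password) {
  return bind('SELECT * FROM test.user WHERE username = ? AND password = ?', [username, password]);
}

// Count the string literals in a statement: a crude check that input did not break out of one.
function countLiterals(sql) {
  return (sql.match(/'(?:\\.|[^'\\])*'/g) || []).length;
}

// Constructed input: the universal password from the post.
const UNIVERSAL_PASSWORD = "1'or'1'='1";
console.log('unsafe:', unsafeLoginQuery('tiankai', UNIVERSAL_PASSWORD));
console.log('safe:  ', safeLoginQuery('tiankai', UNIVERSAL_PASSWORD));
```

In the unsafe statement the password value splits into three literals with an OR in between, so the WHERE clause is always true; in the bound statement the quotes are escaped and the whole value stays one literal that must match a stored password.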

5. OS command injection

  • OS command injection attacks make a web application execute operating-system commands the attacker chooses. Wherever a shell function can be called with user-influenced input there is a risk.
    const exec = require('mz/child_process').exec;
    let params = { /* input parameters from the request */ };
    exec(`git clone ${params.repo} /some/path`)
  • If a parameter such as the following is passed in as params.repo, the shell runs the extra commands after the clone:
    https://github.com/xx/xx.git && rm -rf /* &&
  • defense
    • Before calling command-execution functions, validate the variables and escape sensitive characters.

Request hijacking (DNS hijacking, HTTP hijacking)

  • DNS hijacking
    • The DNS server is tampered with so that the domain name resolves to an IP address other than the expected one.
    • defense
      • First, choose an authoritative DNS resolution service provider for domain name resolution; this reduces the chance that resolution records are tampered with through a vulnerability at the provider.
      • Second, DNS acceleration products can continuously refresh the DNS cache so that the data cached on DNS servers is updated in real time, lowering the probability of hijacking and tampering during resolution.
      • There are also DNS hijacking monitoring services that detect when resolution is being diverted, so the problem can be dealt with promptly and further losses avoided.
  • HTTP hijacking
    • How it looks: when you open a web page, small ads appear in the bottom corner. Sometimes these ads are not placed by the site you are visiting to make money, but are inserted by a third party such as the carrier. This is HTTP hijacking.
    • How it works
      • Identify TCP connections that carry HTTP at the application layer.
      • Tamper with the HTTP response body: the packets can be captured at the gateway and their content modified.
      • Race the legitimate response: the tampered packets reach the user before the ones returned by the real site, so the genuine packets are discarded when they arrive.
    • defense
      • Use HTTPS
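"Use HTTPS" only helps if plain-HTTP requests never reach the application and the browser keeps using HTTPS afterwards, since the first HTTP request is exactly where an on-path party can tamper with the response body. The following is an added example, not code from the original post: a Koa-style middleware that redirects plain-HTTP requests and sets Strict-Transport-Security on HTTPS responses. The ctx shape (makeCtx) is a constructed stand-in for Koa's.

```javascript
// Added example (not from the original post): enforce HTTPS and pin it with HSTS.
// Koa's ctx.secure is true for TLS connections (or, with app.proxy enabled, when
// X-Forwarded-Proto says https). makeCtx below is a constructed stand-in for testing.
const HSTS_VALUE = 'max-age=31536000; includeSubDomains';

async function enforceHttps(ctx, next) {
  if (!ctx.secure) {
    // Redirect to the same path over TLS and stop here: the application handler must
    // never run over plain HTTP, or its response could be altered in transit.
    ctx.status = 301;
    ctx.set('Location', `https://${ctx.host}${ctx.url}`);
    return;
  }
  // Tell the browser to use HTTPS for this host (and subdomains) for a year, so later
  // navigations do not even start with an HTTP request.
  ctx.set('Strict-Transport-Security', HSTS_VALUE);
  await next();
}

// Minimal stand-in for Koa's ctx, just enough for this example.
function makeCtx({ secure, host, url }) {
  const headers = {};
  return { secure, host, url, status: 200, body: undefined, headers, set(n, v) { headers[n] = v; } };
}

// Run both branches on constructed requests.
async function demo() {
  const plain = makeCtx({ secure: false, host: 'app.example', url: '/news?id=1' });
  await enforceHttps(plain, async () => { plain.body = 'page'; });
  const tls = makeCtx({ secure: true, host: 'app.example', url: '/news?id=1' });
  await enforceHttps(tls, async () => { tls.body = 'page'; });
  return { plain, tls };
}

demo().then(({ plain, tls }) => {
  console.log('http  ->', plain.status, plain.headers.Location);
  console.log('https ->', tls.status, tls.headers['Strict-Transport-Security'], tls.body);
});
```

Behind a reverse proxy the proxy usually terminates TLS, so ctx.secure is only meaningful when the application trusts the proxy's X-Forwarded-Proto header; otherwise every request looks insecure and the middleware loops on redirects.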

Distributed Denial of Service (DDoS)

  • A large number of requests arrive within a short period, consuming all of the network and CPU resources, so the website cannot respond to normal traffic and effectively goes offline.
  • example
    • I run a restaurant that normally holds up to 30 people at a time. You walk in, sit down at a table, order your food, and get it right away. Unfortunately, I fell foul of a rogue. He sent 300 people into the restaurant at once. They looked like normal customers and each said, "Hurry up." But the restaurant only holds 30 people, so it cannot possibly serve that many orders at the same time; on top of that they blocked the door, packed several deep inside and outside, so normal diners could not get in, and the restaurant was effectively paralyzed. This is a DDoS attack: a large number of requests in a short period exhaust the server's resources, it can no longer respond to normal visits, and the website essentially goes offline.
  • defense
    • Add a backup site: it does not need to be full-featured; a static page telling users that the site has a problem and is being repaired is enough.
    • HTTP request interception: HTTP requests generally have two identifying characteristics, the IP address and the User-Agent field. For example, if malicious requests come from one IP address segment, blocking that segment is enough.
    • Bandwidth expansion, CDN
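The request-interception defense above, written out as an added example that is not part of the original post: requests are blocked by IPv4 address segment (CIDR) and by User-Agent, and a per-IP counter over a sliding window cuts off a flood from a single source. The block lists, the window size and the sample requests are all constructed here.

```javascript
// Added example (not from the original post): block by IP segment and User-Agent, and
// rate-limit each source over a sliding window. Lists, limits and requests are constructed.

// Parse a dotted IPv4 address into a 32-bit unsigned integer.
function ipToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`not an IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True when ip lies inside the CIDR range, e.g. '203.0.113.0/24'.
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (ipToInt(ip) & mask) === (ipToInt(base) & mask);
}

class RequestFilter {
  constructor({ blockedCidrs = [], blockedAgents = [], maxPerWindow = 100, windowMs = 10000 } = {}) {
    this.blockedCidrs = blockedCidrs;
    this.blockedAgents = blockedAgents;  // substrings or RegExps matched against User-Agent
    this.maxPerWindow = maxPerWindow;
    this.windowMs = windowMs;
    this.hits = new Map();               // ip -> timestamps (ms) of recent requests
  }

  // Returns { allow, reason }. The clock is injectable so the window logic can be tested.
  check({ ip, userAgent = '' }, now = Date.now()) {
    if (this.blockedCidrs.some((c) => inCidr(ip, c))) return { allow: false, reason: 'blocked segment' };
    if (this.blockedAgents.some((a) => (a instanceof RegExp ? a.test(userAgent) : userAgent.includes(a)))) {
      return { allow: false, reason: 'blocked user agent' };
    }
    // Keep only the hits still inside the window, then record this one.
    const recent = (this.hits.get(ip) || []).filter((t) => now - t < this.windowMs);
    recent.push(now);
    this.hits.set(ip, recent);
    if (recent.length > this.maxPerWindow) return { allow: false, reason: 'rate limit' };
    return { allow: true, reason: 'ok' };
  }
}

// Constructed sample: one blocked segment, one blocked agent, and a burst from one client.
const filter = new RequestFilter({
  blockedCidrs: ['198.51.100.0/24'],
  blockedAgents: [/python-requests/i],
  maxPerWindow: 3,
  windowMs: 1000,
});
for (let t = 0; t < 5; t++) {
  console.log(t, filter.check({ ip: '192.0.2.1', userAgent: 'Mozilla/5.0' }, t));
}
```

The per-IP window catches a single abusive source; a real distributed flood arrives from many addresses at once, which is why the list also mentions bandwidth expansion and a CDN, where filtering happens before traffic reaches the origin.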