Introduction: While learning Node recently, I wrote examples of web security attacks and their solutions. After consulting some reference material, I worked out my own approach. The code is not perfect, and I am still exploring Node, so please bear with me. I hope this helps those who are unfamiliar with security or unclear on the background knowledge.

For the solutions, refer to the articles (theory); this post mainly demonstrates how the attacks work.

Code: [email protected]: StyLanQP/web – Safe. Git

Github: github.com/StyLanQP/we…

The project code is as follows:

app: the normal website; hack: the hacker's website. Technology used: Node + Express + React + MySQL

Project introduction

1. Code directory

2. Create a database

Run node app/mysql.js first; executing this file creates the tables and data.


Cross-site Scripting (XSS) attacks

Principle: An attacker inserts malicious executable script code into a web page. When a user browses the page, the script embedded in it is executed. In this way, the attacker can steal user information or violate the user's security and privacy.

1. Run npm run start to start the project and open the home page

At this point the home page is written with React. React DOM escapes content (strings) during rendering, so tags inside a string are not treated as HTML tags and the injected script cannot execute.

So I added a page, xss.html, rendered with an ejs template (a script tag entered in the URL, such as http://localhost:4000/xss?text=, or script code retrieved directly from the database, will be executed).

2. Next, attack using document.cookie, injecting it in the same way as before

Opening http://localhost:4000/xss, you will see a request to the http://localhost:5000/xss.html interface.

In the console, you can see that the hacker website on port 5000 has printed the cookie. We can then set that cookie in the console and log in to the website directly.

Two, CSRF (cross-site request forgery)

Principle: The user is induced to open the hacker's website, which uses the user's login state to initiate cross-site requests.

1. While logged in, open the localhost:5000/srf.html page. The console shows a setDataList request, which is the interface for submitting content, and on the port 4000 home page you can see that the content has changed.

The normal website content has been changed

Solution: generate a token, and have the interface carry a nonce and a timestamp
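One way to implement the token, nonce and timestamp check named above, as an added example that is not code from the project. The function names, the 60-second window, the in-memory nonce store and the HMAC signature keyed by the token are all assumptions.

```javascript
const crypto = require("crypto");

const WINDOW_MS = 60 * 1000;   // assumed freshness window for timestamps
const seenNonces = new Map();  // nonce -> time after which it can be forgotten

// Per-session secret token: stored server-side and rendered into the site's
// own pages, so a page served from another origin cannot read it.
function issueToken(session) {
  session.csrfToken = crypto.randomBytes(32).toString("hex");
  return session.csrfToken;
}

// Signature the legitimate page computes over timestamp, nonce and body.
function sign(token, timestamp, nonce, body) {
  return crypto.createHmac("sha256", token)
    .update(`${timestamp}\n${nonce}\n${body}`).digest("hex");
}

// Constant-time comparison that also handles missing values.
function safeEqual(a, b) {
  const x = Buffer.from(String(a ?? ""));
  const y = Buffer.from(String(b ?? ""));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Server-side check; req = { timestamp, nonce, signature, body }.
function checkRequest(session, req, now = Date.now()) {
  if (!session.csrfToken) return "no token issued";
  const ts = Number(req.timestamp);
  if (!Number.isFinite(ts) || Math.abs(now - ts) > WINDOW_MS) return "stale timestamp";
  if (typeof req.nonce !== "string" || !/^[0-9a-f]{32}$/.test(req.nonce)) return "bad nonce";
  const expected = sign(session.csrfToken, ts, req.nonce, req.body);
  if (!safeEqual(expected, req.signature)) return "bad signature";
  // Forget nonces whose timestamp can no longer pass, then reject reuse.
  for (const [n, exp] of seenNonces) if (exp < now) seenNonces.delete(n);
  if (seenNonces.has(req.nonce)) return "replayed nonce";
  seenNonces.set(req.nonce, ts + WINDOW_MS);
  return "ok";
}

// Constructed demo: a legitimate request, its replay, and a tampered copy.
const demoSession = {};
const demoToken = issueToken(demoSession);
const demoTs = Date.now(), demoNonce = crypto.randomBytes(16).toString("hex");
const legit = { timestamp: demoTs, nonce: demoNonce, body: "content=hi",
  signature: sign(demoToken, demoTs, demoNonce, "content=hi") };
console.log(checkRequest(demoSession, legit));
console.log(checkRequest(demoSession, legit));
console.log(checkRequest(demoSession, { ...legit, nonce: "0".repeat(32) }));
```

A request sent from the port 5000 page still carries the victim's cookie, but without the token it cannot produce a valid signature, and a captured valid request cannot be sent twice.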

Click hijacking

Principle: After a user accesses the system of website A, the attacker lures the user into opening a third-party website. The third-party website loads the page content of website A through an iframe. When the user clicks a button (a decoy button) on the third-party website, they are actually clicking a button on website A.

1. Open http://localhost:5000/clickHijack.html and click the button. You are actually clicking the "follow" button on http://localhost:4000/home, because the iframe embeds the page on port 4000.

The solution is to restrict iframe embedding

References

Anti-replay attacks based on timestamp and nonce

An introduction to an issue with the X-Content-Type-Options HTTP security header

Teacher Xia's web security video (sent by a friend; I cannot post the link)

Web security CSRF defense and attack