Preface

  • Friend says: I heard you made a website.
  • I said: Yes, come and be my user.
  • Friend says: OK. Do you know about SQL injection and XSS attacks?
  • I said: I don't.
  • The next day my friend said to me: Wow, the administrator account is good, it has a lot of permissions, really nice.
  • I said: How could you log in to my administrator account??
  • My friend said: You don't know about SQL injection and XSS attacks, so you certainly didn't protect against them. I used SQL injection; once you know the administrator's user name you can log in.
  • That scared me into doing the related work quickly. Thanks to my friend for telling me.
  • The following explains SQL injection, XSS attacks and how to handle them.


Four aspects:

1. What is SQL injection

  • So-called SQL injection means tricking the server into executing malicious SQL commands by inserting SQL commands into a web form submission, or into the query string of a domain name or page request. SQL injection is the oldest and simplest attack; SQL injection attacks have existed since the Web 2.0 era.

2. Example of SQL injection

  • For user login, we need to query the users table and compare the username and password.
  • The SQL statement:

    select * from users where username="zhangsan" and password="524abb53cce35"

  • With SQL injection, the attacker enters the user name as zhangsan'-- (with a trailing space after the two dashes), and the statement becomes:

    select * from users where username='zhangsan'-- ' and password='5245'

  • Both SQL statements find the user, but in the second one the password check has been commented out by the --. So if someone knows your user name they can log in to your account. Isn't that very dangerous??????

  • The SQL statement actually executed by exec():

    select id, username, realname from users where username='zhangsan '-- ' and password='696'

  • Don't panic. Let's take a look at the db/mysql.js file from earlier:

    const mysql = require('mysql')
    const { MYSQL_CONF } = require('../conf/db')

    const con = mysql.createConnection(MYSQL_CONF)

    // run one SQL statement and resolve with its result rows
    function exec(sql) {
        const promise = new Promise((resolve, reject) => {
            con.query(sql, (err, result) => {
                if (err) {
                    reject(err)
                    return
                }
                resolve(result)
            })
        })
        return promise
    }

    module.exports = {
        exec,
        escape: mysql.escape // prevents SQL injection by encoding special characters
    }

  • See this key line??
  • escape: mysql.escape // prevents SQL injection by encoding special characters
  • Let's change the login method in controller/users.js:

    const { exec, escape } = require('../db/mysql')
    const { genPassword } = require('../utils/cryp')

    const register = async (username, password) => { ... }

    const userNameFilter = async (username) => { ... }

    const login = async (username, password) => {
        username = escape(username) // escape to prevent SQL injection
        password = genPassword(password) // generate the encrypted password
        password = escape(password) // escape to prevent SQL injection
        // escape() already wraps the value in quotes, so none are added here
        const sql = `
            select id, username, realname from users where username=${username} and password=${password}
        `
        // console.log('sql is', sql)

        const rows = await exec(sql)
        return rows[0] || ''
    }

    const userInfo = async (id) => {
        ...
    }

    module.exports = {
        login,
        register,
        userNameFilter,
        userInfo
    }

  • Log in again with the same input and the login now fails.
  • The SQL statement executed after escaping:

    select id, username, realname from users where username='zhangsan \'-- ' and password='6996'

  • Comparing the two statements, we can see that escape encodes the special characters that would otherwise change the meaning of the SQL statement (here the single quote becomes \'), so the user's input stays inside the string literal instead of being spliced into the statement.

  • So, to be safe, every variable that can be concatenated into an SQL statement must go through escape!
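As an added example (not the post's code), here is the login query built the vulnerable way and the escaped way, with a small helper that models how the -- comment changes what the server runs. escapeSql mirrors the string-escaping rules of the mysql/sqlstring package, which is an assumption for this demo; in real code use mysql.escape itself or, better, ? placeholders with con.query(sql, [username, password]).

```javascript
// Added example, not the post's code: the login query built the vulnerable way
// (quotes added by hand) and the escaped way (quotes added by escapeSql).
// escapeSql mirrors the string-escaping rules of the mysql/sqlstring package,
// which is an assumption for this demo; in real code use mysql.escape itself
// or, better, `?` placeholders with con.query(sql, [username, password]).
const ESCAPE_MAP = {
  '\0': '\\0', '\b': '\\b', '\t': '\\t', '\n': '\\n', '\r': '\\r',
  '\x1a': '\\Z', '"': '\\"', "'": "\\'", '\\': '\\\\',
}

function escapeSql(value) {
  const body = String(value).replace(/[\0\b\t\n\r\x1a"'\\]/g, (ch) => ESCAPE_MAP[ch])
  return `'${body}'`
}

// Vulnerable: the raw values are spliced into hand-quoted string literals.
function buildLoginSqlUnsafe(username, password) {
  return `select id, username, realname from users where username='${username}' and password='${password}'`
}

// Hardened: every variable goes through escapeSql, which supplies the quotes.
function buildLoginSqlEscaped(username, password) {
  return `select id, username, realname from users where username=${escapeSql(username)} and password=${escapeSql(password)}`
}

// Crude model of the MySQL parser: a "-- " outside a single-quoted literal
// comments out the rest of the line. Returns the part the server would run.
function effectiveSql(sql) {
  let inString = false
  for (let i = 0; i < sql.length; i++) {
    const ch = sql[i]
    if (inString && ch === '\\') { i++; continue }          // skip the escaped char
    if (ch === "'") inString = !inString
    else if (!inString && sql.startsWith('-- ', i)) return sql.slice(0, i)
  }
  return sql
}

// Does the statement the server actually runs still compare the password?
function passwordChecked(sql) {
  return /\band password=/.test(effectiveSql(sql))
}

const injected = "zhangsan'-- "                                    // the post's malicious user name
console.log(effectiveSql(buildLoginSqlUnsafe(injected, '696')))    // the password predicate is gone
console.log(passwordChecked(buildLoginSqlEscaped(injected, '696'))) // true
```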

3. What is XSS attack

  • An XSS attack usually exploits vulnerabilities left behind during web page development: the attacker injects malicious code into the page in some clever way, and the user's browser loads and executes the malicious program the attacker made. These malicious programs are usually JavaScript, but can actually include Java, VBScript, ActiveX, Flash or even plain HTML. After a successful attack, the attacker may obtain various things, including but not limited to higher permissions (such as performing some operations), private web content, sessions and cookies.
  • Attack modes:

  • Stealing cookies to obtain sensitive information.
  • Embedding Flash and obtaining higher permissions through its cross-domain permission settings, or using Java etc. to achieve similar operations.
  • Using iframe, frame, XMLHttpRequest or the Flash method above to perform administrative actions as the (attacked) user, or ordinary operations such as posting, adding friends and sending private messages.
  • Taking advantage of the fact that the attacked domain is trusted by other domains, making requests from the trusted source for operations that would not normally be allowed, such as improper voting.
  • XSS on heavily visited pages can be used to attack small websites, achieving the effect of a DDoS attack.

4. Protecting against XSS attacks in Node.js

  • First install the xss dependency in the project:

    npm install xss --save-dev

  • Let's take a simple example. Read the comments!!

    const xss = require('xss') // import xss
    const { exec } = require('../db/mysql')

    // blogData contains the title, content and author attributes
    const newBlog = async (blogData = {}) => {
        const title = xss(blogData.title) // defend against XSS attacks
        const content = xss(blogData.content) // defend against XSS attacks
        const author = blogData.author
        const createTime = Date.now()
        // these values are still concatenated raw; by the rule in section 2 they should also go through escape
        const sql = `
            insert into blogs (title, content, createtime, author)
            values ('${title}', '${content}', ${createTime}, '${author}');
        `

        const insertData = await exec(sql)
        return {
            id: insertData.insertId
        }
    }

    module.exports = {
        getList,
        getDetail,
        newBlog
    }

  • In short: the way to protect against XSS attacks is to encode special characters.
  • What are special characters?
  • The data entered by the user is HTML-entity encoded, that is, tags such as <script> and <a>, and characters such as < and >, are converted, and only then is the data saved to the backend database.

  • For example:
  • If the malicious input in the input box is <script> document.cookie </script>, it is converted to the following and stored in the database:

    &lt;script&gt;document.cookie&lt;/script&gt;

  • which achieves the goal of making the <script> unexecutable!!!!
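As an added example (not the post's code and not the xss package's code), here is a minimal whitelist sanitizer in the style of the xss library: it entity-encodes every tag that is not on the whitelist, as in the <script> example above, and strips disallowed attributes from the tags it keeps. The whitelist (b, i, p, a with href) and the rule that href may only be an http(s) URL, a root-relative path or a fragment are assumptions for this demo.

```javascript
// Added example, not the post's or the xss package's code: a minimal
// whitelist sanitizer in the style of the xss library. Tags on the whitelist
// keep only their allowed attributes; every other tag is HTML-entity encoded
// so the browser shows it as text. The whitelist itself is an assumption.
const ALLOWED_TAGS = new Map([['b', []], ['i', []], ['p', []], ['a', ['href']]])

function encodeHtml(text) {
  const entities = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }
  return text.replace(/[&<>"']/g, (ch) => entities[ch])
}

// Rebuild the attribute list of a whitelisted tag, keeping only allowed names;
// href is accepted only as an http(s) URL, a root-relative path or a fragment.
function sanitizeAttrs(tag, attrText) {
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g
  let kept = ''
  let m
  while ((m = attrRe.exec(attrText)) !== null) {
    const name = m[1].toLowerCase()
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4]
    if (!ALLOWED_TAGS.get(tag).includes(name)) continue        // drops onclick, style, ...
    if (name === 'href' && !/^(https?:\/\/|\/|#)/i.test(value.trim())) continue
    kept += ` ${name}="${encodeHtml(value)}"`
  }
  return kept
}

// Walk the markup: a complete tag is rebuilt or encoded, and a bare "<" that
// does not start a complete tag is encoded too, so no unfinished tag survives.
function sanitize(html) {
  return html.replace(/<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>|</g, (whole, slash, name, attrs) => {
    if (name === undefined) return '&lt;'
    const tag = name.toLowerCase()
    if (!ALLOWED_TAGS.has(tag)) return encodeHtml(whole)
    return slash ? `</${tag}>` : `<${tag}${sanitizeAttrs(tag, attrs)}>`
  })
}

console.log(sanitize('<script>document.cookie</script>'))   // &lt;script&gt;document.cookie&lt;/script&gt;
console.log(sanitize('<b onclick="steal()">bold</b>'))      // <b>bold</b>
```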

Summary

SQL injection: stealing database content

XSS attack: stealing sensitive front-end information such as cookies

Password encryption: protects user information (important)

DDoS attacks: require hardware and service-level support (needs ops support)

Original address

juejin.cn/post/684490…

Reference

Chapter 5: nodejs koa2 mysql redis full-stack development - security (SQL injection, XSS attacks): blog.csdn.net/u012878818/…