What are the common types of attacks on the web front end?

DoS and DDoS attacks

When we visit a website, we sometimes find that it cannot be opened because the server has been paralysed. What is the (D)DoS attack that paralyses a server, and how do hackers carry out DDoS attacks?

In order to understand what a DDoS attack is, we first need to know how going online works:

  • The terminal sends a request to the server
  • The server receives the request, processes it and returns the result
  • The client's terminal decodes and renders the returned information

The principle of a DoS attack

  • The principle of DoS and DDoS attacks is to send requests to the server continuously
  • This prevents the server from processing requests from other terminals
  • So the server becomes unable to serve anyone else
  • This is a DoS attack

Because a DoS attack comes from only one terminal, it is easy for the server to recognise it and then block it.

That's where DDoS attacks come in.

DDoS attack

In a DDoS attack, the terminals sending the attack requests are no longer a single one but dozens, hundreds or thousands of them. When they all constantly send requests to the server, the server is not so easy to handle.

Types of DoS attack

There are roughly two types of DoS attack:

  • The first and most common is to exhaust the server's traffic capacity with the attacker's own traffic
  • The second type, the fragmentation attack, does not use the attacker's traffic to consume the server's traffic; instead it sends small packets containing malicious content that occupy the server's memory
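The point above about a single-terminal DoS being easy to recognise and block, and a distributed one not, can be shown with a per-source request limiter. The following is an added example, not code from the original article: a sliding-window counter that blocks any source exceeding a request threshold, run over three constructed traffic samples (a flood from one address, the same volume spread over 100 addresses, and a normal user). The addresses, thresholds and traffic shapes are all made up for the demonstration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Request:
    timestamp: float  # seconds since the start of the capture
    source_ip: str


class PerSourceLimiter:
    """Sliding-window counter: a source that sends more than `limit`
    requests within `window` seconds is blocked for the rest of the run."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)
        self.blocked: Set[str] = set()

    def check(self, req: Request) -> bool:
        """Return True if the request may be served, False if it is dropped."""
        if req.source_ip in self.blocked:
            return False
        hits = self._hits[req.source_ip]
        hits.append(req.timestamp)
        # forget hits that have fallen out of the window
        while hits and req.timestamp - hits[0] > self.window:
            hits.popleft()
        if len(hits) > self.limit:
            self.blocked.add(req.source_ip)
            return False
        return True


def simulate(requests: List[Request], limit: int = 50, window: float = 1.0) -> Tuple[int, int, Set[str]]:
    """Run the limiter over a request sequence; return (served, dropped, blocked sources)."""
    limiter = PerSourceLimiter(limit, window)
    served = dropped = 0
    for req in requests:
        if limiter.check(req):
            served += 1
        else:
            dropped += 1
    return served, dropped, set(limiter.blocked)


# Constructed traffic samples (not real captures); the addresses come from
# the documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24.
def single_source_flood(n: int = 500) -> List[Request]:
    """One terminal sends n requests within one second (DoS)."""
    return [Request(i / n, "203.0.113.7") for i in range(n)]


def distributed_flood(n: int = 500, bots: int = 100) -> List[Request]:
    """The same n requests in one second, spread over `bots` terminals (DDoS)."""
    return [Request(i / n, f"198.51.100.{i % bots}") for i in range(n)]


def normal_client(n: int = 10) -> List[Request]:
    """A legitimate user clicking around at ten requests per second."""
    return [Request(i / 10, "192.0.2.25") for i in range(n)]


if __name__ == "__main__":
    print("single source:", simulate(single_source_flood()))
    print("distributed:  ", simulate(distributed_flood()))
    print("normal user:  ", simulate(normal_client()))
```

The single-source flood trips the threshold after 50 requests and the rest are dropped, while the distributed flood of the same size never exceeds five requests per address and is served in full: the per-source rule that stops a DoS sees nothing unusual in a DDoS, which is why mitigating the distributed case needs measures that look at aggregate load rather than at individual terminals.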

CSRF attacks

CSRF (Cross-Site Request Forgery) is a malicious exploitation of a website.

The attacker impersonates a legitimate user, so that to the server the request appears legitimate, and thereby achieves the effect the attacker wants.

For a CSRF attack to succeed, the victim has to complete the following two steps:

  • Log in to trusted website A, so that a token is generated locally
  • Visit dangerous website B without logging out of website A

CSRF defense

Currently, there are three strategies to defend against CSRF attacks:

(1) Verify HTTP Referer field

The HTTP Referer field stores the source address of the HTTP request. The website being visited can verify whether this address is legitimate; if it is not, the request may be a CSRF attack and can be rejected. However, this method is not foolproof. The value of the Referer is provided by the browser, and we cannot guarantee that the browser is free of security loopholes. There are currently methods to tamper with the value of the Referer, and some users configure their browser not to send the Referer at all in order to protect their privacy.

(2) Add a token to the request address and verify it

CSRF exploits cookies to attack, so we can add to the request a piece of information that cannot be forged and does not exist in the cookie: randomly generate a token, pass it as a parameter in the request, and set up an interceptor on the server that verifies the token.

(3) Customize and validate attributes in the HTTP header

This approach solves the inconvenience of adding a token to every request address. At the same time, the address requested by XMLHttpRequest is not recorded in the browser's address bar, so there is no worry that the token will leak to other websites through the Referer.
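The three strategies combine naturally into one server-side interceptor. The following is an added example, not code from the original article: a per-session random token is issued and stored server-side, and every state-changing request must pass a Referer check (when a Referer is present) and present the token either in a custom `X-CSRF-Token` header (the XMLHttpRequest case) or as a `csrf_token` parameter (the plain form case). The origin name `site-a.example`, the header and parameter names, the session id and the request dicts are all assumptions constructed for the demo; the policy of tolerating an absent Referer while still requiring the token is the design choice explained in the comments.

```python
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

# Assumed origin of "website A"; "website B" is any other origin.
TRUSTED_ORIGIN = "https://site-a.example"

# Server-side token store: session id -> random token. In a real deployment
# this lives in the session storage; a dict is enough for the demo.
_tokens: Dict[str, str] = {}


def issue_token(session_id: str) -> str:
    """Strategy (2): one random token per session, remembered server-side.
    It travels in the page (form field or JS variable), never in the cookie,
    so a request forged from another site cannot know it."""
    return _tokens.setdefault(session_id, secrets.token_urlsafe(32))


def referer_is_trusted(headers: Dict[str, str]) -> bool:
    """Strategy (1): if a Referer is present it must belong to our origin.
    An absent Referer is tolerated because some browsers strip it for
    privacy; the token check still applies in that case."""
    referer = headers.get("Referer")
    if referer is None:
        return True
    parsed = urlparse(referer)
    return f"{parsed.scheme}://{parsed.netloc}" == TRUSTED_ORIGIN


def supplied_token(request: Dict) -> Optional[str]:
    """Strategy (3) first: a custom header set by XMLHttpRequest; fall back
    to the request parameter used by ordinary HTML forms."""
    return request["headers"].get("X-CSRF-Token") or request["params"].get("csrf_token")


def csrf_interceptor(request: Dict) -> Tuple[bool, str]:
    """Runs before any state-changing handler. `request` is a constructed
    dict with 'cookies', 'headers' and 'params'."""
    session_id = request["cookies"].get("session")
    if session_id is None:
        return False, "no session"
    if not referer_is_trusted(request["headers"]):
        return False, "foreign referer"
    token = supplied_token(request)
    if token is None:
        return False, "missing token"
    expected = _tokens.get(session_id)
    if expected is None or not secrets.compare_digest(token, expected):
        return False, "bad token"
    return True, "ok"


# Constructed requests. All of them carry the victim's cookie, because the
# browser attaches it automatically; that is exactly what CSRF relies on.
SESSION = "sess-victim-1"


def legit_form_post() -> Dict:
    return {"cookies": {"session": SESSION},
            "headers": {"Referer": f"{TRUSTED_ORIGIN}/transfer"},
            "params": {"to": "bob", "amount": "10", "csrf_token": issue_token(SESSION)}}


def legit_xhr_post() -> Dict:
    return {"cookies": {"session": SESSION},
            "headers": {"Referer": f"{TRUSTED_ORIGIN}/app",
                        "X-CSRF-Token": issue_token(SESSION)},
            "params": {"to": "bob", "amount": "10"}}


def forged_from_site_b() -> Dict:
    # a form auto-submitted by site B: cookie present, no token, foreign Referer
    return {"cookies": {"session": SESSION},
            "headers": {"Referer": "https://site-b.example/page"},
            "params": {"to": "mallory", "amount": "1000"}}


def forged_referer_stripped() -> Dict:
    # the same request with the Referer suppressed: only the token check remains
    return {"cookies": {"session": SESSION},
            "headers": {},
            "params": {"to": "mallory", "amount": "1000", "csrf_token": "guess"}}


if __name__ == "__main__":
    for name, req in [("form", legit_form_post()), ("xhr", legit_xhr_post()),
                      ("site B", forged_from_site_b()), ("no referer", forged_referer_stripped())]:
        print(f"{name:>10}: {csrf_interceptor(req)}")
```

Note that the interceptor compares tokens with `secrets.compare_digest` rather than `==`, so the comparison time does not depend on how many leading characters match.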

XSS attacks

XSS (cross-site scripting) attacks are also known as script injection attacks: the attacker exploits a vulnerability to plant malicious code in a page, so that the embedded code is executed whenever someone visits the page.

XSS can roughly be divided into two categories:

  • Reflected XSS: the malicious script is submitted to the server as a URL parameter
  • Stored XSS: the malicious script is stored in the database and is executed when another user reads the data

XSS defense

  • Escape what the user typed in: treat user input as data, not as code
  • Check and filter special fields, for example script; set matching rules for each input field
  • Protect cookies: set HttpOnly on important cookies so that client-side script cannot read them through document.cookie
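The three defences above in working form, as an added example that is not code from the original article: output escaping for both the stored and the reflected case, an allow-list matching rule for an input field, and a Set-Cookie header with HttpOnly. The comment markup, the username rule and the cookie name are assumptions for the demo; the Secure flag on the cookie is standard practice that the article does not mention.

```python
import html
import re
from http.cookies import SimpleCookie


def render_comment_unsafe(comment: str) -> str:
    """The vulnerable pattern: stored user data is pasted into the page as-is,
    so any markup inside it becomes part of the page (stored XSS)."""
    return f"<div class='comment'>{comment}</div>"


def render_comment_safe(comment: str) -> str:
    """Defence 1: escape on output. < > & \" ' become entities, so the browser
    displays the text instead of interpreting it."""
    return f"<div class='comment'>{html.escape(comment, quote=True)}</div>"


def render_search_results(query: str) -> str:
    """Reflected case: a URL parameter echoed back into the response gets
    the same escaping."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


# Defence 2: a matching rule for an input field. A username never needs
# anything but these characters, so everything else is rejected before
# it is stored (assumed rule for the demo).
USERNAME_RULE = re.compile(r"[A-Za-z0-9_]{3,32}")


def username_allowed(value: str) -> bool:
    return USERNAME_RULE.fullmatch(value) is not None


def session_cookie_header(value: str) -> str:
    """Defence 3: HttpOnly keeps the cookie out of reach of document.cookie.
    Secure (an addition beyond the article) keeps it off plain HTTP."""
    cookie = SimpleCookie()
    cookie["session"] = value
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    return cookie.output()


if __name__ == "__main__":
    # constructed input a user might submit through a comment form
    submitted = "<script>alert(document.cookie)</script>"
    print(render_comment_unsafe(submitted))
    print(render_comment_safe(submitted))
    print(username_allowed("alice_01"), username_allowed("<b>alice</b>"))
    print(session_cookie_header("sess-123"))
```

Escaping happens at the point where data is written into HTML, not when it is stored: the same stored comment may later be emitted into a JSON response or a plain-text email, each of which needs its own encoding.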

SQL injection

Simply put, SQL injection means inserting SQL commands when a form is submitted, which ultimately results in the web server executing the malicious SQL command.

Defense against SQL injection

  • Do not use dynamic SQL: avoid putting user-submitted data directly into SQL statements
  • Limit database permissions and privileges: give the database user the minimum rights it needs
  • Avoid displaying database error information directly to the user
  • Use a professional SQL injection detection tool to find and fix SQL injection before release
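The first and third defences above, shown side by side in an added example that is not code from the original article. It builds a constructed in-memory SQLite table with one account, contrasts a login check that pastes submitted values into the SQL string with one that uses placeholders, and wraps the safe version in a handler that never shows database errors to the user. The table layout, the account and the submitted form values are all made up for the demo.

```python
import sqlite3
from typing import Dict, Tuple


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory database with a single account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-password')")
    conn.commit()
    return conn


def login_dynamic_sql(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """The vulnerable pattern: submitted values are pasted into the SQL text,
    so quote characters in the input change the statement itself."""
    sql = (f"SELECT 1 FROM users WHERE username = '{username}' "
           f"AND password_hash = '{password_hash}'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """Defence: placeholders. The driver passes the values separately from
    the statement, so input is always data and never SQL."""
    sql = "SELECT 1 FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone() is not None


def handle_login(conn: sqlite3.Connection, username: str, password_hash: str) -> Tuple[bool, str]:
    """Request handler: parameterized query, and database errors are never
    shown to the user (they would reveal table and column names)."""
    try:
        return login_parameterized(conn, username, password_hash), "ok"
    except sqlite3.Error:
        # log the real error server-side; the client only sees a generic message
        return False, "login failed"


def run_demo() -> Dict[str, object]:
    """Exercise both versions with a constructed form input in which a quote
    and a comment marker cut the statement short."""
    db = setup_db()
    crafted_username = "alice' --"
    results: Dict[str, object] = {
        "dynamic_sql_bypassed": login_dynamic_sql(db, crafted_username, "wrong"),
        "parameterized_bypassed": login_parameterized(db, crafted_username, "wrong"),
        "honest_login": handle_login(db, "alice", "hash-of-alice-password"),
        "wrong_password": handle_login(db, "alice", "wrong"),
    }
    db.close()  # simulate a database failure: the handler must not leak it
    results["after_db_failure"] = handle_login(db, "alice", "hash-of-alice-password")
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

With the crafted username the dynamic version evaluates `... WHERE username = 'alice' --' AND password_hash = 'wrong'`, where everything after `--` is a comment, so the password check disappears; the parameterized version looks for a user literally named `alice' --` and finds none. The second defence on the list, least privilege, is outside what SQLite can show here: with a server database it means a dedicated account for the web application that can only read and write the tables it needs.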

DNS hijacking

Domain name hijacking is a kind of Internet attack: by attacking a DNS server, or by setting up a fake DNS server, the attacker makes the target website's domain name resolve to a wrong IP address, so that users either cannot reach the target at all or are intentionally and maliciously sent to a specified IP address (website).

To explain my understanding with an example: when we access a website by domain name (such as www.taobao.com) while surfing the Internet, the process is roughly as follows.

  • We enter the address, and the browser first looks for the IP of www.taobao.com in its own cache. If we have just visited the site, the IP is returned directly.
  • If it is not found there, the local DNS resolver looks in its cache.
  • If it is still not found, a DNS server on the network has to look up the domain name, for example Google's 8.8.8.8 or China Telecom's 114.114.114.114, both of which are pre-configured on our machine (on a Mac the configuration file is /etc/resolv.conf). If that server finds the IP address in its cache it returns it to us directly, and the local DNS resolver caches the record at the same time.
  • If that server has no information about the domain name either, what happens next depends on its forwarding configuration. If forwarding is configured, the query is passed up to the next-level DNS server, level by level, until a server returns the domain name information. If it is not, the local DNS server starts by interacting with the root DNS server.
  • The root DNS server does not hold the IP we want; since the whole world depends on it, it only returns basic information. Here it returns the IP address of the management server for the .com top-level domain.
  • The .com server in turn returns the IP address of the management server for the second-level domain taobao.com.
  • The local DNS server asks that server for www.taobao.com and receives the IP address, which it returns to the client.
  • The client then connects to the target server using only that IP address.
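The chain described above, root to .com to taobao.com, and what a hijacked step does to it, as an added example that is not code from the original article. It models name servers as constructed tables of delegations and records, implements the local DNS server's cache-then-walk behaviour, then repeats the walk over a copy of the data in which the .com server's delegation for taobao.com has been replaced by a fake name server. All server names and IP addresses are made up; `cross_check` is an assumed defensive routine that compares answers from two independently configured resolvers.

```python
import copy
from typing import Dict, List, Optional, Tuple

# Constructed name-server data (hostnames and IPs are invented).
# "delegations" map a suffix to the server that manages it; "records" hold final answers.
HONEST_SERVERS: Dict[str, Dict[str, Dict[str, str]]] = {
    "root-server": {"delegations": {"com.": "com-tld-server"}},
    "com-tld-server": {"delegations": {"taobao.com.": "taobao-ns"}},
    "taobao-ns": {"records": {"www.taobao.com.": "203.0.113.10"}},
}

# The same data after a hijack: the .com server now delegates taobao.com
# to a fake name server that answers with the attacker's IP.
HIJACKED_SERVERS = copy.deepcopy(HONEST_SERVERS)
HIJACKED_SERVERS["com-tld-server"]["delegations"]["taobao.com."] = "fake-taobao-ns"
HIJACKED_SERVERS["fake-taobao-ns"] = {"records": {"www.taobao.com.": "198.51.100.66"}}


def ask(servers: Dict[str, Dict[str, Dict[str, str]]], server: str, name: str) -> Tuple[str, Optional[str]]:
    """One query to one server: a final answer, a referral to the next server, or nothing."""
    zone = servers[server]
    if name in zone.get("records", {}):
        return "answer", zone["records"][name]
    best: Optional[Tuple[str, str]] = None
    for suffix, next_server in zone.get("delegations", {}).items():
        if name.endswith(suffix) and (best is None or len(suffix) > len(best[0])):
            best = (suffix, next_server)
    if best is not None:
        return "referral", best[1]
    return "nxdomain", None


class LocalDnsServer:
    """The local DNS server from the text: serves from cache when it can,
    otherwise starts at the root and follows referrals until it gets an answer."""

    def __init__(self, servers: Dict[str, Dict[str, Dict[str, str]]], root: str = "root-server") -> None:
        self.servers = servers
        self.root = root
        self.cache: Dict[str, str] = {}

    def resolve(self, name: str) -> Tuple[Optional[str], List[str]]:
        """Return (ip, servers asked in order); the list is ['cache'] on a cache hit."""
        if not name.endswith("."):
            name += "."
        if name in self.cache:
            return self.cache[name], ["cache"]
        asked: List[str] = []
        server = self.root
        for _ in range(8):  # bound the walk so a referral loop cannot spin forever
            asked.append(server)
            kind, value = ask(self.servers, server, name)
            if kind == "answer":
                self.cache[name] = value
                return value, asked
            if kind == "referral" and value is not None:
                server = value
                continue
            break
        return None, asked


def resolve_twice(servers: Dict[str, Dict[str, Dict[str, str]]], name: str) -> Tuple[Tuple[Optional[str], List[str]], Tuple[Optional[str], List[str]]]:
    """Show the cache at work: the first lookup walks the chain, the second does not."""
    resolver = LocalDnsServer(servers)
    return resolver.resolve(name), resolver.resolve(name)


def cross_check(name: str, resolver_a: LocalDnsServer, resolver_b: LocalDnsServer) -> bool:
    """Defensive check: two independently configured resolvers should agree;
    a disagreement is a sign that one of the paths has been hijacked."""
    return resolver_a.resolve(name)[0] == resolver_b.resolve(name)[0]


if __name__ == "__main__":
    print("honest:  ", resolve_twice(HONEST_SERVERS, "www.taobao.com"))
    print("hijacked:", LocalDnsServer(HIJACKED_SERVERS).resolve("www.taobao.com"))
    print("agree?   ", cross_check("www.taobao.com", LocalDnsServer(HONEST_SERVERS), LocalDnsServer(HIJACKED_SERVERS)))
```

Note that the hijacked resolver does nothing wrong procedurally: it follows the referrals it is given, and once the wrong answer is cached every later client of that resolver gets it without any further walk. That is why the defence has to come from outside the single chain, such as the independent second opinion shown in `cross_check`.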