A peek at Web security

Let’s start with two examples of Web security incidents:

Google Data Leak

Topping up on Steam for free

Security problems are in fact very common, and any one of them can harm the interests of users, of companies, and of the programmers themselves.

Common Web security issues and defensive measures

1. XSS

Cross-site scripting: because its natural abbreviation would collide with CSS, it is called XSS instead. Cross-site scripting is an attack in which the attacker tries to inject illegal, non-native HTML tags or JavaScript into a website.

Characteristics

  • Often hard to notice from the UI (the script executes covertly)
  • Steals user information (cookie/token)
  • Draws UI (such as a popover) to trick the user into clicking or filling out a form

Classification

1. Stored XSS

  • The malicious script is stored in the database
  • Visiting the page -> reading the data === being attacked
  • Most damaging: every user who views the content is affected

2. Reflected XSS

  • No database involved
  • The attack arrives through the URL

3. DOM-based XSS

4. Mutation-based XSS

Defensive measures

Front end:

  • Do not render user-submitted content directly into DOM nodes
  • Use a mainstream framework; most of them defend against XSS by default
  • google-closure-library

Server (Node):

  • Don’t trust any data submitted by the user. Filter DOM attributes, style nodes, script nodes, iframe/frame nodes, etc. out of user-uploaded content
  • DOMPurify
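As an added example that is not part of the original post, the vulnerable render beside the hardened one in Node.js: the constructed comment record stands in for a row read back from the database, and app.example is a placeholder origin.

```javascript
// Escape the five characters that change meaning in HTML text and attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Only allow http(s) URLs in href/src; escaping alone does not neutralise a javascript: URL.
function safeUrl(value) {
  try {
    const protocol = new URL(String(value), 'https://app.example').protocol; // placeholder base origin
    return protocol === 'https:' || protocol === 'http:' ? String(value) : '#';
  } catch {
    return '#'; // unparseable input is not a link
  }
}

// Constructed record, as it might be read back from a comments table (stored XSS)
const storedComment = {
  author: 'mallory" onmouseover="alert(1)',
  site: 'javascript:alert(1)',
  text: 'nice post <script>alert(document.cookie)</script>',
};

// 'Before': user-submitted content interpolated straight into the markup
function renderUnsafe(c) {
  return `<a data-author="${c.author}" href="${c.site}">${c.text}</a>`;
}

// 'After': every value escaped for the context it lands in, URL scheme checked first
function renderSafe(c) {
  return `<a data-author="${escapeHtml(c.author)}" href="${escapeHtml(safeUrl(c.site))}">${escapeHtml(c.text)}</a>`;
}
```

The same two functions apply to reflected XSS; only the source of the record changes.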

2. CSRF

Cross-site request forgery is a common Web attack. It abuses a user’s logged-in identity to perform illegal operations in the user’s name, stealing or modifying sensitive information without the user’s knowledge.

Case

GET request:

POST request:

Defensive measures

  • Origin + Referer: only allow requests whose origin is our own (GET and HEAD requests do not carry an Origin header and need special handling)
  • Bind the token to user information and control permissions strictly. For example, user A must not be able to request user B’s data by calling the interface with user B’s ID
  • X-Frame-Options: stop the page from being embedded in an iframe and used to issue same-origin requests from there
  • Separate reads from writes: GET for reads, POST for writes
  • SameSite cookie: stop the cookie from being attached to every request regardless of which site initiates it
  • Handle CSRF uniformly in middleware, for example with gateway authentication

3. Injection

Injection attacks work by injecting attacker-controlled code into a command or query.

Classification

1. SQL injection

2. OS command injection

Defensive measures

  • Strictly control user operations and the input users are allowed to submit

4. DoS

The server is made to consume so many resources (for example by constructing a specific request) that it can no longer respond to other requests; requests pile up and cause an avalanche effect.

Classification

1. ReDoS (based on regular expressions)

2. DDoS (Distributed DoS)

In a short period of time the server is flooded with requests from a large number of zombie devices. It cannot complete all of them in time, requests avalanche, and new requests go unanswered.

Nothing sophisticated: sheer volume does the job.

For example, SYN Flood attacks rely on massive requests.

Defensive measures

Front-end developers can do little here; this is mostly the job of operations and maintenance colleagues.

ReDoS defense
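An added example (not from the original post) of the ReDoS class the heading refers to: a trailing-whitespace regex that backtracks quadratically on a constructed hostile input, beside a linear replacement that returns the same result.

```javascript
// /\s+$/ on "<many spaces>x" retries the whole run of spaces from every start position: O(n^2).
const RTRIM_RE = /\s+$/;
function rtrimRegex(s) { return s.replace(RTRIM_RE, ''); }

// Linear defense: walk back from the end once and cut. No backtracking, same output for every input.
function rtrimSafe(s) {
  let end = s.length;
  while (end > 0 && /\s/.test(s[end - 1])) end--;
  return s.slice(0, end);
}

// Constructed hostile input: a long run of spaces followed by one non-space character
function hostileInput(n) { return ' '.repeat(n) + 'x'; }

function timeIt(fn, input) {
  const t0 = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - t0) / 1e6; // milliseconds
}

// Doubling n roughly quadruples the regex time while the loop stays flat.
for (const n of [2000, 4000, 8000]) {
  const regexMs = timeIt(rtrimRegex, hostileInput(n)).toFixed(1);
  const loopMs = timeIt(rtrimSafe, hostileInput(n)).toFixed(1);
  console.log(`n=${n}: regex ${regexMs} ms, loop ${loopMs} ms`);
}
```

The same rewrite applies to any pattern with nested or overlapping quantifiers: replace it with a non-backtracking scan, or cap the input length before matching.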

5. Man-in-the-middle attack

Man-in-the-middle attack: the attacker creates an independent connection with each end of the communication and relays the data it receives between them. The two ends believe they are talking to each other directly over a private connection, but in fact the whole conversation is completely controlled by the attacker.

Defensive measures

To defend against man-in-the-middle attacks, use HTTPS (HTTPS = HTTP + TLS). Why is HTTPS reliable and secure? Let’s take a closer look.

HTTPS

HTTPS characteristics

  1. Reliability: Secure encryption
  2. Integrity: MAC authentication
  3. Non-repudiation: digital signature

Reliability: Secure encryption

HTTPS reliability is guaranteed by TLS, the successor to the now-defunct Secure Sockets Layer (SSL): a cryptographic protocol designed to provide communications security over computer networks. It is widely used in applications such as email, instant messaging and voice over IP.

The TLS handshake has two phases: asymmetric encryption is used to transmit the symmetric key securely, and symmetric encryption is then used for the conversation itself, for efficiency.

Asymmetric encryption: the browser offers the server a list of cipher suites; the server picks one and returns its certificate, which the browser verifies on receipt.

Symmetric encryption: both parties use the generated session key to encrypt and decrypt the transmitted content.

Integrity: MAC authentication

Non-repudiation: digital signature

A digital signature

The signer holds a private key and a public key. As the names imply, the private key is kept hidden and the public key is visible to everyone. Signing means encrypting the content with the private key; signature verification checks that the content was indeed produced with the corresponding private key.

The digital certificate

Digital certificate: a certificate issued by a relatively authoritative and impartial Certificate Authority (hereinafter the CA).

The certificate makes HTTPS, and the certificate can also break it

If the signature algorithm is not robust enough it can be broken, and the man-in-the-middle attack still succeeds. Current signature algorithms are robust and hard to break, so HTTPS does ensure non-repudiation.

Conclusion

  • Security is no small matter. As developers we must pay attention to security issues to protect the company’s property, our users, and our own interests.
  • The dependencies you use (npm packages, or even Node.js itself) can be the weakest link, so don’t introduce third-party dependencies casually.
  • Attack techniques are constantly evolving, so we should keep learning at all times.