Summary of JTalk No. 8: front-end security in depth

This article is reproduced at: Ape 2048 website ➧ https://www.mk2048.com/blog/blog.php?id=hc0ka02b1j

After the JTalk "front-end security" event, I wrote down the lecturers' talks and some of the questions and answers between the lecturers and the audience. Unfortunately I could not record everything, so this is only a partial collection; the article does not fully represent everything the lecturers said, and some of it is supplemented from my memory, so there will be differences. I hope this write-up helps you.

Event description

Front-end security in depth | JTalk (Nuggets) 8th offline event

Cross-site scripting (XSS) attacks and defense - Long-kai

  • What is XSS? (What harm does XSS do: stealing credentials, stealing the session token)

  • A tag typed into an input box may be reflected into the page; the injected script can then read the cookie and send it to a specified address

  • v-html can render important data in any form; this directive behaves like innerHTML

  • Why does XSS arise? (Common types of XSS: reflected, stored, DOM-based)

  • Do not use innerHTML to render a waterfall (feed) display

  • An injected form tag can be used to obtain data or to change the address the page's form submits to

  • Chrome has built-in XSS defense that automatically intercepts injected tags, but it only intercepts the main injection forms.

  • How to defend against XSS? (Treat data with caution, and avoid innerHTML)

  • XSS can achieve session hijacking by sending the user's cookie to a specified address

  • With the obtained cookie the attacker can get the token, impersonate the user and perform routine operations.

  • By mimicking requests to a server, JS can keep issuing forged requests against a specified server, for example to keep creating files.

  • Escape content to prevent malicious tag injection.

  • Whitelist content: filter externally supplied dynamic content with a whitelist of allowed tags, instead of using a blacklist.

Recorded questions

  • Reporting the number of attacks

  • Use CSP; violations can be reported through the directive declared inside it.

  • CSP blocks execution of any content beyond what the policy declares; illegal JS on the page is intercepted by CSP when it would execute.

  • Unclear how to detect deeply hidden problems in a project

  • OWASP has security standards and security audit software that can be used

  • Escaping here is only HTML escaping; other kinds of escaping need to be handled by the back end

  • For XSS defense, is there an easy-to-use tool, or a tool for real-time vulnerability monitoring?

  • Use security auditing software to audit the business process; if the company can afford it, put more emphasis on auditing. Security requires the development team and the boss to collaborate. Third-party data may not be reliable, so the team needs to work together.

On traffic hijacking and its prevention - Liu Yang

  • What are the phases of a typical Internet access?

  • Products are rushed into use, so the software development process leaves many vulnerabilities; developers do not know how attackers attack, so the basics must be mastered.

  • Traffic hijacking is not a new topic, and it has not been completely eliminated.

  • In the ideal online environment the user opens the browser and it just works: the browser resolves the site, reaches the server's IP through the router and downloads files via the CDN.

  • How does traffic hijacking happen?

  • The link itself is insecure.

  • Security was not considered in the design.

  • As computing power develops, links that were secure become insecure.

  • The secure link is interfered with, forcing a fallback to the insecure link when the secure scheme fails.

  • DNS poisoning and the prevention and control of traffic hijacking

  • DNS

  • A UDP-based protocol; resolution is slow when it has to do the work, and relatively fast when the answer is cached.

  • With a cache there is no need to query again for a long time.

  • Public domain names and top-level domains are cached for a buffer time (the TTL); once the TTL expires the data is requested again.

  • DNS pollution

  • The DNS cache can be attacked or polluted.

  • HTTP

  • Encrypt the DNS service on the network; the user decrypts the downloaded encrypted file before use, which increases the security of DNS.

  • Resisting DNS traffic hijacking

  • Troubleshooting link problems

  • Scheme A: automatically set up self-built monitoring stations in some provinces and regions, and periodically crawl fixed resources

  • Problem: the resources are too fixed, and the number of monitoring stations is far from enough

  • Scheme B: the business side listens for the Error event of resources in its own HTML

  • Problem: cannot tell whether the problem is on the link; it may just be a plain JS error

  • Scheme C: use a third-party enterprise service for monitoring

  • Problem: the more advanced the service, the higher the cost

  • Scheme D: CSP, SRI

  • Problem: compatibility and flexibility are poor, and custom logic cannot be executed

Questions and answers

For the Q & A part I only recorded the lecturers' replies; because of long overtime recently I have had tinnitus and could not hear the questions clearly. My apologies to everyone.

  • When the browser is running business code it has no spare time for extra computing. We do not have many resources either; one approach is to embed it in the SDK and use the file's total length and its first 100 bytes to determine whether the file has been tampered with.

  • For asynchronous script loading, you can first use the browser's own loading mechanism; another solution is not to use the original loading program but a loader you define yourself, which you can then modify.

CSRF in layman's terms - Wu Kong

  • What is CSRF? What can CSRF do? The current state of CSRF attacks

  • A CSRF attack can forge requests that imitate the user: steal account information, make bank transfers, buy goods.

  • CSRF vulnerability detection and CSRF prevention

  • Common CSRF defenses are available in the PPT.

  • CSRFTester vulnerability detection

  • Using a proxy, CSRFTester crawls all links visited in the browser and all forms; by modifying the corresponding information in a form and resubmitting it from CSRFTester, which is equivalent to a forged client request, you can tell that a CSRF vulnerability exists if the server accepts the modified test request. Of course, the tool can also be used to carry out CSRF attacks.

  • CSRF Request Builder vulnerability detection

  • In the hacker community this refers to a proof-of-concept program: if running the program produces the expected result, the claim is verified.

  • How to prevent CSRF attacks at the front-end and server-side code level

  • Integrate automated vulnerability detection into the build tool at release time.

  • Online interface scanning: when an interface goes live or is updated, scan it with a vulnerability scanning tool.

Exploring security in user authentication - Jun Pan

  • Where verification sits in the security of web services

  • Classify information by the nature of the site; most commonly it is divided into privacy-related and non-privacy categories. Combine this with the characteristics of the product itself to choose how information is presented to the user

  • Sensitive operations and normal operations do not need the same verification.

  • Case: [bought a new phone and found someone else's data on it]

  • Case: [registered a new account and found things in it that were not their own]

  • Types of authentication and their merits: weak authentication, strong authentication, dynamic (user-identifying) authentication, extensible authentication

  • Passwords are evolving; login methods are diversifying.
    • The importance of password security is gradually decreasing.
  • SMS quick login
    • The rise of SMS login
      • The development of the mobile Internet and the popularity of smartphones
      • Changes in tariff structure changed the role of the phone and of SMS
      • Real-name registration of SIM cards gave the mobile phone number the role of a personal account

  • Some common problems when building on SMS
    • Preventing SMS bombing
    • SMS validity period
    • Service providers and cost
  • The pros and cons of SMS login
    • Simple, quick and secure
    • Phone numbers can be recycled
  • How to plan and develop a strategy from the overall product level

  • How to reduce the number of verifications
    • Device association: the browser is also associated with the device (by a long-lived cookie identifier); historical data on the relationship between device and account, region, IP and even time period can actively help decide whether the current user is trustworthy.
  • How to choose authentication
    • Password
    • SMS login
    • Dynamic token
    • QR code login
    • Other
      • Strong reliance on third-party login
      • Face recognition, fingerprint recognition, etc.

  • How to choose authentication by product type
    • Pure WeChat development
      • SMS, WeChat login, password
    • Mobile app
      • SMS, WeChat, password, manual appeal, QR code login
    • PC browser
      • SMS, dynamic token, password
    • Multi-platform
      • SMS, QR code login, password, dynamic token, WeChat
    • Low-interaction information products
      • SMS, password
    • Tools (asset-heavy)
      • SMS, WeChat, dynamic token, manual appeal, password, QR code login
    • Tools (information-heavy)
      • Dynamic token, manual appeal, SMS, password

The order represents the priority and the recommended order of development.

Summary

Security issues are not limited to the web front end; wherever a network is involved there will be attacks. Large companies have their own security teams, while small and medium-sized companies become practice targets for hackers; according to friends, many places train hackers, and some small and medium-sized companies are used as their practice ground. Hearing this feels full of challenges; it is a comprehensive test of one's ability to troubleshoot and solve problems quickly. A finished product must not only improve the reliability and robustness of the code; its security features are just as important, and any minor defect can become the attacker's entry point. I think this is a test and an improvement of oneself, and only by surviving the storm can one move on.

Download PPT

Download: https://www.lanzous.com/b270409/ Password: 96rl

Photos from the event

Teacher in autumn

Lecturer Liu Yang

Lecturer Wu Kong

Lecturer Jun Pan

Roundtable discussion

Group photo


Source: www.cnblogs.com/jiangshangbulao/p/11784666.html