What is Web security?
Attackers exploit loopholes in the server's operating system and SQL injection flaws in the web application to gain control of the web server. From there they can tamper with, delete or add data, steal important business information and transfer funds, or, more seriously, implant malicious code in the web pages, so that the website suffers damage nobody expected.
Common attacks fall into three categories: XSS, CSRF and SQL injection.
Cross-site scripting is abbreviated as XSS to distinguish it from CSS.
A malicious attacker implants script code into a web page. When a user browses that page, the embedded script is executed, and the attack takes effect.
To put it bluntly, the attacker types malicious script code into an input box; when other users view the page, the script runs in their browsers, and the attacker has achieved his goal.
1.1 Hazards of XSS
1.2 XSS attack types
Reflected XSS: the XSS code appears in the URL of the request and is submitted to the server as input. The server returns it to the browser, and the browser parses and executes it. The process is like a reflection, hence the name reflected XSS.
This type of attack usually places the XSS payload in the data part of the request URL, for example:
Stored XSS: the submitted XSS code is stored on the server side (database, memory or file system), so it does not need to be submitted again the next time the target page is requested.
Document-based (DOM) XSS does not go through the server. The attacker acts as a man in the middle, hijacks network packets during transmission, and then modifies the HTML document inside them.
1.3 Defensive measures against XSS
Measure 1: Encoding.
HTML-entity encode the data. Both the client and the server need to escape it.
After escaping, it is:
If the value is placed inside the code above it will still be parsed as that code, so it must be placed outside.
Measure 2: Filtering.
Remove DOM event attributes uploaded by users, such as the onerror attribute above.
Remove style, script and iframe nodes uploaded by users.
Measure 3: Use CSP.
Content Security Policy lets the page tell the browser which resources it is allowed to load.
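The three XSS measures in working form, as an added example that is not part of the original post: entity encoding for data placed in a page, a filter that drops script/style/iframe nodes and on* event attributes from user-supplied HTML, and a CSP header value (the tag list and header value are this example's assumptions, not the author's).

```python
import html
from html.parser import HTMLParser

# Measure 1: HTML-entity encode untrusted data before putting it in a page.
def encode_for_html(untrusted: str) -> str:
    # quote=True also escapes " and ' so the value is safe inside attributes
    return html.escape(untrusted, quote=True)

# Measure 2: strip script/style/iframe nodes and on* event attributes from
# user-supplied HTML (e.g. a rich-text comment) while keeping other markup.
DANGEROUS_TAGS = {"script", "style", "iframe"}   # assumed block list

class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__()          # convert_charrefs=True: entities arrive as text
        self.out = []
        self.skip_depth = 0         # > 0 while inside a dangerous element

    def handle_starttag(self, tag, attrs):
        if tag in DANGEROUS_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth:
            return
        kept = [(k, v) for k, v in attrs if not k.startswith("on")]
        attr_text = "".join(f' {k}="{html.escape(v or "", quote=True)}"' for k, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag in DANGEROUS_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))  # re-escape text nodes

def sanitize_html(untrusted_html: str) -> str:
    parser = _Sanitizer()
    parser.feed(untrusted_html)
    parser.close()
    return "".join(parser.out)

# Measure 3: a CSP that only runs scripts from our own origin, so an inline
# script that slipped past the filter is still not executed by the browser.
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'")
```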
Cross-site request forgery (CSRF).
The attacker lures the victim onto a third-party website, which sends a cross-site request to the target website. Because the browser attaches the login credentials the victim already holds for the target site, the request bypasses the back-end user authentication, and the attacker performs operations on the target site as if he were the user.
Characteristics of a CSRF attack:
2.1 Hazards of CSRF
2.2 CSRF attack types
GET-type CSRF is very simple to use and needs only one HTTP request.
For example, adding an image link, an iframe or a script to a page is the easiest way to complete a CSRF attack; it is hard for users to notice and extremely covert.
Because GET interfaces are the most common CSRF target, important interfaces should not use GET, and using POST can prevent CSRF attacks to some extent.
POST-type CSRF usually uses an automatically submitted form. Simply put, the attacker forges a form that submits itself, and as soon as you visit the page the form is submitted.
For example:
Link-type CSRF is relatively rare compared with the first two, because the attack is only triggered when the user clicks the link.
Usually the malicious link is embedded in an image posted on a forum, or the user is lured into clicking through an advertisement. That is why you should avoid clicking the piles of messy advertisements in your mailbox: it prevents third-party attacks.
A newer attack pattern: the user thinks he is logging in to the website normally, but is actually logging in to the attacker's site with his own account and password, so the attacker can monitor all of the user's operations and even learn the account details.
2.3 CSRF defense measures
Measure 1: Check the Referer information in the HTTP header.
The Referer is carried in the request header and indicates the page from which the request to the interface originated.
When the server checks the Referer and finds that it comes from a foreign domain, it can block the request. Refusing access from unknown foreign domains reduces the attack surface to some extent.
Measure 2: Use a one-time token.
Use a one-time token for identity verification. An attacker cannot obtain the one-time token across domains, so the server can exclude illegitimate callers by checking whether the request carries it.
Measure 3: Use a verification picture (CAPTCHA).
The server generates some characters and numbers, saves them on the server side, and presents them to the client as a picture so that a legitimate user can type them in. A CSRF attack cannot read this verification code and therefore cannot supply it to the server; the match fails and the request is identified as illegitimate.
This is very common: before logging in you often have to fill in a graphic verification code.
Sliding-picture verification is also common now.
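Measures 1 and 2 combined into one server-side check, as an added example (not the author's code): the request must come from our own origin (this example also accepts the Origin header, an assumption beyond the post's Referer check), and it must carry a one-time token that was issued to the same session and has not been used yet. The site origin and the request dictionaries are constructed for the demo.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.example"   # assumed origin of the protected site

# Measure 1: reject state-changing requests whose source is another domain.
def referer_allowed(headers: dict) -> bool:
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False                     # no source at all: treat as untrusted
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN

# Measure 2: one-time token bound to the session. A cross-site page can make
# the browser send the cookie, but it cannot read the token to include it.
class TokenStore:
    def __init__(self):
        self._tokens = {}                # session_id -> set of unused tokens

    def issue(self, session_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens.setdefault(session_id, set()).add(token)
        return token

    def consume(self, session_id: str, presented: str) -> bool:
        for token in self._tokens.get(session_id, ()):
            if hmac.compare_digest(token, presented or ""):   # constant time
                self._tokens[session_id].discard(token)       # one-time: burn it
                return True
        return False

def accept_transfer(request: dict, store: TokenStore) -> bool:
    """Both checks must pass before a state-changing request is processed."""
    if not referer_allowed(request["headers"]):
        return False
    return store.consume(request["session_id"], request["form"].get("csrf_token"))
```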
SQL injection generally occurs in registration, comment and add-record features: it can only happen where there is user input. It is a common web security vulnerability; an attacker can use it to read or modify data and to exploit further weaknesses in the database.
SQL injection means inserting SQL commands into a web form field, a domain name or a page-request query string so that the server is tricked into executing malicious SQL. In other words, the attacker uses the existing application to inject (malicious) SQL into the back-end database engine for execution. By entering (malicious) SQL statements in a web form, the attacker can read the database of a website that has this hole, instead of the statement running the way the designer intended. For example, many film and video websites that leaked VIP member passwords were submitting query strings through web forms, which made them especially vulnerable to SQL injection.
3.1 Hazards of SQL injection
Any account can be logged in to and any operation can be carried out; the attacker can help himself.
3.2 SQL injection classification
When the input parameter is an integer, there may be a numeric injection vulnerability.
When the input parameter is a string, there may be a string injection vulnerability. The biggest difference between the two is that numeric injection does not need a single quote to close the value, while string injection generally does.
The key to string injection is how to close the SQL statement and comment out the remaining code.
In fact I think there are only two kinds of SQL injection: numeric and string. Many people will say there are Cookie injection, POST injection, time-delay injection and so on.
Yes, but in the final analysis these are just different forms or positions of numeric and string injection.
The following are some common injection names:
3.3 SQL injection prevention measures
Wherever the user can enter something, attacks must be prevented: never trust user input. The corresponding defensive measures are:
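The numeric/string distinction from 3.2 and the "never trust input" rule from 3.3, as an added example that is not from the original post, run against an in-memory SQLite table with constructed rows (plaintext passwords only to keep the demo short). The vulnerable functions paste input into the statement text; the hardened ones validate the numeric type and pass values as query parameters, so quotes or comment markers in the input are just characters.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed sample data for the demo, not from a real system.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "alice", "alice-pw"), (2, "bob", "bob-pw")])
    return con

# Vulnerable, numeric form: no quote to close, the input simply continues
# the WHERE expression.
def find_by_id_vulnerable(con, user_id: str):
    sql = f"SELECT name FROM users WHERE id = {user_id}"
    return [row[0] for row in con.execute(sql)]

# Vulnerable, string form: the input must first close the opening quote,
# then comment out the rest of the statement.
def login_vulnerable(con, name: str, password: str) -> bool:
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND password = '{password}'"
    return con.execute(sql).fetchone() is not None

# Hardened: type-check numeric input, then bind it as a parameter.
def find_by_id(con, user_id: str):
    if not user_id.isdigit():
        return []                      # reject anything that is not a plain integer
    rows = con.execute("SELECT name FROM users WHERE id = ?", (int(user_id),))
    return [row[0] for row in rows]

# Hardened: parameters never become part of the SQL text.
def login(con, name: str, password: str) -> bool:
    row = con.execute("SELECT 1 FROM users WHERE name = ? AND password = ?",
                      (name, password)).fetchone()
    return row is not None
```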
Since the front end and back end were separated, front-end developers deal with many interfaces every day. When sending a network request, some interfaces use the GET method, and the most common way to pass parameters is to append them directly to the URL.
Transmitting data in the clear like this is particularly dangerous: if the traffic is hijacked or captured with a packet-sniffing tool, the data is stolen outright. With interface encryption it looks like this instead:
The long string of unreadable symbols above is the encrypted data.
Interface encryption means encrypting the parameters passed in an interface call, in order to protect both the parameters sent in the request and the returned results. Sensitive data in particular, such as ID card numbers, telephone numbers, account names and passwords, needs to be encrypted.
Common encryption methods:
There are many encryption methods; choose one according to your specific needs and your project's language.
Encrypted data is safer, so should we encrypt everything the interface carries? Encryption is resource-intensive: encrypting a large amount of data makes the response take longer to return, which directly hurts the user experience. So we only encrypt the sensitive and important information.
Well, that is the end of my article for today. This article is only a brief introduction to web security. You are welcome to discuss it in the comments section!