What are the common web attacks?

2025-04-01 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)06/03 Report--

This article explains what the common web attacks are. The editor thinks it is very practical, so it is shared here as a reference; follow along and have a look.

XSS, what is XSS?

XSS attack: cross-site scripting attack (Cross-Site Scripting). In order not to be confused with the abbreviation of cascading style sheets (Cascading Style Sheets, CSS), cross-site scripting attack is abbreviated to XSS. XSS is a common web security vulnerability that allows attackers to plant malicious code into pages served to other users. Unlike most attacks (which usually involve only the attacker and the victim), XSS involves three parties: the attacker, the client, and the Web application. The goal of XSS is to steal sensitive information stored in the client's cookies, which the site or other websites use to identify the client. Once the legitimate user's information is obtained, the attacker can even impersonate the legitimate user to interact with the site.

XSS can generally be divided into two main categories:

Stored XSS mainly appears in places where users enter data that other users browsing the page can view, including messages, comments, blog posts and various forms. The application queries the data from the database and displays it on the page. After an attacker enters malicious script data on such a page, any user browsing that page may be attacked. The process can be described simply as: malicious user's HTML input -> Web program -> database -> Web program -> user's browser.

Reflected XSS: the main method is to add the script code to the request parameters of the URL, and the program outputs the request parameters directly on the page after receiving them. Users may be attacked when they click on such malicious links.

For example, I wrote a website, and then an attacker posted an article on it whose content looks like alert([xss_clean]). If I do not process his content and store it directly in the database, then the next time another user accesses his article, the server reads it from the database and responds to the client, the browser executes the script, and the cookie is displayed. This is a typical stored XSS.

As shown in the figure:

How to prevent XSS

The answer is simple: never trust any input from the user and filter out all the special characters in the input. This will eliminate the vast majority of XSS attacks.

Currently, there are the following main ways to defend XSS:

Filter special characters

One of the ways to avoid XSS is to filter the content provided by the user (such as the script tag above).

Use the HTTP header to specify the type

    w.Header().Set("Content-Type", "text/javascript") // Go net/http: declare the response type explicitly

Setting the Content-Type explicitly tells the browser to treat the response as JavaScript rather than guessing, so the browser parses the JavaScript code instead of rendering the body as HTML.
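The two defenses above, output encoding and an explicit Content-Type, shown as an added example (this is not code from the original article). STORED_COMMENT is a constructed sample of a malicious post body; escapeHtml, renderCommentUnsafe, renderCommentSafe, containsScriptTag and responseHeaders are names chosen for this illustration.

```javascript
// Added example (not code from the original article): output encoding for the stored
// and reflected XSS cases described above, plus the explicit Content-Type tip.
// STORED_COMMENT is a constructed sample of what a malicious post body could look like;
// escapeHtml, renderComment* and responseHeaders are names chosen for this example.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

// Encode the characters that let text break out of an HTML text node or attribute value.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering (the "before" state): the stored comment is spliced into the page
// as markup, so a <script> tag inside it runs in every reader's browser.
function renderCommentUnsafe(comment) {
  return '<div class="comment">' + comment + '</div>';
}

// Hardened rendering: the same comment is encoded at the point of output, so the browser
// displays the attacker's text literally instead of executing it.
function renderCommentSafe(comment) {
  return '<div class="comment">' + escapeHtml(comment) + '</div>';
}

// Rough check usable in a test or a log review: does the rendered fragment still carry
// an executable script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// The article's header tip, generalised: declare the response type explicitly and tell
// the browser not to sniff it, so a script or JSON body is never interpreted as HTML.
function responseHeaders(contentType) {
  return { 'Content-Type': contentType, 'X-Content-Type-Options': 'nosniff' };
}

// Constructed sample: a comment body as an attacker might have stored it.
const STORED_COMMENT = '<script>alert(document.cookie)</script>';

console.log(renderCommentUnsafe(STORED_COMMENT)); // the script tag survives into the page
console.log(renderCommentSafe(STORED_COMMENT));   // &lt;script&gt;... is shown as text
```

Encoding at output time (rather than filtering at input time) keeps the stored data intact while making every rendering of it inert, which is why it catches both the stored and the reflected variants described above.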

SQL injection, what is SQL injection?

The attacker submits malicious SQL query code to the server, and the program, after receiving it, mistakenly executes the attacker's input as part of the query statement. As a result the original query logic is changed and the additional malicious code carefully constructed by the attacker is executed.

For example: ' OR '1

This is the most common SQL injection attack. When we enter a user name such as admin and then a password such as ' OR '1, the check of whether the user name and password are correct will, after parameter concatenation, execute the SQL statement

    SELECT * FROM user WHERE username='admin' and password='' OR '1'

and the verification is skipped.

As shown in the following figure:

In a more serious case, if the password is '; DROP TABLE user;--, then the SQL command becomes

    SELECT * FROM user WHERE username='admin' and password=''; DROP TABLE user;--'

and the table is deleted directly.

How to prevent SQL injection

In Java, we can use precompiled statements (PreparedStatement). Even if the parameters are forged to contain SQL, when they reach the server the forged SQL in the parameters is treated as plain characters and cannot act as an attack.

Escape or transcode special characters (' " \ < > & * ; etc.) before they enter the database.

Before the application is released, it is recommended to use professional SQL injection detection tools and to fix the discovered SQL injection vulnerabilities in time. There are many open source tools available, such as sqlmap and SQLninja.

Prevent the website from printing SQL error messages (type errors, field mismatches, etc.) that expose the SQL statements in the code, so that attackers cannot use these error messages to guide SQL injection.

In the figure above, PreparedStatement precompilation in Java JDBC is used to prevent SQL injection; you can see that all inputs are treated as strings, which avoids executing malicious SQL.
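The PreparedStatement idea, carried through in JavaScript as an added example rather than the article's own code. No database is contacted: the query text follows the article, while the USERS table, the sample password and the function names are constructed for this illustration.

```javascript
// Added example (not the article's code): the PreparedStatement idea shown in JavaScript.
// No database is contacted; the query text follows the article, and the USERS table, the
// sample password and the function names are constructed for this illustration.

// Vulnerable (the "before" state): user input is concatenated into the SQL text, so a
// quote in the password rewrites the WHERE clause.
function buildLoginQueryUnsafe(username, password) {
  return "SELECT * FROM user WHERE username='" + username + "' and password='" + password + "'";
}

// Hardened: placeholders in the SQL text and the values carried separately, exactly as a
// driver sends a prepared statement. The SQL text is constant whatever the user types.
function buildLoginQuerySafe(username, password) {
  return {
    sql: 'SELECT * FROM user WHERE username=? and password=?',
    params: [username, password],
  };
}

// Constructed stand-in for the `user` table.
const USERS = [{ username: 'admin', password: 'correct horse battery staple' }];

// What the database does with bound parameters: each value is compared as plain data,
// so an injected "' OR '1" is just a password string that matches no row.
function loginParameterized(table, username, password) {
  const { params } = buildLoginQuerySafe(username, password);
  return table.filter((row) => row.username === params[0] && row.password === params[1]);
}

// Show the two query shapes side by side for the article's two payloads.
for (const pwd of ["' OR '1", "'; DROP TABLE user;--"]) {
  console.log('concatenated :', buildLoginQueryUnsafe('admin', pwd));
  console.log('parameterized:', JSON.stringify(buildLoginQuerySafe('admin', pwd)));
  console.log('rows matched :', loginParameterized(USERS, 'admin', pwd).length);
}
```

The point to notice is that buildLoginQuerySafe returns the same SQL text for every input; only the params array changes, and the database never parses those values as SQL.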

DDOS, what is DDOS?

DDOS: a distributed denial of service (Distributed Denial of Service) attack, which, put simply, paralyzes the server by sending a large number of requests. A DDoS attack builds on the DoS attack: DoS can be understood as a one-on-one fight, while DDoS is a group fight. Because of the development of modern technology the lethality of a DoS attack has decreased, so DDoS emerged. With the help of the public network, the attacker unites a large number of computer devices to attack one or more targets.

From a technical point of view, DDoS attacks can target every layer of the network communication protocols, such as the TCP-layer SYN Flood and ACK Flood, the UDP-layer Fraggle and Trinoo, DNS Query Flood, ICMP Flood, and the Slowloris family. In practice, attackers mix these techniques according to the target's situation, aiming for the lowest cost and the hardest-to-defend attack while controlling the pacing and hiding the attack resources.

Let's take a look at SYN attacks in the TCP protocol.

SYN attack

During the three-way handshake, after the server sends the SYN-ACK and before it receives the client's ACK, the TCP connection is called a half-open connection. The server is in the SYN_RCVD state at this time. When the ACK is received, the server can move to the ESTABLISHED state.

A SYN attack means that the attacking client forges a large number of non-existent IP addresses in a short period of time and constantly sends SYN packets to the server; the server replies with confirmation packets and waits for the client's confirmation. Because the source addresses do not exist, the server must keep retransmitting until the timeout. These forged SYN packets occupy the half-open connection queue for a long time, normal SYN requests are discarded, and the target system slows down and, in serious cases, suffers network congestion or even system paralysis.

How to prevent DDOS

Alibaba's security team found in practice that the core of DDoS defense products is detection technology and cleaning technology. Detection technology determines whether the website is being attacked by DDoS, and cleaning technology removes the abnormal traffic. The core of detection is a deep understanding of the business, so that it can be quickly and accurately determined whether a DDoS attack has really occurred. As for cleaning technology, it requires different granularity in different business scenarios.
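The detection side of that defense, applied to the half-open connection buildup from the SYN attack section, as an added example (not code from the article or from Alibaba). It parses constructed netstat-style lines (addresses from the RFC 5737 documentation ranges) and raises an alert when the SYN_RECV/SYN_RCVD entries on a listening port cross a threshold; the sample text, the threshold and the function names are all chosen for this example.

```javascript
// Added example (not from the original article): detecting the half-open connection
// buildup that the SYN attack section describes. It parses constructed netstat-style
// lines (addresses from the RFC 5737 documentation ranges) and flags when the number of
// SYN_RECV/SYN_RCVD entries on the listening port crosses a threshold. The sample text,
// the threshold and the function names are constructed for this example.

const SAMPLE_NETSTAT = [
  'Proto Recv-Q Send-Q Local Address Foreign Address State',
  'tcp 0 0 10.0.0.5:80 203.0.113.10:51022 SYN_RECV',
  'tcp 0 0 10.0.0.5:80 203.0.113.11:51023 SYN_RECV',
  'tcp 0 0 10.0.0.5:80 203.0.113.12:51024 SYN_RECV',
  'tcp 0 0 10.0.0.5:80 203.0.113.13:51025 SYN_RECV',
  'tcp 0 0 10.0.0.5:80 203.0.113.14:51026 SYN_RECV',
  'tcp 0 0 10.0.0.5:80 203.0.113.15:51027 SYN_RECV',
  'tcp 0 0 10.0.0.5:80 198.51.100.7:40012 ESTABLISHED',
  'tcp 0 0 10.0.0.5:80 198.51.100.8:40013 ESTABLISHED',
  'tcp 0 0 10.0.0.5:22 198.51.100.9:40014 ESTABLISHED',
].join('\n');

// Linux reports the half-open state as SYN_RECV; the article (and BSD/Windows) say SYN_RCVD.
const HALF_OPEN_STATES = new Set(['SYN_RECV', 'SYN_RCVD']);

// Parse "proto recv-q send-q local remote state" rows; skip headers and blank lines.
function parseConnections(text) {
  const rows = [];
  for (const line of text.split('\n')) {
    const f = line.trim().split(/\s+/);
    if (f.length < 6 || !f[0].startsWith('tcp')) continue;
    rows.push({ local: f[3], remote: f[4], state: f[5] });
  }
  return rows;
}

// Strip the port from "host:port".
function remoteHost(addr) {
  return addr.slice(0, addr.lastIndexOf(':'));
}

// Summarize the SYN backlog of one local port and decide whether it looks like a SYN flood:
// many half-open connections spread across many distinct (here, spoofed) sources, while the
// number of connections that actually completed the handshake stays comparatively low.
function synFloodIndicators(connections, localPort, threshold) {
  const onPort = connections.filter((c) => c.local.endsWith(':' + localPort));
  const halfOpen = onPort.filter((c) => HALF_OPEN_STATES.has(c.state));
  const established = onPort.filter((c) => c.state === 'ESTABLISHED').length;
  const sources = new Set(halfOpen.map((c) => remoteHost(c.remote)));
  return {
    halfOpen: halfOpen.length,
    established,
    uniqueHalfOpenSources: sources.size,
    alert: halfOpen.length >= threshold && halfOpen.length > established,
  };
}

console.log(synFloodIndicators(parseConnections(SAMPLE_NETSTAT), 80, 5));
```

On a real host the same function would be fed the output of netstat or ss taken at intervals; the threshold has to be tuned to the service's normal backlog, which is the "deep understanding of the business" the passage above refers to.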

CSRF, what is CSRF?

CSRF (Cross-site request forgery), cross-site request forgery, also known as one click attack or session riding, is abbreviated CSRF or XSRF.

You can understand a CSRF attack this way: the attacker steals your identity and sends malicious requests in your name. Things CSRF can do include sending emails and messages in your name, stealing your account, even buying goods and transferring virtual currency. The resulting problems include disclosure of personal privacy and loss of property.

The principle of CSRF

The following figure briefly illustrates the idea of a CSRF attack.

As you can see from the figure above, to complete a CSRF attack, the victim must complete two steps in turn:

Log in to trusted website A, generating a cookie locally.

Without logging out of A, visit the dangerous website B.

Reading this, you might say, "if I don't meet one of the above two conditions, I won't be attacked by CSRF." That's true, but you can't guarantee that the following won't happen:

You can't guarantee that after you log on to one site, you won't open another tab and visit another site.

You can't guarantee that your local cookie expires immediately after you close the browser and that your last session has ended. In fact, closing the browser does not end a session, but most people mistakenly think that closing the browser is tantamount to logging out / ending the session.

The so-called attacking website in the figure above may be a trusted and frequently visited site that has other vulnerabilities.

Let's talk about how Java defends against CSRF attacks.

Simulating a CSRF attack: log in to website A

Both the user name and password are admin.

http://localhost:8081/login.html:

You have the right to delete post No. 1.

http://localhost:8081/deletePost.html:

Visit website B, which launches a CSRF attack on A

http://localhost:8082/deletePost.html:

Obviously website B is on port 8082 and website A is on port 8081, yet the request issued from website B still succeeds in deleting post No. 2.

How to prevent CSRF attacks

To put it simply, in CSRF, after website A establishes a trust relationship with a user, site B exploits this trust relationship to launch forged user requests to site A across sites in order to achieve the attack.

The attack can be completed because when B sends a request to A, the browser attaches the cookie of website A; that is to say, the cookie alone is no longer secure.

Through Synchronizer Tokens

Synchronizer Tokens: hide a randomly changing csrf_token in the form and submit it to the backend for verification; if verification passes, the operation continues. The main reason this works is that site B cannot obtain the csrf_token in site A's form.

This method requires a server-side page technology such as PHP or JSP. Because the cookie is no longer secure, store the csrf_token value in the session, and every time the form is submitted, take it out of the session and put it in a hidden field of the form, so that site B cannot obtain the value stored in the session.

Here is the JSP version:

But in my case the page is static HTML, not JSP, so I can't dynamically take the csrf_token value from the session. The value can only be hashed.

Hashing the csrf_token value from the cookie

This is probably the simplest solution: because the attacker cannot read a third-party cookie (in theory), the form data cannot be constructed.

The hash method I use is a JavaScript implementation of Java's hashCode, which is relatively simple. Other hash algorithms can also be used.

The front end sends the hashed csrf_token value along with the csrf_token cookie to the backend. The backend takes the csrf_token value from the cookie, computes its hashCode, and compares it with the value sent by the front end.

You have the right to delete post No. 3.

http://localhost:8081/deletePost.html

The attacker's website B no longer has permission.

We return a 403 error to the attacker via UserFilter.java, indicating that the server understood the client's request but refuses to process it.

http://localhost:8082/deletePost.html:

The attacker cannot delete the No. 4 post.

Front-end code:

deletePost.html

    function deletePost() {
      var url = '/post/' + document.getElementById("postId").value;
      // read the csrf_token value out of document.cookie
      var csrf_token = document.cookie.replace(/(?:(?:^|.*;\s*)csrf_token\s*\=\s*([^;]*).*$)|^.*$/, "$1");
      console.log('csrf_token=' + csrf_token);
      $.ajax({
        type: "post",            // request method
        url: url,                // request address
        timeout: 30000,          // time-out: 30 seconds
        data: {
          "_method": "delete",
          "csrf_token": hash(csrf_token)   // hash the csrf_token before sending it
        },
        dataType: "json",        // format of the returned data
        success: function (result) {
          if (result.message == "success") {
            $("#result").text("deleted successfully");
          } else {
            $("#result").text("deletion failed");
          }
        },
        error: function () {     // request error handling
          $("#result").text("request error");
        }
      });
    }

    // JavaScript hash algorithm: from String to int (32-bit), the same as Java's String.hashCode()
    function hash(str) {
      var hash = 0;
      if (str.length == 0) return hash;
      for (var i = 0; i < str.length; i++) {
        var chr = str.charCodeAt(i);
        hash = ((hash << 5) - hash) + chr;   // hash * 31 + chr
        hash = hash & hash;                  // convert to 32-bit integer
      }
      return hash;
    }
