2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

When I was learning technology a long time ago, I did not take Web security seriously. At that time, system-level exploits were what the circle cared about: remote overflows and local privilege escalation were everywhere, and "automatic propagation" and "taking down system privileges" were the main goals. That was also the golden age of network security.

After 2000, however, people began to pay attention to Web security. SQL injection first became a star and then got out of hand. All sorts of seemingly hardened systems, servers with nothing but port 80 open, turned out to be extremely vulnerable to this type of attack. The era of Web security had arrived.

Attacks such as SQL injection plus uploading a Webshell became the industry mainstream, and almost no dynamic Web service was immune. Large and medium-sized enterprises and institutions stepped up inspection and blocking on port 80, and smiled with satisfaction when they saw logs in which SQL injections had been blocked.

But among the many powerful Web attack methods, is SQL injection really the only one?

Recently, the book "Revealing the Secrets of Web Front-end Technology" has given everyone the answer.

If back-end Web attacks such as SQL injection are comparatively direct, then front-end attacks such as XSS, CSRF and ClickJacking are far more covert.

In this book the authors make the point that "grass, trees, bamboo and stones can all be swords": in their eyes, URLs, HTML, JavaScript, CSS, ActionScript... the weapon can be hidden almost anywhere.

Whether it is an exploration of the troublesome XSS and CSRF, or an analysis of Web worms and interface-manipulation hijacking (clickjacking), this book will leave readers amazed.

For a few examples of front-end attacks, look at two recent popular posts on the Internet: "Yahoo email DOM XSS vulnerability" and "How to get final exam papers and modify grades by hacking a teacher's email". The XSS techniques used there are front-end hacking techniques. There are also the classic cross-site worms that once raged on Twitter. And these are only part of what "Revealing the Secrets of Web Front-end Technology" covers; the real-case analyses of Baidu, Google, Renren and others will dazzle readers.

For HTML5, whose standard was confirmed at the end of 2012, the book opens a separate chapter. Perhaps because I spent some time on HTML5 video technology, I was personally impressed by this chapter; it reminded me of what I need to pay attention to when writing HTML5 code.

Many of the HTML5 cross-site methods described in the book are enough to bypass some existing IPS intrusion-prevention systems and WAF policies. With the addition of new attributes such as formaction, onformchange, onforminput, autofocus and so on, cross-site defense becomes more challenging.

In the last chapter, the authors propose defensive measures from the perspectives of browser vendors, website engineers and users (such as domain separation, secure transmission, secure Cookies, good CAPTCHAs, caution with third-party content, X-Frame-Options, the use of tokens, etc.), so that readers can be fully prepared before facing this kind of attack. In addition, to help readers better understand the Web front-end system as a whole, Zhong Chenming (cosine) and Xu Shaopei (xisigr) have also drawn a dedicated analytical diagram.

In the era of cloud computing, server-side protection will be done more and more deeply, and more hackers will choose to obtain users' sensitive data from the front end. Therefore, understanding front-end attacks and attacks on users will be something Web security personnel urgently need to become familiar with in the future.

PS: this is almost the first domestic book focused on the Web front end. After seeing so many Web back-end books, there is finally a hacking book on the Web front end, and I could not resist reading it first. Unlike previous security books, this one is suitable not only for security enthusiasts and practitioners but is also worth a look by Web front-end engineers. While many people still think Web front-end security is a narrow field, perhaps this book will give them a new perspective.
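As an added illustration of why those attributes trouble signature-based filters (example code written for this review, not from the book or its authors): a hypothetical blocklist filter that predates HTML5 is compared with a hypothetical allowlist check, both run over a constructed HTML fragment.

```javascript
// Hypothetical legacy filter: the only attributes it knows to strip.
const LEGACY_BLOCKLIST = new Set(["onclick", "onload", "onerror", "onmouseover"]);

// Hypothetical allowlist for a renderer that permits a few tags and attributes.
// Attribute values (href/src schemes) still need their own validation.
const ALLOWLIST = { p: [], b: [], i: [], a: ["href", "title"], img: ["src", "alt"],
  input: ["type", "name", "value"], button: ["type", "name"] };

// Crude opening-tag scanner for well-formed fragments; a production sanitizer
// must use a real HTML parser, since browsers tolerate far messier markup.
const TAG_RE = /<([a-zA-Z][a-zA-Z0-9]*)((?:\s+[a-zA-Z][\w-]*(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
const ATTR_RE = /([a-zA-Z][\w-]*)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;

function attributeNames(attrText) {
  return Array.from(attrText.matchAll(ATTR_RE), (m) => m[1].toLowerCase());
}

// Blocklist check: reports only the attributes it was told about.
function legacyFlags(html) {
  const flagged = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    for (const name of attributeNames(m[2])) {
      if (LEGACY_BLOCKLIST.has(name)) flagged.push(`${tag}:${name}`);
    }
  }
  return flagged;
}

// Allowlist check: reports unknown tags and any attribute not listed for the tag.
function allowlistFlags(html) {
  const flagged = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    if (!(tag in ALLOWLIST)) { flagged.push(`${tag}:*`); continue; }
    for (const name of attributeNames(m[2])) {
      if (!ALLOWLIST[tag].includes(name)) flagged.push(`${tag}:${name}`);
    }
  }
  return flagged;
}

// Constructed sample: one classic handler plus the HTML5 attributes the review names.
const SAMPLE = '<p>hi</p><img src="x" onerror="f()">' +
  '<button formaction="https://example.invalid/go">Go</button>' +
  '<input autofocus onfocus="f()">';

console.log(legacyFlags(SAMPLE));     // [ 'img:onerror' ]
console.log(allowlistFlags(SAMPLE));  // [ 'img:onerror', 'button:formaction', 'input:autofocus', 'input:onfocus' ]
```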
