2025-04-04 Update From: SLTechnology News&Howtos > Network Security
Shulou(Shulou.com)06/01 Report--
XSS (cross-site scripting) and CSRF (cross-site request forgery) attacks are among the high-risk vulnerabilities most often exposed in current penetration testing and website vulnerability detection. When we at SINE Security conduct penetration tests on customer websites, we often find these vulnerabilities in the customer's websites and apps. In fact, CSRF and XSS are easy to find and exploit while collecting a customer's website domain names and other information: pay attention to request operations, front-end input, and GET and POST requests, and check whether CSRF code or XSS code can be inserted.
Many customer websites do some security filtering to intercept malicious parameters, but the only fields tested are Referer detection and POST content detection; there is no detailed security validation and filtering of HTTP headers and cookies. Today we will mainly talk about how to detect CSRF vulnerabilities and about CSRF protection methods that prevent XSS and CSRF attacks.
Usually, SINE Security first tests whether a customer website has CSRF vulnerabilities through click-based requests: within a website function, a click is used to bypass the security checks and interception. At the technical level, a request triggered by a click comes from a trusted website and is not intercepted as CSRF, which leads to a CSRF attack. Another way to detect the vulnerability is to change the request method. For example, if the website uses the GET method to request its backend, we can forge the parameters, capture the packet, change the submission method to POST and send it, thereby bypassing the website's earlier security protection and directly executing the CSRF malicious code. The cause of the vulnerability is that the website developers only intercept the GET request method; there is no interception of POST, which leads to the vulnerability. Some customer websites use a token to prevent XSS cross-site attacks, but the token design does not consider whether a null value can bypass it; as a result, if the token is empty, malicious code can be passed directly to the backend. Some websites and apps do not verify which account the token belongs to, which allows a CSRF attack using the token of another account.
So how do we prevent XSS and CSRF attacks? How do we fix this loophole in the website?
According to SINE Security's experience over the past decade, the fix for XSS and CSRF vulnerabilities is to filter illegal characters in the input of all GET requests as well as POST requests: filter the single quotation mark ('), the semicolon, %20 and other special characters, the percent sign (%), the & sign, tab values, and so on. Use a token for security verification and interception of CSRF requests, and check the logic of the token control function: if the token value is found to be empty, return a 404 error directly, or block the request with the empty value; and check which account the token belongs to, to determine whether the token is the current account's. If it is not, intercept the request or return an error page.
Use double-layer security validation with both the session and the token. If the session and token values are not equal and do not match your encryption algorithm, filter and block the request; if the two values match the value computed by the encryption, the request is legitimate. The encryption algorithm must be hidden and written in the backend so that it cannot be reverse-engineered. Perform security validation on the Referer field to check whether the URL is in the whitelist: block the request outright if the Referer is empty, and the URL whitelist should contain the www host and reject requests from second-level domain names.
The above is the XSS/CSRF vulnerability repair scheme found in penetration testing. If you do not know much about website code and do not know how to fix the vulnerability, you can turn to a professional website security company to handle it; domestic SINESAFE, Green Alliance and Qiming Star are relatively good network security companies for vulnerability repair. Security tip: when a website or app goes online, it must undergo penetration testing to detect the vulnerabilities and hidden security risks it has and to prevent unnecessary losses during later operation of the website.
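The following is an added example, not code from the article or from SINE Security, that puts the detection findings above (GET-only interception, empty-token bypass, a token not bound to its account) next to the repair scheme (token bound to the session by a backend-only keyed hash, empty token rejected, exact-host Referer whitelist with empty Referer blocked). The secret, the whitelist host `www.example.com`, the session ids and the function names are all constructed for illustration; the "encryption algorithm" kept on the backend is implemented here as HMAC-SHA256 over the session id, which is one reasonable choice rather than the article's own.

```python
import hashlib
import hmac
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed values for the example; the real secret lives only on the backend.
SERVER_SECRET = b"constructed-secret-keep-this-on-the-backend-only"
REFERER_WHITELIST = {"www.example.com"}   # exact hosts only, as the article recommends


def issue_token(session_id: str) -> str:
    """Bind the CSRF token to one session with a keyed hash (HMAC-SHA256).

    Because the key never leaves the server, a client cannot compute a valid
    token for another account, so a token stolen from account B is useless
    for a request made in account A's session.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def referer_allowed(referer: Optional[str]) -> bool:
    """Exact-host whitelist check: an empty Referer is blocked, and only the
    listed hosts pass, so 'evil.example.com' or a bare 'example.com' is rejected."""
    if not referer:
        return False
    host = urlparse(referer).hostname
    return host is not None and host.lower() in REFERER_WHITELIST


def weak_check(method: str, session_id: str, token: Optional[str]) -> bool:
    """The flawed pattern the article describes, kept here only for contrast:
    only GET is inspected and a missing token is treated as acceptable."""
    if method.upper() != "GET":
        return True            # POST/PUT/DELETE were never intercepted
    if not token:
        return True            # null token not considered: empty value bypasses
    return hmac.compare_digest(token.encode(), issue_token(session_id).encode())


def check_request(method: str, session_id: str, token: Optional[str],
                  referer: Optional[str]) -> Tuple[bool, str]:
    """Hardened check applied to every request method; returns (allowed, reason)."""
    if not token:
        return False, "empty token"                    # article: return 404 / block
    if not hmac.compare_digest(token.encode(), issue_token(session_id).encode()):
        return False, "token does not belong to this session"
    if not referer_allowed(referer):
        return False, "referer empty or not whitelisted"
    return True, "ok"


if __name__ == "__main__":
    victim, attacker = "sess-victim-1234", "sess-attacker-9999"
    # The bypasses the article reports, reproduced against the weak check.
    print("weak, POST with empty token:", weak_check("POST", victim, ""))
    print("weak, GET with empty token: ", weak_check("GET", victim, ""))
    # The same requests against the hardened check.
    good_ref = "https://www.example.com/profile"
    print(check_request("POST", victim, "", good_ref))
    print(check_request("GET", victim, issue_token(attacker), good_ref))
    print(check_request("POST", victim, issue_token(victim), "https://evil.example.com/"))
    print(check_request("POST", victim, issue_token(victim), None))
    print(check_request("POST", victim, issue_token(victim), good_ref))
```

Note that `check_request` does not branch on the request method at all: the method-switching bypass described above only works when one method is left unchecked, so the simplest defence is to validate the token and Referer on every state-changing request regardless of how it arrives.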