
Large website technology architecture | application server security defense

2022-06-22 04:11:00 Luoyang Taishan

Website application attacks and defenses

1. XSS attack

Cross-site scripting (Cross Site Scripting) is often abbreviated as CSS, but that collides with the abbreviation for cascading style sheets (Cascading Style Sheets, CSS). For that reason, cross-site scripting attacks are abbreviated as XSS.

Cross-site scripting (XSS) is the most common web application security vulnerability. It lets an attacker embed malicious script code into a page that ordinary users will visit; when a user opens that page, the embedded script is executed in their browser, achieving the attacker's goal against the user.

Since the attacker can make the user's browser execute a script of the attacker's choosing, the potential harm is easy to imagine: hijacking user sessions, inserting malicious content, redirecting users, hijacking the user's browser with malware, propagating XSS worms, even defacing websites or modifying router configuration.

There are two common types of XSS attack: reflected and persistent.

Reflected

The attacker entices the user to click a link with a malicious script embedded in it, which carries out the attack, as shown in the figure.

In practice, an attacker can use an XSS attack to steal the user's cookie, password and other important data, and then forge transactions, steal the user's assets, steal information, and so on.

Persistent (stored)

The attacker submits a request containing a malicious script, which is saved in the website's server-side database. When a user browses the site, the malicious script is included in the page the user visits, and the attack succeeds, as shown in the figure.

XSS attack defense

XSS attackers usually achieve their goal by embedding malicious scripts. Such a script is special code that normal users would not enter on the website, so user requests can be filtered and escaped: for example, filtering out the characters ">", "<" and "=", or converting them to "&gt", "&lt", "&eq" and so on. To avoid filtering or escaping content unnecessarily, escaping can be applied only after a text match, for example on "<input".
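An added example (not code from the original article) of the escaping and matching described above: it escapes the "<", ">" and "=" the text names, and goes beyond the text by also covering "&" and both quote characters, and it includes a matcher for the "escape only after a text match" idea, with the `_MARKUP` pattern being an assumed choice.

```python
import re

# Replacements for every character that can change HTML structure. Besides the
# "<", ">" and "=" the text lists, "&" and both quote characters are covered,
# because a stray quote can close an attribute early.
_ESCAPES = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#x27;", "=": "&#x3D;",
}

def escape_html(text: str) -> str:
    """Escape user-supplied text before placing it in an HTML page."""
    return "".join(_ESCAPES.get(ch, ch) for ch in text)

# Matcher for the "escape only after a text match" idea (assumed pattern):
# anything that looks like the start of a tag ("<input", "<script", "</b")
# or an on* event-handler attribute.
_MARKUP = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=", re.IGNORECASE)

def looks_like_markup(text: str) -> bool:
    """True when the input contains something tag-like; useful as a signal for
    logging or rejecting a submission. Output-time escaping (escape_html) is
    still applied to all text, because a blacklist can miss encodings."""
    return _MARKUP.search(text) is not None

def render_comment(user_text: str) -> str:
    """Build the HTML fragment a page would show for a user comment."""
    return '<p class="comment">' + escape_html(user_text) + "</p>"
```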

2. Injection attack

There are two main forms of injection attack: SQL injection and OS injection.

The principle of SQL injection is that the attacker injects malicious SQL commands into the HTTP request (such as drop table users;). When the server receives the request and executes its SQL commands, the malicious SQL is executed along with them.

A SQL injection attack requires the attacker to know something about the database structure. There are several ways an attacker can obtain it:

Open source

If the website is built with open source software, for example using dz to build a forum, the website's database structure is public and the attacker can obtain it directly.

Error echo

If the website has error echo turned on, that is, internal server error 500 details are displayed in the browser, an attacker can construct an illegal parameter that makes the server output its exception information to the browser, which makes it easier for the attacker to obtain data structure information.

Blind injection

The attacker draws on years of experience and common conventions to guess the database structure.

SQL injection defense

As with XSS defense, use regular-expression matching to filter SQL keywords out of the request, such as select, update, delete, drop, where, etc.
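An added example (not the article's code) showing the keyword filter described above next to the standard complementary defense, a parameterized query, using sqlite3 with a constructed in-memory users table; the keyword list and table layout are assumptions.

```python
import re
import sqlite3

# Keyword filter as the text describes, matched on word boundaries so that a
# word such as "selected" on its own does not trigger it.
_SQL_KEYWORDS = re.compile(r"\b(select|update|delete|drop|where|insert|union)\b", re.IGNORECASE)

def contains_sql_keyword(value: str) -> bool:
    """Request-parameter filter: a useful detection signal, but it also rejects
    harmless input containing these words, so it must not be the only defense."""
    return _SQL_KEYWORDS.search(value) is not None

def build_query_unsafe(name: str) -> str:
    """Vulnerable pattern: input is spliced into the SQL text, so whatever the
    request carries becomes part of the command the database parses."""
    return "SELECT id, name FROM users WHERE name = '" + name + "'"

def setup_demo_db() -> sqlite3.Connection:
    """Constructed in-memory database with a small users table (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn

def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened pattern: a bound parameter is always treated as data, never SQL."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()

def table_exists(conn: sqlite3.Connection, table: str) -> bool:
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None
```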

OS injection is much the same as SQL injection; the difference is that operating-system commands are injected.

3. CSRF attack

Cross-site request forgery (English: Cross-site request forgery), also known as one-click attack or session riding and commonly abbreviated CSRF or XSRF, is an attack that coerces a user into performing unintended actions on a web application in which they are currently logged in. Compared with cross-site scripting (XSS): XSS exploits the user's trust in a given website, whereas CSRF exploits the website's trust in the user's web browser.

The main technique of CSRF is the cross-site request: without the user's knowledge, a request is forged that carries the user's identity information. Its core principle is to take advantage of the browser's cookie or the server's session strategy.

CSRF attack defense

1. Form token

CSRF forges the user's request, so the attacker must be able to construct the request parameters. A form token adds a random number to the request parameters so that the attacker cannot obtain all of the parameters. The random number is added to the request parameters as the token; it is different on every response page, requests submitted from normal pages carry the token value, and forged requests cannot obtain it. The back end checks whether the token value is valid to decide whether the request is normal or illegal.

2. Verification code

Compared with the previous method, a verification code is simpler and more effective: the user must enter a verification code when submitting, which prevents forged requests from being made without the user's knowledge. However, frequently entering verification codes is a poor user experience, so use them only where necessary, such as the user login page, the payment page and other key pages.

3. Referer check

The Referer field of the HTTP request header records the source of the request, so the source can be checked to verify that the request is legitimate.
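An added example (not the article's code) of the form token and the Referer check from the two sections above: the token is a fresh random nonce per response bound to the session with an HMAC instead of being stored server-side, and `SECRET_KEY`, `TRUSTED_HOSTS` and the session id format are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

SECRET_KEY = secrets.token_bytes(32)    # constructed here; in practice loaded from config
TRUSTED_HOSTS = {"www.example.com"}     # assumed: the site's own host names

def issue_form_token(session_id: str) -> str:
    """Token for one response page: a fresh random nonce plus an HMAC that
    binds it to the session, so every rendered page gets a different token."""
    nonce = secrets.token_hex(16)
    tag = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{tag}"

def verify_form_token(session_id: str, token: str) -> bool:
    """Recompute the tag; without SECRET_KEY a forged request cannot produce one."""
    nonce, sep, tag = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)

def referer_is_trusted(referer: Optional[str]) -> bool:
    """Referer check: accept only requests whose Referer host is one of ours.
    The host is parsed, not substring-matched, so "www.example.com.evil.net"
    and a path that merely contains our host name are both rejected."""
    if not referer:
        return False          # some browsers and proxies strip Referer entirely
    return urlsplit(referer).hostname in TRUSTED_HOSTS

def request_is_legitimate(session_id: str, form: dict, headers: dict) -> bool:
    """Both checks together, as a back end would run them on a state-changing request."""
    return (verify_form_token(session_id, form.get("csrf_token", ""))
            and referer_is_trusted(headers.get("Referer")))
```

Because Referer is sometimes stripped, production code usually fails closed on a missing Referer only for the most sensitive endpoints and relies on the token elsewhere.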

4. Other attacks and vulnerabilities

Besides the common attacks mentioned above, there are other vulnerabilities that hackers frequently exploit.

Error Code

Also called error echo. Many websites output exception information by default when something goes wrong: the stack trace of an exception not handled by the server is output directly to the client browser. A hacker deliberately creates illegal input that makes the system fail, obtains the exception information, and uses it to find system vulnerabilities to attack. The defense is simple: control how the code throws exceptions, and configure the web parameters so that the page jumps to a configured 500 error page.
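An added example (not the article's code) of the defense just described, as a minimal WSGI application: the traceback is logged server-side and the client only ever receives a fixed 500 page, with `handle` being a hypothetical handler that fails on an illegal parameter.

```python
import logging

logger = logging.getLogger("app")

# Generic page returned to the client: no stack trace, no class names, no paths.
ERROR_500_BODY = (b"<html><body><h1>500 Internal Server Error</h1>"
                  b"<p>Please try again later.</p></body></html>")

def handle(environ: dict) -> bytes:
    """Hypothetical request handler: an illegal (non-numeric) id parameter makes it fail."""
    query = environ.get("QUERY_STRING", "")
    if query.startswith("id="):
        int(query[3:])                        # raises ValueError on e.g. "id=abc"
    return b"<html><body>ok</body></html>"

def app(environ: dict, start_response):
    """WSGI application: any unhandled exception becomes the configured 500 page."""
    try:
        body, status = handle(environ), "200 OK"
    except Exception:
        # The full traceback goes to the server log only, never to the browser.
        logger.error("unhandled error on %s", environ.get("PATH_INFO"), exc_info=True)
        body, status = ERROR_500_BODY, "500 Internal Server Error"
    start_response(status, [("Content-Type", "text/html; charset=utf-8")])
    return [body]

def run_request(query: str):
    """Drive the app without a server (constructed environ); returns (status, body)."""
    captured = {}
    def start_response(status, headers):
        captured["status"] = status
    body = b"".join(app({"PATH_INFO": "/item", "QUERY_STRING": query}, start_response))
    return captured["status"], body.decode()
```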

HTML comments

For convenience during development and debugging, programmers sometimes put code descriptions and comments into the page, and when the code is released they end up displayed in the client browser, which is convenient for hackers.

File upload

If the website places no restriction on the format of uploaded files, a hacker can upload an executable program file to the server and use it to take control of the server, after which the hacker can do whatever they want. So the website must restrict the file format when files are uploaded.
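An added example (not the article's code) of restricting upload formats: an extension allowlist, checked together with the file's leading magic bytes so that the extension cannot simply lie about the content, plus a sanitized file name; the allowed types are an assumed set.

```python
import os
import re

# Allowlist (assumed set): extension -> magic bytes the content must start with.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
    ".pdf": b"%PDF-",
}

def safe_basename(filename: str) -> str:
    """Drop any directory part and replace characters outside a conservative set."""
    name = os.path.basename(filename.replace("\\", "/"))
    return re.sub(r"[^A-Za-z0-9._-]", "_", name)

def upload_is_allowed(filename: str, content: bytes) -> bool:
    """Accept the upload only if the extension is allowlisted, the name carries
    a single extension, and the content's magic bytes match that extension."""
    name = safe_basename(filename)
    root, ext = os.path.splitext(name)
    ext = ext.lower()
    if not root or ext not in ALLOWED_TYPES:
        return False
    if "." in root:
        # Reject double extensions such as "report.html.png": some servers
        # pick the handler from an inner extension rather than the last one.
        return False
    return content.startswith(ALLOWED_TYPES[ext])
```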

5. Web firewall

A web application firewall is a product that integrates WEB protection, web page protection, load balancing and application delivery into a single overall WEB security protection device. It combines new security concepts with an advanced, innovative architecture to ensure the continuous and stable operation of users' core applications and business.

A web application firewall is also multi-faceted. For example, from the network intrusion-detection point of view, a WAF looks like an IDS device running at the HTTP layer; from a firewall perspective, a WAF is a functional module of the firewall; and some people regard a WAF as an enhancement of the "deep inspection firewall".

Open source web firewall: ModSecurity

Commercial web firewall: siteShell

6. Website security vulnerability scanning

Just like computers, websites have vulnerabilities, so security vulnerability scanning is needed.

Developers can check the website for vulnerabilities regularly based on their own experience, and also use vulnerability-checking tools for irregular scanning and testing.


Copyright notice
This article was written by [Luoyang Taishan]; please include the original link when reposting. Thank you.
https://yzsam.com/2022/172/202206211613073571.html