[White Hat Talks About Web Security] Chapter 2: Browser Security
2022-07-24 10:56:00 【Genius】
2.1 The same-origin policy
1. The browser's same-origin policy restricts a "document" or script loaded from a different origin from reading or setting certain properties of the current "document".
2. This policy is extremely important. Without it, a JavaScript script from a.com could arbitrarily alter b.com's pages (as displayed in the browser), even though b.com never loaded that script. To keep page behaviour from being tampered with, browsers introduced the concept of an "Origin": objects from different origins cannot interfere with each other. The chapter illustrates this with a table of URL pairs, which is not reproduced in this post.

The factors that determine an "origin" are: host (domain name or IP address), subdomain, port, and protocol. The path does not matter.
It should be noted that, for the current page, the domain on which a JavaScript file is stored is not important; what matters is the domain of the page that loads the JavaScript. For example, a.com loads b.js from b.com with the following code:
<script src="http://b.com/b.js"></script>
Because b.js runs inside a.com's page, b.js's domain is a.com.
3. In browsers, tags such as <script>, <img>, <iframe> and <link> that carry a "src" attribute can load resources across origins without being restricted by the same-origin policy. Every load of such a tag is in fact a GET request issued by the browser. Unlike XMLHttpRequest, for resources loaded through a src attribute the browser restricts JavaScript's rights so that it can neither read nor write the returned content.
XMLHttpRequest, however, is constrained by the same-origin policy and cannot access resources across origins. To solve this, the W3C formulated a standard for cross-origin XMLHttpRequest access (CORS): the target domain must authorize the cross-origin access through an HTTP header in its response (Access-Control-Allow-Origin). The security of this scheme therefore rests on the trust that JavaScript cannot control that HTTP header.
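The two mechanisms above, the origin comparison that the same-origin policy is built on and the server side of the cross-origin XMLHttpRequest standard (CORS), as an added example that is not code from the book or from this post. It runs under plain Node.js; the allowlist origins are made up for the example.

```javascript
// Added example (not from the book or this post): origin comparison as the
// same-origin policy does it, and the server side of CORS. Plain Node.js;
// the allowlist origins are assumptions for the example.
'use strict';

// An origin is the (scheme, host, port) triple. URL normalises an explicit
// default port ("http://a.com:80") to "", so it compares equal to no port.
function originOf(urlString) {
  const u = new URL(urlString);
  return { scheme: u.protocol.slice(0, -1), host: u.hostname, port: u.port };
}

function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Constructed URL pairs in the spirit of the chapter's table: the path never
// matters; a different subdomain, port or scheme always does.
const SOP_CASES = [
  ['http://a.com/index.html', 'http://a.com/dir/page.html', true],
  ['http://a.com/',           'http://www.a.com/',          false],
  ['http://a.com/',           'https://a.com/',             false],
  ['http://a.com/',           'http://a.com:8080/',         false],
  ['http://a.com:80/',        'http://a.com/',              true],
];

function allSopCasesPass() {
  return SOP_CASES.every(([a, b, expected]) => sameOrigin(a, b) === expected);
}

// Server side of CORS. The browser adds an Origin request header that page
// script cannot set or forge; the server decides whether that origin may read
// the response and answers in Access-Control-Allow-Origin. The classic mistake
// is to echo the request's Origin back unchecked, which authorises every site.
const ALLOWED_ORIGINS = new Set(['https://app.example', 'https://admin.example']); // assumed allowlist

// Returns the response headers to add for a request carrying `originHeader`
// (undefined when the browser sent none, e.g. a same-origin navigation).
function corsHeadersFor(originHeader, withCredentials) {
  if (originHeader === undefined) return {};
  let origin;
  try { origin = new URL(originHeader).origin; } catch { return {}; } // "null" and junk end here
  if (origin !== originHeader || !ALLOWED_ORIGINS.has(origin)) return {};
  const headers = {
    'Access-Control-Allow-Origin': origin, // the specific origin, never "*" together with credentials
    'Vary': 'Origin',                      // so a cache never serves one origin's answer to another
  };
  if (withCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}
```

The allowlist check is what makes "the target domain authorizes the access" mean something: a server that copies the incoming Origin into Access-Control-Allow-Origin has turned the trust boundary inside out, because any site can then read its responses with the user's cookies.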
2.2 Browser sandbox
1. Malicious code inserted into a web page that exploits a browser vulnerability to execute arbitrary code is vividly called 挂马 (literally "hanging a Trojan", i.e. a drive-by download) in hacker circles.
2. The purpose of a sandbox is generally to run untrusted code in a confined environment and to restrict that code's access to resources outside the isolation boundary.
3. One of the most obvious benefits of a multi-process architecture is that, compared with a single-process browser, a crash in a multi-process browser only takes down the current tab, whereas in a single-process browser it brings down the whole browser process.
2.3 Malicious website interception
1. At present, the malicious-website interception built into browsers is "blacklist" based: the browser periodically fetches the latest list of malicious URLs from a server, and if a URL the user visits is on this blacklist, the browser shows a warning page.
2. Common malicious websites fall into two categories. One is 挂马 (drive-by download) sites, which usually contain malicious scripts such as JavaScript or Flash that exploit browser vulnerabilities (including plug-in and control vulnerabilities) to run shellcode and implant a Trojan on the user's computer. The other is phishing sites, which deceive users by imitating pages of well-known websites.
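The blacklist lookup described in point 1, as an added example that is not code from the book or this post, and generalised a little: the post does not say how browsers store or match their lists, so here an entry is assumed to be either a bare host (blocking it and every subdomain) or "host/path-prefix". The entries are constructed for the example. The point it adds is that the URL must be canonicalised before the comparison, or trivial variants slip past.

```javascript
// Added example, not the book's or the post's code: blacklist lookup with
// canonicalisation. Entry format (bare host, or host/path-prefix) and the
// entries themselves are assumptions for the example.
'use strict';

const BLOCKLIST = [
  'malware.example',           // whole host, including subdomains
  'shared-host.example/bad/',  // one directory on an otherwise legitimate host
];

// Canonicalise before matching, or "MALWARE.example.", "/ok/../bad/" and the
// like bypass a plain string comparison. URL already lowercases the host and
// resolves "." and ".." in the path; the trailing dot is stripped here.
function canonical(urlString) {
  const u = new URL(urlString);
  return { host: u.hostname.replace(/\.$/, ''), path: u.pathname };
}

function isBlocked(urlString, blocklist = BLOCKLIST) {
  let c;
  try { c = canonical(urlString); } catch { return false; } // not a URL: nothing to look up
  // Candidate hosts: the host itself and each parent domain, e.g.
  // cdn.malware.example -> malware.example (the bare TLD is never a candidate).
  const labels = c.host.split('.');
  const candidates = [];
  for (let i = 0; i < labels.length - 1; i++) candidates.push(labels.slice(i).join('.'));
  for (const entry of blocklist) {
    const slash = entry.indexOf('/');
    const entryHost = slash === -1 ? entry : entry.slice(0, slash);
    const entryPath = slash === -1 ? '/' : entry.slice(slash);
    if (candidates.includes(entryHost) && c.path.startsWith(entryPath)) return true;
  }
  return false;
}
```

Matching on whole labels ("malware.example" but not "notmalware.example") is deliberate; a suffix comparison on the raw host string would give both a false positive there and a way around the list for an attacker who controls the parent domain's naming.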
2.4 The rapid development of browser security
1. Microsoft took the lead by introducing the XSS Filter in IE8 to defend against reflected XSS. When the URL the user visits contains an XSS attack script, IE modifies key characters so that the attack cannot succeed, and shows a prompt to the user.
2. Firefox 4 introduced Content Security Policy (CSP). The approach is for the server to return an HTTP header that describes the security policy the page must obey. However, CSP rules are complex to configure; when a site has many pages it is hard to configure each one, and later maintenance is very costly. For these reasons CSP had not been widely adopted at the time the book was written.
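How the policy in that response header decides whether a script runs, as an added example that is not code from the book or this post: a minimal evaluator for the script-src directive, enough to show that a reflected XSS payload (an injected inline script) is refused while the site's own and allowlisted scripts still load. It supports 'none', 'self', 'unsafe-inline' and host sources with an optional "*." wildcard; nonces, hashes, 'strict-dynamic', fallback to default-src and scheme upgrades are deliberately left out, and the sample policy and URLs are constructed.

```javascript
// Added example, not the book's or the post's code: a minimal script-src
// evaluator for a Content-Security-Policy header. Real CSP has more source
// forms (nonces, hashes, 'strict-dynamic', default-src fallback); omitted here.
'use strict';

const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Split "a b c; d e" into { a: ['b','c'], d: ['e'] }; a repeated directive is
// ignored, as browsers do.
function parseCsp(headerValue) {
  const directives = {};
  for (const part of headerValue.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !(name.toLowerCase() in directives)) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// "*.cdn.example" matches any subdomain of cdn.example but not cdn.example itself.
function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// script is {inline: true} for an inline <script> or event handler (what a
// reflected XSS payload injects), or {src: 'https://...'} for an external script.
function scriptAllowed(headerValue, pageUrl, script) {
  const sources = parseCsp(headerValue)['script-src'];
  if (sources === undefined) return true;   // no directive: unrestricted in this model
  const keywords = sources.map(s => s.toLowerCase());
  if (keywords.includes("'none'")) return false;
  if (script.inline) return keywords.includes("'unsafe-inline'");

  const src = new URL(script.src);
  const page = new URL(pageUrl);
  const srcScheme = src.protocol.slice(0, -1);
  const srcPort = src.port || DEFAULT_PORT[src.protocol] || '';
  for (const s of sources) {
    if (s.toLowerCase() === "'self'") {
      if (src.origin === page.origin) return true;
      continue;
    }
    if (s.startsWith("'")) continue;        // other keywords, nonces, hashes: unsupported here
    // host-source: [scheme://]host[:port]
    const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\d+|\*))?$/i.exec(s);
    if (!m) continue;
    const [, scheme, host, port] = m;
    if (scheme && scheme.toLowerCase() !== srcScheme) continue;
    if (!hostMatches(host.toLowerCase(), src.hostname)) continue;
    if (port && port !== '*' && port !== srcPort) continue;
    return true;
  }
  return false;
}

// Constructed sample: a policy a site might send, and what it does to a
// reflected payload versus the site's own and CDN scripts.
const POLICY = "default-src 'self'; script-src 'self' https://cdn.example";
const PAGE = 'https://www.a.com/search?q=...';

function demo() {
  return {
    reflectedInline: scriptAllowed(POLICY, PAGE, { inline: true }),
    ownScript: scriptAllowed(POLICY, PAGE, { src: 'https://www.a.com/app.js' }),
    cdnScript: scriptAllowed(POLICY, PAGE, { src: 'https://cdn.example/lib.js' }),
    attackerHost: scriptAllowed(POLICY, PAGE, { src: 'https://evil.example/x.js' }),
  };
}
```

The maintenance cost the text mentions comes from exactly this allowlist: every inline script and every third-party host a page uses has to appear in the directive, and adding 'unsafe-inline' to make an old page work silently hands the reflected payload back its permission to run.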