I. Common Web security and protection principles
1. SQL injection principle
SQL injection works by inserting SQL commands into a Web form submission, or into the query string of a domain name or page request, so that the server is tricked into executing a malicious SQL command.
Protection generally comes down to the following points:
1. Never trust the user's input. Validate it, for example with a regular expression, limit its length, and convert or escape single quotation marks, double quotation marks and the "--" comment sequence.
2. Never use dynamically assembled SQL; use parameterized SQL or call stored procedures directly for data queries and access.
3. Never connect to the database with administrator privileges; give each application its own separate, limited database account with only the permissions it needs.
4. Do not store confidential information in plaintext; encrypt or hash passwords and other sensitive information.
2. The principle of XSS and its prevention
An XSS (cross-site scripting) attack is one in which an attacker inserts malicious HTML tags or JavaScript code into a Web page. For example, the attacker sends a seemingly safe link over QQ and tricks the user into clicking it, stealing the user's private information from the cookie; or the attacker adds a malicious form to a forum, and when the user submits the form, the information is sent to the attacker's server instead of to the site the user believed they were using.
3. XSS precautions
First, carefully check the length of user input and of the variables it flows into, filter characters such as "<", ">", ";" and "\"", and then encode any content written to the page so that HTML tags are not accidentally emitted. This alone can block at least half of XSS attacks.
On the cookie side: first, avoid placing user private data such as email addresses and passwords directly in a cookie.
Second, reduce the risk of cookie leaks by binding the cookie to the user's system IP. This way a cookie obtained by the attacker has no real value and cannot be replayed.
If the Web site does not need to operate on cookies on the browser side, add HttpOnly to the end of the Set-Cookie header to prevent JavaScript code from reading cookies directly.
Try to submit forms using POST instead of GET.
4. What is the difference between XSS and CSRF?
XSS steals information and does not need to know the code and packets of the other user's page in advance. CSRF needs to know the code and packets of the other user's page in advance, and completes the specified action on the user's behalf.
To complete a CSRF attack, the victim must complete two steps in turn:
1. Log on to trusted Web site A, which generates a cookie locally.
2. Without logging out of A, visit the dangerous Web site B.
5. CSRF protection
There are many server-side approaches to defending against CSRF, but the general idea is the same: add a pseudo-random number to the client page.
Front-end Interview---Common web security and protection principles