Web Front-End Hacker Technology Secrets (beginner's notes)

Source: Internet
Author: User

One, key points of web security

1. The same-origin policy is one of many security policies; it is a web-level policy and a very important one.

2. The same-origin policy stipulates that client scripts from different origins cannot read or write each other's resources unless explicitly authorized.

3. Same origin requires that two sites share the same protocol (scheme), the same domain name (host) and the same port.

4. Within the same origin, client script can freely read and write resources, provided the resource itself is readable and writable.

5. Security follows the barrel (cask) principle: the shortest stave determines how much water the barrel actually holds. On a web server where sites are not properly separated by privilege and trust relationships are uncontrolled, overall security is decided by the least secure site.

6. A well-secured site can still be hacked because it established an unreliable trust relationship.

7. CSRF is cross-site request forgery.

CSRF uses ("borrows", not "steals") the target user's permissions to do something on their behalf. "Stealing" permissions outright, for example taking the session cookie, is what XSS (cross-site scripting) likes to do.


Second, front-end foundations

1. The CSS reset technique was developed to address CSS compatibility: it resets certain styles (those that render differently in different browsers), and the site's own CSS then defines its styles on top of that baseline.

2. To resolve JavaScript compatibility, many excellent JavaScript frameworks were created, such as jQuery, YUI and so on.

3. The URL request protocol is almost always HTTP, which is a stateless request/response protocol. That is, after each request and response the connection is either closed immediately or kept alive for a certain duration (keep-alive); once it is closed, the next request sets up a connection again.

4. HTTP is stateless, so how does the server know you are the same client that connected last time? Cookies are used for session tracking: the cookies set in the first response are sent with every subsequent request.

Cookies can also contain identity information that is recorded after authentication.

5. The iframe tag raises other interesting security topics. When a site's page embeds another page with an iframe, we call the embedding page the parent page and the embedded page the child page.

6. If the parent and child pages are in the same origin, things are easy: the parent page can manipulate the child page's DOM tree through the child's contentWindow, and likewise the child page can manipulate the parent page's DOM tree through window.parent.

If they are in different origins, the same-origin policy applies, but the child page can still write the parent page's location value, which redirects the parent page to another web page. Only writing is permitted; the parent's location cannot be read, so the child cannot obtain the URL of the parent page. If it could, private data might leak: for example, some sites carry authentication tokens in the URL.

7. On the "cross-site" part: in most cases, having an XSS vulnerability means being able to inject arbitrary JavaScript, which means the attacker can simulate whatever actions the user can perform and read whatever private information the user can see.

One could say that JavaScript is the soul of cross-site attacks.

8. The data in the URL address can be obtained from window.location or location.

9. Asynchronous versus synchronous. Asynchronous can be understood as work done on its own, independently of the browser's main thread, so the browser does not wait (is not blocked); the asynchronous request proceeds quietly in the background, which is why attacks that use Ajax look so silent. Ajax itself is just JavaScript; XML is not required. The XML in the name refers to the format of the transmitted data: for example, Ajax sends an HTTP request, the response comes back as XML, and JavaScript parses the XML DOM tree to get the content of the relevant nodes. In practice the response format can also be JSON (now mainstream), text, HTML and so on. The special mention of XML in Ajax is for historical reasons.

10. The core object of AJAX is XMLHttpRequest.

11. AJAX strictly follows the same-origin policy: by default you can neither read data from another origin nor send data to another origin.

There is only one situation in which you can send data to another origin. In the newer standard, CORS pushed browsers to support this cross-domain scenario, and today's browsers support it. The steps are as follows:

www.foo.com (the source origin) initiates an Ajax request to www.evil.com (the target origin), and the browser adds the Origin header on its own, for example:

Origin: http://www.foo.com

The target origin then inspects the Origin value. If it is one the target expects, it returns the response with the header Access-Control-Allow-Origin: http://www.foo.com, and only then does the browser let the script read that response.

12. If the target origin does not set Access-Control-Allow-Origin: http://www.foo.com, can private data be stolen this way? No. The browser still sends the request (including the user's cookies when withCredentials is set), but it refuses to let the script read the response. The side effects of that request on the server are a CSRF concern rather than a data-theft one.
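
The exchange in items 11 and 12, as an added example that is not part of the original page: the target origin's decision about which CORS headers to return, and a model of the browser-side check that decides whether script may read the response. The allowlist, the function names and the origins used are assumptions.

```javascript
// Added example (not from the original page): server-side CORS decision plus a
// model of the browser-side read check. Allowlist, names and origins are assumptions.

const ALLOWED_ORIGINS = new Set(['http://www.foo.com']);

// Normalize an Origin header value to scheme://host[:port]. new URL().origin drops
// default ports, so 'http://www.foo.com:80' and 'http://www.foo.com' compare equal.
function normalizeOrigin(value) {
  try {
    const origin = new URL(value).origin;
    return origin === 'null' ? null : origin; // opaque origins never match
  } catch (e) {
    return null; // not a URL at all
  }
}

// Target origin (www.evil.com in the text's example) chooses the response headers
// for a request that carried `originHeader`.
function corsResponseHeaders(originHeader) {
  const origin = normalizeOrigin(originHeader);
  if (origin === null || !ALLOWED_ORIGINS.has(origin)) {
    return {}; // no Access-Control-Allow-Origin: the browser hides the response from script
  }
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // the header depends on the request, so caches must key on Origin
  };
}

// Browser side. The request is sent either way (cookies included when withCredentials
// is true); this only decides whether the script may read the response body.
function scriptMayReadResponse(requestOrigin, responseHeaders, withCredentials) {
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;
  if (acao === '*') return !withCredentials; // the wildcard is refused for credentialed requests
  if (normalizeOrigin(acao) !== normalizeOrigin(requestOrigin)) return false;
  if (withCredentials && responseHeaders['Access-Control-Allow-Credentials'] !== 'true') return false;
  return true;
}

// Walk the whole exchange for one source origin.
function simulate(requestOrigin, withCredentials) {
  const headers = corsResponseHeaders(requestOrigin);
  return {
    requestSent: true, // CORS never stops a simple request from leaving the browser
    readable: scriptMayReadResponse(requestOrigin, headers, withCredentials),
  };
}
```

Run simulate('http://www.foo.com', true) and simulate('http://www.attacker.com', true) side by side: both requests are sent, only the first is readable, which is the whole content of item 12.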

13. For GET, the request is really just a URL.

14. For POST requests, the XMLHttpRequest object mentioned above is a convenient way to simulate form submission. It has asynchronous and synchronous modes; the difference is the third parameter of the open method of the instantiated XMLHttpRequest object xhr: true means asynchronous, false means synchronous. Using the asynchronous mode is Ajax. Asynchronous means that after the request is sent, JavaScript can go on doing other things; when the response comes back, the onreadystatechange event of the xhr object fires, and you can listen for that event to handle the response content. Synchronous means JavaScript must wait for the response after sending the request, and is blocked during that period.

15. Cookies are a wonderful mechanism: any request the browser makes within the cookie's domain carries the cookie, regardless of which resource is requested or who triggered the request. The cookie travels in the Cookie field of the request header.

16. Cookies are often used to store user session information. For example, after the user logs in and is authenticated, subsequent requests within the same domain carry the authenticated session information.

17. HttpOnly means the cookie is transmitted only at the HTTP level: when the HttpOnly flag is set, client script cannot read or write the cookie (document.cookie does not expose it). This effectively defends against XSS stealing the cookie value, although an XSS payload can still send requests that the browser decorates with that cookie.

18. The Secure cookie mechanism means a cookie with the Secure flag is transmitted only over HTTPS; if the request is plain HTTP the cookie is not sent, which reduces the risk of an important cookie being intercepted by a man in the middle.

19. Local (persistent) cookies and memory (session) cookies. The difference is tied to the expiration time (the Expires field of the cookie). If no expiration time is set, it is a memory cookie, and it disappears from memory when the browser closes. If the expiration time is set to some point in the future, the cookie is saved as text on the local file system until it expires.

20. To delete a cookie, you only need to set its expiration time to a point in the past. Cookies do not exist across browsers: each browser keeps its own cookie store.
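
A small model of how a browser stores and attaches cookies, added here as an example and not code from the original page. It covers items 15 to 20 above and the observation in the CSRF section that the browser attaches cookies to any matching request no matter who triggered it. The header values, host names and function names are constructed for the example.

```javascript
// Added example (not from the original page): a browser-side cookie model.
// Header values, hosts and function names are constructed for illustration.

// Parse one Set-Cookie header into a cookie record. Unknown attributes are ignored.
function parseSetCookie(header, requestUrl, now = Date.now()) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    domain: new URL(requestUrl).hostname.toLowerCase(),
    hostOnly: true,   // no Domain attribute: only the exact host receives it
    path: '/',
    secure: false,
    httpOnly: false,
    expires: null,    // null => memory (session) cookie, gone when the browser closes
  };
  let maxAge = null;
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const k = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const v = i < 0 ? '' : attr.slice(i + 1).trim();
    if (k === 'domain' && v) { cookie.domain = v.replace(/^\./, '').toLowerCase(); cookie.hostOnly = false; }
    else if (k === 'path' && v.startsWith('/')) cookie.path = v;
    else if (k === 'secure') cookie.secure = true;
    else if (k === 'httponly') cookie.httpOnly = true;
    else if (k === 'expires') cookie.expires = Date.parse(v);
    else if (k === 'max-age') maxAge = Number(v);
  }
  if (maxAge !== null) cookie.expires = now + maxAge * 1000; // Max-Age takes precedence over Expires
  return cookie;
}

function isSessionCookie(cookie) { return cookie.expires === null; }

function isExpired(cookie, now = Date.now()) {
  return cookie.expires !== null && cookie.expires <= now;
}

function domainMatches(cookie, host) {
  host = host.toLowerCase();
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith('.' + cookie.domain);
}

function pathMatches(cookie, path) {
  if (path === cookie.path) return true;
  if (!path.startsWith(cookie.path)) return false;
  return cookie.path.endsWith('/') || path[cookie.path.length] === '/';
}

// Would the browser attach this cookie to a request for `requestUrl`? Who triggered the
// request (the site itself, an <img> on evil.com, a cross-site form) plays no role here;
// that indifference is exactly what CSRF relies on.
function attachedToRequest(cookie, requestUrl, now = Date.now()) {
  const u = new URL(requestUrl);
  if (isExpired(cookie, now)) return false;
  if (cookie.secure && u.protocol !== 'https:') return false;
  return domainMatches(cookie, u.hostname) && pathMatches(cookie, u.pathname);
}

// Can document.cookie on a page at `pageUrl` read it? HttpOnly hides it from script
// even though the cookie is still sent with every matching request.
function visibleToScript(cookie, pageUrl, now = Date.now()) {
  return !cookie.httpOnly && attachedToRequest(cookie, pageUrl, now);
}

// "Deleting" a cookie is just another Set-Cookie with an expiry in the past.
function deletionHeader(cookie) {
  const domainAttr = cookie.hostOnly ? '' : `; Domain=${cookie.domain}`;
  return `${cookie.name}=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=${cookie.path}${domainAttr}`;
}
```

A useful check to run against this model: parse a session cookie set by https://www.foo.com/login with HttpOnly and Secure, then ask attachedToRequest for https://www.foo.com/account/delete?id=1. It answers true even though nothing in the call says who made the request, which is item 15 and the CSRF section in one line.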

21. Flash is a cross-browser solution; the default storage size for Flash cookies (local shared objects) is 100KB.

22. If there are a large number of illegal characters before the h1 rule, how do we make sure the h1 rule still parses? Adding {} before h1 works, and under IE a single } is enough. This is caused by differences in how browsers parse CSS:

{}h1{font-size:50px; color:red;}


Third, the front-end hacker's XSS

1. XSS (cross-site scripting) happens at the browser level of the target user on the target site: when the user's browser renders the whole HTML document and unexpected script instructions are included and executed, XSS occurs.

Target user on the target site: this highlights the scenario.

Browser: because this type of attack is executed by the browser's parser.

Unexpected: the attacker most likely submitted controllable script content at an input point, and the browser parsed it after it was output.

2. The focus of cross-site scripting is not on "cross-site" but on "scripting". Analysed literally, "cross" is actually a browser feature, not a flaw; the illusion of "cross" comes from the fact that most XSS attacks embed script resources from a remote or third-party domain.

3. The usual summary of XSS is: do everything possible to get your script content parsed and executed in the target user's browser within the target site.

4. XSS has three categories: reflected XSS (also known as non-persistent XSS), stored XSS (also known as persistent XSS), and DOM XSS.

5. Stored XSS attacks are the most covert.


Four, the front-end hacker's CSRF

1. In the cross-site world, CSRF plays an equally important role. The full name of CSRF is Cross-Site Request Forgery.

The attack is carried out through all kinds of requests; for CSRF, the two key points about the request are that it is cross-site and that it is forged.

2. Security risks always hide in normal flows. Suppose deleting an article is done with a GET request: from the browser's point of view a cross-domain request for that URL is legitimate, so it is let through, cookies and all.

3. Any HTML tag that can carry a link address, such as src or href, can initiate a GET request.

4. GET requests can also be initiated by tag objects or CSS objects generated dynamically by JavaScript, while a forged cross-site POST request can only be submitted through a form (XMLHttpRequest can POST too, but it is bound by the same-origin policy described above).

5. Because of JSON's simplicity and power, sites began using JSON instead of traditional XML for data transfer.

6. If JSON data is returned as a dictionary (object) and evaluated directly, the browser's script engine treats a statement beginning with "{" as a block of code enclosed in curly braces rather than an object literal. So such JSON data is usually processed like this:

eval("(" + json_data + ")"); // wrapped in round parentheses

7. JSON data returned as a list is an array object. In older browser engines, script on a malicious page could override the Array constructor and thereby capture the array's contents when a cross-domain script tag loaded the JSON, the classic JSON hijacking attack; modern engines no longer invoke a script-replaceable constructor for array literals, so that particular trick no longer works.


Five. The front-end hacker's UI operation hijacking

1. A UI operation hijacking attack is a web session hijacking attack based on visual deception. It overlays an invisible frame (iframe) on top of a visible control of a web page, so the user believes they are operating the visible control while their action is actually captured by the frame they cannot see. Malicious code in the invisible frame then steals sensitive information, tampers with data and carries out other attacks without the user's knowledge.

2. UI operation hijacking is divided into three kinds: click hijacking (clickjacking), drag-and-drop hijacking and touch-screen hijacking.

3. In the browser, drag-and-drop operations are not restricted by the same-origin policy: a user can drag content from one origin and drop it into a different origin.

Thus drag-and-drop hijacking, which steps around the limits of the same-origin policy, can evolve into a broader form of attack and bypass many defenses.

4. The stacking order of controls is controlled by z-index, which every browser supports:

z-index: 1. The value can be negative. A control with a higher value is placed in front of one with a lower value; the higher the value, the closer the control is to the user.

Six. Vulnerability mining

1. Back to XSS vulnerability mining. It was said earlier that there are three input points the attacker can control: <path>, <query> and <fragment>. In fact the value of <fragment> is generally never sent to the server, so the server side does not parse it; it only matters on a Web 2.0 site whose client-side script reads it.

2. The most common scenario is an output point like <div id="body">[output]</div>. Submitting:

id=1<script>alert(1)</script> can then trigger XSS.

But what if the output lands inside one of the following tags?

<title></title>

<textarea></textarea>

<xmp></xmp>

<iframe></iframe>

<noscript></noscript>

<noframes></noframes>

<plaintext></plaintext>

For example, would <title><script>alert(1)</script></title> pop up a dialog? The answer is: no!

Script does not run between these tags. An XSS vulnerability mining mechanism must be able to tell these contexts apart; for example, when it finds the output inside <title></title>, the submitted payload changes to:

</title><script>alert(1)</script>

Besides these, there are two special tags, <script> and <style>. They cannot be nested, and payload construction is more flexible: in addition to closing the corresponding tag, one can construct special payloads that use the nature of the script or style context itself to run.

3. HTML is a very lax markup language (its opposite is XML). Attribute values can be unquoted, single-quoted, double-quoted, or backtick-quoted (IE browsers only).

4. The purpose of the "scout" (probe) request is twofold. First, to see whether the target value appears in the response at all; if it does not, there is no need to send the possible payload requests and analyse them, since those requests and analyses may be repeated many times and waste resources. Second, to see which part of the HTML the target value lands in; from the analysis above we already know that different parts of HTML treat XSS differently, so the payload of the request is of course different too.
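
An added example, not from the original page, of the scout stage described in items 1 to 4: locate the probe string in a response, report which HTML context it landed in, and derive the payload shape for that context. It is a regular-expression approximation of the HTML parser, enough for a first probe; the tag list is the one given above, and the function names and sample pages are assumptions.

```javascript
// Added example: context "scout" for XSS mining. Not from the original page;
// function names and the sample responses below are assumptions.

// The parser treats the content of these tags as raw text / RCDATA: a <script>
// placed inside them never runs, so the payload must close the tag first.
const RAW_TEXT_TAGS = ['title', 'textarea', 'xmp', 'iframe', 'noscript',
  'noframes', 'plaintext', 'script', 'style'];

function findReflectionContext(html, probe) {
  const at = html.indexOf(probe);
  if (at < 0) return { found: false };            // not reflected: stop here
  const before = html.slice(0, at);

  // Attribute context: the last '<' before the probe has no matching '>' yet.
  const lastLt = before.lastIndexOf('<');
  const lastGt = before.lastIndexOf('>');
  if (lastLt > lastGt) {
    const tagText = before.slice(lastLt);
    const tag = (tagText.match(/^<\s*([a-zA-Z0-9]+)/) || [null, ''])[1].toLowerCase();
    // An odd number of quotes after '<' means the probe sits inside that quote.
    const inDouble = (tagText.match(/"/g) || []).length % 2 === 1;
    const inSingle = !inDouble && (tagText.match(/'/g) || []).length % 2 === 1;
    const quote = inDouble ? '"' : inSingle ? "'" : '';
    return { found: true, context: 'attribute', tag, quote };
  }

  // Raw-text context: a raw-text tag opened before the probe and not closed yet.
  // If several qualify, the one opened last (innermost) wins.
  let innermost = null;
  const lower = before.toLowerCase();
  for (const tag of RAW_TEXT_TAGS) {
    const openRe = new RegExp(`<${tag}(?=[\\s>/])[^>]*>`, 'g');
    let openAt = -1;
    let m;
    while ((m = openRe.exec(lower)) !== null) openAt = m.index;
    const closeAt = lower.lastIndexOf(`</${tag}`);
    if (openAt > closeAt && (innermost === null || openAt > innermost.at)) {
      innermost = { tag, at: openAt };
    }
  }
  return { found: true, context: innermost ? innermost.tag : 'text' };
}

// Payload shape per context: plain text needs no prefix, a raw-text tag must be
// closed first, an attribute value must close its quote and then the tag.
function payloadFor(ctx, js = 'alert(1)') {
  if (!ctx.found) return null;                    // skip the payload round entirely
  const script = `<script>${js}</script>`;
  if (ctx.context === 'text') return script;
  if (ctx.context === 'attribute') return `${ctx.quote}>${script}`;
  return `</${ctx.context}>${script}`;
}

// Constructed responses for the probe value "zz9probe".
const SAMPLE = {
  text: '<div id="body">zz9probe</div>',
  title: '<title>zz9probe</title>',
  attr: '<input type="text" value="zz9probe">',
  script: '<script>var a = "zz9probe";</script>',
  missing: '<p>nothing reflected here</p>',
};
```

Running findReflectionContext over SAMPLE.title gives context "title" and payloadFor produces the </title>-prefixed payload shown above; SAMPLE.missing yields found: false, which is the first purpose of the scout (send no payloads at all).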

5. A visible text or symbol unit is a character (garbled characters included). One character may correspond to 1 to n bytes; one byte is 8 bits, and each bit is either 1 or 0.

6. How many bytes (1 to n) a character occupies is determined by the character set and encoding. For example, in the ASCII character set one character corresponds to 1 byte, but only 7 of the 8 bits are used (the highest bit is reserved for other purposes), so the ASCII character set has 2^7 (128) characters in total, basically the English characters on the keyboard (including control characters).

7. IE conditional comments:

<!--[if IE]> recognized by all IE versions <![endif]-->

<!--[if IE 6]> recognized only by IE6 <![endif]-->

<!--[if lt IE 6]> recognized by versions below IE6 <![endif]-->

<!--[if gte IE 6]> recognized by IE6 and above <![endif]-->

These are unique to IE. Other browsers treat them as ordinary comments, but IE evaluates the condition, which gives us an opportunity to bypass filters.

8. There are three pseudo-protocols commonly used in XSS: javascript:, vbscript: (the protocol name can also be abbreviated as vbs:) and data:.

9. Like HTML tag and attribute names, the pseudo-protocol name is not case-sensitive; and as with event handler attributes, the data after the protocol name is HTML-decoded automatically before it is interpreted.

10. CSS has the @charset rule and the !important declaration, but only CSS resource-type property values and the @import rule are places where we can exploit the insertion of an XSS script, along with the expression() property value, which only runs under IE.

11. var a = "123";

For JavaScript code in an HTML page, the closing tag has the highest priority and can interrupt JavaScript code wherever it appears. So in a real filter implementation, the value placed into such a variable must also be protected against the closing tag, for example by escaping the slash with a backslash so that </script> becomes "<\/script>".

Also pay attention to where the data in that variable flows, to see whether there is a possibility of DOM XSS.
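
The situation in item 11 as an added example (not code from the original page): the naive way of embedding server data into an inline script, where the HTML parser's closing tag cuts the JavaScript string short, beside an escaped form that keeps the output valid both as JavaScript and as JSON. The function names and the sample value are assumptions.

```javascript
// Added example: embedding data into an inline <script>, naive versus escaped.
// Not from the original page; function names and the sample value are assumptions.

const IDENT = /^[A-Za-z_$][\w$]*$/;

// Naive: JSON.stringify leaves '<', '>' and '/' untouched, so a value that contains
// "</script>" ends the script element early. The HTML parser, not the JavaScript
// string, decides where the script stops.
function naiveInlineScript(varName, value) {
  if (!IDENT.test(varName)) throw new Error('bad identifier');
  return `<script>var ${varName} = ${JSON.stringify(value)};</script>`;
}

// Hardened: \uXXXX escapes are valid in both JavaScript and JSON, so the output still
// parses as JSON while no "</script>" or "<!--" sequence survives in the page source.
// The page's own suggestion, "<\/script>", is the same idea applied only to the slash.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')  // line terminators JSON allows raw but JS does not
    .replace(/\u2029/g, '\\u2029');
}

function safeInlineScript(varName, value) {
  if (!IDENT.test(varName)) throw new Error('bad identifier');
  return `<script>var ${varName} = ${jsonForScript(value)};</script>`;
}

// How many script elements would the HTML parser see? Count the closing tags.
function countScriptEndTags(html) {
  return (html.match(/<\/script\s*>/gi) || []).length;
}

// Constructed attacker-controlled value, e.g. a profile field reflected into the page.
const EVIL = '123</script><script>alert(1)</script>';
```

countScriptEndTags(naiveInlineScript('a', EVIL)) reports three script elements where the author intended one; the escaped form reports one, and JSON.parse(jsonForScript(EVIL)) still returns the original string.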

12. Depending on requirements, JSON comes in broadly two formats: a bare object without a callback function name, and the object passed as the parameter of a named callback function, for example:

[{"A": "B"}]

callback([{"A": "B"}])

The latter exists primarily to meet the need of transmitting data across domains, and this feature is often an important channel for attackers to obtain users' private data across domains.

Seven, exploit

1. Such techniques have been mentioned before: the response content is JSON plus a callback function (this kind of cross-domain data communication is called JSONP).
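
An added example, not from the original page, that serves both item 12 above and items 6 and 7 of the CSRF section: why a bare object needs the parentheses before eval, why bare JSON loaded cross-origin hands the including page nothing, and how the callback form (JSONP) hands the data straight to a function the attacker's page defines. The private record, the function names and the callback-name pattern are assumptions.

```javascript
// Added example: bare JSON versus JSON-with-callback (JSONP) and why the latter leaks
// across origins. Not from the original page; record, names and regex are assumptions.

// Constructed private data the victim site returns to a logged-in user.
const PRIVATE_PROFILE = [{ user: 'alice', email: 'alice@example.com' }];

// Format 1: bare JSON. A cross-origin <script src> can still load it, but an array or
// object literal evaluated as a statement hands nothing to the including page.
function bareJsonResponse(data) {
  return JSON.stringify(data);
}

// Format 2: JSONP. The server wraps the data in a call to a caller-chosen function name.
// That name is reflected into executable script, so it must be restricted to a plain
// identifier; otherwise the callback parameter is itself an XSS sink.
const CALLBACK_NAME = /^[A-Za-z_$][\w$]*$/;
function jsonpResponse(callbackName, data) {
  if (!CALLBACK_NAME.test(callbackName)) throw new Error('invalid callback name');
  return `${callbackName}(${JSON.stringify(data)});`;
}

// Does this body parse as a script at all? At statement level "{" opens a block, which
// is why the page wraps a bare object in parentheses before eval.
function parsesAsScript(body) {
  try { new Function(body); return true; } catch (e) { return false; }
}

// Model of the attacker's page including <script src="https://victim/api?callback=grab">.
// The browser sends the victim's cookies with that request, the response body runs as
// script on the attacker's origin, and the attacker's own `grab` receives the data.
function runOnAttackerPage(responseBody) {
  const stolen = [];
  const grab = (data) => stolen.push(data);
  new Function('grab', responseBody)(grab);   // stands in for the browser executing the response
  return stolen;
}
```

runOnAttackerPage(jsonpResponse('grab', PRIVATE_PROFILE)) returns the profile, while runOnAttackerPage(bareJsonResponse(PRIVATE_PROFILE)) returns nothing: the same-origin policy never blocked the script load in either case, only the callback turns the load into a data channel.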

Eight. HTML5 security

Nine. Web worms

1. Web worms mainly comprise XSS worms, CSRF worms and clickjacking worms; all three are named after the specific vulnerability risk they exploit. To better describe the web worm idea, I will mention a fourth class: the text worm.

2. Apart from the vulnerabilities they exploit, these worms are essentially the same: the user is tricked into interacting with Web 2.0 content, which results in passive or active (or somewhere in between) spreading of the threat.

From XSS worms to CSRF worms, and from clickjacking worms to text worms, the social-engineering component grows larger and larger.

3. A worm that exploits public psychology and relies on psychological drivers to spread is what we call a text worm.

4. Worms have two most basic properties: propagation and viral behaviour.

Ten, about defense

