Web security under NodeJs

Source: Internet
Author: User
Tags: md5, hash, expression engine, asymmetric encryption


Web security is a topic we must pay attention to and cannot escape. This article introduces common Web attack techniques and their countermeasures, with a focus on Node.js, a young platform where security matters even more. The article mainly draws on the book "Node.js Practice". Beyond the front-end security knowledge summarised here, that book also provides many Node-related examples, which is great!

HTTP pipeline flood vulnerability

Principle: the client never reads the responses the server sends back, but keeps sending requests as fast as it can. The responses pile up because the Node.js stream cannot drain, host memory is exhausted, and the process crashes.

Preventive measure: while the server is waiting for the stream's drain event, reading from the socket and HTTP parsing stop. Under the attack script the socket eventually times out and the server closes the connection. If the client is not malicious but simply sends a large number of requests while reading responses very slowly, the server's response speed to that client drops accordingly.

SQL Injection

Cause: by inserting SQL commands into a Web form, a domain name, or the query string of a page request, the attacker finally tricks the server into executing malicious SQL commands.

Preventive measure: ensure that every variable concatenated into an SQL query passes through the escape function, which defeats the injection. You can also use a mature ORM framework.

Injection example (the vulnerable form: the query is built by string concatenation):

    // Vulnerable: the id query parameter is pasted straight into the SQL text
    var userId = req.query["id"];
    var sqlStr = 'select * from user where id = "' + userId + '"';
    connection.query(sqlStr, function(err, userObj) {
      // ...
    });

Under normal circumstances we get the correct user information: for example, the user opens /user/info?id=11 in the browser to reach the personal center, and we display that user's details based on the id parameter they passed. But if a malicious user's request address is /user/info?id=11"; drop table user --, the concatenated SQL statement becomes: select * from user where id = "11"; drop table user --. Note: two consecutive minus signs start an SQL comment, so everything after them is ignored. What was meant to be a query for user information will, once executed, drop the entire user table!

XSS Script attack

Full name: Cross-Site Scripting. It is abbreviated XSS to distinguish it from CSS (Cascading Style Sheets).

Principle: an application-layer security vulnerability of websites and a form of code injection. It lets a malicious user inject code into a web page, and other users are affected when they view that page. Such attacks usually consist of HTML tags and client-side script.

Preventive measure: filter! Treat data submitted by users with suspicion and filter out the characters that could be injected, so the application stays secure. Recommended tool: an XSS filter module.

CSRF Request Forgery

Cross-Site Request Forgery is a type of malicious website exploitation. CSRF is more dangerous than XSS.

Principle: the server keeps the user's information in the Session object, and the client uses cookies, ETag or similar mechanisms to hold a sessionid as its identity when talking to the server. A CSRF attack is like a malicious user copying another user's identity and then using the forged identity to act against that user's friends.

Preventive measures: strictly filter user input, add hidden fields where data is submitted, set HttpOnly on cookies to prevent cookie hijacking, and use a secure browser.

DoS at the application layer

Some very small application-layer vulnerabilities can be seized on by attackers to paralyse the entire system. The Node.js pipelining denial-of-service vulnerability mentioned above is one such attack.

1. SYN flood attacks at the network layer

Principle: because of a design weakness in TCP, a connection between a TCP client and server requires a three-way handshake. The attacker uses a large number of zombie hosts with forged source IP addresses to send SYN packets to the server as if to establish TCP connections. The server responds normally with SYN/ACK packets and waits for the client's reply. The attacker never answers these SYN/ACK packets, and the server discards each connection only when it decides it has timed out. If the number of such connections is huge, the server stops responding to normal requests because it is busy waiting on and handling these half-open connections, and the DoS attack succeeds.

Preventive Measure: hardware firewall

2. Oversized Buffer

Principle: the client uploads a very large file, causing the server to run out of memory.

Preventive measure: compare the accumulated size each time a buffer chunk is received; if the data is too large, truncate the upload immediately.

3. Slowloris attack

Principle: a slow POST attack. Against a low-spec server, the attacker first sends a normal POST request to the Web application server with a Content-Length within the server's limit, then sends the body extremely slowly, for example about 10 bytes every 30 seconds, so the connection is never released. In this way one of the server's TCP connections stays occupied by a single slow POST, which wastes server resources badly.

Precaution: use Nginx.

4. HTTP header attacks

Principle: a Web server normally sets a time limit for receiving the HTTP request header, meaning the client must finish sending the header within that period. If the Web server imposes no such limit, an attacker can use the same principle as above and send the header packets slowly, tying up server connections.

Precaution: set a limit on the request header size and the time allowed to receive it.

5. Regular expressions

Principle: regular expressions are used every day, and a carelessly written one can be exploited by malicious users. The NFA regular expression engine backtracks; the main effect of backtracking is that although the engine can compute an exact match fairly quickly, it takes longer to confirm a non-match.

Preventive measure: improve the robustness of regular expressions.

File Path Vulnerability

Principle: the HTTP module provided by Node.js is very low-level, so a lot of work is left to developers themselves. Perhaps because the business is simple, a mature framework is not used, and careless code then brings security risks. For example, the file name and the storage path are spliced together directly, which lets a relative path be exploited to intrude into the server.

Preventive measure: use the path-handling functions Node.js provides instead of splicing strings.

Encryption Security

Traditional encryption/decryption methods include symmetric encryption (AES, DES), asymmetric encryption (RSA), and one-way hashing, often called irreversible encryption (MD5, SHA-1).

Principle: the same string always produces the same MD5 hash. Attackers can therefore use large MD5 rainbow tables and cracking tools to recover the original string from its hash.

Preventive measure: add a salt column to the user table. A sufficiently long salt string must be generated randomly for each registration, and the password is then hashed together with that salt.

Conclusion: when Node.js is deployed to production, the Node.js application is placed behind a mature Web server such as Nginx. Against injection attacks such as SQL injection and XSS, we must strictly filter and review user input; this avoids the vast majority of injection attacks. Against DoS attacks, we need various tools and configuration to mitigate the damage. Finally, we need rigorous system monitoring: as soon as an anomaly is found, a reasonable response must be taken immediately.
