Front-end interview preparation Notes 1, interview preparation notes

Front-end interview preparation Notes 1, interview preparation notes

I. Common web security and protection principles

1. SQL Injection principles

The SQL command is inserted into the web form to submit or enter the query string of the domain name or page request, and finally the server is deceived to execute malicious SQL commands.

In general, there are the following points:

1. Never trust your input. to verify your input, you can use a regular expression or limit the length to convert the single quotes and double.

2. Never use dynamic assembled SQL statements. You can use parameterized SQL statements or directly use stored procedures for data query and access.

3. Never use the administrator privilege to connect to a database. Use a database with limited permissions for each application.

4. Do not store confidential information in plain text. Encrypt Or hash the password and sensitive information.

 

2. XSS principles and Prevention

XSS (cross-site scripting) attacks refer to attacks that insert malicious html tags or javascript code into Web pages. For example, an attacker can send a seemingly secure link in qq to obtain users' private information from cookies after Obtaining users' clicks. Alternatively, the attacker can add a malicious form to the Forum, when a user submits a form, the information is transmitted to the attacker's server, rather than the site that the user originally believed to be trusted.

3. XSS defense methods

First, the Code should carefully check the length of the places and variables entered by the user and filter the characters such as <",">; second, encode must be used before any content is written to the page to avoid accidentally extracting the html tag. At least half of the XSS attacks can be blocked.

First, avoid directly leaking user privacy in cookies, such as email and password.

Second, you can bind the cookie to the system ip address to reduce the risk of cookie leakage. In this way, the cookie obtained by the attacker has no actual value and cannot be used for replay.

If the website does not need to perform cookie operations on the browser, you can add HttpOnly at the end of the set-cookie to prevent JavaScript code from directly obtaining the cookie.

Try to use post instead of get to submit the form

4. What is the difference between XSS and CSRF?

XSS obtains information and does not need to know the code and data packets of other user pages in advance. CSRF is used instead of the user to complete the specified action. You need to know the code and data packets of other user pages.

To complete a CSRF attack, the victim must complete two steps in sequence:

Log on to trusted website A and generate A cookie locally.

Access dangerous website B without logging out of website.

5. Protection against CSRF

The CSRF method on the server side is diverse, but the general idea is the same, that is, to add pseudo-random numbers on the client page.