I. Web security: OWASP
OWASP (Open Web Application Security Project) is an open, nonprofit, global security organization dedicated to research on the security of application software. http://www.owasp.org.cn/
II. XSS attacks
1. Overview
2. How XSS works
XSS (Cross-Site Scripting) is a cross-site scripting attack; it is ranked second among the OWASP Top 10 security vulnerabilities.
Characteristics: an attacker can inject malicious HTML/JavaScript code into a web page viewed by a user, and thereby steal cookie data, hijack the session, run phishing scams and mount other attacks. (The attack code is not necessarily inside <script></script>.)
Causes:
A: The design of the web browser itself is not secure. The browser parses and executes JS and other code, but it does not judge whether data or program code is malicious.
B: Input and output are the most basic interactions of a web application, and the interactivity of web sites keeps growing richer. Without security protection in this process it is easy to introduce an XSS vulnerability.
C: Programmers' skill levels vary; most have had no formal security training and lack security awareness.
D: XSS attacks are flexible and take many forms.
3. Defending against XSS attacks
A: HttpOnly. The browser prohibits JS on the page from accessing cookies that carry the HttpOnly attribute.
B: Input check (XSS Filter). Check the format of the input, in the manner of a "whitelist", so that attacks based on special characters become invalid. The same input check is implemented both in client-side JS and in server-side code (the server side is mandatory).
C: Output check. When a variable is output into an HTML page, it can be encoded or escaped to defend against XSS.
HtmlEncode converts characters into HTML entities; the corresponding standard is ISO-8859-1. The conversions are:
& --> &amp;
< --> &lt;
> --> &gt;
" --> &quot;
' --> &#x27;
/ --> &#x2F;
JavascriptEncode is used inside JS. It uses "\" to escape special characters, and the output variable must be placed inside quotation marks.
D: The essence of XSS is "HTML injection": the user's data is executed as part of the HTML code, confusing the original semantics and creating new semantics.
Output in HTML tags: <div>$var</div>. A variable output inside a tag causes XSS directly if nothing is done: the attacker constructs a <script> tag, or uses any other way of getting script to execute, e.g. <div><script>alert(/xss/)</script></div> or an <a href=#></a> element. Defense: apply HtmlEncode to the variable.
Output in HTML attributes: <div id="abc" name="$var"></div>. Attack: <div id="abc" name=""><script>alert(/xss/)</script><""></div>. Defense: HtmlEncode. A stricter HtmlEncode, as in OWASP ESAPI, is recommended: all characters other than letters and digits are encoded as HTML entities.
Output inside <script> tags: <script>var x = "$var";</script>. Attack: <script>var x = "";alert(/xss/);//";</script>. Defense: JavascriptEncode.
Output in events: similar to output inside <script> tags: <a href=# onclick="funcA('$var')">test</a>. Attack: <a href=# onclick="funcA('');alert(/xss/);//')">test</a>. Defense: JavascriptEncode.
Output in CSS: many variants. Defense: as far as possible, keep user-controllable variables out of <style> tags, the style attributes of HTML tags, and CSS files. Where this is a requirement, use the encodeForCSS() function of OWASP ESAPI: all characters other than letters and digits are encoded in hexadecimal form "\uHH".
Output in addresses (URLs): more complex. Usually the variable is output in the URL's path or search (query) part, and URLEncode is used. <a href="http://www.evil.com/?test=$var">test</a> becomes <a href="http://www.evil.com/?test=" onclick=alert(1)"">test</a>. When the entire URL is controlled by the user, the protocol (http://) and host (www.evil.com) parts of the URL cannot be URLEncoded, and a pseudo-protocol attack can be constructed: <a href="$var"></a> becomes <a href="javascript:alert(1);"></a>. Defense: first check whether the variable begins with "http" (add it automatically if not), which rules out pseudo-protocol XSS; after that, URLEncode the variable.
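The context-specific encoders described above, as an added example that is not code from the original post. Function names are my own; the HtmlEncode table is the page's, and the JS and CSS encoders follow the stricter ESAPI-style rule of encoding everything except letters and digits.

```javascript
// Added example (mine, not the post's code): the context-specific output
// encoders the text prescribes, run against the post's own sample payloads.
// Function names are assumptions; the HtmlEncode table is the page's, and the
// JS/CSS encoders use the stricter ESAPI rule of encoding everything except
// letters and digits.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                        '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };

// HTML tag content and quoted HTML attribute values.
function htmlEncode(s) {
  return String(s).replace(/[&<>"'\/]/g, ch => HTML_ENTITIES[ch]);
}

// Inside a quoted JS string literal (<script> blocks and on* event attributes).
// Every non-alphanumeric becomes \xHH / \uHHHH, so the value can neither close
// the quotes nor start a new statement.
function javascriptEncode(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, ch => {
    const code = ch.charCodeAt(0);
    return code < 0x100 ? '\\x' + code.toString(16).padStart(2, '0')
                        : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// <style> blocks, style attributes, CSS files: \HH per character, with the
// trailing space CSS uses to terminate a hex escape.
function cssEncode(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, ch =>
    '\\' + ch.charCodeAt(0).toString(16) + ' ');
}

// A value placed in the URL path or query string: percent-encode it.
function urlEncodeParam(s) { return encodeURIComponent(String(s)); }

// The whole href is user-controlled: scheme and host cannot be percent-encoded,
// so apply the page's rule (must start with http, otherwise prepend it) and
// then HtmlEncode for the attribute context; a javascript: pseudo-URL cannot survive.
function safeHrefAttr(url) {
  let u = String(url).trim();
  if (!/^https?:\/\//i.test(u)) u = 'http://' + u;
  return 'href="' + htmlEncode(u) + '"';
}
```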
E: Handling rich text. Websites allow users to submit custom HTML code, called "rich text": for example, a user's forum post may contain pictures, videos, tables and so on, and these rich-text effects are achieved through HTML code. Defense: the same idea as input checking; use an "XSS Filter". "Events" should be strictly prohibited; dangerous tags such as <iframe>, <script>, <base> and <form> should also be strictly prohibited. In choosing tags, attributes and events, use a whitelist and avoid blacklists: for example, allow only <a>, <div> and other "safe" tags to exist. Open-source projects can be used: AntiSamy is an OWASP project that can be used from Java, .NET and others; HTMLPurifier can be used in PHP.
F: Defending against DOM-based XSS. If output goes into an event or a script, apply JavascriptEncode once; if output goes into HTML content or an attribute, apply HtmlEncode once. When dealing with XSS injection, it is not enough to escape or remove special HTML tags and symbols such as the angle brackets <> and tags such as <iframe>; a large number of attributes involving JavaScript events also need to be filtered. The front end generally uses an XSS filter with a "whitelist". The filtered events are roughly as follows:
Attribute | Event occurs when
--------- | -----------------
onabort | Image loading is interrupted
onblur | Element loses focus
onchange | User changes the content of a field
onclick | Mouse clicks an object
ondblclick | Mouse double-clicks an object
onerror | An error occurs while loading a document or image
onfocus | Element gains focus
onkeydown | A keyboard key is pressed
onkeypress | A keyboard key is pressed or held down
onkeyup | A keyboard key is released
onload | A page or image finishes loading
onmousedown | A mouse button is pressed
onmousemove | The mouse is moved
onmouseout | The mouse moves away from an element
onmouseover | The mouse moves over an element
onmouseup | A mouse button is released
onreset | The reset button is clicked
onresize | The window or frame is resized
onselect | Text is selected
onsubmit | The submit button is clicked
onunload | The user exits the page
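A whitelist rich-text filter in the spirit of section E and the event table above, as an added example (my own code, not from the post, AntiSamy or HTMLPurifier). The tag and attribute policy is a small one I chose; every on* event attribute, every tag not on the list (<iframe>, <script>, <base>, <form>, ...) and every non-http(s) link is dropped, and the output is rebuilt from the whitelist rather than patched.

```javascript
// Added example (mine, not code from the post or from AntiSamy/HTMLPurifier):
// a whitelist "XSS filter" for rich text. The tag/attribute policy is a small
// one I chose; everything not on it is dropped: on* event attributes (the table
// above), <iframe>/<script>/<base>/<form>, and non-http(s) links. The output is
// rebuilt from the whitelist rather than patched, so no input markup is copied.
const ALLOWED_TAGS = new Map([['a', ['href', 'title']], ['img', ['src', 'alt']],
  ['div', []], ['p', []], ['b', []], ['i', []], ['br', []]]);  // Map: no prototype names
const URL_ATTRS = new Set(['href', 'src']);
const TAG_RE  = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>|<[!?][^>]*>/g;
const ATTR_RE = /([a-zA-Z][-a-zA-Z0-9_:]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Enough for a value that is always emitted inside double quotes.
const attrEncode = s => s.replace(/[&<>"]/g, ch =>
  ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' })[ch]);
const textEncode = s => s.replace(/</g, '&lt;').replace(/>/g, '&gt;');

function rebuildTag(name, attrString) {
  const allowed = ALLOWED_TAGS.get(name);
  let out = '<' + name;
  for (const m of attrString.matchAll(ATTR_RE)) {
    const attr = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (attr.startsWith('on') || !allowed.includes(attr)) continue;   // events never pass
    if (URL_ATTRS.has(attr) && !/^https?:\/\//i.test(value)) continue; // no javascript: etc.
    out += ' ' + attr + '="' + attrEncode(value) + '"';
  }
  return out + '>';
}

function sanitizeRichText(input) {
  const html = String(input);
  let out = '', last = 0;
  for (const m of html.matchAll(TAG_RE)) {
    out += textEncode(html.slice(last, m.index));  // text between tags
    last = m.index + m[0].length;
    const name = (m[2] || '').toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue;         // unknown or dangerous tag: dropped
    out += m[1] ? '</' + name + '>' : rebuildTag(name, m[3]);
  }
  return out + textEncode(html.slice(last));
}
```

Entities already present in the input text are left as they are; only the characters that could open a tag are encoded, so a `&lt;script&gt;` submitted as text stays text.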
III. CSRF attacks
1. Overview
2. How it works
CSRF (Cross-Site Request Forgery). Essence: all parameters of an important operation can be guessed by the attacker. The attacker predicts every parameter and parameter value of the URL and so succeeds in constructing a forged request.
3. Defending against CSRF
Defense methods: a verification code (CAPTCHA); a Referer check, which checks whether the request comes from a legitimate source (the Referer can be forged). General method: Anti-CSRF Token. Keep the original parameters of the URL unchanged and add one parameter, token. The value of token is random (it must be generated with a sufficiently secure random number generation algorithm, or a true random number generator) and is held by both the user and the server; it can be placed in the user's session or in the browser's cookie. Keep the token secret: prefer to put it into the form (as a hidden INPUT element) and submit it by POST, to avoid token leakage. Note: if the website has an XSS vulnerability or some cross-domain vulnerability, the token may leak. Under an XSS attack, the attacker reads the token value and then constructs a legitimate request; this is called XSRF.
IV. HTML5 security
HTML5 added new tags and attributes, which changes XSS attacks: if the existing XSS filter uses a "blacklist", attackers can use HTML5's new tags to attack; if it uses a "whitelist", there are fewer hidden dangers.
V. XSS defenses in common front-end frameworks
React escapes all strings by default. AngularJS uses SCE (Strict Contextual Escaping) to defend against XSS attacks.
VI. Web security scanners
Commercial software: IBM Rational AppScan, WebInspect, Acunetix WVS. Free software: W3AF, Skipfish.
----------------------------------------------
References: "White Hat Talks Web Security", Wu Hanqing; "Web Front-end Hacker Techniques Revealed", Zhong Chenming and Xu Shaobai; "Analysis and Defense of XSS Cross-Site Scripting Attacks", Qiu Yonghua; "OWASP Top 10 - 2013".
Front-end Security (XSS, CSRF Defense)