Since the birth of the Internet, security threats have accompanied the development of websites, and web attacks and information leaks have never stopped. Common attack methods include XSS, SQL injection, CSRF, session hijacking, and so on.
1. XSS attack
An XSS attack is a cross-site scripting attack: the attacker tampers with a web page and injects a malicious HTML script, which then controls the user's browser to perform malicious actions when the user visits the page.
There are two common types of XSS attack. The first is reflected XSS: the attacker persuades the user to click a link with a malicious script embedded in it, and the script runs when the link is opened.
The second is persistent XSS: the attacker submits a request containing a malicious script, which is stored in the database of the attacked website. When users browse the affected page, the malicious script is served as part of the normal page and runs in their browsers.
Sanitization
Escape certain HTML characters, for example ">" is escaped to "&gt;".
HttpOnly
The browser prevents page JavaScript from accessing cookies that carry the HttpOnly attribute. Adding the HttpOnly attribute to a cookie stops attackers from using the cookie to obtain user information.
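The two defenses above, as an added example that is not part of the original article: output escaping for text and attribute contexts, and a session cookie marked HttpOnly. The cookie name `SESSIONID`, the sample inputs and the function names are assumptions made for illustration.

```python
import html
from http.cookies import SimpleCookie

# Constructed samples of untrusted input (not from the article).
STORED_COMMENT = "<script>alert(document.cookie)</script>"
NICKNAME = '" onmouseover="alert(1)'


def render_comment_unsafe(comment: str) -> str:
    # Vulnerable: stored user text is concatenated into the page as markup.
    return "<p class='comment'>" + comment + "</p>"


def render_comment(comment: str) -> str:
    # Escapes & < > " ' so the browser displays the text instead of parsing it.
    return "<p class='comment'>" + html.escape(comment, quote=True) + "</p>"


def render_nickname_field(nickname: str) -> str:
    # Inside an attribute value the quote characters matter as much as < and >.
    return '<input name="nick" value="' + html.escape(nickname, quote=True) + '">'


def session_cookie(session_id: str) -> str:
    # Builds the Set-Cookie value; HttpOnly hides the cookie from page JavaScript.
    cookie = SimpleCookie()
    cookie["SESSIONID"] = session_id
    cookie["SESSIONID"]["httponly"] = True
    cookie["SESSIONID"]["secure"] = True
    cookie["SESSIONID"]["path"] = "/"
    return cookie["SESSIONID"].OutputString()


if __name__ == "__main__":
    print(render_comment_unsafe(STORED_COMMENT))  # script tag reaches the page
    print(render_comment(STORED_COMMENT))         # rendered as inert text
    print(render_nickname_field(NICKNAME))        # attribute stays closed
    print("Set-Cookie:", session_cookie("abc123"))
```

HttpOnly limits what an injected script can read; it does not stop the script from running, so the escaping is still required.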
2. Injection attack
There are two main types of injection attack: SQL injection and OS injection. In SQL injection, the attacker injects a malicious SQL fragment into the HTTP request; the server builds its database SQL command from the request data, so the malicious SQL becomes part of that command and runs in the database.
Besides SQL injection, attackers also inject OS commands, programming-language code, and so on, depending on the specific application.
Sanitization
As with XSS defense, filter the request data for SQL that might be injected, such as "drop table". In addition, parameter binding can be used to prevent SQL injection.
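The difference between the two defenses, as an added example that is not part of the original article: a query built by string concatenation, the same query behind a "drop table" keyword filter, and the same query with parameter binding. The `users` table, its rows and the injected value are constructed for the demonstration, using an in-memory SQLite database.

```python
import re
import sqlite3

# Constructed input: a value that changes the query's logic without using
# any of the keywords a "drop table" style filter looks for.
INJECTED = "nobody' OR '1'='1"


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return db


def find_user_concat(db, name):
    # Vulnerable: the request value becomes part of the SQL text itself.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def keyword_filter(value: str) -> str:
    # Keyword filtering as described in the text: removes "drop table".
    return re.sub(r"drop\s+table", "", value, flags=re.IGNORECASE)


def find_user_bound(db, name):
    # Parameter binding: the value travels separately and is only ever data.
    return db.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(find_user_concat(db, INJECTED))                  # every row comes back
    print(find_user_concat(db, keyword_filter(INJECTED)))  # filter changes nothing
    print(find_user_bound(db, INJECTED))                   # no such user: []
```

The keyword filter passes this input unchanged, which is why parameter binding is the control to rely on and filtering is at most a supplement.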
3. CSRF attack
CSRF is cross-site request forgery, in which the attacker performs illegitimate operations as a legitimate user by means of cross-site requests. The main technique is to forge requests in the user's name, without the user's knowledge, using cross-site requests. At its core, it exploits the browser's cookies or the server's session policy to steal the user's identity.
Form Token
CSRF forges a user request, so the attacker has to construct every parameter of that request. A form token adds a random number to the request parameters, which prevents the attacker from obtaining all of the request parameters.
Verification Code
Simpler and more effective: when a request is submitted, the user must enter a verification code, so the attacker cannot forge the request without the user's knowledge.
Referer Check
The Referer field of the HTTP request header records where the request came from, so the server can check the request source to verify that it is legitimate. The same check can also be used for hotlink protection.
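The form token and Referer check described above, combined in one request handler, as an added example that is not part of the original article. The host name, the `csrf_token` field name and the HMAC-based token format are assumptions chosen for illustration; the article only requires that the token contain a random number the attacker cannot know.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret (constructed here)
ALLOWED_HOST = "shop.example.test"     # hypothetical site host


def _mac(session_id: str, nonce: str) -> str:
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_form_token(session_id: str) -> str:
    # Random number embedded in the form, bound to the user's session.
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_form_token(session_id: str, token: str) -> bool:
    nonce, sep, mac = (token or "").partition(".")
    if not sep:
        return False
    expected = _mac(session_id, nonce)
    return hmac.compare_digest(mac.encode(), expected.encode())


def referer_is_same_site(referer) -> bool:
    # Compare the parsed host exactly; a substring match would accept
    # "shop.example.test.evil.invalid". A missing Referer is rejected here.
    if not referer:
        return False
    parts = urlsplit(referer)
    return parts.scheme == "https" and parts.hostname == ALLOWED_HOST


def accept_post(session_id: str, form: dict, headers: dict) -> bool:
    return referer_is_same_site(headers.get("Referer")) and verify_form_token(
        session_id, form.get("csrf_token", "")
    )


if __name__ == "__main__":
    token = issue_form_token("sess-1")
    good = {"Referer": "https://shop.example.test/cart"}
    print(accept_post("sess-1", {"csrf_token": token}, good))   # True
    print(accept_post("sess-1", {}, good))                      # False: no token
    print(accept_post("sess-2", {"csrf_token": token}, good))   # False: other session
```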
4. Web Application Firewall
ModSecurity is an open-source web application firewall that detects attacks and protects web applications. It can be embedded in a web application server or run as a standalone application. ModSecurity was originally only an Apache module; it now has Java and .NET versions and also supports Nginx.
ModSecurity uses an architecture that separates the processing logic from the set of attack rules. The processing logic (the execution engine) is responsible for intercepting and filtering requests and responses, and for loading and executing rules. The attack rule set is responsible for describing specific attacks: rule definitions, pattern recognition, defense strategy, and so on. The processing logic is stable, while the rule set has to be upgraded continually as new vulnerabilities appear, which makes this an extensible architecture design.
5. Information encryption Technology
To protect a website's sensitive data, the application needs to encrypt some of it. Information encryption techniques fall into three categories: one-way hash encryption, symmetric encryption, and asymmetric encryption.
5.1 One-way hash encryption
One-way hash encryption computes a fixed-length output from input of any length, and the hash computation is one-way: the input cannot be recovered from the output.
One-way hashing is generally used for user passwords, so that the password is stored in the database in irreversible form. Even if the database contents leak, the attacker cannot learn what the original password is.
Common one-way hash algorithms include MD5, SHA, and so on.
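Password storage with a one-way hash, as an added example that is not part of the original article. It goes one step beyond the text: a bare hash gives every user with the same password the same stored value, so the example adds a per-user random salt and an iterated hash (PBKDF2-HMAC-SHA256 from Python's standard library, a choice made here, with an assumed iteration count).

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for the demonstration


def bare_hash(password: str) -> str:
    # One-way and fixed-length, but identical passwords give identical output.
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str):
    # Per-user random salt plus an iterated hash; store all three values.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, ITERATIONS, digest


def verify_password(password: str, record) -> bool:
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Constant-time comparison of the recomputed and stored digests.
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Fixed-length output regardless of input length.
    print(len(bare_hash("a")), len(bare_hash("a" * 1000)))
    # Two users with the same password: same bare hash, different salted records.
    print(bare_hash("hunter2") == bare_hash("hunter2"))
    alice, bob = hash_password("hunter2"), hash_password("hunter2")
    print(alice[2] == bob[2])
    print(verify_password("hunter2", alice), verify_password("wrong", alice))
```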
5.2 Symmetric encryption
Symmetric encryption uses the same key for both encryption and decryption.
Commonly used symmetric encryption algorithms include the DES algorithm, the RC algorithm, and so on. Symmetric encryption is a traditional means of encryption and also the most commonly used one, suitable for most occasions.
5.3 Asymmetric Encryption
Asymmetric encryption uses different keys for encryption and decryption. One key is published and is called the public key; the other is known only to its owner and is called the private key. Information encrypted with the public key can only be decrypted with the private key; conversely, information encrypted with the private key can only be decrypted with the public key.
Common asymmetric encryption algorithms include RSA and so on. The digital certificate a browser uses in HTTPS transmission is essentially the public key of an asymmetric key pair, certified by a trusted authority.