Front-end developers should also pay attention to web security

Source: Internet
Author: User

This article was published, in abridged form, in the March issue of "Programmers".

When security comes up, the first people who come to mind are system administrators and back-end development engineers; front-end development engineers seem far removed from these problems. However, a series of web security incidents in 2008 changed the traditional perception of security. Let us briefly review them:

IE7 0day vulnerability and the Chrome crash incident

At the end of 2008, a serious security vulnerability was exposed in IE7. Unlike previous Microsoft vulnerabilities, this time the vulnerability in IE7 was released publicly (what is also known as a 0day vulnerability).

The vulnerability works by causing a memory overflow in IE7 when it parses a piece of carefully constructed XML, which in turn allows arbitrary code to be executed. Although an official patch for the vulnerability was soon released, its impact is still felt today.

Another similar browser storm followed Google's release of its Chrome browser in Q3 2008. On the day Chrome was released, hackers found that simply typing certain characters into the address bar could cause the browser to crash. Even though Google quickly fixed the vulnerability, it left a very bad impression on users.

Reflection: Security issues on the browser platform directly affect a browser's future market share. Firefox owes today's success to having played the security card heavily from the start. For the upcoming IE8, Microsoft has been trumpeting the new browser's security on a variety of occasions. This shows how much attention browser vendors pay to security. In today's crowded browser battlefield, security is bound to be fiercely contested ground.

CSRF and clickjacking vulnerabilities in various microblogs

The popularity of microblogging is one of the highlights of the Web 2.0 wave; however, the recent outbreak of security vulnerabilities at Fanfou, Twitter and others has been a real eye-opener for front-end development engineers. Fanfou's CSRF vulnerability allowed an attacker to use a piece of JavaScript code to post messages to the microblog server without the user's knowledge, resulting in an attack.

Reflection: Client-side JavaScript has long outgrown its role as a "toy" that only produces page effects; it has become a sharp knife. This knife can help the front end solve problems, but it can also hurt users.
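A server-side check that stops the kind of forged post described above, as an added example that is not part of the original article. It assumes a Node.js back end; the origin `https://microblog.example`, the session identifiers and the function names are hypothetical.

```javascript
const crypto = require("node:crypto");

// Assumptions for this example: a per-server secret and the site's own origin.
const SERVER_SECRET = crypto.randomBytes(32);
const SITE_ORIGIN = "https://microblog.example"; // hypothetical

// Token = HMAC(secret, sessionId). A page on another origin can make the
// browser send the session cookie, but it cannot read or compute this value.
function issueCsrfToken(sessionId) {
  return crypto.createHmac("sha256", SERVER_SECRET).update(sessionId).digest("hex");
}

// Decide whether a state-changing request ("post a message") is acceptable.
function checkPostRequest({ sessionId, origin, csrfToken }) {
  // 1. Reject requests whose Origin header is foreign (or missing, in this example).
  if (origin !== SITE_ORIGIN) return { ok: false, reason: "foreign-origin" };
  // 2. The session cookie alone proves nothing: the browser attaches it automatically.
  if (typeof csrfToken !== "string") return { ok: false, reason: "missing-token" };
  const expected = Buffer.from(issueCsrfToken(sessionId), "hex");
  const supplied = Buffer.from(csrfToken, "hex");
  // 3. Constant-time compare; check length first because timingSafeEqual throws on mismatch.
  if (supplied.length !== expected.length || !crypto.timingSafeEqual(supplied, expected)) {
    return { ok: false, reason: "bad-token" };
  }
  return { ok: true, reason: "accepted" };
}

// Constructed sample requests: one from the site's own form, three forged variants.
function demo() {
  const sid = "session-alice";
  return [
    { sessionId: sid, origin: SITE_ORIGIN, csrfToken: issueCsrfToken(sid) },
    { sessionId: sid, origin: "https://third-party.example" },
    { sessionId: sid, origin: SITE_ORIGIN },
    { sessionId: sid, origin: SITE_ORIGIN, csrfToken: issueCsrfToken("session-bob") },
  ].map((req) => checkPostRequest(req).reason);
}

console.log(demo());
```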

Earlier this year, a clickjacking vulnerability in Twitter came to light: the Twitter publish page is embedded in a third-party page through an iframe, and CSS is then used to make Twitter's publish button overlap a button on the third-party page. When the user means to click the button on the third-party page, the click actually lands on the publish button of the Twitter page, resulting in an attack.

Reflection: Front-end attack techniques are gradually escalating. Guarding against front-end attacks no longer means guarding only against JavaScript and other front-end scripts; CSS and even HTML can constitute an attack.
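The iframe overlay described above only works if the target page agrees to be framed. The following added example (not from the original article) models how a browser applies the `X-Frame-Options` and CSP `frame-ancestors` response headers, which the article does not name; the origins and header sets are constructed, and the model is simplified to a single embedding page.

```javascript
// Constructed sample response headers for a page that carries a "publish" button.
const UNPROTECTED = { "content-type": "text/html" }; // weak: no framing policy
const SAME_SITE_ONLY = { "x-frame-options": "SAMEORIGIN" };
const HARDENED = {
  "content-security-policy": "default-src 'self'; frame-ancestors 'none'",
  "x-frame-options": "DENY", // kept for browsers without frame-ancestors support
};

// Returns true if the response would be rendered inside a frame on embedderOrigin.
// Simplified: handles 'none', 'self', "*" and exact origins, and one ancestor only.
function canBeFramedBy(headers, pageOrigin, embedderOrigin) {
  const csp = headers["content-security-policy"] || "";
  const directive = csp
    .split(";")
    .map((d) => d.trim().split(/\s+/))
    .find((parts) => parts[0].toLowerCase() === "frame-ancestors");
  if (directive) {
    // When frame-ancestors is present, it is enforced and X-Frame-Options is ignored.
    return directive.slice(1).some((src) => {
      if (src === "'none'") return false;
      if (src === "'self'") return embedderOrigin === pageOrigin;
      return src === "*" || src === embedderOrigin;
    });
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return embedderOrigin === pageOrigin;
  return true; // no policy at all: any site may frame the page
}

// Audit the three header sets against a third-party embedder (hypothetical origins).
function auditSamples() {
  const page = "https://microblog.example";
  const thirdParty = "https://third-party.example";
  return {
    unprotected: canBeFramedBy(UNPROTECTED, page, thirdParty),
    sameSiteOnly: canBeFramedBy(SAME_SITE_ONLY, page, thirdParty),
    sameSiteSelf: canBeFramedBy(SAME_SITE_ONLY, page, page),
    hardened: canBeFramedBy(HARDENED, page, thirdParty),
  };
}

console.log(auditSamples());
```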

"Jing Wu Men" Security Summit

The "Jing Wu Men" Security Summit is a seminar on web application security organized by Alibaba Group. Unlike previous years, which discussed back-end security, this year's summit focused on the methods of web attacks and the precautions against them. A number of well-known domestic security groups gathered to discuss the front-end security issues currently facing domestic web applications.

Reflection: The dazzling array of attack techniques on display also prompted thinking about the future of domestic web application security.

Postscript

With the arrival of Web 2.0, the front-end position has changed from the traditional "artist" into the role that realizes the user experience. However, with the increasingly powerful capabilities of browsers and the growing sophistication of web applications, security, traditionally a shrouded "grey zone", is also coming into view for every front-end development engineer. I believe that in the near future, front-end development engineers, as a new security force, will occupy a very important seat.


