Web Front-End Hacker Techniques Revealed (beginner's notes)

Source: Internet
Author: User

I. Key Points of Web Security

1. The same-origin policy is one of many security policies, but it is the policy the Web is built on and the most important one to understand.

2. Same-origin policy: client-side scripts from different origins cannot read or write each other's resources without explicit authorization.

3. Two pages are in the same origin only if they share the same protocol, the same domain name, and the same port.

4. Within the same origin, client-side scripts can of course read and write each other's resources, provided the resource itself is readable and writable.

5. Security works like a bucket: the shortest stave decides how much water it holds. For a Web server hosting several sites without permission separation and with trust relationships that are not kept under control, the overall security level is that of the least secure site.

6. A site with strong security can still be compromised through an unreliable trust relationship.

7. CSRF stands for cross-site request forgery. CSRF borrows the target user's permissions to act on the user's behalf, a case of borrowing someone else's knife to do the cutting (note "borrow" rather than "steal"). Stealing the permissions themselves is what XSS (cross-site scripting) prefers.


II. Front-End Basics

1. CSS Reset is a technique developed to deal with CSS compatibility: it resets the styles that browsers render differently by default, and the page's own CSS then redefines its styles on top of that baseline.

2. Many excellent JavaScript frameworks, such as jQuery and YUI, were created to solve JavaScript compatibility problems.

3. The request protocol of a URL is almost always HTTP. HTTP is a stateless request/response protocol: after each request/response pair the connection is closed, either immediately or after a delay (keep-alive maintains the connection for a limited period), and once it is closed the next request opens a new connection.

4. HTTP is stateless, so how does the server know on each connection that you are the same user as last time? The session is tracked through Cookies: a Cookie set in the first response is sent back with every later request, and it can carry identity information after login authentication.

5. The iframe tag raises some interesting security topics. When a web page embeds another page with an iframe, we call the embedding page the parent page and the embedded page the child page.

6. If the parent and child pages are in the same origin, things are simple: the parent page can use the iframe's contentWindow to operate on the child page's DOM tree, and the child page can likewise reach the parent's window and operate on the parent page's DOM tree. If they are in different origins, the same-origin policy applies, but the child page can still write the parent page's location value and thereby redirect the parent page to another web page. In that case the location is write-only: there is no read permission, so the child page cannot obtain the content of the parent page's URL. If it could, private data might leak, because some websites store authentication tokens in URLs.

7. For cross-site attacks, in most cases an XSS vulnerability means that arbitrary JavaScript can be injected. With JavaScript, an attacker can simulate any user operation and obtain any private information. JavaScript can be called the soul of cross-site attacks.

8. The data in the URL address can be read from window.location or location.

9. Asynchronous is the counterpart of synchronous. Asynchrony can be understood as a separate thread that runs independently of the browser's main thread, so the browser does not wait (block); the asynchronous work proceeds quietly in the background, which is why AJAX attacks appear silent and leave no visible trace. AJAX itself is built from JavaScript; the XML is not required. The X in AJAX originally meant that the data was transmitted as XML: the HTTP request sent by AJAX received an XML response, and JavaScript parsed the XML DOM tree to read the wanted nodes. In practice the response can also be JSON (now mainstream), plain text, HTML, and so on; XML stays in the name for historical reasons.

10. The core object of AJAX is XMLHttpRequest.

11. AJAX strictly follows the same-origin policy: it neither reads data from another origin nor sends data to another origin. There is one case in which data can be exchanged with another origin: the new W3C standard, CORS, promotes browser support for a cross-origin scheme. Current browsers support it as follows:

The AJAX code of www.foo.com (source domain) initiates a request to www.evil.com (target domain); the browser automatically adds the Origin header, as shown below:

Origin: http://www.foo.com

The target domain then checks the Origin value and, if it is the expected one, returns the response with a matching Access-Control-Allow-Origin header.

12. If the target domain does not set Access-Control-Allow-Origin: http://www.foo.com, can private data still be stolen? The answer is yes.
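As an added example (not code from the original article or its author), here is the target-domain side of the CORS exchange described above: the browser supplies the Origin header, and the server compares it against an explicit allowlist and answers with that exact origin rather than reflecting whatever it received. The www.foo.com origin and the "profile" resource are assumptions taken from the notes above.

```javascript
// Added example, not code from the original article: the target-domain side
// of the CORS exchange. The browser adds the Origin header on its own; the
// server must compare it with an explicit allowlist. Reflecting any Origin
// together with Access-Control-Allow-Credentials would let every site read
// the user's data through the user's own cookies.

// Origins allowed to read this resource (www.foo.com is the article's
// hypothetical source domain).
const ALLOWED_ORIGINS = new Set(["http://www.foo.com"]);

// Returns the CORS headers to add for one request Origin, or {} when the
// origin is not trusted; without Access-Control-Allow-Origin the browser
// refuses to hand the response body to the calling script.
function corsHeadersFor(origin) {
  if (typeof origin !== "string" || !ALLOWED_ORIGINS.has(origin)) {
    return {};
  }
  return {
    "Access-Control-Allow-Origin": origin,       // exact origin, never "*" with cookies
    "Access-Control-Allow-Credentials": "true",  // cookie-authenticated XHR
    "Vary": "Origin",                            // stop caches replaying another origin's answer
  };
}

// Request handler that works on a plain object so it runs without a socket;
// req.headers uses lower-case names, as Node's http module does.
function handleProfileRequest(req) {
  const cors = corsHeadersFor(req.headers.origin);
  return {
    status: 200,
    headers: { "Content-Type": "application/json", ...cors },
    body: JSON.stringify({ user: "alice" }),  // constructed private data
  };
}

// Quick check with constructed requests: the allowed origin gets the grant,
// any other origin gets no CORS header, so its script cannot read the body.
function demo() {
  return {
    allowed: handleProfileRequest({ headers: { origin: "http://www.foo.com" } }).headers,
    other: handleProfileRequest({ headers: { origin: "http://other.example" } }).headers,
  };
}
```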

13. A GET request is essentially just a URL.

14. For POST requests, the XMLHttpRequest object mentioned above is very convenient: it can simulate a form submission in either asynchronous or synchronous mode. The difference lies in the third parameter of the open method on the xhr instance created from XMLHttpRequest: true means asynchronous, false means synchronous. The asynchronous mode is what AJAX uses: after the request is sent, JavaScript can carry on with other work, and when the response arrives the xhr object's onreadystatechange event fires, which can be listened to in order to process the response content. In synchronous mode, JavaScript must wait for the response after sending the request and is blocked in the meantime.

15. The Cookie is a magic mechanism: every request the browser sends to the same domain carries the Cookie, no matter which resource is requested, and it appears in the Cookie field of the request header.

16. Cookies are often used to store user Session information. After a user logs in, for example, the authenticated Session information is carried on every request sent to that domain.

17. HttpOnly means the Cookie is transmitted only at the HTTP layer: when the HttpOnly flag is set, client-side scripts cannot read or write the Cookie, which effectively defends against XSS attacks that try to obtain the Cookie.

18. The Secure Cookie mechanism means that a Cookie carrying the Secure flag is transmitted only over HTTPS; a plain HTTP request does not carry it, which reduces the risk of important cookies being intercepted by a man in the middle.

19. Whether a Cookie is a local (persistent) Cookie or a memory Cookie depends on its expiration time (the expires field of the Cookie). If no expiration is set, the Cookie lives in memory and disappears when the browser closes. If the expiration is set to a point in the future, the Cookie is saved as text on the local operating system and disappears after the expiration time.

20. To delete a Cookie, just set its expiration to a time in the past. Cookies cannot be shared across browsers.
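The Cookie properties from items 15 to 20 above, as an added example that is not part of the original notes: a builder for a Set-Cookie header with the HttpOnly, Secure and expiry attributes, the past-expiry deletion trick, and a small parser that reads the flags back so a response can be audited. The cookie name "sid" and the sample values are constructed.

```javascript
// Added example, not code from the original article. Builds and audits the
// Set-Cookie header that gives a session cookie the properties described above.
// opts.httpOnly -> scripts cannot read it (document.cookie): defence vs XSS theft
// opts.secure   -> sent only over HTTPS: defence vs interception in transit
// opts.expires  -> Date; omitted means a memory cookie that dies with the browser
function buildSetCookie(name, value, opts = {}) {
  if (!/^[\w-]+$/.test(name)) throw new Error("invalid cookie name");
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.expires instanceof Date) parts.push(`Expires=${opts.expires.toUTCString()}`);
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.secure) parts.push("Secure");
  if (opts.httpOnly) parts.push("HttpOnly");
  return parts.join("; ");
}

// Deleting a cookie: same name, empty value, expiry in the past (epoch 0).
function expireCookie(name, opts = {}) {
  return buildSetCookie(name, "", { ...opts, expires: new Date(0) });
}

// Parse a Set-Cookie value back into { name, value, attrs }; attribute names
// are lower-cased, flags without a value become true.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const out = { name: pair.slice(0, eq), value: decodeURIComponent(pair.slice(eq + 1)), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const k = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    out.attrs[k] = i === -1 ? true : a.slice(i + 1);
  }
  return out;
}

// Is this cookie fit to carry an authenticated session? It needs both flags
// and, if persistent, an expiry that still lies in the future.
function sessionCookieIsHardened(header, now = new Date()) {
  const c = parseSetCookie(header);
  if (c.attrs.httponly !== true || c.attrs.secure !== true) return false;
  if (c.attrs.expires !== undefined && new Date(c.attrs.expires) <= now) return false;
  return true;
}
```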

21. Flash is a common solution for storing data across browsers. The default data size of a Flash cookie is kb.

22. If there are many illegal characters before an h1 rule, how can we make sure the h1 rule still parses? Add {} before h1 (in IE, add }). This is caused by differences in how browsers parse CSS.

{} h1 { font-size: 50px; color: red; }


III. XSS for Front-End Hackers

1. XSS is cross-site scripting. It happens at the browser layer of the target user on the target website: when the user's browser renders the whole HTML document, unexpected script commands are executed, and that is XSS.

Target user of the target website: the emphasis is on the scenario.

Browser: these attacks are parsed and executed by the browser.

Unexpected: the attacker submitted controllable script content at the input, and the browser parses and executes it at the output.

2. The emphasis of XSS is not on "cross-site" but on "scripting", taking the name literally. The "cross" is actually a browser feature rather than a defect; the illusion that the attack is "cross-site" arises because most XSS attacks load scripts from a remote or third-party domain.

3. Summary: XSS does everything it can to get your script content parsed and executed in the target user's browser on the target website.

4. There are three types of XSS: reflected XSS (also called non-persistent XSS), stored XSS (also called persistent XSS), and DOM XSS.

5. Stored XSS is the most concealed.


IV. CSRF for Front-End Hackers

1. CSRF also plays an important role in the cross-site world. CSRF stands for Cross-Site Request Forgery.

The attack is carried out through requests. For CSRF, the requests have two key points: they are cross-site, and they are forged.

2. Security risks always arise inside normal workflows. Suppose we send a GET request to delete an article: the browser lets a legitimate cross-origin request through.

3. Any HTML tag that can set src, href, or another link address can initiate a GET request.

4. GET requests can also be initiated by tag objects or CSS objects generated dynamically with JavaScript; POST requests can only be submitted through a form.

5. Because the JSON format is concise and powerful, websites have gradually replaced traditional XML with JSON for data transmission.

6. If the JSON data is returned as a dictionary (object), evaluating it directly in the browser raises an error, because the browser treats a script that starts with "{" as a block enclosed in braces. Such JSON data is therefore usually handled like this:

eval("(" + JSON_DATA + ")"); // wrap in parentheses so "{" starts an object literal, not a block

7. JSON data returned as a list is an Array object. In the past, JSON hijacking attacks could be carried out by hijacking the Array data.


V. Interface Hijacking for Browser Hackers

1. Interface operation hijacking is a Web session hijacking attack based on visual deception. An invisible frame (iframe) is laid over a visible control on the web page, so the user believes they are operating the visible control while the action is actually captured by the invisible frame and the malicious code inside it runs. In this way attackers can steal sensitive information, tamper with data, and carry out other attacks without the user's knowledge.

2. There are three types of interface hijacking: Click hijacking, drag-and-drop hijacking, and touch screen hijacking.

3. In the browser, drag-and-drop operations are not restricted by the same-origin policy: content can be dragged from one origin and dropped into another. Drag-and-drop hijacking therefore breaks through the same-origin restriction and can evolve into a wider range of attack forms that defeat many kinds of defenses.

4. The layering of controls is expressed with z-index, which every browser supports:

z-index: 1; The value may be negative. A control with a higher value sits in front of a control with a lower value; the higher the value, the closer the control is to the user.

 

VI. Vulnerability Mining

1. Back to XSS vulnerability mining. The input points an attacker controls include <path>, <query>, and <fragment>, although the value in <fragment> is generally not parsed by the server, except on Web 2.0 websites.

2. In the most common scenario the output appears at the position <div id="body">[Output]</div>; submitting

id=1<script>alert(1)</script>

triggers XSS.

But what if the output appears inside the following tags?

<title></title>

<textarea></textarea>

<xmp></xmp>

<iframe></iframe>

<noscript></noscript>

<noframes></noframes>

<plaintext></plaintext>

For example, will <title><script>alert(1)</script></title> pop up an alert box? The answer: no! Scripts are not executed between these tags. An XSS vulnerability mining system must be able to tell these contexts apart. For example, if it finds the output inside <title></title>, it changes the submitted payload to:

</title><script>alert(1)</script>

In addition, two special tags, <script> and <style>, deserve attention. Tags cannot be nested inside them, and payload construction is more flexible: besides closing the corresponding tag, a payload can also use the fact that their content is itself executable script (or style) to build special payloads.

3. HTML is a very non-strict markup language (XML is the opposite). Attribute values may be written without quotation marks, or with single quotes, double quotes, or backticks (the latter only supported by IE).

4. The "probe" request has two purposes. First, does the target parameter value appear in the response at all? If not, there is no need for the subsequent payload requests and analysis, which may otherwise run many times and waste request resources. Second, which part of the HTML contains the target parameter value? As the analysis above shows, different parts of the HTML treat XSS differently, so the payload to request is certainly different.

5. A text or symbol unit visible to the naked eye is a character (including garbled characters). A character may correspond to 1 to N bytes; 1 byte is 8 bits, and each bit is either 1 or 0.

6. How many bytes (1 to N) a character occupies is determined by the character set and encoding. For example, an ASCII character occupies 1 byte, but only 7 of the 8 bits are used and the highest bit is reserved for other purposes, so the ASCII character set contains 2 to the power of 7 (128) characters, which are essentially the English characters on the keyboard (including control characters).

7. <!--[if IE]> recognized by all IE versions <![endif]-->

<!--[if IE 6]> recognized only by IE6 <![endif]-->

<!--[if lt IE 6]> recognized by versions earlier than IE6 <![endif]-->

<!--[if gte IE 6]> recognized by IE6 and later versions <![endif]-->

These conditional comments are exclusive to IE. Other browsers treat them as ordinary comments, but IE evaluates the condition and executes the content accordingly, which creates an opportunity to bypass filters.

8. Three pseudo-protocols are commonly used in XSS today: javascript:, vbscript: (the protocol name can also be abbreviated as vbs:), and data:.

9. Like HTML tag and attribute names, pseudo-protocol names are case-insensitive. As with event handlers, their data can also be automatically decoded through HTML decoding and hexadecimal decoding.

10. @charset is a rule; !important is a declaration. Only CSS resource-type property values and @import rules can be used to embed XSS scripts, plus the expression property value, which is executed only by the IE browser.

11. var a = "123</script><script>alert(1);</script>";

In JavaScript code on an HTML page, the </script> closing tag has the highest priority and can interrupt JavaScript code anywhere. In practice a filter therefore checks whether </script> appears inside the quoted variable value and, if so, converts it to "<\/script>" with a backslash. Also watch where the quoted variable's data flows, to check whether DOM XSS is possible.
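The context problem from item 2 of this section (output landing inside <title> or <textarea>, where only a closing tag breaks out) and the </script> case in item 11 above are handled on the defending side by context-specific output encoding. Here is an added example, not code from the original notes: three encoders for text, attribute and JavaScript-string contexts, rendered together with the notes' own </title><script>alert(1)</script> payload, and a counter that confirms no extra closing tag survives. The page template and function names are constructed.

```javascript
// Added example, not code from the original article: output encoders for the
// three places the notes put a reflected value.

// HTML text context (also RCDATA elements such as <title>/<textarea>): the
// closing tag is the only way out, so "<" and ">" are neutralised; "&" is
// encoded too so entities cannot be smuggled through.
function escapeHtmlText(s) {
  return String(s).replace(/[&<>]/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;" }[c]));
}

// Attribute context: a quote ends the value; the backtick is included because
// IE accepted it as an attribute delimiter (item 3 above).
function escapeHtmlAttr(s) {
  return String(s).replace(/[&<>"'`]/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;", "`": "&#96;" }[c]));
}

// JavaScript string literal inside <script>: besides quotes and backslashes,
// "</" must become "<\/" because the HTML parser ends the script element at
// </script> no matter what the JavaScript string state is.
function escapeJsString(s) {
  return String(s)
    .replace(/\\/g, "\\\\")
    .replace(/"/g, '\\"')
    .replace(/'/g, "\\'")
    .replace(/<\//g, "<\\/")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029")
    .replace(/\r/g, "\\r")
    .replace(/\n/g, "\\n");
}

// Constructed page template: the same value placed in all three contexts.
function renderPage(value) {
  return (
    `<title>${escapeHtmlText(value)}</title>\n` +
    `<div id="body" data-v="${escapeHtmlAttr(value)}"></div>\n` +
    `<script>var a = "${escapeJsString(value)}";</script>`
  );
}

// Audit helper: how many literal closing tags of a kind does the page contain?
// For a hardened page the answer is exactly one each for title and script.
function closingTagCount(html, tag) {
  return (html.match(new RegExp(`</${tag}\\s*>`, "gi")) || []).length;
}
```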

12. Depending on the requirements, JSON generally comes in two formats: a bare Object without a callback function name, and an Object passed as the parameter of a callback function, as follows:

[{"a": "B"}]

callback([{"a": "B"}])

The latter is mainly used for cross-origin data transmission, and this feature is often an important channel for attackers to obtain users' private data across domains.

 

VII. Exploitation of Vulnerabilities

1. The <script> tag can request content cross-origin. This is a legitimate feature, and the requested content must be in valid JavaScript syntax. This technique was mentioned earlier: the requested data, such as JSON wrapped in a callback function, is returned as script (this kind of cross-domain data communication is called JSONP).
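The eval("(" + JSON_DATA + ")") idiom and Array hijacking from section IV, and the callback-wrapped JSON returned to a cross-origin <script> tag described here, come together in the following added example (not code from the original notes or its author). It shows the reader side parsing strictly instead of evaluating, and the serving side adding a non-executable prefix to bare JSON and validating the JSONP callback name. The prefix value, function names and sample bodies are constructed.

```javascript
// Added example, not code from the original article: safe handling on both
// sides of the JSON / JSONP exchange described in the notes.

// Prefix placed before JSON bodies: as JavaScript it is a syntax error, so a
// foreign <script src> include of the URL cannot run it, while an XHR reader
// on the same origin strips it before parsing.
const ANTI_HIJACK_PREFIX = ")]}',\n";

// Client side: strip the prefix and parse strictly; throws on anything that
// is not pure JSON instead of executing it.
function readJsonResponse(body) {
  const text = body.startsWith(ANTI_HIJACK_PREFIX)
    ? body.slice(ANTI_HIJACK_PREFIX.length)
    : body;
  return JSON.parse(text);
}

// What the old eval("(" + data + ")") idiom does with the same body: any
// expression runs, so a tampered response becomes code execution.
function evalWouldRun(body) {
  try { eval("(" + body + ")"); return true; } catch (e) { return false; }
}

// Server side: a JSONP callback name must be a plain identifier path,
// otherwise the callback parameter itself becomes an injection point into
// the script response.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function renderJson(data, callback) {
  const json = JSON.stringify(data);
  if (callback === undefined) {
    // Bare JSON, object or array, gets the prefix; this also covers the
    // Array case the notes mention for the old JSON hijacking.
    return { contentType: "application/json", body: ANTI_HIJACK_PREFIX + json };
  }
  if (!CALLBACK_RE.test(callback)) throw new Error("invalid JSONP callback name");
  // JSONP is readable by any origin by design: serve only public data here.
  return { contentType: "application/javascript", body: `${callback}(${json});` };
}
```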

 

VIII. HTML5 Security

 

IX. Web Worms

1. Web worms mainly include XSS worms, CSRF worms, and Clickjacking worms. These three are tied to specific vulnerability risks and are easily told apart by their names. To express the Web worm idea more fully, a fourth type is mentioned below: the text worm.

2. Apart from the different vulnerabilities they exploit, these worms are essentially the same: they all trick users into interacting with Web 2.0 features, producing passive, active, or mixed spreading threats. From the XSS worm to the CSRF worm, and from the Clickjacking worm to the text worm, the share of social engineering grows.

3. A worm that uses mass psychology to drive its spread is what we call a text worm.

4. Worms have the following two main features: propagation and virus behavior.

 

X. Defense
