1. Cross-site scripting attacks
Concept
Cross-Site Scripting (XSS) , which can inject code into the web pages that users browse, such code includes HTML
and JavaScript
.
Principle of the attack
For example, there is a forum site on which an attacker could post the following.
|
|
The content may then be rendered in the following form.
|
|
Another user viewing a page with this content will be redirected to domain.com
with a cookie
for the current scope. If the forum site manages user login status via Cookie
, then the attacker can log in to the attacker’s account via this Cookie
.
Hazards
- Stealing user
Cookie
s - Forging fake input forms to obtain personal information
- Displaying fake articles or images
Precautions
1. Set Cookie to HttpOnly
Setting Cookie
to HttpOnly
prevents JavaScript
script calls from getting user Cookie
information via document.cookie
e.
2. Filtering special characters
For example, <
is escaped as <
and >
is escaped as >
, thus avoiding HTML and Jascript code from running.
Rich text editors allow the user to enter HTML code, so that characters such as <
cannot simply be filtered, greatly increasing the likelihood of XSS attacks.
Rich text editors often use XSS filter
to prevent XSS
attacks by defining some tags to be whitelisted or blacklisted, thus disallowing the input of offensive HTML
code.
In the following example, tags such as form
and script
are escaped, while tags such as h
and p
will be preserved.
2. Cross-site request forgery
Concept
Cross-site request forgery (CSRF) is a technique by which an attacker tricks a user’s browser into visiting a website that he or she has authenticated before and performing some operations (such as sending emails, sending messages, or even property operations such as transferring money and purchasing goods). Since the browser has been authenticated before, the visited website will think it is a real user action and perform it.
XSS
takes advantage of the user’s trust in a given website, while CSRF
takes advantage of the website’s trust in the user’s browser.
Attack Principle
Suppose a bank uses the following URL
address to perform a transfer operation.
|
|
Then a malicious attacker could place the following code on another website.
|
|
If a user with an account named Alice
visits a malicious site, and she has just visited the bank shortly before and her login information has not yet expired, she could lose 1000
dollars.
Such malicious URLs can take many forms and hide in many places on the Web. Moreover, the attacker does not need to control the site where the malicious URL is placed. For example, he can hide such addresses in forums, blogs, and any other websites with user-generated content. This means that if there are no proper defenses on the server side, users are at risk of being attacked even if they visit a familiar and trusted website.
As you can see from the example, attackers cannot directly gain control of a user’s account through a CSRF
attack, nor can they directly steal any information about the user. What they can do is to trick the user’s browser into performing actions in the user’s name.
Precautions
1. Checking the Referer initial field
The Referer
initial field is located in the HTTP
message and is used to identify the address of the request source. Checking this initial field and requiring the address of the request source to be under the same domain name can greatly prevent CSRF
attacks.
This approach is easy to implement, low effort, and requires only one additional step of verification at critical accesses. However, this approach has its limitations, as it relies entirely on the browser sending the correct Referer
field. Although the HTTP
protocol specifies the contents of this field, there is no guarantee that the specific implementation of the visiting browser or that there are no security vulnerabilities in the browser that could affect this field. There is also the possibility that an attacker could attack some browsers and tamper with their Referer
fields.
2. Add Checksum Token
When accessing sensitive data requests, the user’s browser is asked to provide data that is not stored in the cookie
and cannot be forged by an attacker as a checksum. For example, the server generates a random number and appends it to the form, and asks the client to pass back this random number.
3. Enter the CAPTCHA
Since CSRF
attacks occur without the user’s awareness, asking the user to enter a CAPTCHA lets the user know what he or she is doing.
3. SQL Injection Attack
Concept
The database on the server runs illegal SQL
statements, mainly through splicing.
Principle of attack
For example, the SQL
query code for a website login verification is
|
|
If the following is filled in.
Then the SQL query string is as follows.
|
|
At this point, the following query can be executed without verification pass.
|
|
Precautions
1. Use parameterized queries
A PreparedStatement
in Java
is a pre-compiled SQL
statement that can be passed appropriate parameters and executed multiple times. Since there is no splicing process, it prevents SQL
injection from occurring.
2. Single quote conversion
Convert single quotes in the incoming parameter to two consecutive single quotes, the Magic quote
in PHP
can do this.
4. Denial of Service Attack
denial-of-service attack (DoS) , also known as a flood attack, is designed to exhaust the network or system resources of the target computer so that services are temporarily interrupted or stopped, resulting in inaccessibility to its normal users.
distributed denial-of-service attack (DDoS) , which refers to an attacker using two or more compromised computers as bots to launch a denial-of-service style attack on a specific target.
Precautions
Although a bit insurmountable, there are certain countermeasures.
- Purchase a high security server
- Set up gateway or routing firewall
- Using CDN
- Multiple identification of requesters, don’t let all traffic in without any authentication
- If there is a problem on the line, you can direct the attack to another batch of hosts to ensure that the core hosts are healthy and working