Web Security
2022-07-05 10:47:00 【Code Bruce Lee】
Preface
The following is a summary of common front-end security knowledge; these points are also standard interview questions. There is nothing technically deep here, but you need to know it, and when developing our own applications we must avoid such low-level mistakes.
SQL injection
Description
The back end takes parameters sent by the front end and splices them directly into an SQL query. A crafted parameter then alters the query itself, which is where the security problem comes from.
Solution
Validate the information sent by the front end layer by layer, and never use it directly.
Note: from here on, any data sent from the front end may be risky or malformed, so every back-end interface must check the passed parameters for illegal values and perform business validation before actually using them.
XSS (Cross Site Scripting, cross-site scripting attack)
Description
Simply put, an attacker injects JS code into your page in some way, most commonly through a submitted form. Because that code runs with the same permissions as your own code, it can read your data and also send some of it out. The harm is therefore great.
Solution
Escape the following characters in the input (the HTML entities were lost in rendering; the standard forms are):
& replace with: &amp;
< replace with: &lt;
> replace with: &gt;
" replace with: &quot;
' replace with: &#x27;
/ replace with: &#x2F;
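An added example (not code from the original post) that implements the six replacements above as a JavaScript escaping function and applies it wherever untrusted form values are concatenated into markup; the comment markup and the sample input are constructed for illustration.

```javascript
// Added example: HTML-escape untrusted text with the six replacements listed
// in the post before it is concatenated into markup.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// One pass over the string with a character-class regex, so the '&' produced
// by one replacement is never escaped a second time.
function escapeHtml(input) {
  return String(input).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Builds a comment block (constructed markup) from untrusted fields. Every
// interpolated value passes through escapeHtml, so a submitted <script> tag is
// rendered as visible text and a quote character cannot close the attribute.
function renderComment(author, text) {
  return '<div class="comment" title="' + escapeHtml(author) + '">' +
         '<p>' + escapeHtml(text) + '</p></div>';
}

// Constructed sample input standing in for a submitted form field.
const submitted = '<script>alert("x")</script>';
console.log(escapeHtml(submitted));
// → &lt;script&gt;alert(&quot;x&quot;)&lt;&#x2F;script&gt;
```

These replacements are for text placed in HTML body or attribute context; a value inserted into a script block, a URL or a CSS rule needs the escaping rules of that context instead.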
In addition, tighten control over cookies: set the HttpOnly flag so that JS cannot read the cookie contents.
However, for rich text content simple text substitution does not solve the problem; it can be handled with CSP (Content Security Policy), that is, by establishing a whitelist of allowed sources:
Set Content-Security-Policy in the HTTP response header
Or set it through a meta tag
If it is set as an HTTP header, it can look like this: Content-Security-Policy: default-src 'self', which allows only resources from this site to load.
CSRF (Cross-site request forgery)
Description
CSRF uses the privileges of the currently logged-in user to secretly complete an operation, rather than stealing the user's information.
Its principle is the cookie same-origin policy: once the user is logged in, requests to the same domain name carry the session and do not need to be verified by the user again.
Solution
For operations that need verification, add extra validation, such as a verification code, password or fingerprint;
Change GET requests to POST requests, which is more secure; let GET requests be used only for read operations;
Verify document.referrer to determine which page the request came from; WeChat Pay has this verification mechanism;
A token timeliness mechanism: when an operation is performed, send a time-limited token, and when the subsequent operation is performed, verify that the token is the same;
Verify the network IP: if the request is initiated from a non-local device, its IP will differ from the original IP, so comparing IPs can also remove unsafe factors.
Web page nesting attack (clickjacking)
Description
The attacker nests the target page in an iframe, makes the nested frame transparent, and when the user clicks through the visible interface the attacker's own action is triggered instead.
Solution
The first: set a header that disallows nesting
X-FRAME-OPTIONS is an HTTP response header that is well supported in modern browsers. It defends against clickjacking attacks that use iframe nesting.
The response header has three optional values, namely:
DENY: the page is not permitted to be shown in an iframe
SAMEORIGIN: the page may be shown in an iframe under the same domain name
ALLOW-FROM: the page may be shown in an iframe from the specified origin
The second: we can solve this problem with a simple JS check of whether the current window is the top-level window.
if (top.location != self.location) {
  // Loaded inside a frame: break out by making this page the top-level window
  top.location.href = window.location.href;
} else {
  alert("It's the top window");
}
Man-in-the-middle attack
Description
The request is intercepted; it may then be rewritten, or important information may be extracted from it, before the request is allowed to continue.
Solution
Simple and effective: upgrade to HTTPS.