An overview of common Web attack techniques
1、 Foreword
HTTP is a stateless, connectionless, best-effort protocol, and attacks on Web sites are largely built on these characteristics. Statelessness, for example, means developers must design and implement "authentication" and "session management" themselves to secure a web application, and every home-grown implementation brings its own risk of session hijacking, SQL injection and other attacks. Connectionlessness means the client can freely modify the content of an HTTP request, so the server may receive data that differs from what it expects.
Among web vulnerabilities, logic vulnerabilities account for the largest share. A logic vulnerability is a case that the program's logic fails to handle, or handles incorrectly, because that logic is too loose or too complex. They typically appear in payment amounts, access control (unauthorized access), information queries, login authentication and similar places. A large part of the cause is code that is not rigorous enough and trusts the client too much: for example, returned data that contains the user's sensitive information, or a login that is exposed to credential-stuffing ("database collision") attacks.
A technical vulnerability attack is one in which the attacker uses attack code to obtain information illegally or to disguise their identity by some technical means. Technical vulnerability attacks can be divided into active attacks and passive attacks.
An active attack is one in which the attacker embeds attack code by accessing the web application directly. Representative examples are SQL injection and OS command injection.
A passive attack is one in which the attack code is executed through a trap, such as luring users into clicking a link on a phishing site. Representative examples are cross-site scripting (XSS) and cross-site request forgery (CSRF).
2、 Active attack
1. SQL injection
SQL injection is an attack on the database behind a web application that works by running illegal SQL. In short, the attacker uses form input to make the server splice together an illegal SQL statement. For example, a normal SQL statement looks like this:
SELECT * FROM user WHERE name='张三' and password = '123456'
Normally the user enters the user name "张三" (Zhang San) and the password "123456" to complete authentication (in practice the password would be stored and compared as an MD5 hash rather than in plain text).
Now suppose the user name entered is "张三'--" instead. What does the SQL look like? Everything after -- is treated as a comment, so the password check is discarded and the user bypasses authentication:
SELECT * FROM user WHERE name='张三'--' and password = '666666'
The common defense against SQL injection is to precompile the SQL statement, that is, to use prepared statements with bound parameters.
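The bypass above and the precompiled fix side by side, as an added example that is not part of the original article. It uses Python's sqlite3 module with a constructed in-memory table holding the article's single user row.

```python
import sqlite3

def setup_db():
    # Constructed in-memory database with the single row from the article's example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (name TEXT, password TEXT)")
    conn.execute("INSERT INTO user VALUES ('张三', '123456')")
    return conn

def build_spliced_sql(name, password):
    # The vulnerable pattern: user input is spliced straight into the SQL text.
    return f"SELECT * FROM user WHERE name='{name}' and password = '{password}'"

def login_spliced(conn, name, password):
    # Vulnerable: the name "张三'--" closes the string and comments out the
    # password check, so any password is accepted.
    return conn.execute(build_spliced_sql(name, password)).fetchone() is not None

def login_prepared(conn, name, password):
    # Hardened: the statement is compiled with placeholders and the inputs are
    # bound as data, so they can never change the statement's structure.
    sql = "SELECT * FROM user WHERE name=? and password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None

if __name__ == "__main__":
    db = setup_db()
    print(build_spliced_sql("张三'--", "666666"))
    print("spliced :", login_spliced(db, "张三'--", "666666"))   # True: bypassed
    print("prepared:", login_prepared(db, "张三'--", "666666"))  # False: rejected
```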
2. OS command injection attack
An OS command injection attack executes illegal operating system commands through a web application to carry out the attack. It sends commands to the shell so that the command line of the Windows or Linux operating system starts programs; in other words, any program installed on the OS can be executed through an OS command injection attack.
OS command injection is analogous to SQL injection: SQL injection forges illegal SQL, while OS command injection forges illegal shell commands.
A common defense against OS command injection is to encode or replace the characters the shell interprets (such as &&, &, | and so on).
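An added example (not from the original article) of the defense just described: a hypothetical "ping a host" feature, shown as a shell string that the metacharacters would break, then with an allowlist plus argv-style invocation that never gives the shell a chance to parse the value, and with shlex.quote for the case where a shell string is unavoidable.

```python
import re
import shlex
import subprocess

# Assumed allowlist: a hostname may contain only letters, digits, dots and hyphens.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

def build_shell_command(host):
    # Vulnerable pattern: the parameter is spliced into a string handed to the
    # shell, so "&&", "&", "|", ";" inside it become shell operators.
    return f"ping -c 1 {host}"

def build_argv(host):
    # Hardened: validate against the allowlist, then pass the value as its own
    # argv element so no shell ever interprets it.
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["ping", "-c", "1", host]

def quote_for_shell(host):
    # If a shell string cannot be avoided, shlex.quote single-quotes the value
    # so its metacharacters are passed literally. Allowlisting is still preferred.
    return f"ping -c 1 {shlex.quote(host)}"

def run_without_shell(host):
    # Executes the validated value with no shell in between. `echo` stands in
    # for the real command so the example is harmless to run anywhere.
    argv = build_argv(host)
    result = subprocess.run(["echo", argv[-1]], capture_output=True, text=True, check=True)
    return result.stdout

if __name__ == "__main__":
    print(build_shell_command("example.com && ls"))   # operators reach the shell
    print(quote_for_shell("example.com && ls"))       # quoted: one literal argument
    print(run_without_shell("example.com"), end="")
```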
3. DoS attack
A DoS attack is an attack that causes a running service to stop; it is also called a service-stop attack or denial-of-service attack. Its targets are not limited to web sites; network devices and servers are attacked as well.
Put simply, a DoS attack sends a large number of legitimate-looking requests so that the server's resources are overloaded and exhausted and it stops serving. (Because the server has difficulty distinguishing normal requests from attack requests, DoS attacks are difficult to prevent.)
DoS attacks can also stop a service by exploiting security vulnerabilities.
3、 Passive attack
1. XSS attack
Cross-site scripting (XSS) attacks a web site that has security vulnerabilities by running illegal HTML tags or JavaScript in the user's browser. The attacker writes a script and sets a trap; when the user's browser executes it, the user suffers a passive attack.
Common XSS attacks include fake input forms that trick users into giving up personal information, stealing users' cookies, and sending malicious requests on the user's behalf.
Common defenses against XSS include escaping HTML tags and JavaScript in output, and prohibiting JavaScript from reading cookies.
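Both defenses in code, as an added example rather than code from the article: escaping user text for the HTML body and for an attribute value, and issuing the session cookie with the HttpOnly flag so document.cookie cannot read it. The cookie name sid and the Secure/SameSite flags are assumptions for an HTTPS deployment.

```python
import html

# Constructed user input of the kind a comment field might receive.
CONSTRUCTED_INPUT = "<script>alert(document.cookie)</script>"

def render_comment_unsafe(comment):
    # Vulnerable: the user's text lands in the page verbatim, so the tag runs.
    return f'<p class="comment">{comment}</p>'

def render_comment_escaped(comment):
    # Hardened: every character with meaning to the HTML parser is escaped, so
    # the browser shows the text instead of executing it.
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'

def render_attribute(value):
    # Attribute context: quote=True also escapes " and ', so the value cannot
    # close the attribute and inject an event-handler attribute after it.
    return f'<input name="q" value="{html.escape(value, quote=True)}">'

def session_cookie_header(session_id):
    # HttpOnly keeps JavaScript from reading the session ID; Secure and SameSite
    # restrict where the browser sends it (assumed deployment over HTTPS).
    return f"Set-Cookie: sid={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"

if __name__ == "__main__":
    print(render_comment_unsafe(CONSTRUCTED_INPUT))
    print(render_comment_escaped(CONSTRUCTED_INPUT))
    print(render_attribute('" onmouseover="alert(1)'))
    print(session_cookie_header("constructed-session-id"))
```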
2. CSRF attack
A cross-site request forgery (CSRF) attack is one in which the attacker uses a trap to make an authenticated user update some state, such as personal information or settings, without intending to.
Common defenses against CSRF include checking the Referer header combined with requiring POST submissions, and adding token verification.
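The Referer + POST rule and the per-session token combined into one server-side check, as an added example (not the article's code). SITE_ORIGIN, the session dictionary and the form field are assumptions standing in for a real framework's session store and request object.

```python
import hmac
import secrets
from urllib.parse import urlparse

SITE_ORIGIN = "https://example.com"  # assumed origin of the protected application

def issue_csrf_token(session):
    # One unguessable token per session, stored server-side and embedded in
    # every state-changing form the server renders.
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def referer_allowed(referer):
    # Referer check: the request must have been sent from a page on our origin.
    if not referer:
        return False
    got, ours = urlparse(referer), urlparse(SITE_ORIGIN)
    return (got.scheme, got.netloc) == (ours.scheme, ours.netloc)

def validate_state_change(session, method, referer, submitted_token):
    # State changes must be POSTs, must come from our origin, and must carry
    # the token issued to this session. compare_digest avoids timing leaks.
    if method != "POST":
        return False, "state changes must use POST"
    if not referer_allowed(referer):
        return False, "bad or missing Referer"
    expected = session.get("csrf_token")
    if not expected or not submitted_token or not hmac.compare_digest(expected, submitted_token):
        return False, "CSRF token mismatch"
    return True, "ok"

if __name__ == "__main__":
    sess = {}
    tok = issue_csrf_token(sess)
    print(validate_state_change(sess, "POST", "https://example.com/settings", tok))
    print(validate_state_change(sess, "POST", "https://attacker.example/trap", tok))
    print(validate_state_change(sess, "GET", "https://example.com/settings", tok))
    print(validate_state_change(sess, "POST", "https://example.com/settings", "guess"))
```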
3. HTTP header injection attack
An HTTP header injection attack is one in which the attacker inserts a line break into a response header field in order to add an arbitrary response header or body, for example redirecting to an arbitrary URL or replacing the body content that is returned.
For example, suppose a page performs a redirect and the original header looks like this:
Location: http://example.com/?cat=101
Because the redirect carries the parameter back in the header, the attacker induces the user to submit attack code in that parameter, adding or replacing arbitrary header information. (The second Location below may not take effect; browsers differ in how they handle duplicate header fields.)
Location: http://example.com/?cat=101(%0D%0A: line-break characters)
Location: http://xxx.com
A common defense against header injection is to add SSL/TLS authentication, that is, to enable HTTPS.
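As a server-side complement to the transport measure above, this added example (not from the article) reproduces the redirect from the text, shows how a decoded %0D%0A splits one Location header into two, and adds the check that rejects control characters and re-encodes the parameter before it reaches the header.

```python
from urllib.parse import quote, unquote

def build_redirect_unsafe(cat_param):
    # Vulnerable: the URL-decoded parameter is spliced into the header. A
    # decoded %0D%0A terminates the Location line and starts a new header.
    return f"Location: http://example.com/?cat={unquote(cat_param)}"

def build_redirect_safe(cat_param):
    decoded = unquote(cat_param)
    # Reject CR, LF and NUL outright: no legitimate category id contains them.
    if any(ch in decoded for ch in "\r\n\x00"):
        raise ValueError("control characters in redirect parameter")
    # Re-encode so only URL-safe characters ever appear in the header value.
    return f"Location: http://example.com/?cat={quote(decoded, safe='')}"

def split_header_block(raw):
    # How an HTTP stack reads a header block: one field per CRLF-terminated line.
    return [line for line in raw.split("\r\n") if line]

# Constructed attack parameter: "101" followed by an encoded CRLF and a second header.
CONSTRUCTED_PARAM = "101%0D%0ALocation:%20http://xxx.com"

if __name__ == "__main__":
    print(split_header_block(build_redirect_unsafe(CONSTRUCTED_PARAM)))  # two Location headers
    print(build_redirect_safe("101"))
    try:
        build_redirect_safe(CONSTRUCTED_PARAM)
    except ValueError as exc:
        print("rejected:", exc)
```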
4. Session hijacking attack
A session hijacking attack is one in which the attacker obtains a user's session ID by some means and uses it illegally to pose as that user.
A common defense is to bind the session ID to the user's device information: when the session ID is used from another device, the user is warned of possible theft and required to log in again.
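The binding just described, as an added example rather than the article's code. "Device information" is assumed to be a hash of the User-Agent and client address; the session store is a constructed in-memory dictionary.

```python
import hashlib
import secrets

# Constructed in-memory session store: session ID -> {"user": ..., "device": ...}
SESSIONS = {}

def device_fingerprint(user_agent, client_ip):
    # Assumed definition of "device information": a hash over the attributes
    # recorded at login. Hashing keeps raw client data out of the store.
    return hashlib.sha256(f"{user_agent}|{client_ip}".encode()).hexdigest()

def create_session(user, user_agent, client_ip):
    # Unguessable session ID, bound at creation to the device that logged in.
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "device": device_fingerprint(user_agent, client_ip)}
    return sid

def resolve_session(sid, user_agent, client_ip):
    # Returns (user, status). A session ID presented from a different device is
    # treated as possibly stolen: the session is revoked so neither party can
    # keep using it, and the legitimate user is asked to log in again.
    record = SESSIONS.get(sid)
    if record is None:
        return None, "no such session, login required"
    if record["device"] != device_fingerprint(user_agent, client_ip):
        del SESSIONS[sid]
        return None, "session used from another device, re-login required"
    return record["user"], "ok"

if __name__ == "__main__":
    sid = create_session("张三", "Mozilla/5.0 (constructed)", "198.51.100.10")
    print(resolve_session(sid, "Mozilla/5.0 (constructed)", "198.51.100.10"))
    print(resolve_session(sid, "curl/8.0 (constructed)", "203.0.113.7"))
    print(resolve_session(sid, "Mozilla/5.0 (constructed)", "198.51.100.10"))
```

Binding to the client address produces false alarms for users whose address changes mid-session (mobile networks, corporate proxies), so deployments often bind only to attributes that stay stable for the life of the session.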