Web Security (XSS and CSRF)
2022-07-19 07:24:00 【Much less】
XSS
XSS: untrusted data is used directly, for example values taken from the URL, text typed into an input, requested resources and anything else the user can control.
For example: tags (such as a script tag) are typed into an input and are neither filtered nor escaped (escaping means turning them into entity characters).
Entity characters: the less-than sign < has the entity character &lt;, so < is replaced with &lt;.
https://blog.csdn.net/weixin_49007365/article/details/118583523
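The escaping step described above, as an added example that is not part of the original post: untrusted text is turned into entity characters before it is written into the page. The `renderComment` template and the `<script>` probe input are constructed for this demonstration; the "raw" branch is the unescaped pattern the note warns about and the "escaped" branch is the fix.

```javascript
// Added example (not from the original post): escaping untrusted text into
// HTML entity characters before it is written into a page.
const ENTITY_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace every character that has meaning in HTML with its entity form.
// '&' is included so that text containing entities is not decoded twice.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Constructed page template that writes a user-supplied value into the body.
// escape: false is the vulnerable pattern; escape: true is the fix.
function renderComment(text, { escape }) {
  const body = escape ? escapeHtml(text) : text;
  return `<p class="comment">${body}</p>`;
}

// Crude check used only for this demonstration: does the rendered markup
// still contain a live <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input: the classic XSS probe string.
const SAMPLE_INPUT = '<script>alert(1)</script>';

console.log('raw:    ', renderComment(SAMPLE_INPUT, { escape: false }));
console.log('escaped:', renderComment(SAMPLE_INPUT, { escape: true }));
```

Entity escaping is the right tool only when the value lands in HTML text or an attribute value; a value placed inside a script block, a URL or a CSS context needs the encoding for that context instead.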
HTML Sanitizer API (the newest sanitizing API)
On October 18, the W3C's Web Platform Incubator Community Group released the draft specification for the HTML Sanitizer API. The draft addresses how browsers should deal with XSS attacks.
XSS (cross-site scripting) is the biggest security threat in Web security, and how to fix and defend against this class of vulnerability gives development, operations and security engineers a headache. The Sanitizer API, provided jointly by Google, Mozilla and Cure53, is close to finishing development.
https://blog.csdn.net/powertoolsteam/article/details/121650718
Note: CSP can also prevent XSS.
CSP
CSP stands for Content Security Policy.
CSP is a whitelist mechanism that applies to the resources a site loads or executes. The policy is defined for the page through an HTTP header or a meta element.
Although CSP provides strong security, it also brings the following problems: eval and related functions are disabled, inline JavaScript will not execute, and remote scripts can only be loaded from whitelisted sources.
(1) Use the HTTP Content-Security-Policy header
On the server side, specify your policy with the HTTP Content-Security-Policy header.
Allow loading only from the same domain:
Content-Security-Policy: default-src 'self'
Content-Security-Policy-Report-Only: collects violation reports but does not restrict requests.
(2) Use a meta tag
Restrict where forms may be submitted:
<meta http-equiv="Content-Security-Policy" content="form-action 'self';">
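To make the whitelist behaviour concrete, here is an added example (not from the original post) that parses a CSP header value like the two above and decides whether a resource origin is allowed. It models only the 'self' and 'none' keywords, '*' and plain host sources; nonces, hashes, wildcard hosts and scheme sources are left out. The header values and URLs in the sample are constructed. It also shows one caveat the post's meta example touches: form-action does not fall back to default-src, so a policy of only `default-src 'self'` leaves form targets unrestricted.

```javascript
// Added example (not from the original post): parse a Content-Security-Policy
// header and check a resource origin against it. Simplified source matching.

// Directives that do NOT fall back to default-src when absent.
const NO_FALLBACK = new Set(['form-action', 'frame-ancestors', 'base-uri', 'sandbox', 'report-uri']);

// Split "default-src 'self'; script-src 'self' https://cdn.example.com"
// into { directive: [sources] }.
function parseCsp(headerValue) {
  const policy = {};
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy[directive.toLowerCase()] = sources;
  }
  return policy;
}

// The header name decides whether violations are blocked or only reported.
function policyMode(headerName) {
  const name = headerName.toLowerCase();
  if (name === 'content-security-policy') return 'enforce';
  if (name === 'content-security-policy-report-only') return 'report-only';
  throw new Error(`not a CSP header: ${headerName}`);
}

// Does one source expression match the resource origin? 'self' means the
// same scheme, host and port as the page that carries the policy.
function sourceMatches(src, resourceOrigin, pageOrigin) {
  if (src === "'self'") return resourceOrigin === pageOrigin;
  if (src === "'none'") return false;
  if (src === '*') return true;
  if (src.startsWith("'")) return false; // other keywords not modelled here
  try {
    const host = src.includes('://') ? src : `https://${src}`;
    return new URL(host).origin === resourceOrigin;
  } catch {
    return false;
  }
}

// Is `resourceUrl` allowed for `directive` on a page at `pageUrl`?
function isAllowed(policy, directive, resourceUrl, pageUrl) {
  let sources = policy[directive];
  if (!sources && !NO_FALLBACK.has(directive)) sources = policy['default-src'];
  if (!sources) return true; // no applicable directive: CSP imposes no restriction
  const resourceOrigin = new URL(resourceUrl).origin;
  const pageOrigin = new URL(pageUrl).origin;
  return sources.some((src) => sourceMatches(src, resourceOrigin, pageOrigin));
}

// Constructed sample policy and page.
const SAMPLE_HEADER = "default-src 'self'; script-src 'self' https://cdn.example.com";
const SAMPLE_PAGE = 'https://shop.example/cart';
```

Usage: `isAllowed(parseCsp(SAMPLE_HEADER), 'img-src', 'https://other.example/a.png', SAMPLE_PAGE)` returns false because img-src falls back to `default-src 'self'`, while the same call with `'form-action'` returns true until a `form-action` directive is added.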
CSRF
CSRF: it mainly relies on the browser's authentication mechanisms; many sites keep login state in a cookie, a session id and the like.
What is a CSRF attack?
CSRF is Cross-Site Request Forgery. Like XSS, it is very harmful.
The principle and process of a CSRF attack are as follows:
1. User C opens a browser, visits trusted site A, and logs into A with a username and password;
2. After verifying the user's information, site A generates cookie information and returns it to the browser; the user is now logged into A and can send requests to A normally;
3. Before logging out of A, the user opens another tab in the same browser and visits site B;
4. When site B receives the user's request, it returns some attack code and issues a request to the third-party site A;
5. On receiving the attack code, the browser follows B's request and, without the user's knowledge, sends a request to site A carrying the user's cookie. Site A does not know the request was actually initiated by B, so it processes it with user C's permissions based on C's cookie, and the malicious code from site B gets executed.
CSRF attack protection
There are currently three main strategies for defending against CSRF: verifying the HTTP Referer field; adding a token to the request and verifying it; and adding a custom attribute to the HTTP header and verifying it.
- Use POST as much as possible and limit GET
- Browser cookie policy
- Add a verification code (CAPTCHA)
- Referer check (the most common use of a Referer check on the Web is to prevent image hotlinking.)
- Anti-CSRF Token (the industry's consistent approach to CSRF defence today is to use a token, the Anti-CSRF Token.)

Note:
The CSRF token only counters CSRF. When the site also has an XSS vulnerability, this scheme is empty talk.
So problems brought by XSS should be solved as XSS problems.
Cookie
PS: cookies come in two kinds:
Session Cookie (kept in memory; it expires when the browser is closed),
Third-party Cookie (i.e. a cookie that only expires once its Expire time is reached; such cookies are saved locally).
PS: in addition, if the HTTP header returned by the site contains a P3P header, browsers will allow third-party cookies to be sent.
H5 page login problem
Because HTTP is stateless, and we cannot ask the user to log in again on every request, the server must remember the user's identity.
So the server sets a cookie; the browser keeps it and attaches it to the next request, and the server then knows who I am.
If the request is something like a transfer (say a simple GET), one click might move the money, so browsers have since added some policies.
Note:
Each browser now gives the cookie's SameSite attribute a default value (it used to be null): a cross-site GET request still carries the cookie, but a cross-site POST does not.
Note:
Collecting user preferences across sites (the "pick of the week" type of feature) used to be done through third-party cookies shared across many sites; once those are blocked it no longer works.
Note:
The cookie side of the CSRF problem can be solved with the cookie's SameSite attribute.
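The three notes above describe one browser rule. Here is an added example (not from the original post) that models the SameSite decision: whether the browser attaches a cookie given its SameSite value, whether the request is same-site, whether it is a top-level navigation, and the HTTP method. It also builds the matching Set-Cookie header. The model is simplified: real browsers also have a short grace period for freshly set Lax cookies and special redirect handling, which are not modelled. The default of Lax when no attribute is set is Chrome's behaviour and is what the note describes.

```javascript
// Added example (not from the original post): a simplified model of the
// browser's SameSite cookie rule.

// Build the Set-Cookie header value the server should send.
function setCookieHeader(name, value, { sameSite = 'Lax', secure = true, httpOnly = true } = {}) {
  if (sameSite === 'None' && !secure) {
    throw new Error('SameSite=None is rejected by browsers unless Secure is also set');
  }
  const parts = [`${name}=${value}`, 'Path=/', `SameSite=${sameSite}`];
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Decide whether the browser attaches the cookie. `sameSite` undefined means
// the server set no attribute; under the Lax-by-default rule that behaves
// like Lax (it used to behave like None, i.e. always sent).
function cookieIsSent({ sameSite, sameSiteRequest, topLevelNavigation, method }) {
  const effective = sameSite || 'Lax';
  if (sameSiteRequest) return true;          // same-site requests always carry cookies
  if (effective === 'None') return true;     // legacy behaviour: sent cross-site too
  if (effective === 'Strict') return false;  // never sent cross-site
  // Lax: cross-site only on top-level navigations with a safe method
  return topLevelNavigation && (method === 'GET' || method === 'HEAD');
}

// The post's scenarios under the default policy: a cross-site link click (GET),
// a cross-site auto-submitted form (POST), a cross-site <img> load, and the
// pre-SameSite behaviour for comparison.
function defaultPolicyDemo() {
  return {
    crossSiteGetLink: cookieIsSent({ sameSiteRequest: false, topLevelNavigation: true, method: 'GET' }),
    crossSiteFormPost: cookieIsSent({ sameSiteRequest: false, topLevelNavigation: true, method: 'POST' }),
    crossSiteImage: cookieIsSent({ sameSiteRequest: false, topLevelNavigation: false, method: 'GET' }),
    legacyNone: cookieIsSent({ sameSite: 'None', sameSiteRequest: false, topLevelNavigation: true, method: 'POST' }),
  };
}

console.log(setCookieHeader('sid', 'constructed-session-id', { sameSite: 'Strict' }));
console.log(defaultPolicyDemo());
```

The `crossSiteImage` case is the "multi-site third-party cookie" from the second note: under Lax it is no longer sent, which is exactly why preference tracking across sites stops working. The `crossSiteFormPost` case is the CSRF form from site B; a GET-based transfer endpoint is still exposed (`crossSiteGetLink` is true), which is why the post also says to use POST for state changes.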
