XSS & CSRF
What is an XSS attack, and how to prevent it?
XSS is Cross-Site Scripting. It means a hacker can trick the client or the server into executing their malicious code.
Classified by where the malicious code comes from, there are 3 kinds of XSS attack:
- DOM based XSS, where the malicious code comes from client-side code (untrusted data written into the page by JavaScript, for example through innerHTML);
div.innerHTML = "<script>...some evil code</script>"
- Stored XSS (Persistent XSS), where the malicious code comes from the database;
db.save({ content : "<script>...some evil code</script>" })
- Reflected XSS, where the malicious code comes from the HTTP request;
http://be-attacked.com?message="<script>...some evil code</script>"
But how to prevent it?
Just do not trust any input from outside. There are 2 methods to prevent XSS:
- Escape & Filter (see js-xss)
- CSP (see Content Security Policy)
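The "Escape" half of "Escape & Filter", applied to the reflected-XSS case above, as an added example (not code from these notes or from js-xss). It runs under Node.js without a DOM: the render functions build the HTML string a server would send, and be-attacked.com is the placeholder host from the notes.

```javascript
// Added example: output escaping for the reflected-XSS URL shown above.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape untrusted text before placing it in HTML element content or a quoted attribute.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable rendering: the query parameter is concatenated straight into the markup,
// so a message containing a <script> element comes back as executable HTML.
function renderUnsafe(message) {
  return `<div class="message">${message}</div>`;
}

// Hardened rendering: the same parameter is escaped, so the browser shows the
// literal text "<script>..." instead of running it.
function renderSafe(message) {
  return `<div class="message">${escapeHtml(message)}</div>`;
}

// Read the "message" query parameter from a request URL (URL percent-decodes it).
function messageFromUrl(url) {
  return new URL(url).searchParams.get('message') || '';
}

// Crude check used only to show the difference: does the output contain a script tag?
function containsScriptTag(html) {
  return /<\s*script[\s>]/i.test(html);
}

// Constructed sample request, shaped like the reflected-XSS URL in the notes.
const SAMPLE_URL = 'http://be-attacked.com/?message=%3Cscript%3Ealert(1)%3C%2Fscript%3E';

const message = messageFromUrl(SAMPLE_URL);
console.log(containsScriptTag(renderUnsafe(message))); // true
console.log(containsScriptTag(renderSafe(message)));   // false
```

Escaping is enough when the user may only submit plain text; the "Filter" half (an allowlist sanitizer such as js-xss) is for the case where users are allowed to submit HTML. Data placed into a URL, a JavaScript string or a CSS value needs the encoder for that context, not this HTML one.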
Some examples from the real world
MDN's response header:
content-security-policy: default-src 'self';
script-src 'report-sample' 'self' *.speedcurve.com 'sha256-q7cJjDqNO2e1L5UltvJ1LhvnYN7yJXgGO7b6h9xkL1o=' www.google-analytics.com/analytics.js 'sha256-JEt9Nmc3BP88wxuTZm9aKNu87vEgGmKW1zzy/vb1KPs=' polyfill.io/v3/polyfill.min.js assets.codepen.io production-assets.codepen.io 'sha256-CUy3BwqnmCSHS96nUyHoUsOB3r+s10eRpf5GbZdZqgk='; script-src-elem 'report-sample' 'self' *.speedcurve.com 'sha256-q7cJjDqNO2e1L5UltvJ1LhvnYN7yJXgGO7b6h9xkL1o=' www.google-analytics.com/analytics.js 'sha256-JEt9Nmc3BP88wxuTZm9aKNu87vEgGmKW1zzy/vb1KPs=' polyfill.io/v3/polyfill.min.js assets.codepen.io production-assets.codepen.io 'sha256-CUy3BwqnmCSHS96nUyHoUsOB3r+s10eRpf5GbZdZqgk=';
style-src 'report-sample' 'self' 'unsafe-inline';
object-src 'none';
base-uri 'self';
connect-src 'self' updates.developer.allizom.org updates.developer.mozilla.org www.google-analytics.com stats.g.doubleclick.net;
font-src 'self';
frame-src 'self' interactive-examples.mdn.mozilla.net interactive-examples.prod.mdn.mozilla.net interactive-examples.stage.mdn.mozilla.net mdn.github.io yari-demos.prod.mdn.mozit.cloud mdn.mozillademos.org yari-demos.stage.mdn.mozit.cloud jsfiddle.net www.youtube-nocookie.com codepen.io;
img-src 'self' *.githubusercontent.com *.googleusercontent.com mozillausercontent.com profile.stage.mozaws.net profile.accounts.firefox.com lux.speedcurve.com mdn.mozillademos.org media.prod.mdn.mozit.cloud media.stage.mdn.mozit.cloud interactive-examples.mdn.mozilla.net interactive-examples.prod.mdn.mozilla.net interactive-examples.stage.mdn.mozilla.net wikipedia.org www.google-analytics.com www.gstatic.com;
manifest-src 'self';
media-src 'self' archive.org videos.cdn.mozilla.net;
child-src 'self';
worker-src 'self';
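To make sense of a header like the one above, here is an added example (not from these notes or from MDN) that parses a Content-Security-Policy value into its directives and reports the settings a reviewer checks first: whether script-src is effectively unrestricted or allows 'unsafe-inline' without a nonce/hash, whether object-src is 'none', and whether base-uri is set. The sample headers at the end are constructed; the MDN header above can be passed to reviewCsp in the same way.

```javascript
// Added example: parse a CSP header and flag weak settings. Runs under Node.js.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;          // tolerate a trailing ';'
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Effective source list for a fetch directive: fall back to default-src when absent.
// (base-uri does not fall back, which is why it is checked separately below.)
function effectiveSources(policy, directive) {
  return policy[directive] ?? policy['default-src'] ?? null;
}

// Return human-readable findings; an empty list means nothing to flag.
function reviewCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  const scripts = effectiveSources(policy, 'script-src');
  if (scripts === null) {
    findings.push('no script-src and no default-src: scripts are unrestricted');
  } else {
    // Browsers ignore 'unsafe-inline' when a nonce or hash source is present.
    const hasNonceOrHash = scripts.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
    if (scripts.includes("'unsafe-inline'") && !hasNonceOrHash)
      findings.push("script-src allows 'unsafe-inline' without nonce/hash: injected inline scripts run");
    if (scripts.includes("'unsafe-eval'")) findings.push("script-src allows 'unsafe-eval'");
    if (scripts.includes('*')) findings.push('script-src allows scripts from any origin');
  }
  const objects = effectiveSources(policy, 'object-src');
  if (!objects || !objects.includes("'none'")) findings.push("object-src is not 'none': plugin content can load");
  if (!policy['base-uri']) findings.push('base-uri not set: an injected <base> can redirect relative script URLs');
  return findings;
}

// Constructed sample headers: a weak policy and a strict one shaped like the MDN header.
const WEAK_CSP = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'";
const STRICT_CSP = "default-src 'self'; script-src 'self' 'sha256-EXAMPLEHASH'; object-src 'none'; base-uri 'self';";

console.log(reviewCsp(WEAK_CSP));   // five findings
console.log(reviewCsp(STRICT_CSP)); // []
```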
Further examples (screenshots): a local example and the CodePen XSS case.
Why have I never encountered an XSS attack?
- All systems I developed are internal; generally speaking, no employee will attack their own company.
- I tried to set an evil innerHTML on a React component's DOM, and it turns out that this DOM is not rendered although it still exists in the DOM tree. So React is in charge of filtering those invalid element nodes.
- If I put evil code into JSX, it will be automatically escaped to a normal text string.
What is a CSRF attack, and how to prevent it?
Before searching the Internet, I thought the process was:
I create a link, then induce the victim user to click it. Once he/she clicks it, the evil code will be executed to steal his credentials or other private data. Then I can pretend to be the real user and do some evil things.
If I am a common user, I will get a sessionId in a cookie after I have logged in to a system successfully. When I request the system again, this sessionId will be sent to the server, so the server can trust me.
About how to prevent it, I remembered that a token will help, but I didn't know how it works in detail.
After searching the Internet: the biggest mistake that I made is this: hackers do not steal the credentials of users and then log in to the system by themselves. The truth is they induce the user to view their phishing site after the user has logged in to the target system successfully.
Because once they have logged in successfully, the sessionId was set in cookies; if SameSite is not set, the phishing site will get the sessionId, so any request sent to the server will carry the sessionId, which makes the server consider the hacker a valid user. (The sessionId is important data to client and server, because the server identifies the client by it.)
I found 3 methods to prevent it:
- Checking the Referer
- Setting SameSite
- Using a CSRF token
I have to say, I finally understand the CSRF token this time. I always thought that no matter what the token is, hackers can always steal it. This is not totally right.
The reason why hackers are able to send requests to the target server with the sessionId is that the sessionId is saved in cookies; this is a flaw or specification of the browser, it's not controllable.
If the server generates a token for the client in advance, the client gets it, saves it, and sends the request with this token every time; the token is saved in the client's code, so no one can steal it directly.
Other questions
- What is HTTPS, and why and how does it work?
- How to keep cookies safe?
- When we use git on a new device, we use ssh-keygen. What is SSH, a public key, a private key?
If I am a hacker
If I am a hacker, I will pretend to be an authenticated client;
If I am a hacker, I will pretend to be a real server;
If I am a hacker, I will hijack the data flow to rewrite it or just steal it;
If I am a hacker, I will send countless requests to shut down a server;
If I am a hacker, I will trick the client or server into executing my malicious code;