Vulnerabilities have two main sources: system mechanisms and coding practice. Because network protocols are open, web vulnerabilities make up the majority at present.
The JavaScript / CSS history hack is a typical mechanism vulnerability, while Heartbleed is a typical coding vulnerability. After this overview of what a vulnerability is, a test website is built to try out CSS spoofing, SQL injection and CSRF attacks.
Vulnerability impact: an attacker can learn part of the user's browsing history.
Attack method: JavaScript can read the computed CSS of any element, so it can tell which style the browser applied to a link and therefore whether the user has visited it. An attacker builds a site containing hyperlinks to other websites; when a user visits it, the browser colours each link according to the user's history, so visited and unvisited links look different.
A script on the attacker's page then reports which links were visited back to the attacker's server. The effect is to detect whether the user has visited particular sites, not to read the browsing history directly.
The vulnerability has been fixed: although visited and unvisited links are still displayed differently, JS can no longer read the colour difference.
Heartbleed, also known as the "heart bleeding" vulnerability, CVE-2014-0160.
Origin: the vulnerability was reported by Google white hat Neel Mehta. It lets an attacker retrieve up to 64 KB of data from the memory of a specific server; the whole process is like fishing. The attack can be repeated continuously, so a large amount of sensitive data leaks.
Cause: the code did not check the length boundary before memcpy() copied user-supplied input. An attacker can claim a length beyond the real payload and receive that many bytes of buffer contents back.
Each heartbeat request carries a payload length field. If the claimed length is longer than the actual payload, the server still returns the claimed number of bytes, which produces an out-of-bounds read of memory.
Vulnerability impact: every heartbeat makes the server disclose a little data (at most 64 KB in theory). It may or may not contain a user's login name and password, e-mail or even an encryption key, but the attacker can keep sending "heartbeats" to obtain more. In this way the server leaks more and more information bit by bit, like a heart bleeding slowly, which is where the name comes from. The vulnerability has been fixed, but it is not known whether it was exploited before it was reported.
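The missing check described above can be shown in a few lines. The following is an added toy reconstruction written for this page (not OpenSSL's code): it lays out a heartbeat record as type, two-byte payload length, payload and padding, places a constructed secret right after the record in a simulated heap buffer, and compares a handler that trusts the length field with one that first checks that the claimed payload fits inside the received record, which is what the 2014 fix does. The record layout is simplified and the 16-byte minimum padding is the only other constraint assumed.

```python
"""Toy reconstruction of the missing length check behind CVE-2014-0160 (added example)."""
import struct

PADDING = 16  # a heartbeat record carries at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Serialise a heartbeat request: type(1) | payload_length(2) | payload | padding.

    The length field is written by the sender, so it can disagree with len(payload).
    """
    return struct.pack("!BH", 1, claimed_length) + payload + b"\x00" * PADDING


def respond_vulnerable(memory: bytearray, offset: int, record_length: int) -> bytes:
    """Pre-fix behaviour: trusts payload_length and copies that many bytes back.

    record_length is never consulted, which is exactly the oversight that let the
    copy run past the received record into adjacent heap memory.
    """
    _hb_type, claimed = struct.unpack_from("!BH", memory, offset)
    payload_start = offset + 3
    return bytes(memory[payload_start:payload_start + claimed])


def respond_fixed(memory: bytearray, offset: int, record_length: int):
    """Post-fix behaviour: the claimed payload must fit inside the received record."""
    if record_length < 1 + 2 + PADDING:
        return None  # too short to hold even the header and padding
    _hb_type, claimed = struct.unpack_from("!BH", memory, offset)
    if 1 + 2 + claimed + PADDING > record_length:
        return None  # length field lies about the payload size: drop silently
    payload_start = offset + 3
    return bytes(memory[payload_start:payload_start + claimed])


def demo():
    """Place a constructed secret right after the record and run both handlers."""
    secret = b"SESSION_COOKIE=constructed-secret-value"  # constructed sample data
    record = build_heartbeat(b"hi", claimed_length=60)   # 2 real bytes, 60 claimed
    memory = bytearray(record + secret)                   # simulated process heap
    leaked = respond_vulnerable(memory, 0, len(record))
    dropped = respond_fixed(memory, 0, len(record))
    honest = respond_fixed(bytearray(build_heartbeat(b"hi", 2) + secret), 0, len(record))
    return leaked, dropped, honest


if __name__ == "__main__":
    leaked, dropped, honest = demo()
    print("vulnerable handler returned:", leaked)
    print("fixed handler returned:", dropped, "for the oversized request and", honest, "for the honest one")
```

The vulnerable handler's reply begins with the two real payload bytes, then the padding, then the secret that happened to sit next to the record; the fixed handler returns nothing for the oversized request and answers the honest one normally.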
The above is a brief introduction to two types of vulnerabilities. The following experiments with CSS spoofing, SQL injection and CSRF attacks.
As the name suggests, CSS spoofing is mainly a form of deception: it presents false information to browser users.
Although it is a very simple technique, it is used extremely widely.
Principle: cover or overlay web page content through CSS positioning and pseudo-classes.
HTML is like the human skeleton, CSS is the exterior decoration, and JS controls the page's behaviour like the nerves; CSS spoofing mainly relies on CSS to render the page.
Introduction to positioning methods and pseudo-classes
CSS has four ways of positioning page elements:
- Static: the default for every element. Static positioning is simply the element's default place in the HTML document flow.
- Relative: the element stays in the document flow and is offset from its static position through top, bottom, left and right; stacking order can be set with z-index.
- Absolute: the element leaves the document flow and is positioned through top, bottom, left and right relative to the nearest positioned ancestor. When every ancestor is static, the element is positioned from the origin of the body; stacking order can be set with z-index.
- Fixed: the reference is the current viewport (the browser window), not the body or a parent element, so the element does not move when the page scrolls; stacking order can be set with z-index.
Common positioning pattern: absolute child, relative parent
- The child element uses absolute positioning and the parent uses relative positioning, so the parent keeps its place in the normal document flow while also serving as the reference for the child's absolute positioning.
CSS pseudo-classes can be combined with CSS selectors, for example the anchor pseudo-classes or :first-child.
For example, the anchor pseudo-classes:
- a:link {color: #ff0000;} /* unvisited link */
- a:visited {color: #00ff00;} /* visited link */
- a:hover {color: #ff00ff;} /* mouse over link */
- a:active {color: #0000ff;} /* selected link */
Spoofing case: in earlier years, Taobao shop decoration let merchants control how the page displayed directly with CSS, and some merchants faked store information.
Below is a store information screenshot from around 2012 that presents information that is not true. The actual 30-day sales volume is 0, but a background image set during shop decoration displays "580 sold". The "shopping notice" is disguised by the background image as "quality merchant, 7-day no-reason returns". The review details and transaction records are also used for false publicity; in reality there are no buyer reviews, only added background pictures.
Why is CSS spoofing simple yet so widely used?
From my own web browsing experience, before and around the beginning of 4G it was very common to fake pages with images.
The most recent case was during Double 11 in 2018: after I applied for a refund on an e-commerce platform, the merchant ignored it the whole time. When I complained to the platform, I found that the button to submit the complaint did not respond at all. At first I thought the mobile display was incompatible, but later I found that the bottom half of the page was an image and the submit button was just part of that picture.
The Double 11 case is perhaps understandable, but for the majority of Internet users with little computer background, CSS spoofing remains very effective.
Next, SQL injection is introduced first; then CSS spoofing is combined with SQL injection, using SQL injection to plant front-end code on the test website and achieve CSS spoofing.
SQL injection means that a web application does not validate or filter user input, so an attacker can append extra SQL to the query statements predefined in the application and carry out illegal operations without the administrator's knowledge. It is one of the most common dangerous vulnerabilities today.
SQL injection is not an outdated security problem; on the contrary, it is a very easy attack to use. It needs no sophisticated technique to get sensitive database information viewed or deleted illegally.
General injection process:
- Probe for SQL injection points. Determine where injection points exist by analysing the application. In general, any dynamic page that accepts submitted input and accesses the database may have an SQL injection vulnerability.
- Collect information about the back-end database. Injection methods and functions differ between databases, so the database type must be determined before injecting. One way is to enter special characters such as a single quote so the program returns an error message, and judge from the error text; another is to use database-specific functions, for example `1 and version()>0`: if the program returns normally, the version() function was recognised and executed, and since version() is specific to MySQL the back-end database can be inferred to be MySQL.
- Guess the user name and password. Table and field names in a database usually follow a pattern. By constructing special SQL statements, the table names, field names, field counts, user names and passwords can be guessed out one after another.
There are two kinds of SQL injection that can make your zoobars appear more numerous:
- Modify the Zoobars column by filling in the profile, which changes the number of zoobars stored in the database
- Inject HTML/CSS code by filling in the profile, so the zoobars look more numerous when others search for the user, without changing the number in the database
Method 1
Injection code:
```
userA的个人简介', Zoobars='20
```
```php
<?php
if($_POST['profile_submit']) { // Check for profile submission
    $profile = $_POST['profile_update'];       // raw user input, no validation or escaping
    $sql = "UPDATE Person SET Profile='$profile' ".   // input spliced straight into the statement
           "WHERE PersonID=$user->id";
    $db->executeQuery($sql); // Overwrite profile in database
}
$sql = "SELECT Profile FROM Person WHERE PersonID=$user->id";
$rs = $db->executeQuery($sql);
$rs = mysqli_fetch_array($rs);
echo $rs["Profile"];   // stored profile is emitted as HTML without escaping
?>
```
The $sql value on lines 4 and 5 is the statement the database executes. With Method 1, the SQL statement actually executed becomes:
```sql
UPDATE Person SET Profile='userA的个人简介', Zoobars='20' WHERE PersonID=userA
```
Method 2
Depending on the scenario, Method 2 injection is sometimes used only to alter how the page is displayed, purely for CSS spoofing: userA has 20 zoobars, but by injecting front-end code, users of the site who search for userA see 200. For easier observation, the spoofed digit is set in red.
Injection code:
```html
<span style="color:#000000;position:relative;left:60px;top:-54px;">0</span>
```
Unlike the Taobao merchants' direct use of a CSS background image, here a relatively positioned tag is written into the profile via SQL injection. When a user of the site views userA's profile, the browser interprets the HTML in it and renders the digit 0, which is displayed right after the zoobar count. Next, another attack related to browser mechanisms is introduced.
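To make both methods and their defences concrete, the following is an added example written for this page (not the zoobar project's code). It rebuilds the profile update and display logic of the PHP above over an in-memory SQLite table, then runs the page's Method 1 payload (with its Chinese profile text translated) against the string-spliced update and against a parameterised one, and runs the Method 2 span payload through a raw echo and through HTML-escaped output. The table layout, the starting balance of 10 zoobars and the column names are constructed for the example.

```python
"""Profile update and display: the page's two injection methods against a parameterised,
output-escaped version (added example, not the zoobar project's code)."""
import html
import sqlite3

# Payloads from the page: the first closes the Profile string and sets a second column,
# the second is markup that the browser would render next to the zoobar count
METHOD1 = "userA profile', Zoobars='20"
METHOD2 = '<span style="color:#000000;position:relative;left:60px;top:-54px;">0</span>'


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the Person table, userA starts with 10 zoobars."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Person (PersonID INTEGER PRIMARY KEY, Username TEXT, "
               "Profile TEXT, Zoobars INTEGER)")
    db.execute("INSERT INTO Person VALUES (1, 'userA', '', 10)")
    db.commit()
    return db


def update_profile_vulnerable(db, user_id: int, profile: str) -> None:
    """Mirrors the page's PHP: the profile text is spliced into the SQL string."""
    sql = f"UPDATE Person SET Profile='{profile}' WHERE PersonID={user_id}"
    db.execute(sql)
    db.commit()


def update_profile_safe(db, user_id: int, profile: str) -> None:
    """Bound parameters: the payload is stored as data and never parsed as SQL."""
    db.execute("UPDATE Person SET Profile=? WHERE PersonID=?", (profile, user_id))
    db.commit()


def zoobars(db, user_id: int) -> int:
    return db.execute("SELECT Zoobars FROM Person WHERE PersonID=?", (user_id,)).fetchone()[0]


def render_profile_raw(db, user_id: int) -> str:
    """Like `echo $rs["Profile"]`: whatever was stored is emitted as HTML."""
    return db.execute("SELECT Profile FROM Person WHERE PersonID=?", (user_id,)).fetchone()[0]


def render_profile_escaped(db, user_id: int) -> str:
    """Escape on output so an injected tag is shown as text instead of being rendered."""
    return html.escape(render_profile_raw(db, user_id), quote=True)


def run_method1():
    """Returns (zoobars after the vulnerable update, zoobars after the safe update)."""
    vuln = make_db()
    update_profile_vulnerable(vuln, 1, METHOD1)   # executes ... Zoobars='20' ...
    safe = make_db()
    update_profile_safe(safe, 1, METHOD1)         # the whole payload becomes the profile text
    return zoobars(vuln, 1), zoobars(safe, 1)


def run_method2():
    """Returns (raw render, escaped render) of a profile holding the span payload."""
    db = make_db()
    update_profile_safe(db, 1, METHOD2)   # parameters alone do not help against Method 2
    return render_profile_raw(db, 1), render_profile_escaped(db, 1)


if __name__ == "__main__":
    print("Method 1 zoobars (spliced / parameterised):", run_method1())
    raw, escaped = run_method2()
    print("Method 2 output (raw / escaped):", raw, "|", escaped)
```

The two methods need two different defences: bound parameters stop Method 1 because the quote in the payload can no longer end the string literal, while only escaping on output stops Method 2, since the span is legitimate data as far as the database is concerned.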
CSRF (Cross-Site Request Forgery).
The attacker lures a browser user to visit the attacker's own website, which makes cross-site requests to the original site; because the browser attaches the cookie it saved for the original site, the attacker's page borrows the user's identity there and forges requests to carry out the attack.
Browser mechanism:
After a user logs in to a website, a cookie is saved locally for authentication; as long as the cookie has not expired, the user does not have to log in again and again.
Unlike the JavaScript / CSS history hack, CSRF cannot for now be fixed by modifying the CSS or JS engine, because current browsers need this mechanism.
Scenario simulation: a programmer logs in to the blog site to read blogs and, after finding a good one, wants to share it with friends. The first time, the sharing page asks for a login first. After logging in and sharing successfully, it is not long before the programmer finds another good blog and wants to share again, and so on in a cycle. What does the browser do?
The browser's current mechanism is to save the user's cookie after the first login, so that the user need not authenticate repeatedly within its validity period; the later cross-site requests therefore need no new login. (This was not actually tried, and the blog site's sharing may require a login every time; it is only an example to illustrate the cross-site situation.)
The browser's cookie-saving mechanism is needed, but at the same time it gives an attacker an opening to exploit.
Weakness of user authentication on the Web:
Simple authentication can only guarantee that a request came from a certain user's browser; it cannot guarantee that the user sent the request voluntarily.
In other words, the user's browser sends a request, and the browser's cookie proves the user's identity, but it cannot guarantee that the request is the user's own action on the original website.
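The usual remedy for the gap described above is to prove intent separately from identity: the site embeds a token in its own form that an attacker's copy of the form cannot know. The following is an added example written for this page (not the zoobar project's code) that models the transfer handler twice over an in-memory session store, once checking only the session cookie and once also requiring a synchronizer token derived from the session with HMAC. The server key, the session store and the account balances are constructed for the example.

```python
"""Synchronizer-token check for a zoobar transfer (added example, not the project's code)."""
import hashlib
import hmac
import secrets

SERVER_KEY = b"constructed-server-secret"  # assumption: a per-deployment secret kept server-side
SESSIONS = {}  # session cookie value -> username (constructed in-memory session store)


def login(username: str) -> str:
    """Issue a session cookie, as the site does after the first login."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = username
    return sid


def csrf_token(sid: str) -> str:
    """Token the site embeds in its own transfer form; bound to the session via HMAC."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()


def do_transfer(balances: dict, sender: str, form: dict) -> str:
    """Move zoobars between accounts after the ordinary business checks."""
    recipient = form.get("recipient")
    amount = int(form.get("zoobars", 0))
    if recipient not in balances or amount <= 0 or balances[sender] < amount:
        return "rejected: bad transfer"
    balances[sender] -= amount
    balances[recipient] += amount
    return "ok"


def transfer_cookie_only(balances: dict, cookie: str, form: dict) -> str:
    """The page's situation: the cookie proves identity, so an auto-submitted form passes."""
    sender = SESSIONS.get(cookie)
    if sender is None:
        return "rejected: not logged in"
    return do_transfer(balances, sender, form)


def transfer_with_token(balances: dict, cookie: str, form: dict) -> str:
    """Identity from the cookie plus intent from a token only the site's own form carries."""
    sender = SESSIONS.get(cookie)
    if sender is None:
        return "rejected: not logged in"
    if not hmac.compare_digest(form.get("csrf_token", ""), csrf_token(cookie)):
        return "rejected: missing or invalid CSRF token"
    return do_transfer(balances, sender, form)


def demo():
    """Replay the same forged submission against both handlers, then a genuine one."""
    balances = {"victim": 10, "attacker": 0}  # constructed accounts
    cookie = login("victim")
    # Fields the attacker's auto-submitting copy of the form sends; the browser adds the cookie
    forged = {"recipient": "attacker", "zoobars": "1"}
    r_cookie_only = transfer_cookie_only(balances, cookie, forged)
    r_forged = transfer_with_token(balances, cookie, forged)
    genuine = dict(forged, csrf_token=csrf_token(cookie))  # the site's own form carries the token
    r_genuine = transfer_with_token(balances, cookie, genuine)
    return r_cookie_only, r_forged, r_genuine, balances


if __name__ == "__main__":
    print(demo())
```

The forged submission succeeds against the cookie-only handler and is rejected by the token-checking one, while the site's own form, which carries the token, still works; the attacker's page cannot read the token because it lives in the original site's response, not in the cookie.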
Demonstrating the attack on the test website
Attack steps:
- Build a web page that forges a request. The request transfers one zoobar from the victim's account to the attacker's account
- In the account the attacker registered on the site, fill in the profile and use SQL injection to plant a link to the attacker's own website
- Induce other users to click the link on the attacker's profile so the attack runs
Building the web page
Original web page and code: clicking Send on the transfer screen sends a request that performs the transfer.
The attacker needs a website of their own on which the attack is written. Here the original site's interface code is copied directly, the amount to send is preset to the default value 1, the recipient is set by default to the attacker's account userA, and JS code makes the page submit the Send button automatically when it loads.
Attack web page and code: although it looks the same, the address shown in the browser reveals that this is a different page, which is used to simulate the attack site.
Then a hyperlink is added to the profile:
- The JavaScript / CSS history hack exploited a vulnerability in the browser mechanism that queries history for the user's convenience; it has been patched by improving the CSS / JS handling.
- The data leakage vulnerability caused by non-standard code (Heartbleed) has been fixed.
- CSS spoofing is a commonly used deception technique that needs to be combined with other attack methods depending on the scenario.
- SQL injection is one of the most common security vulnerabilities and a main cause of data leakage; its security risk is high, exceeding buffer overflow vulnerabilities to some extent, and it can only be mitigated as far as possible.
- Cross-Site Request Forgery exploits a browser mechanism and cannot be cured directly; like SQL injection, it is an ongoing contest between attack and defence.