Front-End Security: A Summary of Common Problems

Table of contents

7. Common-sense handling of sensitive information in API calls
8. Older versions of jQuery, other frameworks and front-end components may have security vulnerabilities

Body

1. XSS (Cross-Site Scripting): JS injection across sites, and how to defend against it

  1. XSS against an API: JS code, or HTML tags carrying malicious JS, is submitted to the server as a GET or POST parameter; the server interprets it and echoes the script or tag back unchanged in the response, where the browser renders and executes it. This is clearly a problem. Defences: 1) validate data on the front end before submitting it, filtering JS code and DOM nodes out of user input; 2) mark important cookies as HttpOnly (the server sets this flag), so client-side script has no access to them; 3) validate input on the server as well, since client-side checks can be bypassed.
  2. DOM-based XSS: the page's own code uses window.eval, which turns a string into executable JS and is very dangerous; assembling an HTML string by concatenation and writing it straight into the DOM has the same problem. Defences: avoid eval wherever possible; when HTML strings are assembled, validate them and filter out dangerous element and attribute nodes, such as iframe and script tags, the onerror event handler, and the style, src and href attributes.

Possible impact: the user's cookies are leaked, and the stolen session or credentials are used for illegitimate purposes.

Third-party filtering libraries such as HTMLParser.js and he.js can be used to filter illegal characters.
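As an added example (not code from the original post or from the libraries it names), the two checks that address the cases above: escaping untrusted text before it is placed in markup, and allow-listing the scheme of href/src values so that javascript: and data: links are dropped. The comment record and the `renderComment*` functions are constructed for the demonstration; it runs under Node.js without a browser.

```javascript
// Added example (not code from the original post): output encoding for text
// and an allow-list for href/src values, the two checks that address the
// reflected and DOM-based cases described above. Runs under Node.js.

// Escape the characters that let text break out of an HTML context. Apply it
// to every untrusted value interpolated into markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Attribute filter for href/src. The WHATWG URL parser lower-cases the scheme
// and strips leading whitespace, so "  JavaScript:" variants are caught too.
// Relative URLs resolve against the placeholder base and are allowed.
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
function isSafeUrl(raw) {
  try {
    return SAFE_SCHEMES.has(new URL(String(raw), 'https://placeholder.invalid/').protocol);
  } catch {
    return false; // unparseable input is never emitted as a link
  }
}

// Vulnerable rendering: untrusted fields are concatenated straight into the
// HTML string, the situation the post describes.
function renderCommentUnsafe(comment) {
  return `<p class="comment"><a href="${comment.link}">${comment.author}</a>: ${comment.body}</p>`;
}

// Hardened rendering: every value is escaped for its context and the link is
// replaced with "#" unless its scheme is on the allow-list.
function renderCommentSafe(comment) {
  const href = isSafeUrl(comment.link) ? escapeHtml(comment.link) : '#';
  return `<p class="comment"><a href="${href}">${escapeHtml(comment.author)}</a>: ${escapeHtml(comment.body)}</p>`;
}

// Constructed sample input shaped like a typical XSS probe.
const SAMPLE_COMMENT = {
  author: 'Mallory',
  link: 'javascript:alert(1)',
  body: '<img src=x onerror="alert(1)">',
};

console.log(renderCommentUnsafe(SAMPLE_COMMENT));
console.log(renderCommentSafe(SAMPLE_COMMENT));
```

Escaping is the right tool when a value is meant to be text. If users must be allowed to submit rich HTML, use a DOM-based allow-list sanitizer such as DOMPurify rather than regex stripping of script or iframe tags, which is easily bypassed, and prefer `textContent` over `innerHTML` wherever markup is not needed.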

Reference: https://www.cnblogs.com/unclekeith/p/7750681.html

2. CSRF (Cross-Site Request Forgery): forged cross-site GET and POST requests, and how to defend against them

Browsers generally allow several tabs to be open at once. Suppose two tabs are open: one is site A, where the user is legitimately logged in and has a live session; the other is site B, a page containing malicious code that the user was tricked into opening (it need not come from a shady site; it may be a malicious link planted on a large, legitimate forum). Site B can statically or dynamically create img, script and similar tags whose src points at one of site A's API endpoints (for example a GET request such as api.a.com/blog/del?id=1) and thereby issue GET or POST requests. Because the browser attaches the user's credentials, those forged requests arrive authenticated, and that constitutes a CSRF attack. Requests issued through tags in this way are not restricted by the same-origin policy.

Possible impact: simulating form submissions to steal user funds, tampering with the user's data on the target site, stealing private user data.

Defences:

1) The back-end API must validate where the request comes from, e.g. the Referer (or Origin) header.

2) Add a token: send the CSRF token with the request and also write it into a cookie; the request is trusted only when the two tokens match (the double-submit pattern).

Reference: https://www.cnblogs.com/unclekeith/p/7788057.html

3. SQL injection: how to defend against it

This is an old topic; in short:

1. Never trust user input. Validate it, for example with regular expressions or length limits, and escape single quotes and double dashes ("--").

2. Never build SQL by dynamic string concatenation; use parameterised SQL, or stored procedures, for data access.

3. Never connect to the database with an administrator account; give each application its own connection with only the privileges it needs.

4. Do not store confidential information as-is; encrypt, or hash, passwords and other sensitive data.

5. Application error messages should reveal as little as possible; ideally wrap the original error in a custom message.

6. SQL injection is usually detected with helper software or an online platform: on the software side the SQL injection scanner jsky, on the platform side the Yisi (亿思) website security platform.
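Points 1 and 2 side by side, as an added example (not from the original post): the concatenated query the text warns against next to its parameterised form, plus an input validator that rejects the probe before it reaches the query layer. No database is required; both builders return what would be handed to the driver, so the difference is visible in the output. The table, column names and the `?` placeholder style are constructed assumptions.

```javascript
// Added example (not from the original post): concatenated vs parameterised
// SQL, and input validation in front of both.

// Vulnerable: user input becomes part of the SQL text itself.
function buildLoginQueryUnsafe(username, password) {
  return `SELECT id FROM users WHERE name = '${username}' AND pw = '${password}'`;
}

// Parameterised: the SQL text is fixed; values travel separately as bind
// parameters ("?" placeholders as used by common Node.js drivers), so a quote
// or "--" inside a value is just data.
function buildLoginQuerySafe(username, password) {
  return {
    sql: 'SELECT id FROM users WHERE name = ? AND pw = ?',
    params: [username, password],
  };
}

// Point 1: validate shape and length before the value reaches the query.
const USERNAME_RE = /^[A-Za-z0-9_]{3,32}$/;
function isValidUsername(name) {
  return typeof name === 'string' && USERNAME_RE.test(name);
}

// Constructed probe: the quote closes the string literal and the double dash
// comments out the remainder of the statement.
const PROBE = "admin'--";

console.log(buildLoginQueryUnsafe(PROBE, 'x'));
console.log(buildLoginQuerySafe(PROBE, 'x'));
console.log('valid username?', isValidUsername(PROBE));
```

Validation is a defence in depth, not a substitute: only parameterisation (or a stored procedure that itself does not concatenate) keeps data out of the statement structure.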

Reference: https://www.cnblogs.com/sdya/p/4568548.html

4. API abuse (request flooding): how should the front end cooperate with the back end?

1. Unlimited calls to a create endpoint, producing unlimited junk content. The usual remedy is a threshold: for example, once a user has created more than 5 items in a day, require a graphical captcha before further creation is allowed.

2. Anyone with a little experience in the IT industry has seen an API get hammered: a promotion's grand prize is swept up the instant it opens; a marketing campaign's prizes vanish in seconds; a platform's SMS verification endpoint is hit so hard that the account runs up a bill within days.

Check the logs carefully and you find that all of this is done by programs written to call your API automatically. There are now also card merchants and SMS code-receiving platforms that receive and send verification codes professionally and in bulk.

How to do better at preventing API abuse:

1. Do human verification on the front end before sending the request (for example, WeChat's silent authorisation returns a one-time unique code, and a mini-program's wx.login returns a code that the back end can verify a second time; require the user to type a captcha before an SMS code is sent; or use a slide-the-block-into-the-gap style challenge).

2. API parameters should carry a cryptographic signature.

3. The back end should add IP-based abuse controls, e.g. keep a record in a cache and treat repeated calls from the same IP within 5 seconds as abuse.
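The per-user daily threshold from point 1 of this section and the 5-second same-IP rule from point 3, implemented together as an added example (not the original post's code). The counters are kept in memory and the clock is passed in explicitly so the run is reproducible; the IP, user id and timestamps are constructed, and a real deployment would keep the counters in a shared cache.

```javascript
// Added example (not from the original post): in-memory abuse guard for a
// "create" endpoint: same-IP burst detection plus a daily captcha threshold.
const IP_WINDOW_MS = 5_000;    // same IP again within 5 s is treated as scripted abuse
const DAILY_CREATE_LIMIT = 5;  // more than 5 creations a day requires a captcha

class AbuseGuard {
  constructor() {
    this.lastHitByIp = new Map();       // ip -> time of last call (ms)
    this.createsByUserDay = new Map();  // "userId:YYYY-MM-DD" -> count
  }

  // True when this IP already called the endpoint less than IP_WINDOW_MS ago.
  isIpBurst(ip, nowMs) {
    const last = this.lastHitByIp.get(ip);
    this.lastHitByIp.set(ip, nowMs);
    return last !== undefined && nowMs - last < IP_WINDOW_MS;
  }

  dayKey(userId, nowMs) {
    return `${userId}:${new Date(nowMs).toISOString().slice(0, 10)}`;
  }

  createsToday(userId, nowMs) {
    return this.createsByUserDay.get(this.dayKey(userId, nowMs)) || 0;
  }

  recordCreate(userId, nowMs) {
    const key = this.dayKey(userId, nowMs);
    this.createsByUserDay.set(key, (this.createsByUserDay.get(key) || 0) + 1);
  }
}

// Decision for one call. captchaSolved is set by the server after it has
// verified the captcha answer the front end collected.
function handleCreate(guard, { ip, userId, captchaSolved = false }, nowMs) {
  if (guard.isIpBurst(ip, nowMs)) {
    return { status: 429, reason: 'ip-burst' };
  }
  if (guard.createsToday(userId, nowMs) >= DAILY_CREATE_LIMIT && !captchaSolved) {
    return { status: 403, reason: 'captcha-required' };
  }
  guard.recordCreate(userId, nowMs);
  return { status: 201, reason: 'created' };
}

// Constructed scenario: one user posting from one IP during one day.
function simulateDay() {
  const guard = new AbuseGuard();
  const start = Date.parse('2020-01-01T00:00:00Z');
  const who = { ip: '203.0.113.7', userId: 'u1' };
  const results = [];
  for (let i = 0; i < 7; i++) {
    // seven calls spaced 10 s apart, so the IP window never trips
    results.push(handleCreate(guard, who, start + i * 10_000).reason);
  }
  // a scripted burst: 1 s after the previous call
  results.push(handleCreate(guard, who, start + 6 * 10_000 + 1_000).reason);
  // same user, captcha solved, well outside the window
  results.push(handleCreate(guard, { ...who, captchaSolved: true }, start + 8 * 10_000).reason);
  return results;
}

console.log(simulateDay());
```

The same-IP rule is deliberately coarse, as in the text; users behind a shared NAT will collide, so in practice it is paired with the per-user counter rather than used alone.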

5. Spoofed API responses?

Consider this case: the response of a successful login by a legitimate user is intercepted. An attacker then types an arbitrary username and password on the login page and, through a proxy inserted in front of the API, answers that request with the captured successful-login response, and is logged in.

How to prevent this:

1. Add a unique timestamp to the login request and have the response return that same timestamp; the client then rejects any response whose timestamp does not match the request it sent, which rules this case out.

6. Which encryption, hashing and encoding methods are commonly used in front-end JS?

SHA-1, Base64, MD5, AES, SHA-256, SHA-512, RIPEMD-160 and so on. (Of these only AES is a cipher: Base64 is a reversible encoding and the rest are one-way hashes, so none of them except AES keeps data confidential.)

Commonly used open-source libraries:

https://github.com/blueimp/JavaScript-MD5
https://github.com/h2non/jshashes
https://github.com/dankogai/js-base64
https://github.com/auth0/jwt-decode
https://github.com/brix/crypto-js

7. Common-sense handling of sensitive information in API calls

Sensitive user information passed as GET/POST parameters must not use revealing parameter names such as userId, password or uid, and passwords must not be transmitted in plaintext.

8. Older versions of jQuery, other frameworks and front-end components may have security vulnerabilities

The remedy is regular scanning and a planned upgrade schedule, together with a backward-compatibility plan; for example, newer jQuery versions can be upgraded alongside jquery-migrate.

Copyright notice: reposting for learning purposes is welcome => please credit the source as the 「A4纸」 front-end development blog

Author: the blog owner

Talk is cheap, show me the code!
