Front-end security notes #243

Open
FrankKai opened this issue Nov 30, 2020 · 0 comments

FrankKai commented Nov 30, 2020

XSS (Cross Site Scripting)

Attack

  • Types: stored, reflected, DOM-based
  • DOM API injection: innerHTML (v-html), outerHTML, document.write()
  • JS API injection: inline event listeners, eval(), setTimeout, setInterval

Defenses

  • Filter and escape input
  • XSS attack strings, XSS vulnerability detection tools
  • Prefer a template engine over native DOM APIs; avoid inline events; avoid building HTML by string concatenation
  • Cookies containing sensitive data are written by the server with httpOnly; the event isTrusted property
  • Captcha (the phone is a sandbox and hard to steal from), image captcha, gesture verification, face recognition, etc.

CSRF (Cross Site Request Forgery)

Attack

  • Craft a malicious forged request and lure the user into triggering it (manually via a link, or automatically via a script)
  • GET type: modify URL parameters; POST type: forge a form with hidden inputs

Defenses

  • Browser same-origin policy / CORS (Referrer and Origin)
  • Add a token (md5, md5 with salt)
  • sameSite cookie (fairly strict restriction)
  • Cookies containing sensitive data are written by the server with httpOnly; the event isTrusted property