Summary of typical attack methods and countermeasures against web applications
With the enhancement of browser functions, various applications can be realized on the web. At the same time, the number of cases where websites and web apps handle important information is increasing, and hackers are becoming more and more targeted. Engineer Varun Nike has posted a blog about typical attack methods that hackers often use in such situations and their countermeasures.
CSRF, CORS, and HTTP Security headers Demystified
◆ 1: CSRF
CSRF is an abbreviation for Cross-Site Request Forgery, which is an attack in which a third party takes action on a website on which a user is logged in. The attack is carried out according to the following procedure.
1. User visits a malicious website
2. Malicious websites have a hidden form for submitting remittance requests to the online bank, and if the user remains logged in to the online bank, the user will issue a remittance instruction.
3. Malicious websites and online banks have different origins , so the browser does not convey the result of the request to the malicious website, but the remittance itself is done.
To protect against these attacks, Nike says it's best to use the CSRF token mechanism below.
1. Each time the online bank provides the form to the user, generate a CSRF token and insert it into the hidden field of the form
2. When receiving a request from a user, check the CSRF token to see if it matches what was previously generated
In order to protect CSRF, it is necessary to add code to the application, and it can not be protected by proxy server layer such as Nginx. In addition, CSRF can be prevented simply by using the SameSite attribute for cookies.
◆ 2: CORS
CORS is an abbreviation for cross-origin resource sharing, and is a mechanism for mitigating security that enables the use of resources of another origin, which is normally impossible. When a website makes an XHR to another origin, the browser first makes a request called preflight to see if access from the current website is allowed.
By using the CORS mechanism, you can access the same API from multiple websites such as 'gigazine.net', 'gigazine.co.jp', and 'gigazine.biz'. Also, if you want to provide an API that can be used from a browser to a third party, you need to set CORS.
In addition, since CORS is a browser protection function, it does not work with communication from other than the browser such as hacker's own tools.
sanitization, and it is the most commonly used method.
◆ 3: XSS
XSS is an abbreviation for cross-site scripting, an attack in which a hacker inserts a client-side script into a web page. It is often installed using an input form with insufficient
To prevent XSS, it is important to sanitize when displaying the input received from the user. According to Nike, it is better to sanitize on the output side instead of the input side, and by leaving the raw data in the database, the REST API will provide the data that was previously provided only in HTML. It will be possible to flexibly respond to changes in business requirements such as.
To protect your application from XSS, you should refer to 'Cross Site Scripting Prevention --OWASP Cheat Sheet Series'.
◆ 4: CSP
CSP stands for Content Security Policy and is an additional layer of security to mitigate XSS attacks. By specifying a valid domain as a source for scripts, CSS, images, frames, form actions, etc., it is a mechanism to prevent loading of resources from domains that are not on the white list.
Although XSS cannot be ignored just because CSP is set, it is useful for reducing damage after intrusion. However, it seems that setting CSP is very difficult, and every time you add a new font or script to the website, you need to set CSP properly, and although it works during development, it breaks in the production environment. Problems tend to occur, says Nike.
To implement CSP, ' Content-Security-Policy Header ⟶ CSP Reference & Examples ' will be helpful, and Google's test tools will also be useful.
◆ 5: HSTS
HSTS is an abbreviation for HTTP Strict Transport Security, a feature that prevents protocol downgrade attacks and cookie hijacking by allowing the server to declare that the browser can only be accessed using HTTPS, not HTTP. That is.
For example, when using Free Wi-Fi on the go, if the access point is prepared by a hacker, there is a risk that the data exchanged with the website will be stolen, but the website will use HSTS. If you are using it and have accessed it via HTTPS even once before, security will be maintained. If a hacker attempts a MITM attack in this situation, the browser will deny access.
◆ 6: Certificate Transparency
'Certificate Transparency' is a method for checking whether the certificate for HTTPS communication has been forged. When the certificate authority issues the certificate, the issue information is recorded in the public log, and the browser searches the log server using the SCT (signed certificate time stamp) field of the certificate, and the certificate is You can verify the validity of the certificate by checking if it matches the log record.
By introducing the above mechanism, it is possible to prevent the domain certificate from being issued without the domain owner's knowledge. For more information, ' Certificate Transparency: Certificate Transparency ' is stated to be helpful.
◆ 7: Set-Cookie
' Set-Cookie ' is an HTTP header that has been used for a long time and is used by a wide range of websites, and it is the most important header to configure correctly. However, setting Set-Cookie is easy, and there are some directives in Set-Cookie, but in principle, you should set the following three.
・ SameSite = Strict
This setting prevents CSRF attacks by making cookies unavailable from another domain.
Cookies are only available on HTTPS connections.
Nike said the workarounds on this page are just a small part of what is feasible, and many of the top 10 web security reports published by the OWASP security organization are due to the application itself. As such, application design and architecture are also important for security.