Common website attack technologies in the field of Web Security


1. SQL injection

The core of a SQL injection attack is to make the web server execute SQL statements chosen by the attacker, in order to obtain data of interest from the database, or to read, modify, delete or insert database contents for the attacker's own purposes.

How does the attacker get the web server to execute his SQL? The usual routine is to place SQL fragments in form fields or request parameters and submit them to the back-end server. If the back end takes those variables and puts them straight into the database query without any input validation, it is very easy to fall victim.

Examples are as follows:

For an interface that fetches user information by user ID, the back-end SQL statement generally looks like this:

select name,[...] from t_user where id=$id

Here, $id is the user ID submitted by the front end. If the front-end request looks like this:

GET xx/userinfo?id=1%20or%201=1

After URL decoding, the request parameter id is "1 or 1=1". If the back end does no security filtering and passes it straight into the database query, the SQL statement becomes:

select name,[...] from t_user where id=1 or 1=1

The result is that every row in the user table is returned, which achieves the attacker's goal of leaking data.

The above is only a very simple example. In real SQL injection attacks the parameter construction and the SQL statements are far more complex than this, but the principle is the same.
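As an added example (not code from the original post), the lookup above reproduced in Python against an in-memory SQLite table named t_user with constructed rows: the vulnerable function splices the decoded id into the SQL text, the safe one validates the value and binds it as a parameter.

```python
import sqlite3
from urllib.parse import unquote


def make_db():
    """Constructed sample table standing in for the page's t_user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table t_user (id integer primary key, name text)")
    conn.executemany("insert into t_user values (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def vulnerable_lookup(conn, raw_id):
    # The request parameter is spliced straight into the SQL text, so
    # "1 or 1=1" turns the WHERE clause into a tautology that matches every row.
    sql = f"select name from t_user where id={raw_id}"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, raw_id):
    # Validate the type first, then bind the value as a parameter;
    # the database engine never interprets attacker-supplied text as SQL.
    if not raw_id.isdigit():
        raise ValueError("id must be a positive integer")
    rows = conn.execute("select name from t_user where id=?", (int(raw_id),))
    return [row[0] for row in rows]


if __name__ == "__main__":
    conn = make_db()
    injected = unquote("1%20or%201=1")          # the page's request, decoded
    print(vulnerable_lookup(conn, injected))    # every user is returned
    print(safe_lookup(conn, "1"))               # only alice
```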

2. XSS attack

XSS stands for cross-site scripting. To distinguish it from Cascading Style Sheets (CSS), the abbreviation XSS is used instead.

The core of an XSS attack is to inject executable front-end script code (generally JavaScript) into a web page. Put plainly, the attacker wants your browser to execute JS code that he wrote. How is that done? XSS is generally divided into two types:

Reflected type

  • 1. The attacker places JS code as a request parameter in a URL and induces the user to click it:

http://localhost:8080/test?name=<script>alert("you are under attack!")</script>

  • 2. After the user clicks, the JS is passed to the web server's back end as a request parameter
  • 3. The back-end server does not check or filter it; after simple processing it is put into the web page body and returned to the browser
  • 4. The browser parses the returned web page and runs the script: hit!
Stored type

In the reflected case the attack script is relayed directly by the server and returned to the browser, where it executes. The difference with the stored type is that the attack script is first saved in the database; when it is queried later, it is rendered into the web page and returned to the browser, where it executes. A common routine looks like this:

  • 1. The attacker's reply on a web page contains a JS script
  • 2. After the reply is submitted to the server, it is stored in the database
  • 3. Other users view the post; the back end queries the post's replies, builds the complete web page and returns it to the browser
  • 4. The user's browser renders the returned web page, and he is hit!
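An added example, not from the original post, covering both the reflected and the stored routines above: a minimal Python renderer takes the page's example URL, extracts the name parameter, and builds the page body with and without HTML escaping; html.escape is what stops the browser from ever seeing a script tag. The page layout and the reply store are constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# The URL from the reflected-XSS routine above.
PAYLOAD_URL = ('http://localhost:8080/test?name='
               '<script>alert("you are under attack!")</script>')


def name_param(url):
    """What the back end receives: the 'name' query parameter, URL-decoded."""
    return parse_qs(urlsplit(url).query).get("name", [""])[0]


def render_reflected(name, escape):
    """Reflected case: the request parameter goes straight back into the page body."""
    shown = html.escape(name, quote=True) if escape else name
    return f"<html><body><h1>Hello, {shown}</h1></body></html>"


def render_thread(replies, escape):
    """Stored case: replies saved earlier are rendered for every later viewer."""
    items = [html.escape(r, quote=True) if escape else r for r in replies]
    return "<ul>" + "".join(f"<li>{r}</li>" for r in items) + "</ul>"


def executes_script(page):
    """Crude stand-in for the browser parsing a <script> element."""
    return "<script" in page.lower()


if __name__ == "__main__":
    name = name_param(PAYLOAD_URL)
    print(executes_script(render_reflected(name, escape=False)))  # True
    print(executes_script(render_reflected(name, escape=True)))   # False
    store = []                       # constructed reply store for the stored case
    store.append(name)               # attacker's reply is saved as-is
    print(executes_script(render_thread(store, escape=True)))     # False
```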

3. CSRF attack

CSRF, cross-site request forgery: its core idea is that while website A is open, another tab opens malicious website B, and under the "instigation" of page B the browser sends an HTTP request to website A. The harm in this process lies in two points:

  • 1. This HTTP request is not the user's own intention but is "instigated" by B; if it is a more harmful operation (sending e-mail, deleting data, etc.), there will be trouble
  • 2. Because website A was opened earlier, the browser holds cookies or other authentication information issued by A, and the "instigated" request carries this information automatically. The back end of website A cannot tell whether this is the user's real intention
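An added example, not part of the original post, showing the two defences that address those two points on website A's side: an Origin/Referer check, and a per-session synchronizer token that a page on website B cannot read even though the browser attaches A's cookie automatically. The origin https://a.example and the request dictionaries are assumptions made for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_A = "https://a.example"   # assumed origin of website A


def issue_csrf_token(session):
    """Mint a per-session token; A embeds it in its own forms, so B never sees it."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def same_origin(request):
    """Does the Origin header (or Referer as fallback) name website A?"""
    headers = request["headers"]
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_A


def is_csrf_safe(request, session):
    """Accept a state-changing request only if it came from A's own page
    and carries the token stored in the session; the cookie alone proves who
    the browser is, not what the user meant."""
    sent = request["form"].get("csrf_token", "")
    expected = session.get("csrf_token", "")
    if not expected or not same_origin(request):
        return False
    return hmac.compare_digest(sent.encode(), expected.encode())


if __name__ == "__main__":
    session = {"user": "alice"}
    token = issue_csrf_token(session)
    # Constructed requests: the cookie is present in both, as the browser adds it.
    legit = {"headers": {"Cookie": "sid=abc", "Origin": "https://a.example"},
             "form": {"action": "delete", "csrf_token": token}}
    forged = {"headers": {"Cookie": "sid=abc", "Origin": "https://b.example"},
              "form": {"action": "delete"}}
    print(is_csrf_safe(legit, session), is_csrf_safe(forged, session))  # True False
```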

4. DDoS attack

DDoS stands for distributed denial of service, and it is an upgraded version of the denial of service (DoS) attack. A denial of service attack, as the name suggests, makes a service unavailable. It is often used against servers that provide external services, such as:

  • Web services
  • Mail services
  • DNS services
  • Instant messaging services
  • ……
The attacker keeps issuing service requests so that the requests of legitimate users cannot be processed in time. This is a DoS attack.

When the attacker uses many computers or computer clusters to carry out the DoS attack, it is a DDoS attack.

In the early days, when Internet technology was less developed, launching a DoS attack was easy: write a program on one powerful computer and have multiple threads send requests to the server without pause. The server was overwhelmed and eventually could not handle normal requests; to other users the website simply seemed unreachable, which is denial of service.

Later, as technology developed, a service was no longer a single server. Behind the domain name you access there are countless CDN nodes and countless web servers.

In this situation, trying to overload a network service from a single computer is like an egg hitting a stone: the target does not go down, and the attacker's own machine gives out first.

Technology has always been a double-edged sword. Distributed technology can be used to provide highly available services, but it can also be used by attackers to carry out large-scale destructive attacks. Attackers are no longer limited to the capacity of a single computer and instead launch denial of service attacks from large network clusters.

5. DNS hijacking

In today's Internet traffic, the traffic generated by web services based on HTTP/HTTPS accounts for the vast majority. The flourishing of web services is inseparable from an unsung hero: the Domain Name System (DNS).

Without DNS, we would have to remember the IP address of each website instead of its domain name when browsing. That would be a disaster. Fortunately, DNS does all of this silently: we only need to remember a domain name and leave the rest to DNS.

Precisely because of its importance, people with ulterior motives will not leave it alone, and DNS hijacking techniques were invented.

DNS provides the service of converting domain names into IP addresses. However, security was not given much consideration in the design of the early protocol. From the querying party's point of view:

  • Is it really a DNS server I’m requesting? Is it someone else pretending?
  • Has the query result been tampered with? Is this IP really from this website?
The DNS protocol has no mechanism to guarantee answers to these questions, so DNS hijacking is very widespread. From the moment the user types a domain name into the address bar, dangers lurk at every step along the way:

  • A Trojan on the local computer modifies the hosts file
  • A Trojan on the local computer modifies the response in the DNS packet
  • Nodes in the network (such as routers) modify the response in the DNS packet
  • Nodes in the network (such as operators) modify the response in the DNS packet
  • ……
Later, in order to verify the DNS responses received at the client, DNSSEC appeared, which solves some of the above problems to a certain extent. However, for various reasons, this technology has not been deployed on a large scale, especially in China.

Later still, leading Internet companies such as Alibaba and Tencent launched HTTPDNS services, which take a different approach. Although the name still contains the three letters DNS, the implementation is very different from the original DNS: with this technology, DNS becomes an application service carried over HTTP.

6. JSON hijacking

JSON is a lightweight data exchange format, and hijacking means stealing data (it could also be called robbery or interception). A malicious attacker intercepts, by some specific means, JSON data that should have been returned to the user and has it sent back to the attacker instead. That is the general meaning of JSON hijacking. Generally speaking, the hijacked JSON data contains sensitive information or valuable data.

7. Brute force cracking

This is generally aimed at passwords. Weak passwords are easily guessed by others (people who know you well, etc.) or cracked by brute-force tools.

Solution: the password complexity should be large enough, the password should be kept sufficiently secret, and the number of attempts should be limited.

8. HTTP header tracking

The HTTP/1.1 specification (RFC 2616) defines the HTTP TRACE method, which is mainly used by clients to test or obtain diagnostic information by submitting TRACE requests to web servers.

When TRACE is enabled on the web server, the submitted request headers are returned in full in the body of the server's response. Those HTTP headers are likely to include session tokens, cookies or other authentication information. Attackers can exploit this to deceive legitimate users and obtain their private information.

Disable the HTTP TRACE method on the web server.

9. Information disclosure

Because the web server or application does not handle certain special requests correctly, it leaks sensitive information about the web server, such as user names, passwords, source code, server information, configuration information, etc.

Therefore, general attention should be paid to:

When the application reports an error, it must not expose debugging information externally; the data and special characters submitted by users must be filtered; and the security of the source code and server configuration must be ensured.

10. Directory traversal vulnerability

The attacker sends a request to the web server with "../" appended to the URL or to a directory of special significance, or with some variant of it (such as "..\", "..//", or even an encoded form). This allows the attacker to access unauthorized directories and execute commands outside the web server's root directory.
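An added example (not from the original post) of the server-side check that defeats the variants listed above: the requested path is percent-decoded repeatedly, backslashes are folded into slashes, the result is joined to the web root and normalised, and anything that ends up outside the root is refused. The web root /var/www/html is an assumption; the path handling is purely lexical, so it runs without those files existing.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"   # assumed document root


def decode_fully(path, rounds=3):
    """Undo percent-encoding until it stops changing, so that double-encoded
    sequences such as %252e%252e%252f are seen as '../' too."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def resolve_under_root(requested):
    """Map a URL path onto WEB_ROOT; return the absolute file path, or None
    if the normalised path escapes the root."""
    decoded = decode_fully(requested).replace("\\", "/")   # '..\' variants
    relative = decoded.lstrip("/")   # keep posixpath.join anchored at WEB_ROOT
    full = posixpath.normpath(posixpath.join(WEB_ROOT, relative))
    # normpath collapses '.' and '..'; commonpath compares whole components,
    # so /var/www/html2 is not mistaken for a child of /var/www/html.
    if posixpath.commonpath([WEB_ROOT, full]) != WEB_ROOT:
        return None
    return full


if __name__ == "__main__":
    for req in ["/images/logo.png", "/../../../etc/passwd",
                "..%2f..%2f..%2fetc%2fpasswd", "..\\..\\..\\etc\\passwd"]:
        print(req, "->", resolve_under_root(req))
```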

11. Command Execution Vulnerability

A command execution vulnerability lets an attacker send a request through a URL that executes unauthorized commands on the web server, in order to obtain system information, tamper with the system configuration, take control of the whole system, paralyze the system, etc.

12. File upload vulnerability

If the file upload path variable is not strictly filtered, and the file suffix and file type uploaded by the user are not strictly restricted, the attacker can upload arbitrary files into a directory reachable from the web, including a website backdoor file (webshell), and then remotely control the web server.

Therefore, general attention should be paid to:

When developing websites and applications, uploaded files must be strictly restricted and validated, uploading of malicious code files must be prohibited, the execution permissions of the relevant directories must be restricted, and webshell attacks must be prevented.
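An added example, not from the original post, of the upload validation the paragraph calls for: the client-supplied name is reduced to its base name, exactly one suffix from an allowlist is required (so "shell.php.png" is rejected), the file header must match the declared image type, and the file is stored under a random server-chosen name. The allowlist, the magic bytes and the upload directory are assumptions; the sample PNG header is constructed.

```python
import secrets
from pathlib import PurePosixPath

# Assumed allowlist: extension -> leading bytes the content must start with.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
UPLOAD_DIR = "/var/www/uploads"   # assumed; must be served with execution disabled


def validate_upload(client_filename, data):
    """Return a safe server-side file name for an accepted upload, or None."""
    # Drop any directory part the client sent, in either slash convention.
    base = PurePosixPath(client_filename.replace("\\", "/")).name
    suffixes = PurePosixPath(base).suffixes
    # Exactly one suffix: rejects "shell.php.png", "x.png." and names with no extension.
    if len(suffixes) != 1:
        return None
    ext = suffixes[0].lower()
    magic = ALLOWED.get(ext)
    # The extension alone is not trusted: the content must look like that type.
    if magic is None or not data.startswith(magic):
        return None
    # Never reuse the client's name; a random name defeats overwrite and guessing.
    return f"{secrets.token_hex(16)}{ext}"


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16      # constructed PNG header
    print(validate_upload("photo.png", png))       # random name ending in .png
    print(validate_upload("shell.php.png", png))   # None
    print(validate_upload("fake.png", b"<?php"))   # None: content is not PNG
```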

13. Other vulnerabilities

  • SSLStrip attack
  • OpenSSL Heartbleed vulnerability
  • CCS injection vulnerability
  • Certificate validity verification vulnerability

14. Business vulnerability

Business vulnerabilities are generally tied to a specific application, for example parameter tampering (sequential IDs / orders, 1 yuan payment), replay attacks (faked payment), and access control (operations beyond one's authority), etc.

15. Framework or application vulnerabilities

  • WordPress 4.7 / 4.7.1: REST API content injection vulnerability
  • Drupal module RESTWS 7.x: remote PHP code execution
  • SugarCRM 6.5.23: REST PHP object injection exploit
  • Apache Struts: REST plugin with dynamic method invocation remote code execution
  • Oracle GlassFish Server: REST CSRF
  • QQ Browser 9.6: API permission control problem leads to disclosure of private mode
  • Hacking Docker: unauthorized access to the Registry API

Author: senntyou
Follow me for more content from time to time, to make your technical skills sharper.