User login is a necessary part of almost every Web application. To prevent attackers from logging in automatically with bots, Web applications usually add some verification method, such as requiring the user to enter a graphic captcha or drag a slider. However, if the verification logic runs only on the front end, an attacker can easily bypass it.
The iFlow business security reinforcement platform can apply a dynamic virtual patch to an application that verifies only on the front end, turning the check into verification logic that must be executed by both the front end and the back end, which greatly raises the difficulty for attackers.

Take an open-source shopping website as an example: its administrator back-end login uses front-end verification only. Let's try it and see how, without modifying the website's source code, iFlow can be used to implement verification on both the front end and the back end.

1. The original website: front-end validation only

The original website has a drag-slider check, but it is verified only on the front end, so it is very easy for an attacker to bypass.

1.1 Normal user access

After the webmaster enters the account and password, the slider below must be dragged all the way to the right; only then does clicking the login button send the login information.

At the HTTP protocol level, the interaction between a normal user's browser and the Web server is as follows:
1. Address bar input: /shopx/admin.php
2. Browser -> Web server: request /shopx/admin.php; Web server returns the login page
3. Browser -> Web server: request /shopx/js/drag.js; Web server returns drag.js
4. Browser displays the login page; the user fills in the account and password
5. The user drags the slider; the front-end code sets the front-end element
6. The user clicks the login button; the front-end element check passes
7. Browser -> Web server: sends the login information; Web server returns the login results page
8. Browser displays the login results page

In terms of implementation, when the user drags the slider to the far right, the front-end code sets the value of a DOM data element, validate-status, to 1.

1.2 Attacker access

Using the browser's built-in developer tools (F12) or a browser automation tool (such as WebDriver), the value of the data element validate-status can be set directly to 1.

The following figure shows how the element can be modified using only the browser's own tools:

In this way the attacker can send the login information without actually dragging the slider. At the HTTP protocol level, the interaction between the attacker's browser and the Web server is as follows:
1. Address bar input: /shopx/admin.php
2. Browser -> Web server: request /shopx/admin.php; Web server returns the login page
3. Browser -> Web server: request /shopx/js/drag.js; Web server returns drag.js
4. Browser displays the login page; the attacker fills in the account and password
5. 【The attacker modifies the front-end element by hand】
6. The attacker clicks the login button; the front-end element check passes
7. Browser -> Web server: sends the login information; Web server returns the login results page
8. Browser displays the login results page

2. The website after the iFlow virtual patch

We deploy the iFlow business security reinforcement platform in front of the Web server. It can intercept, evaluate and modify HTTP messages in both directions and has its own storage, so it acts as a virtual patch for the Web application. In this case, iFlow inserts code dynamically on the front end and keeps session-based state on the back end, so that the slider verification logic runs on the front end and on the back end at the same time.

2.1 Normal user access

iFlow dynamically inserts a piece of code into the front-end script that handles the drag slider. When the user finishes dragging the slider, the browser automatically sends a message to iFlow, which iFlow saves as a mark. When the user then sends the login information, iFlow checks for the mark; for a normal user the mark must exist, so the login process continues normally.

The HTTP protocol interaction for a normal user (browser, iFlow, Web server) is as follows:
1. Address bar input: /shopx/admin.php
2. Browser -> Web server: request /shopx/admin.php; Web server returns the login page
3. Browser -> Web server: request /shopx/js/drag.js; Web server returns drag.js; iFlow modifies the response by inserting code into drag.js
4. Browser displays the login page; the user fills in the account and password
5. The user drags the slider; the front-end code sets the front-end element; Browser -> iFlow: request /iflow/dragged.dummy; iFlow sets the drag_ok flag for the session
6. The user clicks the login button; the front-end element check passes; Browser -> iFlow: sends the login information
7. iFlow finds the drag_ok flag in the session; iFlow -> Web server: sends the login information; Web server returns the login results page
8. Browser displays the login results page

2.2 Attacker access

As shown before, the attacker forcibly modifies the front-end element and so passes the front-end check. But when the login message is sent, it fails iFlow's check for the mark: the attacker never actually dragged the slider, so the marking request was never sent and the mark does not exist. iFlow can therefore judge this to be an attacker's visit and terminate the login process.

The HTTP protocol interaction for the attacker (browser, iFlow, Web server) is as follows:
1. Address bar input: /shopx/admin.php
2. Browser -> Web server: request /shopx/admin.php; Web server returns the login page
3. Browser -> Web server: request /shopx/js/drag.js; Web server returns drag.js; iFlow modifies the response by inserting code into drag.js
4. Browser displays the login page; the attacker fills in the account and password
5. 【The attacker modifies the front-end element by hand】
6. The attacker clicks the login button; the front-end element check passes; Browser -> iFlow: sends the login information
7. iFlow finds no drag_ok flag in the session; access denied
8. Browser: access denied

2.3 Code

iFlow's built-in W2 language is a programming language designed for Web security reinforcement. It sits between a configuration format and a general-purpose language: it has the basic elements of programming plus extensions specific to the HTTP protocol, and it can express logic involving complex judgments and dynamic modifications for a business system.

Considering that users of security products are usually not programmers and are more used to configuration files than to code, the W2 language, although it contains programming-language elements, is still presented as a rule file, using the JSON format, which reflects hierarchical structure and is easy to check lexically.

The virtual patch described above, implemented in the W2 language, is as follows:
    [
      {
        "if": [ "REQUEST_FILENAME == '/shopx/js/drag.js'" ],
        "then": {
          "execution": {
            "directive": "alterResponseBody",
            "op": "string",
            "target": "function dragOk(){",
            "substitute": "function dragOk(){$.get('/iflow/dragged.dummy');"
          }
        }
      },
      {
        "if": [ "REQUEST_FILENAME == '/iflow/dragged.dummy'" ],
        "then": {
          "execution": [ "SESSION.drag_ok@60 = true" ]
        }
      },
      {
        "if": [
          "REQUEST_FILENAME == '/shopx/admin.php'",
          "@ARGS.s == 'login'",
          "!SESSION.drag_ok"
        ],
        "then": {
          "verdict": { "action": "deny", "log": "Drag verifycode is not ok!" }
        }
      }
    ]
The sample code contains three rules, whose effects are as follows:

Rule one

When the browser requests drag.js, iFlow intercepts the response message and inserts a code fragment into the dragOk() function. Its purpose is to send a verification request, /iflow/dragged.dummy (handled by the next rule), to the server when the user drags the verification box.

Rule two

When the browser requests /iflow/dragged.dummy (sent automatically by the dragOk() function after the user has dragged the slider), iFlow intercepts this request and sets the drag_ok flag in the session (SESSION) storage to true.

Rule three

When the user clicks the login button and the login request is made, iFlow intercepts this request and checks whether the drag_ok flag in the session (SESSION) storage is true (for a normal user it should have been set by the previous rule). If it is not true, iFlow prevents the user from continuing.

Note: the drag_ok flag in the session above is stored on the server side, in iFlow's storage; the browser side cannot see this data, let alone modify it.
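To make the three rules and the two interaction flows above concrete, here is an added Python simulation; it is not iFlow code and not the shop site's code. A small in-process "proxy" class applies the same three rules (rewrite drag.js, set a server-side session flag on /iflow/dragged.dummy, deny the login submission when the flag is absent) in front of a constructed stand-in for the unmodified shop application. The paths, the rewritten function name and the @ARGS.s == 'login' condition come from the rule file on the page; the 60-second lifetime for the flag is an assumption about what the "@60" suffix on SESSION.drag_ok means, and the session ids, the upstream responses and the HTTP status codes are constructed for the example.

```python
"""Simulation of the three-rule virtual patch (added example, not iFlow's own code)."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

DRAG_JS_PATH = "/shopx/js/drag.js"         # paths taken from the rule file on the page
DUMMY_PATH = "/iflow/dragged.dummy"
LOGIN_PATH = "/shopx/admin.php"
# Assumption: the "@60" suffix on SESSION.drag_ok in the W2 rule is read here as a
# 60-second lifetime for the flag; the page itself does not define the suffix.
FLAG_TTL_SECONDS = 60
INSERTED_JS = "function dragOk(){$.get('/iflow/dragged.dummy');"


@dataclass
class Request:
    path: str
    session_id: str                 # constructed stand-in for the session cookie
    args: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


def upstream_app(req: Request) -> Response:
    """Constructed stand-in for the unmodified shop site: the slider is checked only in JS."""
    if req.path == DRAG_JS_PATH:
        return Response(200, "function dragOk(){ validateStatus.value = 1; }")
    if req.path == LOGIN_PATH and req.args.get("s") == "login":
        return Response(200, "login results page")   # the app never checks the slider itself
    if req.path == LOGIN_PATH:
        return Response(200, "login page")
    return Response(404, "not found")


class VirtualPatch:
    """Sits in front of the app and applies the three rules from the W2 file."""

    def __init__(self, upstream: Callable[[Request], Response],
                 now: Callable[[], float] = time.time):
        self.upstream = upstream
        self.now = now
        # Server-side session store: session id -> expiry time of its drag_ok flag.
        # The browser never sees this, which is the whole point of rule two.
        self._drag_ok_until: Dict[str, float] = {}

    def _drag_ok(self, session_id: str) -> bool:
        expiry = self._drag_ok_until.get(session_id)
        if expiry is None:
            return False
        if self.now() >= expiry:            # flag outlived its TTL: treat as absent
            del self._drag_ok_until[session_id]
            return False
        return True

    def handle(self, req: Request) -> Response:
        # Rule two: the request fired by the inserted JS sets the session flag.
        if req.path == DUMMY_PATH:
            self._drag_ok_until[req.session_id] = self.now() + FLAG_TTL_SECONDS
            return Response(204, "")
        # Rule three: a login submission without the flag is denied before reaching the app.
        if (req.path == LOGIN_PATH and req.args.get("s") == "login"
                and not self._drag_ok(req.session_id)):
            return Response(403, "Drag verifycode is not ok!")
        resp = self.upstream(req)
        # Rule one: rewrite drag.js on the way back so dragOk() reports to the proxy.
        if req.path == DRAG_JS_PATH:
            resp.body = resp.body.replace("function dragOk(){", INSERTED_JS, 1)
        return resp


def make_patch(clock: list) -> VirtualPatch:
    """Patch with a controllable clock (clock[0] is 'now') so expiry can be demonstrated."""
    return VirtualPatch(upstream_app, now=lambda: clock[0])


def normal_user_flow(patch: VirtualPatch, sid: str = "user-session") -> int:
    """Section 2.1: the browser runs the inserted $.get after the drag, then logs in."""
    patch.handle(Request(LOGIN_PATH, sid))
    patch.handle(Request(DRAG_JS_PATH, sid))
    patch.handle(Request(DUMMY_PATH, sid))          # sent by the rewritten dragOk()
    return patch.handle(Request(LOGIN_PATH, sid, {"s": "login"})).status


def attacker_flow(patch: VirtualPatch, sid: str = "attacker-session") -> int:
    """Section 2.2: validate-status is edited by hand, so no dummy request is ever sent."""
    patch.handle(Request(LOGIN_PATH, sid))
    patch.handle(Request(DRAG_JS_PATH, sid))
    return patch.handle(Request(LOGIN_PATH, sid, {"s": "login"})).status


if __name__ == "__main__":
    patch = make_patch([1000.0])
    print("normal user login status:", normal_user_flow(patch))
    print("attacker login status:", attacker_flow(patch))
```

The flag is keyed by session id and only ever lives in the proxy's memory, so a client that edits its DOM, or even one that forges a different session id, cannot produce it; the simulated clock shows that a flag older than its lifetime is treated as absent, which is the behaviour one would want from the "@60" suffix if it is indeed a TTL.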

3. Summary

Using three rules and without modifying the server-side code, iFlow transparently implements drag verification logic that is executed on the back end.

In addition, we can see that iFlow rules are customized according to the actual situation of the application and the specific requirements of the security function. They are not "out of the box", but they are well suited to building complex protection logic.

Of course, this is only an introductory example, whose main purpose is to show the defensive ideas and strategies, and what iFlow can do. Attentive readers will realize that an attacker can adopt a corresponding attack mode against this defense (such as actively sending the back-end verification request), and that defenders can in turn make their defense more sophisticated (such as JS obfuscation, or checking sliding speed and time). We will expand on these gradually in future examples. At the very least, compared with the original website, attackers now have a harder time fooling the Web application.
