When I was learning hacking techniques long ago, I did not take web-side security seriously. At that time system-level exploits were still the fashion in the circle; remote overflows and local privilege escalation were all the rage. "Automatic propagation" and "taking down system privileges" were the main goals of the day, and that was also the golden age of network security.
However, after 2000 people began to pay attention to web security. SQL injection first became a star, then went out of control: all kinds of seemingly solid systems, servers with nothing but port 80 open, turned out to be extremely vulnerable under this kind of attack. The era of web security had arrived.
SQL injection plus uploading a webshell became the mainstream of the trade, and almost no dynamic web service could withstand it. Large and medium-sized enterprises and institutions stepped up inspection and blocking on port 80; seeing a few SQL injection attempts blocked in the logs, they smiled with satisfaction.
However, is SQL injection really the only trick in the powerful web hacking repertoire?
Recently the book "Web Front-End Hacker Techniques Revealed" (《Web前端黑客技术揭秘》) appeared on the market, and it reveals the answer for you.
If SQL injection is the more direct route, front-end methods such as XSS, CSRF and clickjacking are applied far more subtly.
In this book the authors expound the idea that "grass, trees, bamboo and stones can all be swords": in their eyes URL, HTML, JavaScript, CSS, ActionScript... almost every corner can conceal a lethal trick.
Whether it is the headache-inducing exploration of XSS and CSRF, or the dissection of web worms and interface-manipulation hijacking, this book delivers flashes of insight.
To give a few examples of front-end hacking, look at two posts that have been popular on the Internet recently: "DOM XSS Vulnerability in Yahoo Mail" and "How to Get the Final Exam Paper and Change Grades by Hacking a Teacher's Mailbox". The XSS hacks used in them are front-end hacking techniques. And of course there is the cross-site scripting worm that once ran rampant on Twitter, a classic case of front-end hacking. Yet these techniques are only part of what "Web Front-End Hacker Techniques Revealed" covers; the analysis of further real-world cases from Baidu, Google, Renren and others is dazzling.
HTML5, whose new standard was confirmed at the end of 2012, also gets a chapter of its own. Perhaps because I dabbled in HTML5 video technology for a while, this chapter impressed me deeply and reminded me what to watch out for when writing HTML5 code.
Many of the HTML5 cross-site approaches described in the book are enough to bypass some existing IPS intrusion-defense systems and WAF rule sets. Newly added attributes such as formaction, onformchange, onforminput and autofocus make cross-site scripting defense even more challenging.
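The defensive counterpart of that observation is the difference between a blocklist and an allowlist. The following is an added example, not code from the book or from this article: a naive blocklist of pre-HTML5 event handlers beside a small allowlist sanitizer built on Python's `html.parser`. The blocklist, the allowed tag/attribute table and the sample fragments are all constructed for the demo; the point is that the allowlist drops `formaction`, `onformchange`, `onforminput` and `autofocus` without ever having heard of them.

```python
"""Allowlist-based HTML attribute sanitizer (added example; constructed inputs).

Contrasts a naive blocklist of pre-HTML5 event handlers with an allowlist that
keeps only known-safe tags and attributes, so HTML5 additions such as
formaction, onformchange, onforminput and autofocus are dropped without
having to be enumerated.  Nothing here is code from the book or the article.
"""
import re
from html import escape
from html.parser import HTMLParser

# Blocklist of the kind an older filter might carry (constructed for the demo).
LEGACY_BLOCKLIST = ("onclick", "onload", "onerror", "onmouseover", "onfocus")

# Allowlist: tag -> permitted attribute names.  Anything else is discarded.
ALLOWED = {
    "p": set(), "b": set(), "i": set(), "br": set(),
    "a": {"href"},
    "form": {"method"},
    "input": {"type", "name", "value"},
}
VOID_TAGS = {"br", "input"}                            # never emit a closing tag
SAFE_URL = re.compile(r"^(https?:)?/", re.IGNORECASE)  # http(s) or relative only


def legacy_filter_flags(fragment: str) -> bool:
    """Blocklist check: True only if one of the listed handler names appears."""
    lowered = fragment.lower()
    return any(name in lowered for name in LEGACY_BLOCKLIST)


class AllowlistSanitizer(HTMLParser):
    """Rebuilds a fragment, keeping only allowlisted tags and attributes."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return                                # unknown tag: dropped whole
        kept = []
        for name, value in attrs:                 # HTMLParser lowercases names
            if name not in ALLOWED[tag]:
                continue                          # drops on*, formaction, autofocus, ...
            if name == "href" and not SAFE_URL.match(value or ""):
                continue                          # drops javascript:, data:, etc.
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))             # text is always entity-escaped


def sanitize(fragment: str) -> str:
    """Return the allowlisted rebuild of an untrusted HTML fragment."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


# Constructed sample fragments: one classic vector, three HTML5-era ones.
SAMPLES = {
    "classic":     '<img src=x onerror="alert(1)">',
    "onforminput": '<form onforminput="alert(1)"><input name="q"></form>',
    "formaction":  '<input type="submit" formaction="javascript:alert(1)">',
    "autofocus":   '<input autofocus onformchange="alert(1)">',
}

if __name__ == "__main__":
    for label, frag in SAMPLES.items():
        print(f"{label:12} blocklist flags: {legacy_filter_flags(frag)!s:5} "
              f"allowlist output: {sanitize(frag)!r}")
```

Running it shows the blocklist catching only the `onerror` sample while the three HTML5 fragments pass untouched, whereas the allowlist rebuilds each of them with the dangerous attribute gone. The allowlist table is deliberately tiny; a real deployment would extend it per tag, but never by adding attribute names to a deny list.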
In the final chapter the authors put forward defensive measures (domain separation, secure transmission, secure cookies, a good CAPTCHA, caution with third-party content, X-Frame-Options against framing, use of tokens, and so on) from the perspectives of browser vendors, website engineers, users and others, so that readers can be fully prepared before facing this kind of attack. In addition, to help readers see the web front-end hacking field as a whole, the authors Zhong Chenming (cosine) and Xu Shaopei (xisigr) have also produced a dedicated analysis chart.
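Several of the measures in that list are a few lines of server code each. The following is an added example, not from the book or this article, that packages three of them as plain Python helpers: an X-Frame-Options header against clickjacking, a Secure/HttpOnly session cookie pinned to one host (a minimal form of domain separation), and a CSRF token bound to the session with an HMAC. `SERVER_SECRET`, the session ids, the request dictionary and the function names are all constructed for the demo.

```python
"""Server-side helpers for the defences listed above (added example).

Not code from the book or the article.  Covers X-Frame-Options against
clickjacking, Secure/HttpOnly cookies scoped to one host (domain separation),
and a CSRF token bound to the session with an HMAC.  SERVER_SECRET, the
session ids and the sample request are constructed demo values.
"""
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed demo secret; a real deployment loads it from outside the source.
SERVER_SECRET = b"constructed-demo-secret-change-me"


def security_headers() -> dict:
    """Headers for every response: refuse framing so the UI cannot be hijacked."""
    return {"X-Frame-Options": "DENY"}


def secure_cookie(name: str, value: str, host: str) -> str:
    """Set-Cookie value: Secure (HTTPS only), HttpOnly (no script access),
    Domain pinned to the application host rather than a shared parent domain."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["secure"] = True
    jar[name]["httponly"] = True
    jar[name]["path"] = "/"
    jar[name]["domain"] = host
    return jar[name].OutputString()


def _mac(session_id: str, nonce: str) -> str:
    """HMAC-SHA256 over session id and nonce; ties the token to one session."""
    return hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(),
                    hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str) -> str:
    """Token = nonce.HMAC(secret, session_id:nonce); valid for this session only."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Constant-time check that the token was minted for this session."""
    nonce, sep, mac = token.partition(".")
    if not sep or not nonce:
        return False                      # missing or malformed token
    return hmac.compare_digest(mac, _mac(session_id, nonce))


def handle_state_change(request: dict):
    """Gate for a POST: the session cookie must exist and the form token must
    match it.  `request` is a constructed stand-in for a framework request."""
    session_id = request.get("cookies", {}).get("sid")
    token = request.get("form", {}).get("csrf_token", "")
    if not session_id or not verify_csrf_token(session_id, token):
        return 403, "CSRF check failed", security_headers()
    return 200, "ok", security_headers()


if __name__ == "__main__":
    sid = secrets.token_hex(8)
    tok = issue_csrf_token(sid)
    print(secure_cookie("sid", sid, "app.example.test"))
    print(handle_state_change({"cookies": {"sid": sid}, "form": {"csrf_token": tok}}))
    print(handle_state_change({"cookies": {"sid": "other"}, "form": {"csrf_token": tok}}))
```

Binding the token to the session id is what makes it more than a random string: a token harvested from one victim's page cannot be replayed against another session, and because the server recomputes the MAC it does not need to store issued tokens.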
In the era of centralized cloud computing, server protection will become deeper and deeper, and more hackers will choose to obtain sensitive data from the front end. Understanding the front end and the user side will therefore be something web security personnel need to be familiar with in the future.
PS: This is very nearly the first Chinese book focused on web front-end hacking. I have read too many web back-end books; finally there is a web front-end one, and I could not help reading it first to relieve the boredom. Unlike previous security books, this one is suitable not only for security enthusiasts and practitioners but is also worth exploring for web front-end engineers. When many people still think web front-end security is a narrow field, perhaps this book will give them a new perspective.
This article was published by 主机参考 (zhujicankao); when reposting, please credit: "Web Security, Look 'Front'! Reading China's First Web Front-End Hacking Book", https://zhujicankao.com/12665.html