Posts

interview

Do you know any attacks, and their mitigations?
XSS
Persistent XSS: upload malicious code into the database, for example through a comment box or profile.
Reflected XSS: send a URI containing a malicious script to the victim.
DOM-based XSS: change an element of the DOM; it happens in the browser, on the client.
Mitigation: CSP; filter or encode the special characters. When the XSS has been executed, we can also set HttpOnly to avoid the cookie being stolen.
Phishing: spoofing an email or message, or directing users to enter personal information at a fake website.
Mitigation: firewall, update to the latest browser, use Google or another trustworthy browser, install antivirus software.
CSRF: make the victim submit a crafted web request: forge a URI, crafted image tags, hidden forms, and JavaScript XMLHttpRequests.
Mitigation: CSRF token; check the Referer to ensure the source website.
Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exp...

IP attacks

How does the packet go? From application -> transport layer (UDP or TCP) -> network layer (IP) -> pick interface card -> data link layer (ARP, according to the MAC address, to find where to send).
IP header (IPv4 as example)
Version: 4
Header Length: divided by 4. Each row has 32 bits = 4 bytes; we have 5 rows, so in total we have 4*5=20. Then 20/4, we get header length = 4. It actually shows how many rows.
Protocol can specify UDP/TCP/ICMP as a number, like 17 is UDP; it is in the header as 8 bits and will not occupy the data part.
Data part: the UDP protocol should be specified in the 1st packet and takes 8 bits of the data payload. The 1st packet is (8 + payload) actually.
First packet: IP/UDP/payload
The 2nd packet's data part doesn't need to claim the UDP protocol; it only needs to be claimed in the header as 17.
Other packets: IP/payload
If 1 fragment is missing, the packet will not be reassembled and will not show on the screen; it will stay in the buffer. Ping...

TCP VS UDP

TCP (Transmission Control Protocol)
Process ---> Application Layer
Host-to-Host ----> Transport Layer
Internet Layer
Network Access/Link Layer
It needs a connection before transmitting data, and closes it after transmitting data. It has listen(), connect().
It is reliable.
The data is transmitted in order. If a packet is lost, it is retransmitted.
The header is much longer than UDP's.
It can only support one-to-one transmission.
Includes Telnet (remote login), FTP (File Transfer Protocol), SMTP (Simple Mail Transfer Protocol). TCP is used in applications with large amounts of data transmission and high reliability requirements. The POP3 mail retrieval protocol.
UDP
It doesn't need a connection before transmitting data.
Some data may be lost in transmission.
The header is only 8 bytes.
It supports one-to-multiple, multiple-to-multiple, multiple-to-one.
UDP is used by DNS, DHCP, TFTP, SNMP, RIP, and VoIP. UDP is efficient for broadcast and multicast type of network transmis...

TCP Attack

Flags field (6 bits) contains the various flags:
URG: Indicates that some urgent data has been placed.
ACK: Indicates that the acknowledgement number is valid.
PSH: Indicates that data should be passed to the application as soon as possible (even if the buffer is not full, the data will still be sent).
RST: Resets the connection.
SYN: Synchronizes sequence numbers to initiate a connection.
FIN: Means that the sender of the flag has finished sending data.
Sequence Number field (32 bits) specifies the number assigned to the first byte of data in the current message. Under certain circumstances, it can also be used to identify an initial sequence number to be used in the upcoming transmission.
Acknowledgement Number field (32 bits) contains the value of the next sequence number that the sender of the segment is expecting to receive, if the ACK control bit is set. Note that the sequence number refers to the stream flowing in the same direction as the segment, while the acknowl...