Internet Security Architecture - Common Web Attacks

1. XSS attack (cross-site scripting)
1. Principle: the attacker embeds a malicious script in a web page; when a user opens the page, the script runs automatically in the user's browser and steals the user's information: cookies, usernames, passwords, etc.
2. Prevention: HTML-escape the data entered by the user before it is rendered.
2. CSRF attack (cross-site request forgery)
1. Principle: a request is forged in the name of a trusted, logged-in user and initiated from outside the site.
2. Prevention:
    Method 1: check the source of the request (Referer header)
    Method 2: mark the cookie HttpOnly, so that the attacker cannot read the user's cookie through JavaScript, applets, etc.
            // HttpOnly flag on the session cookie (missing closing quote and typo fixed)
            response.setHeader("Set-Cookie", "name=test; HttpOnly");
    Method 3: add a token to each request, so that requests without a valid token are rejected
 
 
3. SQL injection
1. Principle: malicious SQL is disguised as ordinary HTTP request parameters, passed to the server, and the server is tricked into executing it
2. Prevention: escape special characters
    Method 1: use PreparedStatement with JDBC (parameterized queries)
    Method 2: use an ORM framework
    Method 3: protect sensitive data, e.g. store passwords hashed (md5, md5+salt)
 
 
4. File upload vulnerability
1. Rename uploaded files on the server side
2. Limit the size of uploaded files
3. The type of a file cannot be judged simply by its suffix.
  For many file types the first few bytes are fixed, so the file type can be determined from the content of these bytes;
  these bytes are called magic numbers. In Java a FileType API can detect the file type from them.
4. After an image is uploaded, rescale it so that the structure of any binary executable a malicious user uploaded is destroyed.
  Recommended: ImageMagick (image scaling, watermarking, sharpening, cropping, format conversion)
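The checks in steps 1 to 3 as an added Java example (not code from the original notes); the class name, the 2 MiB limit and the signature table are assumptions, and step 4 (re-encoding the image) is left to a tool such as ImageMagick:

```java
import java.util.Arrays;
import java.util.Map;
import java.util.UUID;

public class UploadValidator {
    static final long MAX_BYTES = 2L * 1024 * 1024; // step 2: size limit (assumed 2 MiB)

    // Step 3: magic numbers (first bytes) of accepted image types, mapped to a safe extension
    static final Map<byte[], String> SIGNATURES = Map.of(
        new byte[]{(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A}, "png",
        new byte[]{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF}, "jpg",
        new byte[]{'G', 'I', 'F', '8'}, "gif");

    /** Returns the extension for the detected type, or null if no known signature matches. */
    static String detectType(byte[] content) {
        for (Map.Entry<byte[], String> e : SIGNATURES.entrySet()) {
            byte[] magic = e.getKey();
            if (content.length >= magic.length
                    && Arrays.equals(Arrays.copyOf(content, magic.length), magic)) {
                return e.getValue();
            }
        }
        return null;
    }

    /** Checks size and content, then returns a server-chosen name (step 1); the client name is never reused. */
    static String validateAndRename(byte[] content, String clientName) {
        if (content.length > MAX_BYTES) {
            throw new IllegalArgumentException("file too large: " + content.length + " bytes");
        }
        String ext = detectType(content);
        if (ext == null) {
            // A binary with a harmless-looking suffix fails here: only the content decides the type
            throw new IllegalArgumentException("unsupported or disguised file type: " + clientName);
        }
        return UUID.randomUUID() + "." + ext;
    }

    public static void main(String[] args) {
        // Constructed inputs: a PNG header, and the first bytes of an ELF executable named like a picture
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0, 0, 13, 'I', 'H', 'D', 'R'};
        System.out.println(validateAndRename(png, "avatar.png"));
        byte[] elf = {0x7F, 'E', 'L', 'F', 2, 1, 1, 0};
        try {
            validateAndRename(elf, "photo.jpg");
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```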
 
 
5. DDoS attack (distributed denial of service)
