XML injection
XML injection, here referring to the XXE (XML External Entity) attack, occurs when the application parses XML without prohibiting the loading of external entities.
Remediation:
1. Disable loading of external entities
2. Strictly check user-input parameters
XSS
XSS is divided into stored XSS, reflected XSS and DOM-based XSS.
Stored XSS
User input is stored in the database and later rendered on the front-end page after processing. The attacker's payload is persistent and affects a wide range of users; it is mostly found in message boards, comment sections and similar feedback areas.
Reflected XSS
Unlike stored XSS, the user-submitted content is not stored in the database; it is submitted to the server, processed, and returned in the front-end page. The attack is usually delivered through a URL.
DOM-based XSS
DOM-based XSS is also delivered through a URL, but without any server-side processing: the front-end page's own script inserts the attacker-controlled data directly into the HTML DOM, where the injected script executes.
Remediation:
1. Strictly filter user-input parameters
2. Encode user-supplied content on output: HTML encoding, JS escaping and the like
CSRF
An attacker induces the victim to visit a third-party website; from that site a cross-site request is sent to the target site. Because the browser attaches the victim's login credentials for the target site, the request bypasses back-end login authentication and performs operations on the target site as the logged-in user.
Remediation:
1. Referer verification
2. Token verification
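The two CSRF remediation steps above, implemented together in Python as an added example that is not part of the original notes; the server secret, the site host name and the request headers are constructed for illustration:

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed secret for this example; a real deployment loads it from configuration.
SERVER_SECRET = b"example-server-secret-do-not-reuse"
SITE_HOST = "app.example.com"  # assumed host name of the protected site


def issue_csrf_token(session_id: str) -> str:
    """Mint a token for one session: random nonce plus an HMAC binding it to that session.

    Nothing extra is stored server-side; the HMAC proves the token was issued by this
    server for this session, so a token captured from another session is useless.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the HMAC for this session and compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, _, mac = token.partition(".")
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def referer_ok(headers: dict) -> bool:
    """Origin/Referer check: a state-changing request must come from our own host.

    Origin is preferred, Referer is the fallback; a request carrying neither header
    is rejected rather than trusted by default.
    """
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    return urlsplit(source).hostname == SITE_HOST


def accept_state_change(session_id: str, headers: dict, form: dict) -> bool:
    """Both checks must pass before a state-changing request is processed."""
    return referer_ok(headers) and verify_csrf_token(session_id, form.get("csrf_token", ""))
```

The header dictionary stands in for whatever the web framework exposes; the token should be embedded in the form and never accepted from a cookie alone, since cookies are exactly what the cross-site request already carries.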