XSS and CSRF Attacks and Their Prevention

I. XSS attacks

  XSS stands for cross-site scripting. An attacker exploits a security vulnerability in a web site to run illegal HTML tags or JavaScript in the browsers of the site's registered users. The attacker sets a trap, the script runs in the victim's own browser, and the user is attacked passively without noticing.

  Example: user A submits the comment [hello world] to the server, and user B sees the comment normally. However, if user C submits the comment [<script>console.log(document.cookie)</script>], then when user B visits the page that displays this comment, the JS string is executed in B's browser and prints the value of B's cookie. This constitutes an XSS attack.

  Prevention:

  1) Use an XSS filter

  For data submitted by the user, accept only content of a predetermined length or type and filter out everything else. For example, an age field on a form should accept only an int; filter out special HTML tags such as <script> and JS event attributes such as onclick, onfocus and so on.

  2) HTML-entity-encode untrusted data before inserting it into HTML tags.

  3) JavaScript encoding: convert \ to \\ and / to \/, and convert full-width symbols to half-width symbols.

  4) HttpOnly cookies. Many XSS attacks aim to obtain the user's cookie information. Mark important cookies as HttpOnly: the browser still sends them with requests to the server, but scripts cannot read them, so XSS code cannot use document.cookie to obtain the cookie information.

II. CSRF attacks

  CSRF stands for cross-site request forgery. It can be understood as an attacker stealing the user's identity and sending malicious requests in the user's name.

  Principle:

    • User C opens the trusted site A, enters a user name and password, and sends the login request to site A.
    • After the user's information is verified, site A generates cookie information and returns it to the browser. The user is now logged in to site A and can send requests to site A normally.
    • Without logging out of site A, the user opens another tab in the same browser and visits site B.
    • When site B receives the user's request, it returns some attack code that issues a request to the third-party site A.
    • On receiving the attack code, the browser, following site B's request, sends a request to site A carrying the cookie information without the user's knowledge. Site A does not know that the request was initiated by B rather than C, so it processes the request with the user's permissions, and the malicious code from site B is executed.

  Prevention:

    • Verify the HTTP Referer field
    • Add an authentication token to the request
    • Use a verification code


Origin www.cnblogs.com/pingzi-wq/p/11567624.html