Front-end security

Attack types

XSS cross-site scripting attacks

CSRF cross-site request forgery attack

Man-in-the-middle attack

XSS cross-site scripting attacks:

1. Stored (persistent)

For example, if an attacker writes an attack script into a blog post, other people who open the post execute the attack script.

2. DOM based XSS attack

DOM-based XSS attacks do not involve the Web server at all. Specifically, attackers inject malicious scripts into users' pages through various means, such as hijacking the network connection to modify the HTML content while the page is in transit. There are many kinds of hijacking, including WiFi router hijacking and hijacking by local malware. What they have in common is that the Web page data is modified while the Web resources are being transferred or while the user is using the page.

3. Reflected

From the URL to the server and back to the browser

A user submits a request containing malicious code to the Web server; when the Web server receives the request, the malicious code is reflected back to the browser. This is a reflected XSS attack. In practice, hackers often lure users into clicking such malicious links through QQ groups or emails, so we must be very careful with links.

Defense:

Wherever there is input, filter it

Set cookies so that only the browser can read them, not page scripts

Validate the input format

CSRF cross-site request forgery attack

CSRF attack: the user logs in to site A and obtains site A's cookies, then visits a dangerous website without logging out of A. The dangerous website then sends a request to site A carrying the user's cookies for A; site A only recognizes the cookies it issued itself, so it accepts the request, completing the CSRF attack.

CSRF is generally carried out through XSS and is often also called XSRF (CSRF can also be carried out with direct command-line requests, etc.).

XSS is a code injection problem, while CSRF is an HTTP problem. XSS happens because unfiltered content causes the browser to execute the attacker's input as code. CSRF happens because the browser automatically attaches cookies when sending HTTP requests, and most websites store their sessions in cookies.

Defense: verification code (captcha), Token