XSS: Cross-Site Scripting. XSS abuses the trust a site places in its logged-in users. An attacker injects malicious HTML or JavaScript into a web page; when a user browses to that page, the embedded script executes in the user's browser, with the user's session, to carry out whatever the attacker intended against that user. The attack fires when an authorized user visits a page that contains the injected link or script. The fundamental defence against XSS is to filter user input and to escape it on output, so that user-controlled data is rendered as text rather than as markup.
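As an added illustration (not code from the original page), the following Node.js snippet shows the sink the paragraph describes and the output-encoding fix. The page fragment, the two probe payloads and the `payloadStillLive` indicator are constructed for this example only:

```javascript
// Added example (not code from the original page): why unescaped user input
// placed into HTML is an XSS sink, and how output encoding neutralises it.
// Runs in Node.js with no dependencies; the payloads are constructed.

// Escape the characters that can change meaning in HTML text and in
// double- or single-quoted attribute values.
function escapeHtml(input) {
  return String(input)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable: the search term is concatenated straight into the page, so a
// term that contains markup becomes live HTML in the victim's browser.
function renderResultsVulnerable(term) {
  return `<p>Results for: ${term}</p>\n<input name="q" value="${term}">`;
}

// Hardened: same page, but the user-controlled value is escaped before it is
// placed into both the text context and the quoted attribute context.
function renderResultsSafe(term) {
  const safe = escapeHtml(term);
  return `<p>Results for: ${safe}</p>\n<input name="q" value="${safe}">`;
}

// Constructed probe payloads: the first targets the text context, the second
// closes the quoted attribute value and adds an event handler.
const textPayload = '<img src=x onerror="alert(document.cookie)">';
const attrPayload = '" autofocus onfocus="alert(document.cookie)" x="';

// Crude indicator, sufficient for the two payloads above: does the rendered
// HTML contain an attacker-introduced tag or an event-handler attribute whose
// value starts immediately (i.e. the quote was not encoded)?
function payloadStillLive(html) {
  return /<img\b/i.test(html) || /\s(onerror|onfocus)=["']?[a-z]/i.test(html);
}

// Vulnerable rendering leaves the attacker's markup live; safe rendering
// turns it into inert text.
console.log(renderResultsVulnerable(textPayload));
console.log(renderResultsSafe(textPayload));
console.log(payloadStillLive(renderResultsVulnerable(attrPayload))); // true
console.log(payloadStillLive(renderResultsSafe(attrPayload)));       // false
```

Escaping is context-dependent: the five-character table above covers HTML text and quoted attributes, but data placed inside a script block, a URL or a CSS value needs the encoding for that context.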
CSRF: Cross-Site Request Forgery. CSRF impersonates a logged-in user to perform one of the site's normal operations. Most websites identify users by cookies, including sites that use server-side sessions, since the session ID is also usually kept in a cookie; any request that arrives with that cookie is treated as authorized. So the easiest way to forge an operation on the user's behalf is, via XSS, link spoofing or similar, to make the user's own browser (the one holding the identity cookie) send a request the user knows nothing about: the browser attaches the cookie to the request automatically and the server accepts it as the user's. CSRF needs no input to be stored on the site, because it is not an injection attack but a forged request; the forged request can come from any source and need not originate on the site at all. The only place to defend is therefore the request handler on the server, which must verify that each state-changing request was genuinely initiated by the site's own page rather than by a third party.
1. Log in to a website, then open another tab and visit a different site.
2. Visit a malicious website while the session is still valid; the malicious site submits the forged request automatically, or when the user clicks something.
Precautions: use an anti-CSRF token, but this is not a 100% defence, because if the site itself has an XSS vulnerability, the injected script runs in the site's origin and can read the token (and the cookie) and submit the request from there.
XSS and CSRF attacks