Common web attacks and defenses

Source: Internet
Author: User

XSS attacks:

Cross-site scripting (XSS): an attacker embeds malicious script in a web page. When a user opens that page, the script executes in the user's browser, where it can steal the user's cookies, user name and password, download and run a virus or trojan, or even obtain administrator privileges on the client.

The principle is that the user is allowed to enter executable code where the page expects data. For example, a user submits the following as a field value and the page renders it as markup: <input name="username" value="<script>alert('haha')</script>"/>

XSS occurs because data entered by the user is treated as code. The defense is therefore to HTML-escape user input before placing it in a page, so that special characters such as angle brackets, parentheses and quotation marks are rendered as text and can no longer be interpreted as code.

CSRF attacks, cross-site request forgery: an attacker who has hijacked your identity sends malicious requests to a third-party website on your behalf. CSRF can be used to send email or text messages, make transactions and transfers, and even take over your account.

The victim must do two things for a CSRF attack to succeed:

1, log in to trusted site A, which stores a session cookie in the browser;

2, without logging out of site A (which would clear site A's cookie), visit malicious site B. A page on site B then sends a request to site A; the browser attaches the cookie it has saved for site A, and site A, identifying the user by that cookie, treats the request as the user's legitimate action.

CSRF defensive means:

1, set the cookie to HttpOnly

2, add a hidden token to form submissions

3, use the HTTP Referer header to identify the source of the request
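An added example (not from the original page) of defenses 2 and 3 above on a simulated site A: a per-session hidden token, generated with an HMAC and verified in constant time, plus a Referer/Origin host check. SECRET_KEY, the site host a.example and the handle_transfer handler are assumptions constructed for this illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Constructed for this example: a real deployment loads the key from config,
# and every server that verifies tokens must use the same key.
SECRET_KEY = secrets.token_bytes(32)


def make_csrf_token(session_id: str) -> str:
    """Return a token bound to one session, to be embedded as a hidden form field."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token) -> bool:
    """Recompute the MAC for this session: a token issued to another session,
    or a value invented by a malicious page, fails. compare_digest avoids timing leaks."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac.encode(), expected.encode())


def referer_allowed(headers: dict, site_host: str) -> bool:
    """Accept only requests whose Referer (or Origin) names our own host exactly.
    A missing header is rejected here; since browsers may strip Referer, this is
    a second layer of defense and not a replacement for the token."""
    source = headers.get("Referer") or headers.get("Origin")
    if not source:
        return False
    return urlparse(source).hostname == site_host


def handle_transfer(request: dict, session_id: str, site_host: str = "a.example") -> int:
    """Simulated state-changing POST handler on site A (hypothetical).
    request = {"headers": {...}, "form": {...}}; returns an HTTP status code."""
    if not referer_allowed(request.get("headers", {}), site_host):
        return 403
    if not verify_csrf_token(session_id, request.get("form", {}).get("csrf_token")):
        return 403
    return 200  # both checks passed: perform the transfer
```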

SQL injection attack: SQL commands are passed to the server as ordinary HTTP request parameters, tricking the server into eventually executing malicious SQL and so achieving the intrusion. Of the many data breaches seen today, most are carried out through SQL injection.

Defensive means:

1, use precompiled (prepared) statements

2, use an ORM model

3, avoid storing passwords in plaintext

4, handle the related exceptions so that error messages do not expose too much information.

File upload vulnerability

Defense: verify the type of the uploaded file.
