What is an XSS attack? What is a SQL injection attack? What is a csrf attack?

Source: Internet
Author: User
Tags: sql injection, sql injection attack, csrf attack

Answer:
- XSS (cross-site scripting) is an attack that injects a malicious script into a web page so that the script runs in the user's browser when the user views that page. There are two types of cross-site scripting attack. In a reflected attack, the attacker tricks the user into clicking a link that embeds the malicious script, so the link itself carries the payload to the target; attackers commonly spread such links through forums and microblogs. In a persistent (stored) attack, the malicious script is submitted to the database of the compromised site, and when a user views the page the script is loaded from the database and executed; an earlier version of QQ Mail was once exploited as a platform for persistent cross-site scripting. XSS is not new, but the attack keeps being revamped. Preventing XSS rests on two main measures: sanitization (escaping dangerous characters in output) and the HttpOnly cookie flag (which stops a script injected by XSS from stealing cookie data).
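The two defences named above, output escaping and the HttpOnly flag, as an added Python example (not code from the original article). It assumes a constructed in-memory comment store standing in for the site's database, and shows that both the reflected input (a search term echoed back) and the stored input (a saved comment) are escaped at render time, which is the place escaping belongs:

```python
import html
from http.cookies import SimpleCookie

# Constructed stand-in for the site's database: a persistent XSS payload
# would land here when a comment is saved verbatim.
COMMENTS: list[str] = []


def save_comment(text: str) -> None:
    """Store the raw submission; sanitization happens at output time."""
    COMMENTS.append(text)


def render_comment(text: str) -> str:
    """Escape <, >, &, ' and " so the browser treats the text as data, not markup."""
    return "<li>" + html.escape(text, quote=True) + "</li>"


def render_page(query: str) -> str:
    """Build the page: the reflected search term and the stored comments are
    both escaped before being placed into HTML."""
    items = "".join(render_comment(c) for c in COMMENTS)
    return (
        "<p>Results for: " + html.escape(query, quote=True) + "</p>"
        "<ul>" + items + "</ul>"
    )


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie header carrying HttpOnly, so script in the page cannot read
    the session cookie via document.cookie. Secure is set as well so the
    cookie only travels over HTTPS."""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["path"] = "/"
    return jar.output(header="Set-Cookie:")


if __name__ == "__main__":
    save_comment('<script>alert("stored")</script>')  # constructed stored payload
    print(render_page('<img src=x onerror="alert(1)">'))  # constructed reflected payload
    print(session_cookie_header("constructed-session-id"))
```

Escaping is applied where the data is written into HTML rather than where it is received, because the same stored string may later be emitted into HTML, JavaScript or a URL, each of which needs a different escaping rule; `html.escape` covers only the HTML body and attribute context shown here.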
- SQL injection is the most common form of injection attack (another is OS command injection; the high-risk Struts 2 vulnerability was an OS command injection carried out through its OGNL implementation). It occurs when the server builds SQL statements from request parameters, so that malicious SQL embedded in a parameter is executed by the database. A SQL injection attack requires the attacker to understand the structure of the database, which can be obtained in several ways: (1) if the site is built on an open-source system, its database structure is public as well (many existing systems can be used to stand up a forum or e-commerce site directly; this is convenient, but the risk must be evaluated carefully); (2) error echo: if the server's error messages are shown directly on the page, an attacker can trigger an error with an illegal argument and learn the database structure from the message, so a web application should present a friendly error page that follows the principle of least surprise and at the same time shields the error details the system might otherwise leak; (3) blind injection. SQL injection can be prevented by validating request parameters with regular expressions, and parameter binding is a good approach: a bound parameter is passed to SQL as data rather than as part of the command, so malicious SQL inside it is never executed. PreparedStatement in JDBC is a statement object that supports parameter binding, and it is significantly better than Statement in both performance and security.
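An added example (not from the original article) contrasting a query built by string concatenation with one that uses parameter binding, the sqlite3 equivalent of the JDBC PreparedStatement mentioned above, plus the regex validation and friendly error page the paragraph recommends. The in-memory table, the user record and the error-page text are all constructed for the demo:

```python
import re
import sqlite3

# Constructed in-memory table for the demo. A real system stores password
# hashes rather than plaintext, but the injection point is the same.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_concat(conn: sqlite3.Connection, name: str, pw: str) -> list[str]:
    """Vulnerable: request parameters are pasted into the SQL text, so a quote
    in either value changes the statement the database executes."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return [row[0] for row in conn.execute(sql)]


USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def login_bound(conn: sqlite3.Connection, name: str, pw: str) -> list[str]:
    """Hardened: validate the username with a regular expression, then bind
    both values as parameters. The database receives the SQL text and the
    values separately, so the values can never become part of the command."""
    if not USERNAME_RE.fullmatch(name):
        return []
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return [row[0] for row in conn.execute(sql, (name, pw))]


def login_with_friendly_errors(conn: sqlite3.Connection, name: str, pw: str) -> dict:
    """Error echo: the database's own message stays in the server log and the
    client only ever sees a generic page."""
    try:
        return {"ok": True, "users": login_bound(conn, name, pw)}
    except sqlite3.Error as exc:
        print(f"[server log] login query failed: {exc!r}")
        return {"ok": False, "error": "Login failed. Please try again."}


if __name__ == "__main__":
    db = make_db()
    injected_pw = "' OR '1'='1"  # constructed input: a quote plus an always-true clause
    print("concat:", login_concat(db, "anyone", injected_pw))   # returns alice
    print("bound: ", login_bound(db, "anyone", injected_pw))    # returns nothing
```

The regex is a useful first line of defence for fields with a known shape, but the binding is what actually removes the vulnerability: a password field legitimately contains quotes, so it cannot be "validated" into safety and must be bound.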
- CSRF (cross-site request forgery) is an attack in which the attacker uses a cross-site request to perform operations illegitimately as a logged-in user (such as making a transfer or posting a message). CSRF works by riding on the browser's cookie or the server-side session to borrow the user's identity, as the diagram of its principle shows. The main defence is to verify the identity of the requester, chiefly in the following ways: (1) add a token to the form; (2) require a verification code (CAPTCHA); (3) check the Referer in the request header (the same check mentioned earlier for preventing image hotlinking). Tokens and verification codes are both consumed on use, so they rest on the same principle, but a verification code hurts the user experience and should not be used lightly; a common current practice is to ask for a verification code only after a form submission has failed within a short time window, which gives a better user experience.

Addendum: a firewall is an important safeguard for web security, and ModSecurity is the leading open-source web application firewall. An enterprise should deploy two tiers of firewall: the web servers and some application servers can be placed in the DMZ between the two tiers, while the data and resource servers are placed behind the second-tier firewall.
