XSS attack &sql injection attack &CSRF attack?

-XSS (Cross site script, multi-site scripting attack) is an attack that injects malicious script into a Web page to execute malicious script in the user's browser when the user browses the Web page. There are two types of cross-site scripting attacks: A reflective attack that convinces a user to click on a link that embeds a malicious script to reach the target of an attack, and there are many attackers who use forums, tweets to publish URLs containing malicious scripts, and persistent attacks that commit malicious script to the database of the compromised site. When a user browses a webpage, malicious script is loaded from the database to the page execution, and the earlier version of the QQ mailbox has been exploited as a platform for persistent cross-site scripting attacks. Although XSS is not a novelty, the attack has been constantly revamped, and there are two main aspects of preventing XSS: disinfection (escaping of dangerous characters) and httponly (preventing XSS attackers from stealing cookie data).

-SQL injection attacks are the most common form of injection attacks (in addition to OS injection attacks (the high-risk vulnerability of Struts 2 is caused by OGNL implementation of OS injection attacks), and when the server constructs SQL statements using request parameters, malicious SQL is embedded in SQL to be executed by the database.

SQL injection attacks require an attacker to have an understanding of the structure of the database in order to make it possible for an attacker to obtain a table structure in several ways:

(1) If the use of open source system to build a website, the database structure is also open (there are many ready-made systems can be directly built forum, e-commerce website, although convenient and fast but the risk must be carefully evaluated);

(2) Error echo (if the error message of the server is displayed directly on the page, an attacker can raise a page error through an illegal argument to understand the database structure through error messages, the Web application should set up a friendly error page, on the one hand, in line with the least surprising principle, On the one hand, to shield the system may bring dangerous error echo information);

(3) Blind note. It is also possible to prevent SQL injection attacks by using a regular expression to validate request parameters, and parameter binding is a good way to do so, so that malicious SQL is executed as a parameter to SQL rather than as a command. PreparedStatement in JDBC is a statement object that supports parameter binding, and is significantly better than statement in terms of performance and security.

-Csrf Attack (cross site request forgery, multi-site requests forgery) is an attacker who, through cross-site requests, illegally operates as a legitimate user (such as a transfer or posting). The principle of CSRF is to use the browser's cookie or server session to steal the identity of the user, as shown in the principle.

The main means to prevent CSRF is to identify the requester's identity, mainly in the following ways:

(1) Add a token to the form (tokens);

(2) Verification code;

(3) Check the referer in the request header (previously mentioned anti-picture hotlinking is also used in this way). Tokens and authentication have a consumer characteristics, so the principle is consistent, but the verification code is a bad user experience, not necessary to not easily use the verification code, many of the current practice is that if a short period of time to submit a form is not successful after the request to provide a verification code, This will get a better user experience.

XSS attack &sql injection attack &CSRF attack?