The principle and prevention of XSS

Source: Internet
Author: User
Tags csrf attack

Xss(cross-site scripting)An attack refers to an attacker inserting a malicious tag or code into a Web page html javascript . For example, an attacker would put a user in a forum
Seemingly secure links that steal users ' private information from a user's clicks, or an attacker who adds a malicious form to the forum,
When the user submits the form, it transmits the information to the attacker's server, rather than the trusted site that the user originally assumed.

How to prevent XSS

1. The code in the user input places and variables need to carefully check the length and the characters to filter, and ”<”,”>”,”;”,”’” then any content written before the page must be done encode , to avoid accidentally get html tag out. This level is well done, at least by blocking more than half of the XSS attacks.
2. Avoid cookie disclosing user privacy directly in, for example email , password and so on.
3. Reduce cookie the risk of exposure by making cookies and system IP bindings. This way the attacker gets a cookie that has no real value and cannot be replayed.
4. Use post rather than get submit form

What is the difference between XSS and CSRF?

XSSis to obtain information that does not need to know the code and packets of other user pages in advance. CSRFis to replace the user to complete the specified action, need to know the other user page code and data package.

To complete a csrf attack, the victim must complete two steps in turn:

1. Log on to trusted Web site A and generate cookies locally. 2. If you do not log out a, visit the dangerous website B.

CSRF's defense

1. The CSRF method of the server is a lot of ways, but the general idea is consistent, is to add pseudo-random number on the client page. 2. Using the Verification code

The principle and prevention of XSS

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.