XSS (cross-site scripting)
An XSS attack is one in which an attacker inserts malicious HTML tags or JavaScript code into a web page. For example, an attacker might post in a forum a seemingly safe link that steals a user's private information when the user clicks it, or add a malicious form to the forum so that, when the user submits it, the information is transmitted to the attacker's server rather than to the trusted site the user originally assumed.
How to prevent XSS
1. At every place where user input is used, and for every variable derived from it, carefully check the length and filter the characters, in particular "<", ">", ";" and "'". Then encode any content before it is written to the page, so that it is not accidentally output as an HTML tag. Doing this level well alone blocks more than half of XSS attacks.
2. Avoid putting information that directly discloses user privacy, such as email addresses and passwords, into cookies.
3. Reduce the risk of cookie exposure by binding the cookie to the system's IP address. This way a cookie obtained by the attacker has no real value and cannot be replayed.
4. Use POST rather than GET to submit forms.
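The output-encoding step from item 1, as an added example that is not part of the original page: a forum post is rendered once by raw concatenation and once with every untrusted value encoded, and a tag count shows which version lets injected markup through. All function names, the length limit and the sample post are assumptions constructed for the example.

```javascript
// Added example, not from the original page: HTML output encoding for
// untrusted input, as recommended in prevention step 1. All names are
// hypothetical; the forum post sample below is constructed.
const MAX_BODY_LENGTH = 2000; // assumed length limit for a post body

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Encode untrusted text for HTML element content or a quoted attribute.
// Encoding (rather than deleting characters) keeps the user's text intact
// while making it impossible for the browser to parse it as markup.
function encodeForHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Length check from step 1: reject over-long input before it is stored.
function checkLength(text, max = MAX_BODY_LENGTH) {
  if (typeof text !== "string" || text.length > max) {
    throw new Error(`input exceeds ${max} characters`);
  }
  return text;
}

// Vulnerable rendering: raw user input is concatenated into the page.
function renderPostUnsafe(author, body) {
  return `<div class="post"><b>${author}</b>: ${body}</div>`;
}

// Hardened rendering: every untrusted value is encoded before output.
function renderPostSafe(author, body) {
  const safeBody = encodeForHtml(checkLength(body));
  return `<div class="post"><b>${encodeForHtml(author)}</b>: ${safeBody}</div>`;
}

// Helper for the comparison below: count tag-like sequences in the output.
// The template itself contributes exactly four (<div>, <b>, </b>, </div>).
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed sample: a post body that tries to smuggle a script tag in.
const SAMPLE_BODY = "hello <script>doSomethingBad()</script>";
console.log(countTags(renderPostUnsafe("alice", SAMPLE_BODY))); // 6: injected tags survive
console.log(countTags(renderPostSafe("alice", SAMPLE_BODY)));   // 4: only the template's own tags
```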
What is the difference between XSS and CSRF?
XSS obtains information without needing to know the code and packets of other users' pages in advance. CSRF acts in place of the user to complete a specified action, and therefore needs to know the code and data packets of the other user's page.
To complete a CSRF attack, the victim must complete two steps in turn:
1. Log on to trusted website A and generate a cookie locally.
2. Without logging out of A, visit the dangerous website B.
CSRF defenses
1. There are many server-side methods of defending against CSRF, but the general idea is the same: add a pseudo-random number to the client page.
2. Use a verification code.