Web security, starting from the front end: a summary of several Web front-end security topics:
1. XSS

XSS stands for Cross-Site Scripting. The principle of XSS is to inject script into HTML, that is, to insert script tags into the page. XSS attacks fall into two categories. One is the internal attack, which mainly refers to exploiting vulnerabilities in the program itself to construct cross-site statements. The other is the external attack, which mainly refers to constructing a Web page with an XSS cross-site vulnerability, or finding a non-target Web site outside that has a cross-site vulnerability. If we are going to infiltrate a site, we construct a Web page with a cross-site vulnerability, then construct the cross-site statement, and, by combining it with other techniques such as social engineering, trick the administrator of the target server into opening it.

Prevention: actively filter user input; never trust the user.

2. CSRF

CSRF (Cross-Site Request Forgery), also known as "one-click attack" or session riding, and usually abbreviated CSRF or XSRF, is a malicious use of a site. Although it sounds like cross-site scripting (XSS), it is very different from XSS, and its attack method is almost the opposite. XSS leverages trusted users within the site, while CSRF leverages a trusted site by disguising requests as coming from trusted users. Compared to XSS attacks, CSRF attacks are often less prevalent (and therefore there are very few resources for protecting against them) and are difficult to guard against, so they are considered more dangerous than XSS. For details, refer to this article: Http://www.cnblogs.com/hyddd/archive/2009/04/09/1432744.html

Prevention: perform all important operations with HTTP POST requests, or use a dynamically generated token: a hidden field is assigned a dynamic value that is also added to the user's session information; when the server receives the client request, it checks whether the hidden variable in the POST and the value in the user's session information are the same.
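The two defences named above, as an added example (not code from the original article): untrusted text is HTML-encoded before it is placed in the page, and a state-changing POST is accepted only when its hidden-field token matches the one stored in the user's session. The `session` dictionary, the `form` dictionary and the handler names are assumptions standing in for whatever web framework is in use.

```python
# Added example, not from the original article.
# Shows (a) output encoding so injected "<script>" text is rendered inert
# and (b) the session-bound hidden-field token check described for CSRF.
import hmac
import html
import secrets


def render_comment(user_input: str) -> str:
    """Place untrusted text into HTML with <, >, &, " and ' encoded."""
    return "<p>" + html.escape(user_input, quote=True) + "</p>"


def issue_csrf_token(session: dict) -> str:
    """Generate a random token, store it in the session, return it for the hidden field."""
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token


def hidden_field(token: str) -> str:
    """The hidden form field that carries the token back to the server."""
    return f'<input type="hidden" name="csrf_token" value="{html.escape(token)}">'


def verify_csrf(session: dict, posted_token) -> bool:
    """True only if a token exists in the session and the posted one equals it."""
    expected = session.get("csrf_token")
    if expected is None or posted_token is None:
        return False
    # constant-time comparison so the check leaks nothing about the token
    return hmac.compare_digest(expected, posted_token)


def handle_post(session: dict, form: dict) -> tuple:
    """Hypothetical POST handler: reject forged requests, encode the echoed input."""
    if not verify_csrf(session, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    return 200, render_comment(form.get("comment", ""))


if __name__ == "__main__":
    session = {}                      # constructed stand-in for a server-side session
    token = issue_csrf_token(session)
    print(hidden_field(token))
    # constructed input containing a script tag: rendered as text, not executed
    print(handle_post(session, {"csrf_token": token, "comment": "<script>alert(1)</script>"}))
    # constructed forged request: no token, so it is refused
    print(handle_post(session, {"comment": "hello"}))
```

Encoding is applied at the moment the value is written into HTML, not when it is stored, so the same stored comment can safely be emitted into different contexts later.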
3. SQL injection attack

A SQL injection attack is one of the common means hackers use to attack databases. Quite a few programmers write code without checking the legality of the user's input data, leaving the application with a security risk. A user can submit database query code and, from the results the program returns, obtain some of the data they want to know; this is called SQL injection.

Reference: http://baike.baidu.com/view/983303.htm and http://baike.baidu.com/view/3896.htm

4. JavaScript hijacking

5. XPath injection