Web security, starting from the front-end, summarizes several web Front-end security technologies:
1, XSS
XSS stands for Cross Site Scripting, which indicates Cross-Site Scripting. The XSS principle is to inject scripts into HTML. HTML specifies the script tag.
XSS attacks are divided into two categories. One is internal attacks, which mainly refers to the use of program vulnerabilities to construct cross-site statements.
The other type is external attacks. It mainly refers to the Construction of XSS Cross-Site vulnerability web pages or the search for webpages with cross-site vulnerabilities other than the target machine. For example, when we want to penetrate a website, we construct a webpage with cross-site vulnerabilities, and then construct cross-site statements. By combining other technologies, such as social engineering, the Administrator of the target server is spoofed to open it.
Prevention: actively filter user input and never trust users
2, CSFR
CSRF (Cross-site request forgery, also known as "one click attack" or session riding, usually abbreviated as CSRF or XSRF, is a type of malicious use of websites. Although it sounds like XSS, it is very different from XSS, and the attack method is almost different. XSS uses trusted users in the site, while CSRF uses trusted websites by disguising requests from trusted users. Compared with XSS attacks, CSRF attacks are often less popular (so the resources to prevent them are quite scarce) and difficult to prevent. Therefore, XSS attacks are considered to be more dangerous than XSS attacks.
Specific reference this article: http://www.bkjia.com/Article/201205/130728.html
Prevention: use an http post request to perform all important operations, or use a dynamically generated token: a hidden field is allocated with a dynamic value, which is also added to the user session information, after the server receives the client request, the server checks whether the hidden variables of the POST are the same as the user session information.
3. SQL injection attacks
SQL injection attacks are one of the common means for hackers to attack databases. A considerable number of programmers did not judge the legitimacy of user input data when writing code, posing a security risk to the application. You can submit a piece of database query code and obtain the desired data based on the results returned by the program. This is called SQL Injection, that is, SQL Injection.
Refer:
Http://baike.baidu.com/view/983303.htm
Http://baike.baidu.com/view/3896.htm
4. javascript hijacking
5. XPath Injection
Conclusion: XSS is an illegal use of the website's trust in users, and CSRF is the illegal use of users' trust in the website.