Web Front-end security XSS cross-site scripting CSRF Cross-Site Request Forgery SQL Injection

Source: Internet
Author: User

Web security, starting from the front-end, summarizes several web Front-end security technologies:
1, XSS
XSS stands for Cross Site Scripting, which indicates Cross-Site Scripting. The XSS principle is to inject scripts into HTML. HTML specifies the script tag.
XSS attacks are divided into two categories. One is internal attacks, which mainly refers to the use of program vulnerabilities to construct cross-site statements.
The other type is external attacks. It mainly refers to the Construction of XSS Cross-Site vulnerability web pages or the search for webpages with cross-site vulnerabilities other than the target machine. For example, when we want to penetrate a website, we construct a webpage with cross-site vulnerabilities, and then construct cross-site statements. By combining other technologies, such as social engineering, the Administrator of the target server is spoofed to open it.



Prevention: actively filter user input and never trust users
2, CSFR
CSRF (Cross-site request forgery, also known as "one click attack" or session riding, usually abbreviated as CSRF or XSRF, is a type of malicious use of websites. Although it sounds like XSS, it is very different from XSS, and the attack method is almost different. XSS uses trusted users in the site, while CSRF uses trusted websites by disguising requests from trusted users. Compared with XSS attacks, CSRF attacks are often less popular (so the resources to prevent them are quite scarce) and difficult to prevent. Therefore, XSS attacks are considered to be more dangerous than XSS attacks.
Specific reference this article: http://www.bkjia.com/Article/201205/130728.html
 
Prevention: use an http post request to perform all important operations, or use a dynamically generated token: a hidden field is allocated with a dynamic value, which is also added to the user session information, after the server receives the client request, the server checks whether the hidden variables of the POST are the same as the user session information.
3. SQL injection attacks
SQL injection attacks are one of the common means for hackers to attack databases. A considerable number of programmers did not judge the legitimacy of user input data when writing code, posing a security risk to the application. You can submit a piece of database query code and obtain the desired data based on the results returned by the program. This is called SQL Injection, that is, SQL Injection.
Refer:
Http://baike.baidu.com/view/983303.htm
Http://baike.baidu.com/view/3896.htm
 
4. javascript hijacking
5. XPath Injection
 
Conclusion: XSS is an illegal use of the website's trust in users, and CSRF is the illegal use of users' trust in the website.
 

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.