1. Cross-site scripting attacks
Cross-Site Scripting (XSS) , which can inject code into the web pages that users browse, such code includes
Principle of the attack
For example, there is a forum site on which an attacker could post the following.
The content may then be rendered in the following form.
Another user viewing a page with this content will be redirected to
domain.com with a
cookie for the current scope. If the forum site manages user login status via
Cookie, then the attacker can log in to the attacker’s account via this
- Stealing user
- Forging fake input forms to obtain personal information
- Displaying fake articles or images
1. Set Cookie to HttpOnly
Cookie information via
2. Filtering special characters
< is escaped as
> is escaped as
>, thus avoiding HTML and Jascript code from running.
Rich text editors allow the user to enter HTML code, so that characters such as
< cannot simply be filtered, greatly increasing the likelihood of XSS attacks.
Rich text editors often use
XSS filter to prevent
XSS attacks by defining some tags to be whitelisted or blacklisted, thus disallowing the input of offensive
In the following example, tags such as
script are escaped, while tags such as
p will be preserved.
2. Cross-site request forgery
Cross-site request forgery (CSRF) is a technique by which an attacker tricks a user’s browser into visiting a website that he or she has authenticated before and performing some operations (such as sending emails, sending messages, or even property operations such as transferring money and purchasing goods). Since the browser has been authenticated before, the visited website will think it is a real user action and perform it.
XSS takes advantage of the user’s trust in a given website, while
CSRF takes advantage of the website’s trust in the user’s browser.
Suppose a bank uses the following
URL address to perform a transfer operation.
Then a malicious attacker could place the following code on another website.
If a user with an account named
Alice visits a malicious site, and she has just visited the bank shortly before and her login information has not yet expired, she could lose
Such malicious URLs can take many forms and hide in many places on the Web. Moreover, the attacker does not need to control the site where the malicious URL is placed. For example, he can hide such addresses in forums, blogs, and any other websites with user-generated content. This means that if there are no proper defenses on the server side, users are at risk of being attacked even if they visit a familiar and trusted website.
As you can see from the example, attackers cannot directly gain control of a user’s account through a
CSRF attack, nor can they directly steal any information about the user. What they can do is to trick the user’s browser into performing actions in the user’s name.
1. Checking the Referer initial field
Referer initial field is located in the
HTTP message and is used to identify the address of the request source. Checking this initial field and requiring the address of the request source to be under the same domain name can greatly prevent
This approach is easy to implement, low effort, and requires only one additional step of verification at critical accesses. However, this approach has its limitations, as it relies entirely on the browser sending the correct
Referer field. Although the
HTTP protocol specifies the contents of this field, there is no guarantee that the specific implementation of the visiting browser or that there are no security vulnerabilities in the browser that could affect this field. There is also the possibility that an attacker could attack some browsers and tamper with their
2. Add Checksum Token
When accessing sensitive data requests, the user’s browser is asked to provide data that is not stored in the
cookie and cannot be forged by an attacker as a checksum. For example, the server generates a random number and appends it to the form, and asks the client to pass back this random number.
3. Enter the CAPTCHA
CSRF attacks occur without the user’s awareness, asking the user to enter a CAPTCHA lets the user know what he or she is doing.
3. SQL Injection Attack
The database on the server runs illegal
SQL statements, mainly through splicing.
Principle of attack
For example, the
SQL query code for a website login verification is
If the following is filled in.
Then the SQL query string is as follows.
At this point, the following query can be executed without verification pass.
1. Use parameterized queries
Java is a pre-compiled
SQL statement that can be passed appropriate parameters and executed multiple times. Since there is no splicing process, it prevents
SQL injection from occurring.
2. Single quote conversion
Convert single quotes in the incoming parameter to two consecutive single quotes, the
Magic quote in
PHP can do this.
4. Denial of Service Attack
denial-of-service attack (DoS) , also known as a flood attack, is designed to exhaust the network or system resources of the target computer so that services are temporarily interrupted or stopped, resulting in inaccessibility to its normal users.
distributed denial-of-service attack (DDoS) , which refers to an attacker using two or more compromised computers as bots to launch a denial-of-service style attack on a specific target.
Although a bit insurmountable, there are certain countermeasures.
- Purchase a high security server
- Set up gateway or routing firewall
- Using CDN
- Multiple identification of requesters, don’t let all traffic in without any authentication
- If there is a problem on the line, you can direct the attack to another batch of hosts to ensure that the core hosts are healthy and working