XSS:Cross-site Scripting
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
Also, turn off HTTP TRACE support on all web servers. With TRACE enabled an attacker can steal cookie data via JavaScript even when document.cookie is inaccessible or not supported on the client (for example because the cookie is flagged HttpOnly). The attack, known as cross-site tracing (XST), works like this: a user posts a malicious script to a forum; when another user follows the link, the script issues an asynchronous HTTP TRACE request, the server echoes the full request, cookie header included, back in the response body, and the script forwards that to a server the attacker controls so the attacker can mount a session hijack. This is easily mitigated by removing support for HTTP TRACE on all web servers (Apache: TraceEnable off; nginx rejects TRACE with 405 by default). Modern browsers also refuse to send TRACE from XMLHttpRequest and fetch, but disabling it server-side costs nothing and removes the dependency on client behaviour; verify with curl -i -X TRACE against the host and expect a 405 rather than an echo of the request headers.
link:https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
Solutions:
1. Back end: filter the dangerous tags (script, event-handler attributes, javascript: URLs) out of the data before storing or serving it; in Django, apply mark_safe only to data that has been through this filter.
2. Front end: render that filtered data with the |safe template filter.
Both mark_safe and |safe switch off Django's auto-escaping for that value, so they are only safe on data the back end has already filtered; for everything else keep the default auto-escaping ({{ value }}), which encodes the input rather than trusting it.
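The two steps above, as an added example that is not part of the original notes: plain Python standing in for the Django back end, showing the unsafe render (what |safe or mark_safe does on unfiltered data), the escaped default, and an allow-list filter built on html.parser that keeps a few formatting tags and http(s) links while dropping script blocks, on* attributes and javascript: URLs. The tag and attribute allow-lists are assumptions chosen for the example; in Django the filtered string is what you would pass to mark_safe.

```python
import html
from html.parser import HTMLParser

# Allow-list for the "filter key tags" step (assumed for this example):
# anything not listed here is dropped, not escaped.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://")


def render_unsafe(comment):
    """Vulnerable: user input is concatenated straight into the page, which is
    exactly what |safe / mark_safe does if the data was never filtered."""
    return f'<div class="comment">{comment}</div>'


def render_escaped(comment):
    """Safe default: encode the input so the browser treats it as text, not
    markup (what Django's auto-escaping does for {{ comment }})."""
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'


class AllowListSanitizer(HTMLParser):
    """Rebuilds an HTML fragment keeping only allow-listed tags/attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._open = []   # allowed tags still open, so we can close them
        self._skip = 0    # >0 while inside <script> or <style>: drop content

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # drop the tag itself; its text content is still emitted
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick=, onerror=, style=, ...
            value = (value or "").strip()
            if name == "href" and not value.lower().startswith(SAFE_URL_SCHEMES):
                continue  # drops javascript:, data:, vbscript: URLs
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag != "br":
            self._open.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
            return
        if tag in self._open:
            while self._open:  # also closes tags left open inside this one
                closed = self._open.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if self._skip == 0:
            # entities were decoded by the parser; re-encode so text stays text
            self.out.append(html.escape(data, quote=True))

    def result(self):
        self.close()
        while self._open:  # close anything the input left unbalanced
            self.out.append(f"</{self._open.pop()}>")
        return "".join(self.out)


def sanitize(fragment):
    """Filter a user-supplied fragment; only the returned string may be
    marked safe for rendering."""
    parser = AllowListSanitizer()
    parser.feed(fragment)
    return parser.result()


if __name__ == "__main__":
    # constructed sample input, as a forum comment might arrive
    comment = '<b>hi</b><a href="javascript:alert(1)" onclick="x()">x</a><img src=x onerror=alert(1)>'
    print(render_unsafe(comment))
    print(render_escaped(comment))
    print(sanitize(comment))
```

The filter is an allow-list rather than a deny-list on purpose: new or obscure tags and attributes are dropped by default, so it does not need to know every event handler name. For production use a maintained library that handles more HTML edge cases than this parser does.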
CSRF (Cross-site Request-Forgery):
reference:
https://en.wikipedia.org/wiki/Cross-site_request_forgery
Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf[1]) or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts.[2] There are many ways in which a malicious website can transmit such commands; specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests, for example, can all work without the user's interaction or even knowledge. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.
Essentially the defence prevents other sites from sending POST requests to your site. When a client visits the site, the site sends the client a random string; the client then includes that string with its POST requests. Only requests that carry the string are accepted. Usually only POST requests (state-changing requests) are required to carry it; a request that originates from another site will not have it, because the attacker's page cannot read the string even though the victim's browser attaches the session cookie to the forged request automatically.
How to defend?
First, the server generates a random string by some policy, to serve as a token, and stores it in the session. The token must come from a cryptographically secure random generator and be long enough that it cannot be guessed. Then, on the page that issues the request, the token is sent along with the other data, for example in a hidden form field. On the page that receives the request, the token in the submitted data is compared with the token in the session (use a constant-time comparison); the request is processed only when they match, and the session value is cleared after processing; otherwise return HTTP 403 to reject the request, or require the user to log in again to re-verify their identity. Note that clearing the token after each use means a form opened in a second tab will be rejected; frameworks such as Django instead keep one token per session for that reason.
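The procedure above carried through end to end, as an added example that is not part of the original notes and does not use Django's own CSRF middleware: a token is issued into a dict standing in for the server-side session, embedded in a hidden field, checked with a constant-time comparison on submit and consumed on success, with a legitimate submit, a cross-site forgery and a replay of a used token all exercised. The form markup, field names and the /transfer action are assumptions made for the example.

```python
import hmac
import re
import secrets

SESSION_KEY = "csrf_token"  # where the token lives in the server-side session


def issue_token(session):
    """Generate an unpredictable token with the OS CSPRNG and store it in
    the session (32 random bytes, URL-safe base64 encoded)."""
    token = secrets.token_urlsafe(32)
    session[SESSION_KEY] = token
    return token


def render_transfer_form(session):
    """Page that issues the request: the token rides along in a hidden field
    (form and action path are assumed for this example)."""
    token = issue_token(session)
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="amount"><button>Send</button></form>'
    )


def token_from_form(page):
    """What the legitimate user's browser does: submit the hidden field it
    was served. The attacker's page never sees this value."""
    match = re.search(r'name="csrf_token" value="([^"]+)"', page)
    return match.group(1) if match else ""


def handle_transfer(session, form):
    """Page that receives the request: accept only if the submitted token
    matches the one in this user's session, then clear it (single use)."""
    expected = session.get(SESSION_KEY)
    submitted = form.get("csrf_token", "")
    # compare_digest runs in constant time, so a mismatch position cannot be
    # learned from response timing; encode so non-ASCII input cannot raise
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return 403, "CSRF token missing or invalid"
    del session[SESSION_KEY]  # consumed: the same token cannot be replayed
    return 200, f"transferred {form.get('amount', '0')}"


def simulate():
    """Legitimate submit, then a cross-site forgery, then a replay."""
    session = {}  # server-side session of one logged-in user
    page = render_transfer_form(session)
    token = token_from_form(page)
    ok = handle_transfer(session, {"csrf_token": token, "amount": "10"})

    # The user later reloads the form; a fresh token is issued into the session.
    render_transfer_form(session)

    # evil.example's auto-submitting form: the victim's browser attaches the
    # session cookie, but the forged body carries no token (constructed input).
    forged = handle_transfer(session, {"amount": "1000"})

    # Replay of the earlier, already-consumed token against the new session state.
    replay = handle_transfer(session, {"csrf_token": token, "amount": "1000"})
    return ok, forged, replay


if __name__ == "__main__":
    for label, result in zip(("legitimate", "forged", "replay"), simulate()):
        print(f"{label}: {result}")
```

The check only works because the token is tied to the session that the cookie identifies and is never readable from another origin; sending it in a cookie alone would defeat the purpose, since the browser attaches cookies to forged requests too. Setting the session cookie with SameSite=Lax or Strict is a useful second layer, not a replacement for the token.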