Personal blog, discussion welcome: firefly: https://blog.xkongkeji.com

In the field of Web security, XSS and CSRF are the most common attacks. Here's a quick look at what each one is and how to defend against it.

What is XSS

An XSS (cross-site scripting) attack is one in which an attacker injects malicious client-side code into a website. The injected script tampers with the page in the victim's browser, letting the attacker control the user's browser or read the user's private data while the page is being viewed.

XSS attack defense

Mainstream browsers support defences such as Content Security Policy (CSP), but CSP only takes effect when the site sends the policy header, and it limits rather than eliminates XSS. Developers still need reliable, application-level defences against XSS.

  • HttpOnly prevents Cookie hijacking

    HttpOnly was first introduced by Microsoft and has since become a standard (it is part of RFC 6265). The browser will not let the page's JavaScript read a cookie that carries the HttpOnly attribute. Strictly speaking, HttpOnly does not prevent XSS attacks; it prevents the cookie hijacking that usually follows a successful XSS attack. Note that an injected script can still send requests in the victim's session, because the browser attaches the cookie to those requests automatically; HttpOnly only stops the script from reading the cookie value.

  • Input inspection

    Don't trust any input from the user. Check, filter and escape every value the user supplies. Build a whitelist of trusted characters and HTML tags, and filter or encode any character or tag that is not on the whitelist.

    Supplementary: input checking usually means looking for special characters such as < and > in the data the user enters and, if they are present, filtering or encoding them. This approach is also known as an XSS filter. On its own it is not sufficient, because the same value may later be written into an HTML body, an attribute, a JavaScript string or a URL, and each of those contexts needs a different encoding.

  • Output check

    Problems can come not only from the user's input but also from the server's output. With the exception of rich-text output, encoding or escaping a variable at the point where it is written into an HTML page defends against XSS. The encoding must match the output context: an entity-encoded value is safe inside HTML text or a quoted attribute, but not inside a <script> block, where a JavaScript string escape is needed instead. Rich text has to go through a sanitizer that parses the HTML and keeps only whitelisted tags and attributes.
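As an added example (not code from the original post), the following JavaScript shows context-aware output encoding: one encoder for the HTML body and attribute context, one for the JavaScript string context, and a vulnerable comment renderer beside its hardened form. The function names, the comment markup and the payload strings are constructed for illustration.

```javascript
// Added example (not from the original post): context-aware output encoding.
// Encoding untrusted data at the point where it is written into the page is the
// primary XSS defence; the two encoders below cover the most common sinks.

// HTML body / quoted-attribute context: the characters with meaning in HTML
// (plus the forward slash, which closes tags) are replaced by entities.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

function escapeHtml(input) {
  return String(input).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// JavaScript string context (data embedded inside a <script> string literal).
// HTML entities do NOT help here. Every character outside [A-Za-z0-9] is
// written as a \xHH or \uHHHH escape, so "</script>" can never terminate the
// script block and a quote can never close the string literal.
function escapeJsString(input) {
  return String(input).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Vulnerable rendering: user-controlled values are concatenated into the
// markup unchanged, so an author name like
//   " onmouseover="alert(1)
// breaks out of the data-author attribute and adds an event handler.
function renderCommentUnsafe(author, text) {
  return `<div class="comment" data-author="${author}">${text}</div>`;
}

// Hardened rendering: each untrusted value is encoded for the context it lands
// in (here both land in HTML contexts, so escapeHtml is the right encoder).
function renderCommentSafe(author, text) {
  return `<div class="comment" data-author="${escapeHtml(author)}">${escapeHtml(text)}</div>`;
}

// Hardened rendering into a <script> block: the value sits inside a JavaScript
// string literal, so it gets the JavaScript string encoder, not escapeHtml.
function renderConfigScript(username) {
  return `<script>var user = "${escapeJsString(username)}";</script>`;
}
```

When the page is built in the browser rather than on the server, the same rule applies: assign untrusted text with `textContent` (or `setAttribute`) instead of concatenating it into `innerHTML`, so the DOM API does the encoding for you.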

What is CSRF

CSRF, or Cross-Site Request Forgery, is an attack that hijacks a trusted user's browser into sending an unexpected request to the server.

Put more concretely, in a CSRF attack the attacker relies on the victim's cookie to win the trust of the server: without the victim's knowledge, forged requests are sent to the target server in the victim's name, so that operations that are supposed to be protected by the victim's permissions are performed without authorization.

CSRF attack defense

  • Verification code

    Captchas are often described as the simplest and most direct defence against CSRF.

    A CSRF attack constructs the request without the user's knowledge. A captcha forces the user to interact with the application before the final request completes, which the attacker's page cannot do on the user's behalf. In general, captchas are a good deterrent against CSRF attacks.

    But captchas are not a panacea: for the sake of usability you cannot put one on every operation of the site. They should therefore be treated as an adjunct to CSRF defence, not as the primary solution.

  • Referer check

    According to the HTTP protocol, the HTTP header contains a field called Referer that records the address of the page the request came from. A Referer check verifies that the request comes from a legitimate source. Two caveats: compare the full origin (scheme, host and port) rather than a string prefix, otherwise a host such as example.com.evil.net passes a check for example.com; and the browser may omit Referer entirely (Referrer-Policy, privacy extensions), so decide explicitly whether a missing header is rejected. Modern browsers also send an Origin header on cross-origin POST requests, which can be checked the same way.

  • Adding token verification

    A CSRF attack succeeds because the attacker can forge the user's request completely: all of the user's authentication information is in the cookie, which the browser attaches automatically, so the attacker passes the server's authentication using the user's own cookie without ever knowing its value. The key to defending against CSRF is therefore to put something in the request that the attacker cannot forge and that is not carried in a cookie. A randomly generated token is added to the HTTP request as a parameter (or a custom header), and an interceptor on the server side verifies it. If the request carries no token, or the token is wrong, the request is rejected as a possible CSRF attack.