Home  >  Article  >  Backend Development  >  The difference between php csrf attack and xss attack

The difference between php csrf attack and xss attack

(*-*)浩
(*-*)浩Original
2019-10-12 10:20:383147browse

The difference between php csrf attack and xss attack

The basic concept, abbreviation, and full name of CSRF

CSRF (Cross-site request forgery): Cross-site request forgery. (Recommended learning: PHP video tutorial)

PS: Be sure to remember the Chinese name. The full English name, if you can’t remember it, forget it.

CSRF attack principle

The user is a registered user of website A and logs in, so website A issues a cookie to the user.

As can be seen from the above figure, to complete a CSRF attack, the victim must meet two necessary conditions:

The difference between php csrf attack and xss attack

(1) Login is trusted Website A, and generate cookies locally. (If the user is not logged in to website A, then website B will prompt you to log in when requesting the API interface of website A during induction)

(2) Visit dangerous websites without logging out of A B (actually exploiting the vulnerability of website A).

When we talk about CSRF, we must make the above two points clear.

As a reminder, cookies ensure that users can be logged in, but website B cannot actually get cookies.

Basic concepts of XSS

XSS (Cross Site Scripting): Cross-domain scripting attack.

XSS attack principle

The core principle of XSS attack is: you do not need to do any login authentication, it will pass legal operations (such as entering in the url , enter in the comment box), inject scripts (maybe js, hmtl code blocks, etc.) into your page.

The final result may be:

Stealing cookies to destroy the normal structure of the page, inserting advertisements and other malicious content D-doss attacks

## The difference between #CSRF and XSS

Difference 1:

CSRF: The user needs to log in to website A first to obtain the cookie. XSS: No login required.

Difference 2: (Difference in principle)

CSRF: It uses the vulnerability of website A itself to request the API of website A. XSS: Injects JS code into website A, and then executes the code in JS to tamper with the content of website A.

The above is the detailed content of The difference between php csrf attack and xss attack. For more information, please follow other related articles on the PHP Chinese website!

Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn