New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

xss csrf #25

Open

dvlin-dev opened this issue Apr 12, 2022 · 0 comments

Owner

dvlin-dev commented Apr 12, 2022 •

edited

Loading

xss

储存型像评论
反射型恶意脚本作为网络请求的一部分。从服务器返回到客户端 http://xx.com?q=<script>alert("你完蛋了")</script>
文档型 WIFI路由器劫持、本地软件，修改你的html
解决方案：过滤、csp（限制其他域下的资源加载。禁止向其它域提交数据。提供上报机制，能帮助我们及时发现 XSS 攻击。）、httponly

csrf

通过图片自动发送 get 获取你的cookie
恶意表单获取cookie
诱导点击发送get 邮件中的链接
解决方案：
csrftoken
检测Origin和Referer
cookie samesite，Strict其他网站禁止，Lax get表单或者get ，none 无

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment