Cross-Site Scripting (XSS)
XSS is less of a direct attack and more like an ambush. Rather than directly attacking victims, the attacker exploits a vulnerability in a website that victims are likely to visit, and when they do, the attack begins.
First, the attacker finds a website that has the vulnerability. A typical example of this would be a website that accepts comments from visitors but doesn't validate the comments that are actually entered.
The attacker then enters a
How can you prevent this? The most effective way to prevent this type of attack is to never, ever trust user input. Validate everything. At every point in your website or application, put validation in place to sanitize the input, making it virtually impossible for any type of unwanted or malicious code to be stored in your database.
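As an added illustration of the comment-form case above (example code, not from the original article), the following Node.js snippet shows the vulnerable rendering next to a hardened one, plus the kind of server-side validation the paragraph calls for. The functions renderCommentUnsafe, renderCommentSafe, validateComment and the length limit are all assumptions made for this example; the sample comment is constructed.

```javascript
// Escape the five characters that can change how an HTML parser interprets
// text, so untrusted input is displayed literally instead of being parsed
// as markup. This is output encoding for the HTML-body context only.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable rendering (the "accepts comments but doesn't validate" site):
// the visitor's text is concatenated straight into the page markup.
function renderCommentUnsafe(author, comment) {
  return `<li><b>${author}</b>: ${comment}</li>`;
}

// Hardened rendering: every untrusted value is encoded before insertion.
function renderCommentSafe(author, comment) {
  return `<li><b>${escapeHtml(author)}</b>: ${escapeHtml(comment)}</li>`;
}

// Server-side input validation to pair with the output encoding. The limit
// of 2000 characters and the control-character check are constructed for
// this example; a real site would set them to match its own comment policy.
function validateComment(comment) {
  if (typeof comment !== 'string') return { ok: false, reason: 'not a string' };
  const trimmed = comment.trim();
  if (trimmed.length === 0) return { ok: false, reason: 'empty' };
  if (trimmed.length > 2000) return { ok: false, reason: 'too long' };
  // Reject ASCII control characters (tab, LF and CR are allowed).
  if (/[\x00-\x08\x0B\x0C\x0E-\x1F]/.test(trimmed)) {
    return { ok: false, reason: 'control characters' };
  }
  return { ok: true, value: trimmed };
}

// Constructed sample: a comment carrying markup that should never execute.
const SAMPLE_COMMENT = 'Nice post! <script>/* attacker-controlled */</script>';

// Full handling path for one submitted comment: validate first, then render
// with encoding. Returns the markup that would be sent to other visitors.
function handleSubmittedComment(author, comment) {
  const check = validateComment(comment);
  if (!check.ok) return { accepted: false, reason: check.reason };
  return { accepted: true, html: renderCommentSafe(author, check.value) };
}

console.log(renderCommentUnsafe('bob', SAMPLE_COMMENT)); // script tag survives intact
console.log(handleSubmittedComment('bob', SAMPLE_COMMENT)); // script tag is encoded
```

Validation rejects input that is clearly out of policy; encoding at the point of output is what makes the remaining text harmless in the browser. The two are complementary, and the encoding must match the context the value lands in (an attribute or a script block needs different escaping than body text).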
Cross-site Request Forgery (CSRF)
Closely related to XSS attacks are CSRF attacks. Phil Haack has a good analogy in his article "Anatomy of a Cross-site Request Forgery Attack."
Phil compares browsers to people in a prison. If you want to attack another inmate in another cell, it's quite difficult. However, if you could somehow convince the prison guard to do something on your behalf, it would be much easier, because the prison guard has much more access than you yourself would have.
A CSRF attack works in a similar fashion. The attacker doesn't directly try to make changes to your authorized accounts. Rather, he or she tricks you and your browser into making those changes -- all without your knowledge.
Here's how it works. When you visit a site that requires authorization, your web browser is issued an authorization cookie. This cookie contains pieces of data that tell the server that your browser is allowed to access the site.
How can you prevent this type of attack? The main method to avoid this type of attack is to use some form of authorization token. These tokens are encrypted, and they basically tell the server that whichever action is being requested is being requested from the correct page. In other words, it tells the server that you're currently viewing the page and that the requested changes are being initiated from that page and not from somewhere else (i.e. the attacker's page).
Protect Your Intellectual Property
Enforcing License Agreements
Your reputation is closely tied to how satisfied users are with your applications. How well your application performs and how reliable it is are the key components of their satisfaction. Does it work as designed every time?
Let's first look at reliability. You don't just want the application to run smoothly, you also want it to perform correctly every time. By securing your source code through obfuscation you help to keep curious code tinkerers from poking around the code, making changes here and there in the hopes of "customizing" it to their liking.
It won't stop this completely, but obfuscation can help to significantly reduce such issues. For instance, obfuscation can prevent users from cheating in a game.