What is an XSS attack

Cross-site scripting (XSS) is a code injection attack: the attacker injects malicious scripts into the target website so that they run in users' browsers. With these scripts, attackers can obtain sensitive user information such as cookies and session IDs, compromising data security.

Common injection methods for XSS:

  • In text embedded in HTML, malicious content is injected as script tags.
  • In inline JavaScript, concatenated data breaks out of the original constraints (strings, variables, method names, etc.).
  • In tag attributes, malicious content includes quotes to close the attribute value and inject other attributes or tags.
  • In href, src and similar attributes, the value carries executable code such as the javascript: pseudo-protocol.
  • Uncontrolled code is injected into event handlers such as onload, onerror and onclick.
  • In style attributes and tags, content such as background-image:url("javascript:…") is included (newer browsers already defend against this).
  • In style attributes and tags, CSS expression(…) code is included (newer browsers already defend against this).

Classification of XSS attacks

According to where the attack originates, XSS attacks are classified as stored, reflected and DOM-based.

  1. Stored: the attack payload is stored on the server, for example when the attack script is posted in a comment area. Once the script is stored on the server, every user who views that comment is attacked.
  2. Reflected: the attacker mixes the script into a URL. The server receives the URL, takes the malicious code out of a parameter, splices it into the HTML and returns it; the browser parses the HTML and executes the malicious code.
  3. DOM-based: the attack script is written into a URL and the user is induced to click it. When the URL is parsed, the attack script runs. The main difference is that DOM-based attacks do not pass through the server.

The difference between reflected and stored XSS is that in stored XSS the malicious code is stored in the database, while in reflected XSS it is carried in the URL.

DOM-based XSS differs from the other two types: in a DOM-based attack the malicious code is extracted and executed entirely on the browser side, so it is a vulnerability in the front-end JavaScript itself, whereas the other two types are vulnerabilities on the server side.

XSS common defense methods

  • HttpOnly: once the HttpOnly attribute is set on a cookie, JavaScript cannot read that cookie.
  • Input filtering: generally used to check input formats, such as email addresses, phone numbers, user names and passwords, so that input conforms to the specified format. This is not only the front end's responsibility; the back end must perform the same filtering check, because an attacker can bypass the normal input flow and send data directly to the server through the relevant interface.
  • Escape HTML: if HTML must be concatenated, quotes, angle brackets and slashes need to be escaped, but this alone is not perfect. To fully escape every insertion point of an HTML template, use an appropriate escaping library.
```javascript
// Escape the characters that can break out of HTML text or attribute context.
// The ampersand is replaced first so that the entities produced by the later
// replacements are not escaped a second time.
function escape(str) {
  str = str.replace(/&/g, '&amp;');
  str = str.replace(/</g, '&lt;');
  str = str.replace(/>/g, '&gt;');
  str = str.replace(/"/g, '&quot;');
  str = str.replace(/'/g, '&#39;');
  str = str.replace(/`/g, '&#96;');
  str = str.replace(/\//g, '&#x2F;');
  return str;
}
```
  • Whitelist: when displaying rich text you cannot escape all characters, as this would strip the formatting that is required. In this case whitelist filtering is usually adopted. Blacklist filtering is also possible, but because there are far too many tags and tag attributes to enumerate, whitelist filtering is recommended.
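Escaping alone does not cover the href/src injection point listed earlier, where a javascript: URL is valid attribute text and must be rejected rather than escaped. The following is an added example, not code from the original article, showing context-aware output encoding for HTML text and for URL attributes; the function names are the editor's own.

```javascript
// Entity map for characters that can break out of HTML text or a quoted attribute.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#39;', '`': '&#96;', '/': '&#x2F;',
};

// Escape untrusted text placed into HTML body text or a quoted attribute value.
function escapeHtml(str) {
  return String(str).replace(/[&<>"'`\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow only http(s) and relative URLs in href/src. The WHATWG URL parser strips
// tabs and newlines and lowercases the scheme, so obfuscated forms such as
// "JaVa\tScRiPt:" are still recognised as the javascript: pseudo-protocol.
function safeUrl(url) {
  let parsed;
  try {
    // Constructed base so that relative URLs parse; it never reaches the output.
    parsed = new URL(String(url), 'https://base.invalid/');
  } catch {
    return '#';
  }
  const ok = parsed.protocol === 'http:' || parsed.protocol === 'https:';
  return ok ? String(url) : '#';
}

// Build an anchor from untrusted link text and an untrusted URL:
// the URL is validated first, then both values are escaped for their context.
function renderLink(text, href) {
  return `<a href="${escapeHtml(safeUrl(href))}">${escapeHtml(text)}</a>`;
}
```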

What is CSRF

Cross-site request forgery (CSRF or XSRF), also known as one-click attack or session riding, is a method of hijacking a user into performing unintended actions on a web application in which they are currently logged in. For example, the attacker lures the victim to a third-party website, which then sends a cross-site request to the attacked website. Because the victim's browser already holds the credentials obtained from the attacked website, the request bypasses the back-end user authentication and impersonates the user to perform some operation on the attacked website.

CSRF defense method

  • Captcha: forces the user to interact with the application before the final request completes. This contains CSRF well, but the user experience is poor.
  • Referer check: restricts the request source. This method has the lowest cost, but it is not 100% effective, because the server does not always receive the Referer header and older browsers carry a risk of Referer forgery.
  • Token: a CSRF defense based on token verification is generally recognised as the most appropriate solution. However, if the site also has an XSS vulnerability, this method is rendered ineffective as well.

CSRF is different from XSS

  • CSRF is generally carried out with the help of XSS and is often referred to as XSRF (CSRF can also be carried out through direct command-line requests, etc.).
  • Essentially, XSS is a code injection problem and CSRF is an HTTP problem. XSS occurs when unfiltered content causes the browser to execute the attacker's input as code.
  • CSRF exists because the browser automatically attaches cookies when sending HTTP requests, and most websites store their sessions in cookies (token authentication avoids this).

Clickjacking

Clickjacking uses transparent buttons or links as traps laid over a web page: an attack that induces the user to click the link and access content without their knowledge. This behaviour is also known as UI redressing.

Clickjacking can be done in two ways:

  • An attacker uses a transparent iframe, overlays it on a web page and induces the user to operate on that page; the user unknowingly clicks on the transparent iframe page instead.
  • An attacker uses an image to cover a web page, disguising the original element at that position.

Clickjacking defense

  • X-Frame-Options

The X-Frame-Options HTTP response header is a flag indicating to the browser whether a page may be displayed in a <frame>, <iframe>, <embed> or <object>. Sites can use it to ensure that their content is not embedded in someone else's site and thus avoid clickjacking attacks.

X-Frame-Options has three values:

  • DENY: the page may not be displayed in a frame at all, even when the framing page is on the same domain.
  • SAMEORIGIN: the page may be displayed in a frame only when the framing page is on the same domain.
  • ALLOW-FROM uri: the page may be displayed in a frame only from the specified origin. (This value is obsolete and current browsers no longer support it.)
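The following is an added example, not code from the original article, that models the three values above as a framing decision and builds the header a server should send; a missing or unrecognised header is treated as "framing allowed", which is exactly the clickjacking exposure. The function names are the editor's own.

```javascript
// Decide whether a page served from pageOrigin may be framed by a page at framerOrigin,
// according to the X-Frame-Options value it sends.
function framingAllowed(headerValue, pageOrigin, framerOrigin) {
  if (headerValue === undefined || headerValue === null) return true; // no header: anyone may frame
  const value = String(headerValue).trim();
  const upper = value.toUpperCase();
  if (upper === 'DENY') return false;
  if (upper === 'SAMEORIGIN') return pageOrigin === framerOrigin;
  if (upper.startsWith('ALLOW-FROM ')) {
    // Semantics as described above. Current browsers have dropped ALLOW-FROM and
    // treat it as an invalid header, so relying on it leaves the page framable.
    try {
      return new URL(value.slice('ALLOW-FROM '.length).trim()).origin === framerOrigin;
    } catch {
      return true; // unparsable value: browsers ignore the header
    }
  }
  return true; // unrecognised value: browsers ignore the header
}

// Return a copy of a response-headers object with frame protection added.
// DENY is the default; SAMEORIGIN only when the site really frames its own pages.
function addFrameProtection(headers, allowSameOrigin = false) {
  return { ...headers, 'X-Frame-Options': allowSameOrigin ? 'SAMEORIGIN' : 'DENY' };
}
```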