Cross-site scripting is abbreviated XSS rather than CSS so that it is not confused with Cascading Style Sheets. XSS is a web application security vulnerability and a form of code injection: it lets an attacker inject script into a web page so that the script runs in the browsers of other users who view that page. The injected payload is usually HTML together with a client-side scripting language, almost always JavaScript.

Harm

  • Stealing cookies, and with them session tokens and other sensitive information.

  • Embedding Flash to obtain broader permissions through its cross-domain policy (crossdomain.xml), or using Java applets for similar operations (browsers no longer run these plugins, but the same idea applies to any trusted component the page can load).

  • Using iframe, frame, XMLHttpRequest, or Flash as above to perform actions as the victim: administrative operations, or everyday ones such as posting, adding friends and sending private messages. Sina Weibo suffered an XSS worm of exactly this kind.

  • Exploiting the fact that the vulnerable domain is trusted by other domains, so that requests coming from the trusted source are allowed to perform operations that would otherwise be refused, for example rigging a vote.

  • XSS on a heavily visited page can turn every visitor's browser into a request source aimed at a smaller website, achieving the effect of a DDoS attack.

Principle

The root cause of an XSS vulnerability is that the web application does not adequately validate and escape data submitted by users. A user can therefore include HTML in the submitted data (the key characters are "<" and ">", and also quotes and "&" when the data lands inside an attribute), and the application outputs that data unescaped into pages served to other users, whose browsers interpret and execute it.

Classification

  1. Reflected XSS: the attacker places script code in a request parameter, typically in a URL, and the application echoes the parameter directly into the response page. A user who clicks such a malicious link is attacked. These attacks are one-off and non-persistent: the payload lives in the link, not on the server.

  2. Stored XSS: wherever users can enter data that other users will later view (messages, comments, blog posts, form submissions), the application saves the data in a database and displays it on a page. Once an attacker has submitted malicious script through such a page, every user who later browses it may be attacked. The flow is: malicious user -> HTML input to the web program -> database -> web program -> victim's browser. These attacks are persistent, so both the harm and the number of affected users are larger.

Examples

1. Reflected XSS

The attacker sends the following link to the victim:

Code:

http://www.XXXX.com/search.asp?input=<script>alert(document.cookie);</script>

When the victim clicks the link, the injected script is sent to the search.asp page on the target server as the search keyword, and the server embeds that keyword unescaped into the search results page it returns. When the victim's browser renders the results page, the script executes. That is the whole mechanism of reflected XSS: the attacker gets script to run in the victim's browser without ever storing anything on the server. Because the payload is injected into a dynamically generated page rather than a persisted one, the attack only works when the link is clicked, which is why it is called non-persistent XSS.

2. Stored XSS

A malicious attacker posts a message that contains malicious code, for example a script that sends document.cookie to a server the attacker controls.

Users A and B then open the attacker's post. As soon as the page is viewed the script runs, and their cookie information is sent to the attacker's server: the attack has succeeded.

As you can see, a stored XSS attack embeds the malicious code permanently into a page and victimizes every user who visits it. A reflected XSS attack can be avoided to some degree by being careful about unfamiliar links; a stored XSS attack injects into pages we already trust, so the victim is exposed no matter how careful they are.

XSS defenses

Where there is a spear, there is a shield

Filter the input

Never trust user input. Define the set of valid values for each field (an allowlist) and reject everything else. Filtering alone is not sufficient, though: a blocklist of dangerous strings is easy to bypass with alternative tags, attributes and encodings, so input validation must be paired with output escaping.

Escape the output

When a string must be output into a web page and you cannot be sure it is free of characters that are special in HTML, HTML-encode it so that the output keeps its literal content and is rendered correctly. The encoding below is the right one for the HTML body and for quoted attribute values; a value placed inside a <script> block, an event handler, a URL or a style attribute needs the escaping rules of that context instead, because HTML encoding does not make it safe there.

Before escaping    After escaping
<                  &lt;
>                  &gt;
&                  &amp;
"                  &quot;
(space)            &nbsp;

The single quote should also be encoded (as &#39;) when the value can land in an attribute. Encoding spaces as &nbsp; adds nothing for safety and turns them into non-breaking spaces, so it is usually left out.

For example, the user enters:

<script>window.location.href="http://www.baidu.com";</script>

After escaping (preferably done at output time, so that the database keeps the original text), what reaches the page is:

&lt;script&gt;window.location.href=&quot;http://www.baidu.com&quot;;&lt;/script&gt;

The browser renders these entities as text rather than treating them as tags and executable code.

Use HttpOnly cookies

Mark important cookies, above all the session cookie, as HttpOnly. The browser still attaches the cookie to every request it sends to the web server, but script on the page cannot read it, so an XSS payload that relies on document.cookie to steal cookies gets nothing. Note what this does not do: injected script can still make requests from the victim's browser, and the browser attaches the HttpOnly cookie to those requests, so the actions listed under "Harm" remain possible. HttpOnly limits cookie theft; it does not remove the XSS.

Since the company uses the Vue framework for client development, one point matters when writing Vue templates: text interpolation with double mustaches ({{ }}) outputs the value as plain text and is safe, whereas the v-html directive renders the value as raw HTML. Dynamically rendering arbitrary HTML on a website is very dangerous because it leads directly to XSS, so use v-html only for trusted content and never for user-submitted content.