XSS (Cross-site scripting attacks)

A code injection attack in which the attacker injects malicious scripts into the target website and gets them to run in the victim's browser. With these scripts the attacker can obtain sensitive user information, such as cookies and session IDs, and thereby compromise data security.

Common XSS injection methods

  • Pre-prepared malicious scripts are injected into benign, trusted websites by submitting forms, posting comments, etc.
  • Script code is placed in the href, src and other attributes of a tag
  • Code such as background-image:url("javascript:…") is placed in a style attribute or a <style> tag

XSS classification

According to where the malicious code comes from, XSS attacks can be classified as stored, reflected and DOM-based XSS.

Stored XSS

It is the most dangerous type of cross-site scripting, and more insidious than reflected and DOM-based XSS, because it does not require the user to trigger it manually. Any web application that lets users store data may have a stored XSS vulnerability, and if a page is affected by stored XSS, every user who visits that page is attacked.

Attack steps:

  1. The attacker submits malicious code to the target website's database
  2. A user opens the target website; the web server takes the malicious code out of the database, splices it into the HTML and returns it to the user
  3. The user's browser receives the response, parses and executes it, and the malicious code mixed in runs
  4. The malicious code steals sensitive user data and sends it to the attacker, or impersonates the user and calls the target website's interfaces to perform the operations the attacker specifies

Stored XSS (also known as persistent XSS) is common in web features that save user data, such as forum posts, product reviews and private messages.

Reflected XSS

The difference between reflected XSS and stored XSS is that in stored XSS the malicious code is stored in the database, whereas in reflected XSS the malicious code is carried in the URL.

Attack steps:

  1. The attacker constructs a special URL that contains malicious code
  2. A user opens the URL containing the malicious code; the web server takes the malicious code out of the URL, splices it into the HTML and returns it to the user
  3. The user's browser receives the response, parses and executes it, and the malicious code mixed in runs
  4. The malicious code steals sensitive user data and sends it to the attacker, or impersonates the user and calls the target website's interfaces to perform the operations the attacker specifies

Reflected XSS (also known as non-persistent XSS) vulnerabilities are common in functions that pass parameters through the URL, such as site search and redirects. Because the user has to open the malicious URL for the attack to take effect, attackers usually combine several means to induce users to click.

DOM-based XSS

The attack steps are similar to reflected XSS, but in DOM-based XSS the browser's own JavaScript fetches the malicious code and inserts it into the page, whereas in the other two types the server does so. Guarding against DOM-based XSS is therefore the front end's responsibility.

Type            Storage area                                  Insertion point
Stored XSS      Back-end database                             HTML
Reflected XSS   URL                                           HTML
DOM-based XSS   Back-end database / front-end storage / URL   Front-end JavaScript

Defending against XSS

Wherever there is input data, there may be an XSS risk.

Common prevention methods:

  • HttpOnly: once the HttpOnly flag is set on a cookie, JavaScript cannot read that cookie
  • Input filtering: check the format of input so that scripts cannot appear in it
  • Escape HTML: when concatenating data into HTML, escape angle brackets, slashes, quotes and so on

Preventing stored and reflected XSS

Here the malicious code comes from the server and is inserted into the HTML. Switch to pure front-end rendering, separating code from data (the page is rendered in the browser from business data fetched over Ajax), and fully escape data before concatenating it into HTML.
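The two server-side defences above (escape HTML before concatenation, and the HttpOnly cookie flag) in working form. This is an added example, not code from the original article; the escaping table, the `renderComment*` functions, the cookie name `sid` and the sample comment are all constructed here. Note that `escapeHtml` is correct only for HTML text and quoted-attribute contexts; data placed inside a `<script>` block or a URL needs that context's own encoding.

```javascript
// Added example, not code from the original article: escaping untrusted
// data before it is spliced into HTML, plus the HttpOnly cookie flag.
// Runs under Node.js with no dependencies.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Escape the characters that change meaning in an HTML text node or a
// quoted attribute value. '&' is included so injected entities are
// neutralised too; '/' is included because it closes tags.
// For HTML text/attribute contexts only; <script> bodies and URLs need
// their own encoding.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: data read from the database goes straight into
// markup. Kept only to show the difference the fix makes.
function renderCommentUnsafe(comment) {
  return `<li class="comment">${comment.author}: ${comment.body}</li>`;
}

// Fixed rendering: every untrusted value passes through escapeHtml.
function renderCommentSafe(comment) {
  return `<li class="comment">${escapeHtml(comment.author)}: ${escapeHtml(comment.body)}</li>`;
}

// Simple detector a unit test can run over rendered output.
function containsScriptTag(html) {
  return /<script/i.test(html);
}

// Session cookie with the HttpOnly flag, so document.cookie cannot read it.
// Secure and SameSite are added because they are normally wanted alongside.
// The cookie name "sid" is a constructed example.
function sessionCookieHeader(sessionId) {
  if (!/^[A-Za-z0-9_-]+$/.test(sessionId)) {
    throw new Error('session id contains characters not allowed in a cookie value');
  }
  return `sid=${sessionId}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Constructed sample record, standing in for a row read back from storage.
const storedComment = {
  author: 'guest',
  body: '<script>alert(document.cookie)</script>',
};

console.log(renderCommentUnsafe(storedComment)); // would execute in a browser
console.log(renderCommentSafe(storedComment));   // shown as literal text instead
console.log(sessionCookieHeader('constructed-session-id-123'));
```

`renderCommentSafe` is the pattern to keep: the template owns all the markup and every interpolated value is escaped, so a stored comment containing a script tag is displayed as text rather than parsed.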

Preventing DOM-based XSS

Avoid using .innerHTML, .outerHTML, document.write() and v-html. Inline event handlers in the DOM (onclick, onerror, onload, onmouseover, etc.), location, the href attribute of the a tag, and JavaScript's eval(), setTimeout() and setInterval() can all run a string as code, so untrusted data must never reach them.
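The front-end side of the same defence: build nodes with DOM methods and textContent instead of innerHTML, and check a link's scheme before it goes into an href. This is an added example, not code from the original article; `safeLinkHref`, `buildLinkSpec`, `renderUserLink`, the `example.invalid` base origin and the sample user are all constructed here. The pure functions run under Node.js; `renderUserLink` needs a browser document or any object with the same three methods.

```javascript
// Added example, not code from the original article: rendering untrusted
// data with DOM APIs instead of innerHTML / document.write, and checking a
// link's scheme before it goes into an href.

// Only plain web links are allowed into an href. The WHATWG URL parser
// lower-cases the scheme and strips leading whitespace, so variants such as
// "  JavaScript:alert(1)" resolve to the javascript: protocol and are
// rejected like the plain form. `base` is a hypothetical origin used to
// resolve relative links; substitute the real site origin.
const SAFE_PROTOCOLS = new Set(['http:', 'https:']);

function safeLinkHref(raw, base = 'https://example.invalid/') {
  let parsed;
  try {
    parsed = new URL(String(raw), base);
  } catch (e) {
    return null; // unparseable input: refuse rather than guess
  }
  return SAFE_PROTOCOLS.has(parsed.protocol) ? parsed.href : null;
}

// Decide what goes into the link without building any HTML string.
function buildLinkSpec(user) {
  return {
    // set via textContent later, so markup in the name is shown, not parsed
    text: String(user.displayName),
    // a rejected scheme falls back to a harmless '#'
    href: safeLinkHref(user.homepage) ?? '#',
  };
}

// Build the element through DOM methods: textContent cannot create child
// nodes, and the href has already passed the scheme check.
function renderUserLink(doc, user) {
  const spec = buildLinkSpec(user);
  const a = doc.createElement('a');
  a.textContent = spec.text;
  a.setAttribute('href', spec.href);
  a.setAttribute('rel', 'noopener noreferrer');
  return a;
}

// Constructed sample data, as it might arrive from the URL fragment or an
// API response; both fields are hostile.
const sampleUser = {
  displayName: '<img src=x onerror=alert(1)>',
  homepage: 'javascript:alert(document.cookie)',
};

// In a browser: document.body.appendChild(renderUserLink(document, sampleUser));
console.log(buildLinkSpec(sampleUser)); // { text: '<img src=x onerror=alert(1)>', href: '#' }
```

Splitting the decision (`buildLinkSpec`) from the DOM work (`renderUserLink`) keeps the security-relevant logic testable without a browser; in the test below `renderUserLink` is exercised with a minimal fake document.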