“This is the 12th day of my participation in the First Challenge 2022. For details: First Challenge 2022”

Vulnerability summary

With Xiaoming's example finished, let's take a systematic look at the ways XSS gets injected:

  • In text embedded in HTML, malicious content is injected as script tags.
  • In inline JavaScript, concatenated data breaks out of its original constraints (a string literal, a variable, a method name, etc.).
  • In tag attributes, malicious content includes quotes to close the attribute value early and inject other attributes or tags.
  • In tag attributes such as href and src, the value contains javascript: or another executable URL scheme.
  • In event attributes such as onload, onerror and onclick, uncontrolled code is injected.
  • In the style attribute or tag, the value contains something like background-image:url("javascript:..."); (newer browsers already defend against this).
  • In the style attribute or tag, the value contains CSS expression code such as expression(...) (newer browsers already defend against this).
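As an added illustration (not code from the original post), here is one escaping routine per injection context from the list above (HTML text, attribute values, inline JavaScript string literals, and href/src URLs), applied by a small server-side renderer. The renderProfile function and the sampleUser data are constructed for this example; the hostile values in sampleUser exist only to show that each context neutralises them. The renderer deliberately puts no user data into event attributes or style, which is the safe choice for those two contexts. The same output encoding is what a server needs for the stored and reflective cases discussed later in the post.

```javascript
// Added example: context-aware output encoding for the XSS injection
// contexts listed above. Not from the original post; renderProfile and
// sampleUser are constructed for this illustration.

// 1. Text embedded in HTML: neutralise the characters that can start markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// 2. Attribute values: the same escaping, but the renderer must ALSO wrap
//    every value in double quotes so a quote in the data cannot end it early.
function escapeAttr(s) {
  return escapeHtml(s);
}

// 3. Inline JavaScript string literal: JSON.stringify quotes and escapes the
//    text; the extra replacements stop "</script>" from ending the script
//    block and stop U+2028/U+2029 from terminating the literal.
function escapeJsString(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// 4. href/src: allow relative URLs and an allow-list of schemes; anything
//    else (javascript:, data:, vbscript:, ...) is replaced by a harmless '#'.
//    Control characters are removed first because browsers ignore tabs and
//    newlines inside a scheme ("java\nscript:" still runs as javascript:).
function safeUrl(s) {
  const url = String(s).replace(/[\u0000-\u001f\u007f]/g, '').trim();
  if (/^[a-z][a-z0-9+.-]*:/i.test(url)) {
    return /^(https?|mailto):/i.test(url) ? escapeAttr(url) : '#';
  }
  return escapeAttr(url);
}

// A renderer that uses the right encoder in each spot; there is no user data
// in event attributes or style, and attribute values are always double-quoted.
function renderProfile(user) {
  return [
    '<div class="profile">',
    `  <h2>${escapeHtml(user.name)}</h2>`,
    `  <a href="${safeUrl(user.homepage)}" title="${escapeAttr(user.tagline)}">homepage</a>`,
    `  <script>var greeting = ${escapeJsString(user.name)};</script>`,
    '</div>',
  ].join('\n');
}

// Constructed sample input shaped like the hostile values the list describes.
const sampleUser = {
  name: '<script>alert(1)</script>',
  tagline: '" onmouseover="alert(1)',
  homepage: 'javascript:alert(1)',
};

console.log(renderProfile(sampleUser));
```

Each encoder is tied to exactly one context; using escapeHtml for a URL would still let javascript: through, and using safeUrl on body text would do nothing useful, which is why the renderer, not the data layer, decides which one to call.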

XSS classification

By the source of the attack, XSS can be classified into stored, reflective and DOM XSS.

Stored XSS attack steps:

1. The attacker submits malicious code to the target website's database.
2. When a user opens the target website, the server takes the malicious code out of the database, splices it into the HTML and returns it to the browser.
3. The user's browser parses and executes the response, and the malicious code mixed into it is executed as well.
4. The malicious code steals user data and sends it to the attacker's website, or impersonates the user and calls the target website's interfaces to perform the operations the attacker specifies.

This kind of attack is common in website features that save user-supplied data, such as forum posts, product reviews and user messages.

Attack steps of reflective XSS:

1. The attacker constructs a special URL that contains malicious code.
2. When a user opens the URL, the web server takes the malicious code out of the URL, splices it into the HTML and returns it to the browser.
3. The user's browser parses and executes the response, and the malicious code mixed into it is executed as well.
4. The malicious code steals user data and sends it to the attacker's website, or impersonates the user and calls the target website's interfaces to perform the operations the attacker specifies.

The difference between reflective and stored XSS is where the malicious code lives: stored XSS keeps it in the database, reflective XSS carries it in the URL. Reflective XSS is common in features that pass parameters through URLs, such as site search and redirects. Because the user has to actively open the malicious URL for it to take effect, attackers usually combine several techniques to induce the click. Reflective XSS can also be triggered by the contents of a POST, but the trigger condition is stricter (a form-submission page must be constructed and the user directed to it), so this is very rare.

DOM XSS attack steps:

1. The attacker constructs a special URL that contains malicious code.
2. The user opens the URL with the malicious code.
3. The user's browser parses and executes the response; the front-end JavaScript takes the malicious code out of the URL and executes it.
4. The malicious code steals user data and sends it to the attacker's website, or impersonates the user and calls the target website's interfaces to perform the operations the attacker specifies.

DOM XSS differs from the other two types: in a DOM XSS attack the malicious code is extracted and executed on the browser side, so it is a vulnerability in the front-end JavaScript itself, whereas the other two types are vulnerabilities on the server side.

XSS attack prevention

The input filter

Preventing stored and reflective XSS attacks

Pure front-end rendering

  1. The browser first loads a static HTML that does not contain any business-related data.
  2. The browser then executes the JavaScript in the HTML.
  3. JavaScript loads the business data through Ajax and calls the DOM API to update it to the page.

Preventing DOM XSS attacks

  1. Be careful with .innerHTML, .outerHTML and document.write(). Do not insert untrusted data into the page as HTML; use .textContent, .setAttribute(), etc. instead.
  2. If you use the Vue/React stack and do not use v-html / dangerouslySetInnerHTML, the front-end rendering phase avoids the innerHTML and outerHTML XSS concerns.
  3. Inline event listeners in the DOM (onclick, onerror, onload, onmouseover, etc.), the location property, and the JavaScript APIs eval(), setTimeout(), setInterval(), etc. can all run strings as code. If untrusted data is concatenated into a string and passed to these APIs, a security risk is easily created; this must be avoided.
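As an added example (not code from the original post), here is the three-step pure front-end rendering flow from the previous section implemented with the sinks recommended in point 1 above: the static shell is built empty, the search term is read from the page URL (a DOM XSS source) and the comment list arrives as JSON (what the Ajax call would return), and everything is written through textContent and setAttribute. A renderUnsafe variant concatenates the same data into innerHTML for contrast. createStubDocument() is a constructed stand-in for the browser document so the block runs under Node; in a browser you would pass the real document. The sample URL and comments are constructed and carry markup only to show what each sink does with it.

```javascript
// Added example: the pure front-end rendering steps with the DOM used as a
// data sink, not a markup sink. Not from the original post; the stub
// document, sample URL and sample comments are constructed for this example.

// Constructed stand-in for `document`: enough of the DOM to show the
// difference between textContent/setAttribute and innerHTML.
function createStubDocument() {
  const esc = (s) => String(s).replace(/[&<>"]/g,
    (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' }[c]));
  function createElement(tag) {
    const el = {
      tagName: tag, attrs: {}, children: [], text: '', rawHtml: null,
      setAttribute(name, value) { el.attrs[name] = String(value); },
      appendChild(child) { el.children.push(child); return child; },
      // textContent stores characters; angle brackets never become tags
      set textContent(v) { el.text = String(v); el.children = []; el.rawHtml = null; },
      get textContent() { return el.text; },
      // innerHTML stores markup verbatim, which is exactly why it is a sink
      set innerHTML(v) { el.rawHtml = String(v); el.children = []; el.text = ''; },
      // serialise like outerHTML: text and attributes escaped, rawHtml as-is
      get outerHTML() {
        const attrs = Object.entries(el.attrs)
          .map(([k, v]) => ` ${k}="${esc(v)}"`).join('');
        const inner = el.rawHtml !== null
          ? el.rawHtml
          : esc(el.text) + el.children.map((c) => c.outerHTML).join('');
        return `<${tag}${attrs}>${inner}</${tag}>`;
      },
    };
    return el;
  }
  return { createElement };
}

// Step 1: the static shell contains no business data, only empty containers.
function staticShell(doc) {
  const root = doc.createElement('div');
  const heading = root.appendChild(doc.createElement('h1'));
  heading.setAttribute('id', 'heading');
  const list = root.appendChild(doc.createElement('ul'));
  list.setAttribute('id', 'comments');
  return { root, heading, list };
}

// Steps 2 and 3: the script reads the search term from the URL and the
// comments from JSON, then writes both through text and attribute sinks.
function renderSafe(doc, pageUrl, commentsJson) {
  const { root, heading, list } = staticShell(doc);
  const q = new URL(pageUrl).searchParams.get('q') || '';
  heading.textContent = `Results for: ${q}`;           // text sink
  for (const c of JSON.parse(commentsJson)) {
    const li = list.appendChild(doc.createElement('li'));
    li.setAttribute('data-author', c.author);          // attribute sink
    li.textContent = `${c.author}: ${c.text}`;          // text sink
  }
  return root.outerHTML;
}

// The same data concatenated into innerHTML: markup in the data becomes DOM.
function renderUnsafe(doc, pageUrl, commentsJson) {
  const { root, heading, list } = staticShell(doc);
  const q = new URL(pageUrl).searchParams.get('q') || '';
  heading.innerHTML = `Results for: ${q}`;
  list.innerHTML = JSON.parse(commentsJson)
    .map((c) => `<li data-author="${c.author}">${c.author}: ${c.text}</li>`)
    .join('');
  return root.outerHTML;
}

// Constructed sample input: a URL parameter and a stored comment that both
// carry markup, the way a reflective, stored or DOM XSS payload would.
const samplePageUrl = 'https://example.test/search?q=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E';
const sampleCommentsJson = JSON.stringify([
  { author: 'mallory', text: '<script>alert(1)</script> nice post' },
  { author: 'alice', text: 'thanks & regards' },
]);

console.log(renderSafe(createStubDocument(), samplePageUrl, sampleCommentsJson));
console.log(renderUnsafe(createStubDocument(), samplePageUrl, sampleCommentsJson));
```

In renderSafe the comment text and the URL parameter come out as escaped text in the serialised tree, while in renderUnsafe the same strings are parsed as markup; the only difference between the two functions is which sink received the data, which is the whole point of points 1 and 2 above.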