What is it

XSS (Cross-Site Scripting) is a class of attack in which an attacker injects client-side script into other users' browsers through a website in order to obtain those users' data, such as cookies, and to steal their money or private information. For example, if a JS script typed into a comment box is passed to the server unprocessed and then rendered directly into the page, an XSS attack can be triggered.

XSS works because the malicious code is not filtered and is mixed in with the site's own code, so the browser cannot tell which scripts are trusted, and the malicious script is executed along with the rest.

Classification

Reflected XSS attack

This attack occurs when user data sent to the server is immediately returned and displayed as-is in the browser; it is usually a one-off attack that requires the victim to follow a crafted link.

Persistent XSS attack

The malicious script is stored on the site and later served as-is to other users, executing without their knowledge. Such attacks are persistent and do great harm because the server stores the script in the database and splices it into the HTML as a plain string.

XSS attack example

1. Attacking a page that inserts the browser input string directly

Here is the rule: attack this instance so that the browser executes prompt(1).

function escape(input) {
  // warm up
  // script should be executed without user interaction
  return '<input type="text" value="' + input + '" >';
}

The example above is very simple: it prints whatever it receives and does nothing else, so you can simply write a script:

"><script>prompt(1);</script>

Since the instance concatenates the input directly into the value attribute, we can close the attribute and the tag with "> and then write our own script, which executes normally.

2. Attacking a page that strips closed tags from the input string and uses the filtered result directly

The second level is a little more careful: it adds a filter rule that replaces any content enclosed in angle brackets with a blank, so the direct script-tag method above no longer works.

function escape(input) {
  // tags stripping mechanism from ExtJS library
  // Ext.util.Format.stripTags
  // matches an opening or closing tag, but only when the closing '>' is present
  var stripTagsRE = /<\/?[^>]+>/gi;
  input = input.replace(stripTagsRE, ' ');

  return '<article>' + input + '</article>';
}

If a script tag does not work, the script can be placed in an event handler attribute instead, like this:

<img src=# onerror="prompt(1)"

The code above still executes even though the angle bracket is never closed (the filter's regex only matches a complete tag), and the onerror handler runs because the image referenced by src does not exist.

<body onload="prompt(1)//"

onload fires once the page has finished loading the DOM, so the code above also works.

Prevention methods

  • To stop code being injected through tags, escape input values when they are written into HTML, for example with an escapeHTML function
  • For link redirects, validate the target against a whitelist; for example, reject values that do not start with an entry in the whitelist (the post gives ['http','https','scheme','javascript:',location.href="xxx"] as its example list)
  • Front-end/back-end separation
  • CSP (Content Security Policy)
  • Input length limits
  • HttpOnly cookies
  • Verification codes (CAPTCHA)
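The following is an added example, not code from the original post. It puts the post's second filter (the ExtJS-style strip-tags regex) side by side with output encoding, which is what the first prevention item recommends, and adds a URL-scheme whitelist for the link-redirect item. `escapeHtml`, `renderInput`, `isSafeUrl`, `compareDefences` and the `SAMPLES` inputs are all hypothetical names and constructed data; the point it shows is that a strip-tags blocklist leaves an unclosed tag untouched, while encoding every markup character makes the same input inert in both text and attribute contexts.

```javascript
// Added example (not from the original post): tag stripping versus output
// encoding, plus a scheme whitelist for user-supplied link targets.

// Reconstruction of the post's strip-tags filter. The regex only matches a
// tag when the closing '>' is present, so an unclosed tag passes through.
const stripTagsRE = /<\/?[^>]+>/gi;
function stripTags(input) {
  return input.replace(stripTagsRE, ' ');
}

// Output encoding for HTML text and attribute contexts: every character that
// could close an attribute or open a tag becomes an entity, so the browser
// never sees it as markup. (Hypothetical helper.)
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened version of the post's first template: the value is encoded before
// it is concatenated into the attribute, so '">' cannot close it.
function renderInput(input) {
  return '<input type="text" value="' + escapeHtml(input) + '" >';
}

// Scheme whitelist for link redirects (hypothetical helper). Relative URLs
// are resolved against a base first; anything whose scheme is not http(s),
// such as javascript: or data:, is rejected.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);
function isSafeUrl(value, base = 'https://example.invalid/') {
  let url;
  try {
    url = new URL(String(value).trim(), base);
  } catch (e) {
    return false; // unparsable input is never safe
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Constructed sample inputs: the post's own two payloads plus benign text.
const SAMPLES = [
  '"><script>prompt(1);</script>',
  '<img src=# onerror="prompt(1)"',
  'hello <b>world</b>',
];

// True when the output still contains a raw '<' that the browser could
// interpret as the start of a tag.
function hasRawTagStart(s) {
  return s.includes('<');
}

// Run both defences over the samples and report what each leaves behind.
function compareDefences() {
  return SAMPLES.map((s) => ({
    input: s,
    stripped: stripTags(s),
    strippedUnsafe: hasRawTagStart(stripTags(s)),
    encoded: escapeHtml(s),
    encodedUnsafe: hasRawTagStart(escapeHtml(s)),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(compareDefences());
}
```

Running the block prints a table in which the unclosed `<img ...` payload survives `stripTags` unchanged (strippedUnsafe is true) while every sample comes out of `escapeHtml` without a raw `<`. Encoding is context-specific: this helper covers HTML text and quoted attribute values, and a value inserted into a URL, a JavaScript string or CSS needs the encoder for that context instead.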
