XSS

What is XSS

XSS (cross-site scripting) is a computer security vulnerability commonly found in Web applications that allows malicious Web users to insert code into pages intended for use by other users. Such code includes, for example, HTML and client-side scripts. Attackers exploit XSS vulnerabilities to bypass access controls such as the same-origin policy. This type of vulnerability has become well known because hackers use it to write more damaging phishing attacks. On cross-site scripting attacks, the hacker community consensus is: cross-site scripting is the new “buffer overflow attack”, and JavaScript is the new “shellcode”.

Example: <script>alert(document.cookie)</script>

Characteristics

Malicious HTML/JavaScript code can be injected into the web page the user is browsing, enabling cookie theft, session hijacking, phishing and other attacks. < Attack code doesn’t have to be in >

Why

  • Web browsers are inherently insecure by design. Browsers can parse and execute code such as JS, but do not determine whether the data and program code are malicious.

  • Input and output are the most basic interactions of Web applications, and Web sites are becoming more and more interactive. If you don’t do a good job of security during this process, XSS vulnerabilities can easily occur.

  • Programmers' skill levels are uneven, and most of them have had no formal security training and lack the relevant security awareness.

  • XSS attacks are flexible.

Harm

  • Theft of all kinds of user accounts, such as machine login accounts, online banking accounts, and administrator accounts
  • Control of enterprise data, including the ability to read, modify, add, and delete sensitive enterprise data
  • Theft of important, commercially valuable data from the enterprise
  • Illegal transfers
  • Forced sending of e-mail
  • Planting malicious code (trojans) on websites
  • Control of the victim’s machine to launch attacks on other sites

How to prevent

  • Mark important cookies as HttpOnly so that the document.cookie statement in JavaScript cannot fetch them.
  • Restrict form data to the expected type of value, for example: age should only be int, name can only be alphanumeric…
  • HTML-encode the data
  • Filter or remove special HTML tags, such as
  • Filter JavaScript event attributes in tags, for example “onclick=”, “onfocus”, etc.
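
The first three measures in the list above, combined in one place as an added example (not code from the original article). It validates form fields by type, HTML-encodes data on output, and builds an HttpOnly session cookie. All function names, the length limits and the extra Secure/SameSite cookie attributes are assumptions made for illustration.

```javascript
// Characters that can change the HTML context, mapped to their entities.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML-encode untrusted data before writing it into element content
// or into a quoted attribute value.
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Type checks from the list: age must be an integer, name alphanumeric.
// Returns the names of the fields that failed (length limits are assumed).
function validateForm(form) {
  const errors = [];
  if (!/^[0-9]{1,3}$/.test(String(form.age))) errors.push('age');
  if (!/^[A-Za-z0-9]{1,64}$/.test(String(form.name))) errors.push('name');
  return errors;
}

// Set-Cookie value for a session cookie that document.cookie cannot read.
// Secure and SameSite are additions beyond the article's HttpOnly advice.
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Free-text fields such as a comment cannot be restricted to a type,
// so they rely on encoding at output time.
function renderComment(form) {
  const errors = validateForm(form);
  if (errors.length > 0) {
    return `<p>Invalid field(s): ${htmlEncode(errors.join(', '))}</p>`;
  }
  return `<p><b>${htmlEncode(form.name)}</b> (${Number(form.age)}): ` +
         `${htmlEncode(form.comment)}</p>`;
}

// Attribute context: encoding the quote keeps the value inside value="...".
function renderNameField(name) {
  return `<input type="text" name="name" value="${htmlEncode(name)}">`;
}

// Constructed sample input, reusing the article's own example string.
const sample = { name: 'alice1', age: '30', comment: '<script>alert(document.cookie)</script>' };
console.log(renderComment(sample));
console.log(renderNameField('" onclick="x'));
console.log(sessionCookie('sid', 'abc123'));
```

Encoding is applied at the point of output, so the stored comment stays unchanged and each output context can use the encoding it needs.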
