XSS (Cross-Site Scripting, literally a "cross-site script" attack) is one of the most common threats in web security. Notice the key word: script. It tells you straight away what XSS is about, and an example makes it concrete.
Suppose a page renders a request parameter straight into its markup:

```html
<div><%= getParams(name) %></div>
```

If the request is `http://getData?name="><script>alert('XSS'); </script><"`, the rendered response is roughly

```html
<div>"><script>alert('XSS'); </script><"</div>
```

The stray `">` and `<"` stay behind as harmless text, but the `<script>` tag is parsed and executed: the div has been injected with an attacker's script.
In plain English, XSS abuses string splicing of HTML: attacker-controlled input is concatenated into the page, forms tags such as `<script>`, and the injected script then runs in the victim's browser, where it can read login state (such as cookies) and send it elsewhere.
XSS attacks are usually divided into three types: DOM-based, reflected, and stored.
1. DOM-based: the splice happens in front-end JavaScript rather than on the server. If the getParams in the example above were a client-side function that read the query string and wrote it into the div with innerHTML, the server would never see the payload and the vulnerability would be DOM-based.
2. Reflected: the payload travels in the URL to the back end, which parses it and echoes it into the response, exactly as the server-side template in the example above does. It only fires for a victim who opens the crafted link.
3. Stored: the easiest to understand. The malicious script is submitted from the front end to the back end and saved in the database; every user who later visits a page that renders the stored content triggers the attack, with no crafted link required.
Once the mechanism and the common scenarios are understood, the defences can be targeted. (There are many ways to prevent XSS, and the right one depends on the situation: applying them mechanically can sometimes break the site.)
1. HTML escaping: encode the characters that have meaning in HTML before they reach the page, so they render as text instead of markup:

```
<  ->  &lt;
>  ->  &gt;
```

Also escape `&`, `"` and `'` when the value ends up inside an attribute, and remember that escaping is context-specific: what is safe inside a text node is not necessarily safe inside a URL or a JavaScript string.
2. Whitelist filtering: when rich HTML must be allowed, use a mature third-party sanitizer that keeps an allow-list of tags and attributes (DOMPurify is a common choice in the browser) rather than writing your own blacklist.
3. Set the HttpOnly flag on session cookies so that front-end JavaScript cannot read them through document.cookie. This does not stop the injected script from running, but it takes the easiest prize (cookie theft) off the table.
4. Browser CSP: a Content-Security-Policy header that whitelists script sources (and avoids 'unsafe-inline') stops an injected inline script from executing even if the escaping was missed somewhere.
5. Verification codes: require a CAPTCHA or similar for sensitive operations so that a script cannot silently act on the user's behalf.
Summary: don't assume XSS prevention is purely a back-end job. The front end has its own part to play.