1. What is XSS

Cross-site Scripting (XSS) is a code injection attack. The attacker injects malicious script into the target website so that it runs in the victim's browser. With such scripts, an attacker can obtain sensitive user information such as cookies and session IDs, compromising the security of the user's data.

2. XSS classification

1. Stored XSS

Example (Node.js):

const http = require('http');
const server = http.createServer();

server.on('request', function (req, res) {
  res.setHeader('Content-Type', 'text/html; charset=utf-8');
  // Simulates a value previously submitted by an attacker and read back from the database
  const sqlCnt = '<script>console.log(1)</script>';
  // The stored value is spliced into the HTML without any escaping
  const html = `<!DOCTYPE html><html><body>${sqlCnt}</body></html>`;
  res.write(html);
  res.statusCode = 200;
  res.end();
});

server.listen('8888');
console.log('Server is running at: http://localhost.meetsocial.cn:8888');

Attack steps:

1. The attacker submits malicious code to the database of the target website.

2. When the user opens the target website, the website server takes out the malicious code from the database, splices it into HTML and returns it to the browser.

3. The browser executes the script contained in the malicious code.

This is common in website features that save user-submitted data, such as forum posts, product reviews, and private messages.

For example, someone publishes a post containing malicious code; later an administrator logs in to the admin backend to review the post. The script in the post runs in the administrator's browser and steals the site's cookies, so the attacker can then log in as the administrator.

2. Reflected XSS

Example (Node.js):

// Site search example
// open: http://localhost:8888/?s="><script>alert(1)</script>
const http = require('http');
const url = require('url');
const server = http.createServer();

server.on('request', function (req, res) {
  res.statusCode = 200;
  res.setHeader('Content-Type', 'text/html; charset=utf-8');
  const obj = url.parse(req.url, true);
  const query = obj.query;
  // The search term from the URL is reflected into the attribute without escaping
  const html = `<!DOCTYPE html><html><body>Current search content: <input type="text" value="${query.s || ''}" /></body></html>`;
  res.write(html);
  res.end();
});

server.listen('8888');
console.log('Server is running at: http://localhost.meetsocial.cn:8888');

Attack steps:

1. The attacker constructs a special URL that contains malicious code.

2. The attacker induces the user to open the URL with malicious code, and the website server takes out the malicious code from the URL, splices it into HTML and returns it to the browser.

3. The browser executes the script contained in the malicious code.

Common examples are site search pages and redirect pages. Site redirect code example:

<?php
// redirect: the url parameter is written straight into a script block
echo "<script>window.location.href = '{$_GET['url']}'</script>";
?>

3. DOM-based XSS

Example (Node.js):

// open: http://localhost.meetsocial.cn:8888/?t=<img src='1' onerror="alert(1)" />
const http = require('http');
const server = http.createServer();

server.on('request', function (req, res) {
  res.statusCode = 200;
  res.setHeader('Content-Type', 'text/html; charset=utf-8');
  // The server never touches the parameter; the page's own script reads it from
  // location.search (skipping the leading "?t=") and writes it into the DOM as HTML
  const html = `<!DOCTYPE html><html><body>hahaha~<div id='tttt'></div><script>document.getElementById("tttt").innerHTML = decodeURIComponent(location.search.substr(3));</script></body></html>`;
  res.write(html);
  res.end();
});

server.listen('8888');
console.log('Server is running at: http://localhost.meetsocial.cn:8888');

Attack steps:

1. The attacker constructs a special URL that contains malicious code.

2. The attacker induces the user to open the URL containing the malicious code.

3. The front-end JavaScript picks up the malicious code in the URL and executes it.

3. XSS prevention

1. Preventing stored and reflected XSS attacks (server side)

1. Switch to pure front-end rendering, separating code from data.

The server returns a static page; all data is obtained through Ajax and then rendered on the page by the front end.

2. Fully escape HTML.

Use a common template engine such as doT.js, EJS, or FreeMarker, which escape output for you. For example, in Java projects the commonly used escaping library is org.owasp.encoder.
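As an added example (not code from the original article), the following shows what "fully escape HTML" means in practice, applied to the search page and the stored post from the examples above. The helper names, the page layout and the sample payloads are my own; a template engine with auto-escaping performs the same substitution on your behalf.

```javascript
// Escape the five characters that matter in HTML text and in
// double- or single-quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, function (ch) { return map[ch]; });
}

// Hardened version of the reflected search page: the user-controlled
// value is escaped before it is placed inside the attribute, so a
// `"><script>` payload can no longer close the attribute or the tag.
function renderSearchPage(searchTerm) {
  const safe = escapeHtml(searchTerm || '');
  return '<!DOCTYPE html><html><body>Current search content: ' +
    '<input type="text" value="' + safe + '" /></body></html>';
}

// Hardened version of the stored example: whatever was read back from
// the database is treated as text, never as markup.
function renderStoredPost(postBody) {
  return '<!DOCTYPE html><html><body><p>' + escapeHtml(postBody) + '</p></body></html>';
}

// Constructed sample inputs mirroring the payloads used in the article.
const reflectedPayload = '"><script>alert(1)</script>';
const storedPayload = '<script>console.log(1)</script>';

console.log(renderSearchPage(reflectedPayload));
console.log(renderStoredPost(storedPayload));
```

Note that this escaping is only correct for HTML text and quoted attribute values; data placed inside a `<script>` block, a URL, or CSS needs the encoder for that context, which is why libraries such as org.owasp.encoder expose separate `forHtml`, `forJavaScript` and `forUri` style functions.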

2. Preventing DOM-based XSS attacks (client side)

Be careful with .innerHTML, .outerHTML and document.write(): do not insert untrusted data into the page as HTML. Prefer .textContent and .setAttribute() instead.

When using the Vue/React technology stack, be careful with v-html / dangerouslySetInnerHTML.

The following APIs all execute strings as code, so passing unsafe data to them easily creates a security hole.

<!-- inline event handlers -->
<img onclick="UNTRUSTED" onerror="UNTRUSTED" src="data:image/png,">
<!-- JavaScript inside a link -->
<a href="UNTRUSTED">1</a>
<script>
// setTimeout()/setInterval() executing a string
setTimeout("UNTRUSTED")
setInterval("UNTRUSTED")
// location
location.href = "UNTRUSTED"
// eval()
eval("UNTRUSTED")
</script>

In short: be careful whenever variable data ends up being executed as JS code.
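The redirect page in the reflected XSS section and the `location.href = "UNTRUSTED"` line above share one fix: validate the target before navigating to it. The following is an added example (not code from the original article) of such a check, written for Node.js or the browser; the allowlisted hosts, the site origin and the function name are my own assumptions.

```javascript
// Hosts this site is willing to redirect to (constructed for the example).
const ALLOWED_HOSTS = ['shop.example', 'account.shop.example'];
const SITE_ORIGIN = 'https://shop.example';

// Returns a normalised absolute URL string if `raw` is an acceptable
// redirect target, otherwise null. The caller assigns only the returned
// value to location.href (or sends it in a Location header) and never
// the raw parameter itself.
function safeRedirectTarget(raw, allowedHosts, siteOrigin) {
  if (typeof raw !== 'string' || raw.length === 0) return null;
  let parsed;
  try {
    // Relative paths such as "/cart" resolve against the site's own origin;
    // "//evil.example/..." resolves to a foreign host and is caught below.
    parsed = new URL(raw, siteOrigin);
  } catch (e) {
    return null; // unparseable input is rejected rather than passed through
  }
  // Rejects javascript:, data:, vbscript: and any other scheme that the
  // browser would execute instead of navigate. The URL parser lower-cases
  // the scheme, so "JAVASCRIPT:" is caught as well.
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return null;
  // Rejects open redirects to attacker-controlled hosts, including the
  // "https://shop.example@evil.example/" trick, since hostname is the
  // part after the credentials.
  if (allowedHosts.indexOf(parsed.hostname) === -1) return null;
  return parsed.href;
}

// Constructed inputs: the first two are legitimate, the rest must be rejected.
const samples = [
  '/cart',
  'https://account.shop.example/login',
  'javascript:alert(1)',
  'https://evil.example/phish',
  '//evil.example/phish',
  'https://shop.example@evil.example/',
];
for (const s of samples) {
  console.log(s, '->', safeRedirectTarget(s, ALLOWED_HOSTS, SITE_ORIGIN));
}
```

Checking the parsed protocol and hostname, rather than pattern-matching the raw string, is the point of the design: the browser will interpret the URL the same way the parser does, so the check cannot be sidestepped by case tricks, credentials in the authority, or protocol-relative URLs.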

4. Real-world XSS encounters

1. If you open an HTTP site over Wi-Fi, you may find advertisements inserted. Where advertisements can be inserted, JS can be injected too; HTTPS does not have this problem.

2. Before, I found that I often followed some random people on my microblog; my microblog was probably also attacked by XSS.

3. Why does the bank website require entering the password a second time to check the balance? That is also to prevent XSS attacks.

4. The XSS attack on the Hong Kong Bookstore online shop (do not do anything illegal)