Understanding XSS attacks: one of the things you need to know about security testing

I only want to show you what XSS is. In layman's terms: the links, URLs, pictures and so on that an attacker brings in through a URL contain malicious scripts, and those scripts execute as soon as you click.

I will only explain it here and not go into implementation, because this technique has been around for a long time and there are countless ways to mitigate and prevent it. It is like a hospital that has overcome many viruses: you are not afraid of infection, because there is medicine, you will not die, you can fight it, and vaccines prevent the disease.

So why do we still need to understand it? First, because many idle people will use old techniques to spoof and attack on purpose, we must at least know how to prevent them; otherwise even junior high school students can do it while you still do not know how it is done, which is embarrassing. Second, you can use this technique to test whether your own product can withstand attacks.

Therefore, if you want to become a security testing expert, you must thoroughly understand these techniques and how to discover hidden risks before you can prevent and remedy them.


First of all, two conditions must both hold for XSS to work:

    1. Malicious code must be injected into the web page;

    2. That malicious code must be successfully executed by the browser.

We also need to know what XSS can do:

    1. Steal cookies: read the target website's cookies and send them to the attacker's server.

    2. Read the user's non-public information, such as mailing lists or mail content, system customer data, contact lists, etc., for example with code like this:

Solution:

One method is to check the input before the form is submitted or before the URL parameter is passed on. For parameter filtering, see the following XSS filtering tool code, which checks whether the input contains malicious code;


What is XSS?

For example, if the URL takes parameters, a script can be carried in those parameters; or you can find a place where users enter data, such as a text box, construct a script there and submit it to the server, and when another user clicks on it, they are hit.

First, reflected XSS: the malicious code is not stored on the target website; the attack is carried out by enticing the user to click a malicious link that points at the target website.

Second, stored XSS: the malicious code is stored on the target website's server, so this kind of attack is stable and persistent. The most common scenarios are social sites such as blogs and forums, but it also appears in OA and CRM systems. For example, suppose the customer complaint function of a CRM system has a stored XSS vulnerability. The attacker submits malicious code as a complaint; when the system administrator views the complaint, the malicious code executes and steals the customer's information, and the administrator is none the wiser. This is a typical stored XSS attack.

Copy the script and paste it into a website you made yourself, for example one imitating Taobao. When you click in and enter your account and password, I can obtain them, and they can even be sent back to me remotely. Here is the local version;

The page below is crude; a real one looks very convincing. This is only a demonstration: when you enter your password, it directly displays what your password is.

A simple explanation of the script above: it shows the password you just entered.

The following code is a jpg image embedded in the website. If it is actually a link, then clicking it means you have been tricked.

Knowing these attack methods, you know how to protect yourself! So for XSS: do not click on unexplained URL links, pictures, etc.

Or raise the security level of your computer, install anti-virus software, and use a reliable browser that automatically filters out illegal websites. Learn to tell genuine websites from fake ones.


SQL injection: very harmful; it can cause website data leakage;

Redirection attack: similar to XSS, the malicious code redirects the user to another illegal website, where the next step of the attack is carried out;


Origin blog.csdn.net/bbs11007/article/details/99707047