XSS attack

1  XSS (cross-site scripting) is a computer security vulnerability that often occurs in web applications. It allows malicious web users to implant code into pages that are served to other users. Such code includes HTML and client-side scripts, for example. Attackers exploit XSS vulnerabilities to bypass access controls such as the same-origin policy. This type of vulnerability has become widely known for being used by hackers to write more damaging phishing attacks. On cross-site scripting attacks, the hacker community consensus is that they are a new type of "buffer overflow attack", and JavaScript is a new type of "shellcode".

2 Classification of XSS Vulnerabilities
There are three types of XSS vulnerabilities as follows:
Type A, a local exploit: the vulnerability exists in the client-side script of the page itself. The attack process is as follows:
  Alice sends Bob a maliciously constructed web URL.
  Bob clicks and views this URL.
  The JavaScript in the malicious page opens a vulnerable HTML page and installs it on Bob's computer.
  The vulnerable HTML page contains JavaScript that executes on the local domain of Bob's computer.
  Alice's malicious script can execute commands under Bob's authority on Bob's computer.
Type B, reflected vulnerability: this kind of vulnerability is somewhat similar to Type A. The difference is that a server-side script generates the page from data supplied by the web client, and if unvalidated user data is included in the page without HTML entity encoding, client-side code can be injected into the dynamic page. The attack process is as follows:
  Alice frequently visits a website owned by Bob. Bob's site lets Alice log in with a username/password and stores sensitive information (like bank account information).
  Charly discovers that Bob's site contains a reflected XSS vulnerability.
  Charly writes an exploit URL and sends it to Alice in an email that pretends to be from Bob.
  Alice browses to the URL provided by Charly after logging into Bob's site.
  The malicious script executes in Alice's browser as if it came directly from Bob's server. This script steals sensitive information (authorization, credit card, account information, etc.) and then sends this information to Charly's web site without Alice's knowledge.
Type C, stored vulnerability: this type is the most widely used vulnerability and may affect the security of the web server itself. The hacker uploads the attack script to the web server, so that every user who visits the page, including the administrator of the web server, faces possible information leakage. The attack process is as follows:
  Bob owns a web site that allows users to post information/browse the posted information.
  Charly notices that Bob's site has a Type-C XSS vulnerability.
  Charly publishes a popular message that attracts other users to read it.
  If Bob or any other person like Alice browses the message, their session cookies or other information will be stolen by Charly.
Type A directly threatens individual users, while the objects threatened by Type B and Type C are enterprise-level web applications.
3 Defense
Step 1. Perform reliable input validation on all user-submitted content, including URLs, query keywords, HTTP headers, POST data, etc. Accept only content that is within the specified length range, in the appropriate format, and made up of expected characters. Everything else is filtered out.
Step 2. Implement session tokens, a CAPTCHA system or HTTP referrer checking to prevent functions from being executed by third-party websites.
Step 3. Confirm that the received content is properly normalized, contains only minimal, safe tags (no JavaScript), and has any references to remote content (especially style sheets and JavaScript) removed, and use HttpOnly cookies.
Of course, these measures reduce the usability of the web business system: users can only input a small number of specified characters, and the interaction between people and the system is reduced to a minimum, which is only suitable for information publishing sites. And given that few web coders have formal security training, it is difficult to completely avoid XSS vulnerabilities in pages.
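The Type B case and the defense steps above, as an added example that is not part of the original article: a page that echoes a search term without HTML entity encoding, next to a version that applies Step 1 validation, entity encoding on output, and an HttpOnly session cookie. All function names, the allowed character set and the sample inputs are assumptions constructed for illustration.

```javascript
'use strict';

// Step 1: allow-list validation. Length 1-64, letters, digits, space and & ' . - only.
// (The character set is an assumption; choose one that fits the field.)
const QUERY_RE = /^[\p{L}\p{N} &'.-]{1,64}$/u;
function validateQuery(q) {
  return typeof q === 'string' && QUERY_RE.test(q);
}

// HTML entity encoding for text and quoted-attribute contexts.
// A single pass over the input avoids double-encoding the '&' of earlier entities.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Vulnerable (Type B): user data is placed in the page as-is.
function renderUnsafe(q) {
  return `<p>Results for ${q}</p>`;
}

// Hardened: reject unexpected input, and still encode what passes validation,
// because allowed characters such as & and ' have meaning in HTML.
function renderSafe(q) {
  if (!validateQuery(q)) return '<p>Invalid search term.</p>';
  return `<p>Results for ${escapeHtml(q)}</p>`;
}

// Step 3: HttpOnly keeps page scripts from reading the session cookie.
// Secure and SameSite are additions beyond the article's text.
function sessionCookie(token) {
  return `sid=${encodeURIComponent(token)}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Constructed sample inputs.
const markup = '<script>alert(1)</script>';
const legit = "O'Brien & Sons";
console.log(renderUnsafe(markup)); // markup reaches the page unchanged
console.log(renderSafe(markup));   // rejected by validation
console.log(renderSafe(legit));    // accepted, then entity-encoded
console.log(escapeHtml(markup));   // inert text if it must be displayed
console.log(sessionCookie('abc123'));
```

Validation alone is not enough here: the legitimate input contains `&` and `'`, so encoding at output time is what keeps it from being parsed as markup.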
 
From Baidu Encyclopedia.
