XSS Cross-Site Scripting Attack Vulnerability Repair Method

Vulnerability Type: Cross-Site Scripting (XSS)

1. A cross-site scripting attack is one in which a malicious attacker inserts a piece of malicious code into a web page. When a user browses that page, the embedded code is executed in the user's browser, achieving whatever purpose the attacker intended (most commonly stealing the browser's cookies).

2. The cross-site scripting vulnerability, Cross Site Scripting in English, was abbreviated CSS in early references and is now known as XSS. It refers to a malicious attacker inserting a piece of malicious code into a web page so that, when a user browses the page, the embedded code is executed and the attacker's purpose is achieved.


Harm:

1. A malicious user can exploit this vulnerability to steal user account information, log in while impersonating other users, and even modify the content of the web pages shown to other users.

2. For example, one day you open a website and a window suddenly pops up asking you to log in. You assume the website itself is asking, but after you enter your account and password, everything you did has been recorded by the hacker. A beginner might ask: what use is stealing browser cookies? A hacker who steals your browser cookies can then use those cookies to log in to your account on the corresponding website or forum.

3. On most websites, the common cross-site locations are the guestbook, the search function, and comments. Pay close attention to these places, especially the guestbook and the comments. If your website has a cross-site flaw in either of them, a hacker can submit a cross-site attack script there directly, and as soon as you log in to the back end to view the messages or comments, you are attacked.

Solution:

One way to avoid XSS is to filter both the input and the output of any content supplied by users. Many languages provide HTML filtering (escaping) functions for this.

For example, you can add an XssHttpFilter filter that escapes user-supplied request parameters.
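The following is an added example, not code from the original article or from any particular XssHttpFilter implementation. It shows the two halves of the fix described above in JavaScript: an escapeHtml() function that encodes user content for the HTML text and double-quoted attribute contexts, an escapeParams() helper that applies it to every request parameter the way a request filter would, and a vulnerable comment renderer beside its fixed form. The comment body and the function names are constructed for the demonstration.

```javascript
// Added example: output encoding for user-supplied content (not the article's own code).

// Characters that carry meaning in HTML text and attribute contexts.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Escape a value so it is inert when placed in HTML text or in a
// double-quoted attribute value. It does NOT make a value safe inside a
// <script> block, a URL, or an unquoted attribute; those need their own encoders.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Mirrors the idea of a request filter: return a copy of the request
// parameters with every value escaped, so later code never sees raw markup.
// (Hypothetical helper; real filters wrap the request object instead.)
function escapeParams(params) {
  const clean = {};
  for (const [key, value] of Object.entries(params)) {
    clean[key] = Array.isArray(value) ? value.map(escapeHtml) : escapeHtml(value);
  }
  return clean;
}

// Vulnerable rendering: user text is concatenated straight into markup.
function renderCommentUnsafe(author, body) {
  return `<div class="comment"><b>${author}</b>: ${body}</div>`;
}

// Fixed rendering: every user value is escaped at the point of output.
function renderCommentSafe(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Constructed sample submission to a comment form (not real traffic).
const SAMPLE_COMMENT = {
  author: 'guest',
  body: '<script>alert("xss")</script>',
};

// Check used in the demo: does the rendered HTML still contain a script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Render the sample comment both ways and report whether a script tag survives.
function demo() {
  const unsafe = renderCommentUnsafe(SAMPLE_COMMENT.author, SAMPLE_COMMENT.body);
  const safe = renderCommentSafe(SAMPLE_COMMENT.author, SAMPLE_COMMENT.body);
  return {
    unsafe,
    safe,
    unsafeHasScript: containsScriptTag(unsafe), // true: the payload would run
    safeHasScript: containsScriptTag(safe),     // false: shown as literal text
  };
}

console.log(demo());
```

Escaping on output is the reliable half: a filter on input (escapeParams) helps, but data can also reach a page from the database, from other services, or through a path the filter does not cover, so the renderer should escape regardless. Also note that the encoder above is only correct for the HTML text and quoted-attribute contexts; content placed into JavaScript, CSS, or URLs needs a context-specific encoder.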


Origin http://10.200.1.11:23101/article/api/json?id=327034337&siteId=291194637