Browser Fundamentals - Security: Cross-Site Scripting (XSS)

XSS (Cross-Site Scripting):

Concept:

An XSS attack is one in which hackers inject malicious scripts into an HTML file or the DOM, and the injected scripts then attack users when they browse the page.

How it is carried out:

At first, this kind of attack was carried out across domains, which is where the name "cross-site scripting" comes from. Today, however, there are more and more ways to inject malicious code into HTML files.

Effects:

  1. Steal cookie information
  2. Monitor user behavior
  3. Modify the DOM to fake pages, such as login windows
  4. Generate floating ads in the page

Ways to inject malicious scripts:

  1. Stored XSS attack

Attack process:

  • First, the hacker exploits a vulnerability in the site to submit a piece of malicious JavaScript code to the website's database;
  • The user then requests a page from the website that contains the malicious JavaScript;
  • When the user browses the page, the malicious script uploads the user's cookie information and other data to the server.

Example: In the stored XSS attack that broke out in Himalaya in 2015, hackers injected malicious programs through the user's album name setting, so that when other users opened the album, the hackers could obtain those users' cookies and other data.

  2. Reflected XSS attack

Attack process:

The user submits a request containing malicious code to the web server, and when the web server receives the request, it reflects the malicious code back to the browser.

Example: Hackers induce users to click on malicious links through channels such as QQ groups or emails.

Note: In a reflected XSS attack, the server does not store the malicious script.

  3. DOM-based XSS attack

Attack process:

DOM-based XSS attacks do not involve the web server of the page. The data of the web page is modified while the web resources are in transit or while the user is using the page.

Examples: modifying the content of an HTML page in transit through network hijacking, hijacking through a WiFi router, or hijacking through local malware.

Preventing XSS attacks:

  1. The server filters or transcodes the input script

    For example, the transmitted content contains
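
The transcoding step in item 1, shown on the stored album-name case described earlier. This is an added example, not code from the original post; the function names and the sample album record are constructed for illustration.

```javascript
// Added example: output encoding ("transcoding") of untrusted text on the server.
// All names and the sample record below are hypothetical, constructed for this page.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace every character that can change the HTML parsing context with its entity.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the stored value is concatenated into the markup as-is.
function renderAlbumUnsafe(album) {
  return '<h2 title="' + album.name + '">' + album.name + '</h2>';
}

// "After": the same template, with the stored value encoded at output time.
function renderAlbumSafe(album) {
  const name = escapeHtml(album.name);
  return '<h2 title="' + name + '">' + name + '</h2>';
}

// Reports whether the rendered markup contains a live <script> element.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample: an album name as it might sit in the database.
const storedAlbum = { name: '"><script>alert(1)</script>' };

console.log('unsafe:', renderAlbumUnsafe(storedAlbum));
console.log('safe:  ', renderAlbumSafe(storedAlbum));
```

This encoding covers HTML text and quoted attribute values only; values placed inside a script block, a URL, or CSS need the encoding for that context.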

Reference: Geek Time - How Browsers Work and Practice

Origin blog.csdn.net/CaptainDrake/article/details/131408284