[Web] Security XSS attacks

Copyright notice: This is an original article by the blogger, licensed under the CC 4.0 BY-SA agreement. When reproducing it, please attach the original source link and this statement.
Original link: https://blog.csdn.net/sc_lilei/article/details/89292908

XSS attacks

    XSS stands for Cross Site Scripting. It is abbreviated XSS rather than CSS so that it does not share a name with Cascading Style Sheets (CSS).

It is one of the most common Web attacks!

Harm

    An attacker embeds a malicious script (code) in the site. When a user opens the page, the script runs automatically, and it can:

  1. Steal the user's cookie, username and password
  2. Download a Trojan or virus
  3. Force a page jump
  4. Do other terrible things.

Principle

    Suppose a user needs to fill in a form on the page, and the filled-in form results in:

<input type="text" name="nick" value="xiaomao">

nick is the user name entered by the user. This is the normal case, but suppose the input is:
 

"/><script>alert("haha")</script><!-

This time, the whole string is submitted to the server as the user name. The server usually limits the length or character types of a user name, so the input does not pass validation. The server then redirects back to the login page and brings along the user name that was just entered. Because the input closes the input box and puts a script after it, the browser executes that script. The effect here is that a prompt box pops up showing "haha", which does no harm; the degree of harm depends entirely on what the user entered.

  1. How are the user's cookie, username and password stolen?

         For example, on a blog, the attacker enters malicious code as a "comment" in the comments section, and the code includes something like CookieHelper.getCookie('xxx'). When other users visit this blog, they load the "comment", which means the malicious code is executed. Through the "comment", the attacker can send the cookie information to their own server in a JSONP-style cross-domain request and so obtain other users' cookie information. Some sites save the username and password directly in the cookie, so the account information is leaked. Even if the information is not stored in plain text, once the attacker has another user's cookie they can perform other malicious actions, such as modifying personal data: the attacker can attach the obtained cookie to an HTTP request to the blog's interface for modifying personal data, and the request can succeed. This causes relatively large harm to both the user and the site.

  2. How is a Trojan or virus downloaded?

         Since the user can inject a script into the site, he can change the contents of the script so that it downloads a specific virus or Trojan. By a similar principle, forcing pop-up ads, forcing visits to a particular website, and so on is not a problem.

  3. How is a page jump forced?

         When the injected JS is "<script>window.location.href="www.bug.com"</script>", the browser is forced to jump to the site www.bug.com whenever it accesses the current page. This is also called website hijacking.

Prevention

    XSS attacks originate from input on the page, so we just need to:

         1. Filter the user's input at the front end; for example, a telephone number or a user name can be limited directly to the corresponding characters.

         2. HTML-escape user input when it is stored, for example angle brackets, slashes, and single/double quotes.

         3. For cookie hijacking, set the key fields in the cookie to http-only. They can then no longer be read through the document.cookie object, but this does not affect loading the page.
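
The three prevention steps above applied to the nick field from the Principle section, as an added example that is not part of the original article. The function names, the allowed-character pattern and the cookie name sid are assumptions; the character check is shown as a server-side function because front-end filtering alone can be skipped by sending the request directly.

```javascript
// Added example, not code from the original article. Names are assumptions.

// Step 1: allow-list check for a user name (pattern chosen for illustration).
function isValidNick(nick) {
  return /^[A-Za-z0-9_]{1,20}$/.test(nick);
}

// Step 2: the characters the article lists (angle brackets, slashes,
// single/double quotes) plus "&", mapped to HTML entities.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;",
  '"': "&quot;", "'": "&#39;", "/": "&#47;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// The "before": input concatenated straight into the value attribute.
function renderNickUnsafe(nick) {
  return '<input type="text" name="nick" value="' + nick + '">';
}

// The "after": the same template with the input escaped first.
function renderNickSafe(nick) {
  return '<input type="text" name="nick" value="' + escapeHtml(nick) + '">';
}

// Step 3: Set-Cookie header value for a cookie that page scripts
// cannot read through document.cookie.
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; HttpOnly; Path=/`;
}

// Input string from the Principle section of the article.
const payload = '"/><script>alert("haha")</script><!-';

console.log(isValidNick("xiaomao"), isValidNick(payload));
console.log(renderNickUnsafe(payload)); // attribute is closed early, script tag is markup
console.log(renderNickSafe(payload));   // whole input stays inside the attribute as text
console.log(sessionCookie("sid", "constructed-session-id")); // constructed value
```

Escaping at the point where the value is written into the page protects the redirect-back case described above even when validation has already rejected the input.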
