What XSS is
XSS (Cross-Site Scripting; the abbreviation uses an X so it is not confused with CSS) happens in the target user's browser: while the page is being rendered into a DOM tree, JavaScript that the site's developers never intended to run gets executed. That unexpected execution is the XSS attack.
The essential part of "cross-site scripting" is not "cross-site" but "script". Most XSS attacks work by embedding some JS code, often hosted on a remote or third-party domain, into the target page. That JS then executes within the scope of the target site, with the target site's origin, cookies and DOM available to it.
What an XSS attack can do:
1. Steal cookies and with them sensitive information
2. Break the page structure by inserting malicious content (reflected)
3. Abuse Flash (for awareness only)
4. DDoS (powerful and hard to defend against)
DDoS, Distributed Denial of Service: put simply, sending so many requests that the server cannot keep up and stops serving. DDoS is easiest to understand starting from DoS: a DoS attack is a one-on-one fight, a DDoS attack is a gang fight. As defensive technology improved, a single attacking host became much less effective, so attackers turned to the public network, assembling large numbers of computers and devices and pointing them all at one or more targets.
Technically, DDoS attacks can target any layer of the network protocol stack. Roughly: TCP-level SYN Flood and ACK Flood; UDP-level Fraggle and Trinoo; DNS Query Flood; ICMP Flood; Slowloris-style (application-layer) attacks; and so on. In practice the attacker mixes techniques to suit the target, aiming for the lowest cost and the hardest-to-defend effect, while controlling the pacing and protecting and hiding the attack resources.
Below: a SYN flood against the TCP handshake.
Common web attacks summary: https://www.cnblogs.com/morethink/p/8734103.html#DDOS
Attack types:
Reflected
The XSS code is present in the URL of the request and is submitted to the server as input. The server parses the request and builds a response that contains the XSS code, returns it to the browser, and the browser parses and executes it. Because the payload bounces off the server straight back to the browser, this is called reflected XSS.
Stored (persistent XSS)
The only difference between stored XSS and reflected XSS is that the submitted code is saved on the server side (database, memory, file system, etc.) and served with every later request for the target page, so the attacker does not need to submit the XSS code again.
DOM-based XSS
Unlike reflected and stored XSS, which both pass through the server, DOM XSS does not depend on the server parsing and echoing the payload: the payload is handled entirely by the browser-side DOM. This is purely a client-side matter.
DOM XSS is often caused by the JS code we write ourselves. eval turns a string into real JS statements, so using eval in JS is very dangerous and easily leads to XSS. Avoid eval.
Reflected XSS attack demo
Building a Node service for the demonstration

1. Create a new folder and, on the command line, run:
express -e ./
This uses the express generator with ejs as the template engine. Then run npm install in the same directory to install the dependencies.

2. Set up the route in routes/index.js:
router.get('/', function (req, res, next) {
  res.set('X-XSS-Protection', 0); // turn off the browser's built-in XSS detection
  // express puts the query-string fields on req.query; ?xss=... goes straight into the template
  res.render('index', { title: 'Express', xss: req.query.xss });
});

3. In the body of views/index.ejs add:
<div class="">
  <%- xss %> <!-- the '-' means raw HTML output: the input is NOT escaped -->
</div>

4. On the command line run:
npm start
to start the server.

5. Open http://localhost:3000/ and append
?xss=<iframe src="//baidu.com/h.html"></iframe>
or ?xss=<img src="null" onerror="alert(1)">
or ?xss=<p onclick="alert(1)">click me</p>
This imitates a reflected XSS attack. The effect of the first payload is shown below:
XSS defenses
Protecting the cookie
Set the HttpOnly flag on important cookies so that client-side script cannot read them through document.cookie. The server sets this flag when it issues the cookie. Note that HttpOnly only stops the script from reading the cookie; injected script can still send requests from the page, and the browser attaches the cookie to those.
Handling user input
1. Encoding: HTML-entity encode user input before it is put into the page.
2. Decoding:
Avoid decoding the HTML entities straight back into markup.
Convert through a DOM parse instead, which also corrects unpaired tags in the DOM.
3. Filtering:
Strip event-handler attributes from user-supplied DOM, such as onerror, onclick, etc.
Strip user-supplied Style nodes, Script nodes, iframe nodes, etc.
Comment XSS injection defense demo
1. The server escapes the text; the client unescapes it, runs it through a DOM parse, and filters it again.
2. The third-party libraries encode.js and domparse.js are used for the decoding and the DOM-parse step.
Project link: https://github.com/ickedesign/XSS_WebSecurity
Extension: other web security topics
Related material: