Web security, preliminary: XSS attacks (XSS explained in detail; front-end security against XSS attacks)

Zero, reference materials

  1. Network attacks explained in detail - XSS attacks;
  2. Front-end security against XSS attacks;

 

First, the concept

  Cross-site scripting (XSS) is a security vulnerability that lets an attacker inject malicious client-side code into a website. When a victim visits the site, the malicious code runs automatically, so the attacker can bypass the site's access controls and impersonate the victim. (Taken from MDN.)

  XSS attacks are likely in the following two situations: 1) data enters a web application from an untrusted source, such as a link; 2) dynamic content containing malicious code is sent to a web user without being filtered.

  The malicious content is usually JavaScript, but it can sometimes be HTML or Flash. XSS attacks take many forms, but they have this in common: private data such as cookies and session identifiers are sent to the attacker, the victim is redirected to a site the attacker controls, or some malicious action is performed on the victim's machine.

 

Second, the attack

  XSS attacks are divided into three kinds: reflected, stored (persistent), and DOM-based.

 

1. Reflected

  Reflected attacks usually appear in the URL. This is a non-persistent attack: the XSS code is typically appended to the request URL as a parameter submitted to the server, and the server echoes it in its response. If the response contains the XSS code, the browser may parse and execute it. So this kind of XSS attack has three stages: the XSS code is planted in the URL, the server parses it into the response, and finally the browser parses and executes the XSS code.

 

  For example:

http://localhost:8080/helloController/search?name=<script>alert("hey!")</script>

http://localhost:8080/helloController/search?name=<img src='w.123' onerror='alert("hey!")'>

http://localhost:8080/helloController/search?name=<a onclick='alert("hey!")'>点我</a>

  Built with a simple Node.js server:

var http = require('http');
var url = require('url');

var server = http.createServer((req, res) => {

  res.writeHead(200, {
    // Note the value of Content-Type:
    // with text/plain the code is shown inside a <pre></pre> block and the attack has no effect
    'Content-Type': 'text/html; charset=utf-8'
  });

  // parse the query string of the request URL into an object
  var params = url.parse(req.url, true).query;

  // the name parameter is written into the page unescaped: this is the XSS flaw
  if (params.name) res.write(`<div>${params.name}</div>`);

  res.end();

});

server.listen(9999);

Browsers using the Chromium engine (Chrome, 360 fast mode) apply special handling and will block these requests; Firefox and IE do not block them, so testing in Firefox is suggested.

  

  The results are as follows:

 

 

2. Stored type

  Stored XSS, also called persistent XSS, mainly means that the XSS code is sent to the server (whether a database, memory, file system, etc.), so the next time the page is requested the XSS code is served back without having to be injected again. The most typical case is the message board: a user submits a message containing XSS code, which is stored in the database. When the target user views the messages, the content is loaded from the server and parsed; the browser finds the XSS code, treats it as normal HTML and JS, and executes it. The XSS attack has occurred.

  This is used to obtain user information, for example:

   Joe Smith (张三 in the table) makes a post and John Doe (李四) replies, but the reply content is a JS script, so everyone who views this post runs it. This is just an alert() example, but the script could be written to do something more elaborate, such as stealing the user's cookie.

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <meta http-equiv="X-UA-Compatible" content="ie=edge">
  <title>Document</title>
</head>
<body>
  <table border="1" width="80%">
    <tr>
      <td>张三</td>
      <td>1楼</td>
    </tr>
    <tr>
      <td colspan="2">xss 攻击三</td>
    </tr>
    <tr>
      <td>李四</td>
      <td>2楼</td>
    </tr>
    <tr>
      <td colspan="2">try it again<script>alert('持久化 xss')</script></td>
    </tr>

  </table>
</body>
</html>

    

   Besides this there is a very common hacker trick: stored XSS that generates some attractive pictures or text (you know the kind), so that when the user clicks, something bad happens, such as stealing information or luring the user to a phishing site, for example:

<img onclick="window.location.href='http://www.baidu.com'" width='300' src='img/webwxgetmsgimg.jpg'/>

 

 

    Traffic hijacking can also be achieved by implanting a malicious redirect script inside <head></head>, such as:

<script>window.location.href="http://www.baidu.com";</script>

 

Third, prevention

  1. Filter input parameters:
      Control at the source: filter illegal content out of the input to ensure safety. For example, strip DOM attributes such as onerror from user-submitted content, and remove user-uploaded style nodes and <iframe>, <script>, <a> nodes and the like;
  2. Encode output parameters:
      A late-stage remedy: when outputting common symbols such as < and >, convert them to their encoded form, so the browser does not interpret them as tags while the display is unaffected. For example, encode "<" as "&lt;" and ">" as "&gt;";

  3. Limit the length of input parameters:
      From the cases above we can see that reaching an XSS attack often requires a fairly long string, so limiting the length of some inputs can forcibly cut off the attack;

  4. Set the cookie's httponly flag to true

 

Fourth, other

  1. However it goes, a thousand-mile dike can be breached by a single ant hole; as long as one exists, the whole dam is unsafe. The game between attack and defense in security never stops, which is why the security field is constantly evolving. Anything carries its own defects from the moment it is born, so the two sides are locked in a constantly shifting struggle.

 

  2. Web For Pentester: a web scripting vulnerability practice platform; for an introduction and installation see: Web for Pentester introduction and installation.


Origin www.cnblogs.com/cc-freiheit/p/11540088.html