XSS stands for Cross Site Scripting
Cross-site scripting attacks
- XSS (Cross-Site Scripting): the abbreviation CSS was already taken by Cascading Style Sheets, so cross-site scripting is shortened to XSS. A cross-site scripting attack uses a security vulnerability in a web site to run illegitimate HTML tags or JavaScript in the browser of a logged-in user.
Put plainly: it means appending HTML or JS to a page.
The impacts are:
- A fake input form is used to trick the user into giving up personal information.
- A script steals the user's cookie value, and the victim unknowingly helps the attacker send malicious requests.
- Fake articles or pictures are displayed.
Classification of XSS
- Reflected
Injected directly through the URL, a cookie, or similar, and reflected straight back into the response, for example:
http://localhost:3000/?from=<script src="xxx"> // for example, this script
- Stored
Injected into the DB and executed when the stored data is read back.
For example, after logging in to an account, a script is injected into the comments section; afterwards, whenever someone enters a comment or refreshes the page, the script runs automatically.
What harm does XSS do?
- Gets cookies
- Deceives users
- Steals the user's password and login status
- Sends requests on the user's behalf
- Hijacks the page's front-end logic
- Reads the page data
- Affects the page layout
So how do we prevent it?
1 Current frameworks can generally prevent it already
For example, in Vue you can set
v-html
so that HTML in the text is filtered out directly
2 Set a response header
ctx.set('X-XSS-Protection', 0) // disable the XSS filter
3 Manually maintain a blacklist
For example, filter the received content string by string
4 HttpOnly cookie
This is the most effective defense against XSS attacks that steal cookies. When the web application sets a cookie, setting its HttpOnly attribute prevents the user's cookie from being stolen by malicious client-side JavaScript and protects the user's cookie information. (Generally enabled by default)
Usage: response.addHeader("Set-Cookie", "uid=112; Path=/; HttpOnly")
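The following is an added example, not code from the original post: it shows the reflected case from above (`?from=<script src="xxx">`) rendered unsafely and then with output encoding, plus a Set-Cookie builder that always appends HttpOnly. The function names `escapeHtml`, `renderUnsafe`, `renderSafe` and `buildCookie` are assumptions for this illustration.

```javascript
// Added example (not from the original post). Function names are assumed.

// Encode the five characters that let text break out of HTML text or
// attribute context. Output encoding is the general fix; a tag blacklist
// is easy to bypass because there are many ways to spell a tag.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Vulnerable render: reflects the ?from= parameter straight into the page,
// which is exactly the reflected XSS case described above.
function renderUnsafe(fromParam) {
  return `<p>You came from: ${fromParam}</p>`;
}

// Hardened render: the same template, with the parameter encoded first,
// so the browser shows the text instead of executing it.
function renderSafe(fromParam) {
  return `<p>You came from: ${escapeHtml(fromParam)}</p>`;
}

// Build a Set-Cookie header value. HttpOnly is always appended so that
// document.cookie cannot read it; Secure and SameSite are added as well
// (these option names are constructed for this example, not from the page).
function buildCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${opts.path || '/'}`];
  if (opts.secure !== false) parts.push('Secure');
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  parts.push('HttpOnly');
  return parts.join('; ');
}

// Constructed input that mirrors the page's reflected example.
const payload = '<script src="xxx"></script>';
console.log(renderUnsafe(payload)); // the tag survives: this page would run it
console.log(renderSafe(payload));   // the tag is shown as text, not executed
console.log(buildCookie('uid', '112', { sameSite: 'Lax' }));
```

Encoding must match the context the value lands in; the function above covers HTML text and quoted attributes, not JavaScript or URL contexts.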
To sum up: the basic method of an XSS attack is to append extra HTML and JS to a page, and the current mainstream frameworks already provide these defenses or enable them by default.