XSS prevention

XSS stands for Cross Site Scripting

Cross-site scripting attacks

  • XSS (Cross-Site Scripting) is abbreviated XSS rather than CSS because CSS already stands for Cascading Style Sheets. A cross-site scripting attack exploits a security weakness in a website to run unauthorized HTML tags or JavaScript in the browsers of the site's registered users.
    Put plainly: the attacker appends HTML or JS to a page that other users load.

Its impacts include:

  • Using a fake input form to trick users into handing over personal information.
  • Using a script to steal the user's cookie value, so that the victim unknowingly helps the attacker send malicious requests.
  • Displaying fake articles or images.

Classification of XSS

  • Reflected
    The payload is injected directly through the URL, a cookie, or similar input and echoed straight back into the page.
http://localhost:3000/?from=<script src="xxx">  // for example, this script
  • Stored
    The payload is saved into the database first and executed whenever it is read back.
    For example, an attacker logs in with a cookie and injects a script into the comment section of an account's page; afterwards, anyone who opens the comments or refreshes the page runs the script automatically.
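Both routes deliver the same payload; what differs is only where it sits before it reaches the page. The following is an added example, not code from the original post, showing the two flows in plain Node.js with the page assembled as a string server-side (an assumption; no framework is involved). The render functions escape at output, which neutralises the payload whether it arrived in the `from` query parameter or was stored in a comment.

```javascript
// Added example (not from the original post): the same payload arriving by the
// two routes the post names, neutralised by escaping at render time.
// Assumption: the page is assembled as a string server-side (Node.js, no framework).

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can break out of HTML text or attribute context.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Reflected case: the `from` query parameter is echoed into the page.
function renderGreeting(url) {
  const from = new URL(url).searchParams.get('from') ?? 'unknown';
  return `<p>Referred from: ${escapeHtml(from)}</p>`;
}

// Stored case: comments are persisted once and rendered on every later view.
const commentStore = [];             // constructed stand-in for the database
function saveComment(user, body) {
  commentStore.push({ user, body }); // store raw; encode at output, not at input
}
function renderComments() {
  return commentStore
    .map((c) => `<li><b>${escapeHtml(c.user)}</b>: ${escapeHtml(c.body)}</li>`)
    .join('\n');
}

// Constructed payload matching the post's example URL.
const PAYLOAD = '<script src="xxx"></script>';

// Demo: reflected via the URL, then stored via a comment; neither renders as a tag.
function demo() {
  const reflected = renderGreeting('http://localhost:3000/?from=' + encodeURIComponent(PAYLOAD));
  saveComment('mallory', PAYLOAD);
  const stored = renderComments();
  return { reflected, stored };
}
```

Escaping at the output point is preferred over filtering at the input point because only the renderer knows which context (HTML text, attribute, URL, script) the value is about to land in; a stored string may be rendered in several contexts later.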

What harm does XSS do?

  • Steal cookies
  • Deceive users
  • Steal the user's password and login state
  • Send requests on the user's behalf
  • Hijack the front-end logic
  • Read page data
  • Alter the page layout

So how do we prevent it?

1 Most mainstream frameworks already prevent it

For example, in Vue the default text interpolation renders a string as escaped text; only the v-html directive inserts raw HTML, so keep v-html away from untrusted input.

2 Set response headers

ctx.set('X-XSS-Protection', 0) // disable XSS filtering

Note that the value 0 switches the browser's built-in filter off; the value that turns it on is '1; mode=block'. Current Chrome and Edge have removed this filter altogether, so a Content-Security-Policy header is the more reliable control.

3 Maintain a blacklist manually

For example, filter the strings received from the client and strip or reject the tags and attributes on the list. A blacklist is easy to bypass, so treat it as a supplement to escaping output, not a replacement.

4 Set HttpOnly on cookies

This is the most effective single defense against XSS stealing cookies. When the web application sets a cookie, giving it the HttpOnly attribute prevents client-side JavaScript from reading it, so a malicious script cannot steal the user's cookie. (Generally enabled by default.)
Usage: response.addHeader("Set-Cookie", "uid=112; Path=/; HttpOnly")
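Points 2 and 4 above both come down to response headers. The following is an added example, not code from the original post, that builds them in plain JavaScript: a Set-Cookie serializer that defaults to HttpOnly and rejects values that could smuggle in extra attributes, plus a header set that pairs the corrected X-XSS-Protection value with a Content-Security-Policy. The CSP string, the cookie name `uid` and the `respond` helper are constructed for this example; `respond` accepts any object with Node-style `setHeader` and `end` methods.

```javascript
// Added example (not from the original post). Assumptions: cookie attribute
// names follow RFC 6265; the CSP below is a constructed, deliberately strict policy.

// Reject names/values that could inject extra attributes or headers into Set-Cookie.
function serializeCookie(name, value, opts = {}) {
  if (!/^[\w!#$%&'*+.^`|~-]+$/.test(name)) throw new Error('invalid cookie name');
  if (/[\s;,"\\]/.test(value) || /[^\x21-\x7e]/.test(value)) throw new Error('invalid cookie value');
  const parts = [`${name}=${value}`];
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (Number.isInteger(opts.maxAge)) parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.httpOnly !== false) parts.push('HttpOnly'); // default on, as the post recommends
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  return parts.join('; ');
}

// CSP is the control that actually blocks injected scripts in current browsers;
// X-XSS-Protection only matters for legacy ones and must be "1; mode=block", not 0.
function securityHeaders() {
  return {
    'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'",
    'X-XSS-Protection': '1; mode=block',
    'X-Content-Type-Options': 'nosniff',
  };
}

// Apply the cookie and headers to a response object (constructed helper; works with
// Node's http.ServerResponse or any object exposing setHeader/end).
function respond(res, body, sessionId) {
  res.setHeader('Set-Cookie', serializeCookie('uid', sessionId, {
    path: '/', httpOnly: true, secure: true, sameSite: 'Lax',
  }));
  for (const [k, v] of Object.entries(securityHeaders())) res.setHeader(k, v);
  res.setHeader('Content-Type', 'text/html; charset=utf-8');
  res.end(body);
  return res;
}
```

To wire this into a real server, pass the `res` from `http.createServer((req, res) => respond(res, html, sessionId))`; the same `serializeCookie` output matches the `uid=112; Path=/; HttpOnly` header from the Java line above when called with `{ path: '/', httpOnly: true }`.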

To sum up: the basic form of an XSS attack is appending extra HTML and JS to a page, and the current mainstream frameworks already provide a defense against it by default.


Origin www.cnblogs.com/sunhang32/p/11865709.html