What is an XSS attack?
XSS
The full name is Cross Site Scripting (跨站脚本); it is abbreviated XSS rather than CSS to avoid confusion with Cascading Style Sheets. An XSS attack executes a malicious script in the user's browser (served from the same origin or from another origin), which lets the attacker obtain the user's information and act on the user's behalf.
Such a script can usually do the following:
- Steal the Cookie.
- Monitor user behaviour, for example sending the account name and password straight to the attacker's server as soon as they are typed.
- Modify the DOM to forge a login form.
- Generate floating advertisement windows on the page.
XSS attacks are usually carried out in three ways: stored, reflected, and document type. The principles are fairly simple; each is introduced in turn below.
Stored type
Stored XSS (存储型), as the name says, is XSS whose malicious script is stored: the script is saved in the server's database, and the client later executes it, which achieves the attack.
A common scenario is a comment section where someone submits a piece of script as their message. If neither the front end nor the back end escapes it properly, the comment is saved to the database as-is and executed directly when the page is rendered, which amounts to running JavaScript of unknown logic, a very dangerous thing. That is a stored XSS attack.
Reflected type
Reflected XSS (反射型XSS) means the malicious script is passed as part of a network request.
For example, I type:
http://sanyuan.com?q=<script>alert("你完蛋了")</script>
The server reads the q parameter and returns its content to the browser as part of the response; the browser parses the HTML, finds that part of it is a script, and executes it directly, so the attack succeeds.
It is called reflected because the malicious script travels as a request parameter, passes through the server, and is reflected back into the HTML document, where it is parsed and executed. Unlike the stored type, the server does not store the malicious script.
Document type
A document-type XSS attack does not go through the server at all: a man-in-the-middle hijacks the network packets while the page is in transit and modifies the HTML document inside them!
Examples of such hijacking are WiFi router hijacking (WIFI路由器劫持) and local malware (本地恶意软件).
Two caveats for practitioners: serving the page over HTTPS denies this in-transit modification, and the third category more commonly listed beside stored and reflected XSS is DOM-based XSS, in which the page's own JavaScript writes untrusted data such as the URL fragment into the DOM. That variant also never passes through the server, but the injection happens in client-side code rather than on the wire.
Precautions
Having understood the principles of the three kinds of XSS attack, we can see what they have in common: all of them let a malicious script run directly in the browser.
So prevention means keeping that script from being executed.
To do that, there is one principle to hold and two measures to use.
One principle
Never trust any user input!
Both on the front end and on the server, user input must be encoded or filtered.
For example:
<script>alert('你完蛋了')</script>
after encoding becomes:
&lt;script&gt;alert('你完蛋了')&lt;/script&gt;
This text is not executed when the HTML is parsed; the browser displays it as literal characters.
You can also filter by keyword and delete the script tag, after which nothing at all is left of that comment :)
Be careful with this approach: a blacklist that removes the <script> tag stops only that one form. An <img> tag with an onerror attribute contains no script tag at all, and a payload such as <scr<script>ipt> reassembles into <script> after a single pass of deletion, so encoding at output time is the reliable choice.
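The rendering paths behind the stored and reflected examples above, together with the two defences just described (entity encoding versus deleting the script tag), as an added example that is not code from the original post. The comment and search rendering functions, the hasActiveMarkup probe and the second and third payloads are constructed for this demonstration; the first payload is the post's own.

```javascript
// Added example, not code from the original post. It shows the two rendering
// paths discussed above (a stored comment and a reflected search parameter)
// and compares the post's two defences: entity encoding versus deleting the
// <script> tag. All payloads are constructed for this demo; the first one is
// the post's own.

// Entity-encode the characters that can change HTML structure. This is the
// "encoding" step, correct for the HTML text and quoted-attribute contexts.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The keyword filter the post mentions: delete <script ...> and </script> tags.
function stripScriptTags(s) {
  return String(s).replace(/<\/?script[^>]*>/gi, '');
}

// Stored XSS: the comment text comes back from the database exactly as the
// user submitted it and is concatenated into the page.
function renderCommentVulnerable(comment) {
  return `<li class="comment">${comment}</li>`;
}
function renderCommentSafe(comment) {
  return `<li class="comment">${escapeHtml(comment)}</li>`;
}

// Reflected XSS: the q parameter is read from the request URL and echoed back.
function renderSearchVulnerable(requestUrl) {
  const q = new URL(requestUrl).searchParams.get('q') || '';
  return `<h1>Results for ${q}</h1>`;
}
function renderSearchSafe(requestUrl) {
  const q = new URL(requestUrl).searchParams.get('q') || '';
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// Probe used only by this demo: does the markup still contain a <script> tag
// or an on* event-handler attribute that the browser would execute? It checks
// the demo's output; it is not a sanitizer.
function hasActiveMarkup(html) {
  return /<script\b/i.test(html) || /<\w+[^>]*\son\w+\s*=/i.test(html);
}

const payloads = {
  // the post's own payload
  script: `<script>alert('你完蛋了')</script>`,
  // no <script> tag at all, so a script-tag blacklist never touches it
  imgOnerror: `<img src=x onerror="alert(1)">`,
  // one pass of tag deletion turns this back into <script>alert(1)</script>
  nested: `<scr<script>ipt>alert(1)</scr<script>ipt>`,
};

function demo() {
  for (const [name, p] of Object.entries(payloads)) {
    const raw = renderCommentVulnerable(p);
    const filtered = renderCommentVulnerable(stripScriptTags(p));
    const encoded = renderCommentSafe(p);
    console.log(`${name}\n  raw:       ${raw}  active=${hasActiveMarkup(raw)}`);
    console.log(`  filtered:  ${filtered}  active=${hasActiveMarkup(filtered)}`);
    console.log(`  encoded:   ${encoded}  active=${hasActiveMarkup(encoded)}`);
  }
  const url = 'http://sanyuan.com/?q=' + encodeURIComponent(payloads.script);
  console.log(`reflected raw:     ${renderSearchVulnerable(url)}`);
  console.log(`reflected encoded: ${renderSearchSafe(url)}`);
}

demo();
```

Run it with node: the "filtered" column shows both blacklist failures, while every "encoded" line is inert. Encoding must match the context: the entity table above is right for HTML text and quoted attributes, but data placed inside a script block or a URL needs a different encoding, and on the client side assigning untrusted text to textContent instead of innerHTML achieves the same result without any escaping.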
Use CSP
CSP, the browser's Content Security Policy, lets the server decide which resources the browser may load. Concretely, it can do the following:
- Restrict loading resources from other domains.
- Forbid sending data to other domains.
- Provide a reporting mechanism, which helps us detect XSS attacks in time.
A policy whose script-src does not include 'unsafe-inline' also refuses inline scripts, so it blocks the injected <script> from the examples above even if the payload reaches the page.
Use HttpOnly
Many XSS scripts exist to steal the Cookie. Setting the HttpOnly attribute on the Cookie prevents JavaScript from reading its value, which goes a long way toward defusing such attacks. Note that HttpOnly limits the damage rather than the script: injected code still runs in the page and can still send requests carrying the user's session, so it complements encoding and CSP rather than replacing them.
Summary
An XSS attack executes a malicious script in the browser in order to obtain the user's information and act on it. It is divided into stored (存储型), reflected (反射型) and document type (文档型). Prevention measures include:
- One principle: never trust user input; encode or filter it so that it cannot be executed.
- Two measures: use CSP, and use the HttpOnly attribute on Cookies.