Network security: XSS Cross Site Scripting attacks

Brief introduction

XSS, also abbreviated CSS (Cross-Site Script) in older material, stands for cross-site scripting. An attacker inserts malicious HTML code into a web page; when a user browses that page, the embedded HTML and script code is executed in the user's browser and achieves the attacker's specific purpose.

Principle

HTML is a markup language: certain characters are treated specially so that text can be distinguished from markup. For example, the less-than sign (<) is taken as the beginning of an HTML tag, and the text between <title> and </title> is the page title. When content inserted into a dynamic page contains these special characters (such as <), the user's browser mistakes the inserted content for HTML tags; if those tags introduce a piece of JavaScript, the user's browser will execute it. So whenever a dynamic page fails to check or escape these special characters, it has an XSS vulnerability.

Type of attack

First, reflected XSS: the malicious code is not stored on the target site. The attacker tricks the user into clicking a crafted link to the target site, and the target site reflects the malicious code from that link back into the page it serves.

Second, stored XSS: the malicious code is saved on the target site's server and served to every user who views the affected page.
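As an added example (not code from the original post or from the linked summary), the following Python sketch simulates both attack types: a search page that reflects a request parameter, and a comment board that stores user text and shows it to later visitors. It goes slightly beyond this section by placing the vulnerable renderer beside a hardened one; the hardened one uses html.escape (the replacement for cgi.escape, which was removed in Python 3.8) to turn <, >, &, " and ' into entities. The sample inputs, function and class names are constructed for this illustration.

```python
import html
import re

# Constructed sample inputs: one harmless, one carrying a tag, one that tries
# to close an attribute with a double quote.
PLAIN = "hello world"
TAG_PROBE = "<script>alert(1)</script>"
QUOTE_PROBE = '"><b>bold</b>'


def reflected_vulnerable(q: str) -> str:
    """Reflected XSS: the request parameter is echoed straight into the page."""
    return f'<input name="q" value="{q}"><p>Results for {q}</p>'


def reflected_safe(q: str) -> str:
    """Hardened: every occurrence is escaped; quote=True also covers the
    attribute context, where a bare double quote would end the value."""
    safe = html.escape(q, quote=True)
    return f'<input name="q" value="{safe}"><p>Results for {safe}</p>'


class CommentBoard:
    """Stored XSS: comments are saved server-side and rendered for every visitor."""

    def __init__(self) -> None:
        self._comments: list[str] = []

    def post(self, text: str) -> None:
        # Storing raw text is fine as long as output is escaped when rendered.
        self._comments.append(text)

    def render_vulnerable(self) -> str:
        return "".join(f"<p>{c}</p>" for c in self._comments)

    def render_safe(self) -> str:
        return "".join(f"<p>{html.escape(c, quote=True)}</p>" for c in self._comments)


def injected_tags(page: str, template_tags: set[str]) -> list[str]:
    """Defensive check: tag names found in the rendered page that are not part of
    the template. Escaped user text produces no raw '<', so it yields nothing."""
    found = re.findall(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)", page)
    return sorted({t.lower() for t in found} - template_tags)


if __name__ == "__main__":
    for probe in (PLAIN, TAG_PROBE, QUOTE_PROBE):
        print("vulnerable:", injected_tags(reflected_vulnerable(probe), {"input", "p"}))
        print("safe      :", injected_tags(reflected_safe(probe), {"input", "p"}))
```

The same escaping call fixes both variants because the defect is the same in each: untrusted text reaches the HTML output without being encoded for that context.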

Attack

Common XSS attacks and their purposes are:
1. Stealing cookies to obtain sensitive information.
2. Implanting Flash to gain higher privileges through crossdomain permissions; Java and similar plugins can be used for the same kind of operation.
3. Using iframe, frame, XMLHttpRequest or Flash to perform, in the identity of the attacked user, management actions or ordinary actions such as posting to a microblog, adding friends or sending private messages.
4. Exploiting the fact that the attacked domain is trusted by other domains: requests coming from it are treated as a trusted source and allowed operations that would normally be refused, such as improper voting.
5. XSS on a page with very high traffic can be used to attack a number of small sites, achieving the effect of a DDoS attack.

Solution

Check user input and filter out illegal content: characters such as <> (angle brackets), " (double quote), ' (single quote), % (percent sign), ; (semicolon), () (parentheses), & (ampersand), + (plus) and the like. Output must be strictly controlled as well.

The following functions can be used to filter parameters in which XSS vulnerabilities appear:
1. htmlspecialchars(): escapes text that is displayed on the page.
2. htmlentities(): escapes text that is displayed on the page.
3. strip_tags(): filters malicious tags out of input and output.
4. header(): use header("Content-type:application/json"); to control the header of JSON data so that it is not rendered as a page.
5. urlencode(): encodes string parameters that are output into page links.
6. intval(): handles numeric parameters that are output into the page.
7. A custom function: in most cases some common HTML tags are needed to make the page look nicer, for example in comments or short notes. In that situation, use a whitelist approach that displays only legal tags and filters out illegal characters.
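As an added example (not code from the original post), here is a Python counterpart to items 5, 6 and 7 above: a whitelist sanitizer built on the standard library's html.parser that keeps only a small set of allowed tags, drops every attribute and escapes everything else, plus a percent-encoding helper for link parameters (the urlencode() case) and an integer coercion for numeric parameters (the intval() case). The allowed-tag set, function names and inputs are my assumptions for this illustration; the integer helper is stricter than PHP's intval(), since non-numeric input falls back to a default instead of being partially parsed.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Assumed whitelist for a comment box: formatting tags only, never anything
# that can carry a script or a URL.
ALLOWED_TAGS = {"b", "i", "u", "p", "br"}


class WhitelistSanitizer(HTMLParser):
    """Re-emit the input so that whitelisted tags survive (without attributes)
    and every other tag, attribute, comment and text is escaped. Unknown markup
    therefore renders literally instead of being interpreted by the browser."""

    def __init__(self) -> None:
        super().__init__()  # convert_charrefs=True: entities arrive as plain text
        self.out: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes deliberately discarded
        else:
            # Raw tag text (including its attributes) is turned into visible text.
            self.out.append(html.escape(self.get_starttag_text(), quote=True))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> is treated like <br>

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
        else:
            self.out.append(html.escape(f"</{tag}>", quote=True))

    def handle_data(self, data):
        # Text nodes are always escaped, so "1 < 2" comes out as "1 &lt; 2".
        self.out.append(html.escape(data, quote=True))

    def handle_comment(self, data):
        pass  # HTML comments are dropped entirely


def sanitize(fragment: str) -> str:
    parser = WhitelistSanitizer()
    parser.feed(fragment)
    parser.close()  # flush buffered text
    return "".join(parser.out)


def link_with_param(base: str, name: str, value: str) -> str:
    """urlencode() equivalent: percent-encode a string parameter before placing
    it in a link, so it can neither close the attribute nor inject markup."""
    return f'<a href="{base}?{name}={quote(value, safe="")}">link</a>'


def int_param(value, default: int = 0) -> int:
    """intval() equivalent: coerce a numeric parameter to int before output;
    anything that is not an integer is replaced by the default."""
    try:
        return int(str(value).strip())
    except ValueError:
        return default


if __name__ == "__main__":
    print(sanitize('<b onclick="x">hi</b> <script>alert(1)</script>'))
    print(link_with_param("/view", "title", "<b>x</b> & y"))
    print(int_param("<script>"), int_param(" 42 "))
```

The sanitizer is applied at output time: the raw comment can still be stored, but every rendering passes through the whitelist, so a later change to the allowed tags takes effect for old content too.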

Examples in various languages:
  PHP: htmlentities() or htmlspecialchars().
  Python: cgi.escape().
  ASP: Server.HTMLEncode().
  ASP.NET: Server.HtmlEncode() or the more powerful Microsoft Anti-Cross Site Scripting Library.
  Java: xssprotect (open source library).
  Node.js: node-validator.

Several examples

Xie Gongzi has summarised these well; reposted from https://blog.csdn.net/qq_36119192/article/details/82469035


Origin blog.csdn.net/weixin_43972437/article/details/103530647