XSS attack principle / classification / defense of Web Security

What is? XSS attack ？

• Full name Cross-Site Scripting Cross-site scripting attacks , Abbreviation to avoid and CSS Conflict and change to XSS
• principle ： By typing in the browser （ Like the comment bar 、 Search bar 、 Address bar, etc ） Inject script （JS、HTML Code block, etc ）, Get the user's cookie、sessionID Etc , So as to destroy or steal website data .

Common injection methods

It may be a little hard to understand , No problem , Make an impression first , Just look at the following examples

The injected code is executable , To produce an effect

• stay HTML Embedded text , With script Label form injection
• In-line JS in , The spliced data breaks through the original limit （ character string 、 Variable 、 Method name, etc ）
• In tag properties , Maliciously add quotation marks , Inject other attributes or tags
• On the label href、src And so on , add to JS Executable code
• stay onload、onerror、onclick And so on , Inject code

XSS Attack categories

reflective XSS

• Generally, it returns a constructed URL To server , Form an attack
• give an example

 For example, the user submission form contains  text  Field ：<script>alert(1)</script>
 be  URL  by  www.foolrBird.com?text=<script>alert(1)</script>
 Then the browser will output  1
 If you replace it with other destructive executable code, you can imagine 

 such as  www.foolBird.com/delete  The interface is to delete all data with one click 
 The user visited a malicious link  www.foolBird.com/delete, And the server does not restrict user permissions , It directly causes the data to be deleted （ Is an authenticated user access link , So be trusted ）

Storage type XSS（ Or persistence XSS）

As soon as you hear the name, you know the harm is great , Stored in a database , Can continue to cause damage

1. The attacker submits the malicious code to the database of the target website
2. When users access , The server takes out the malicious code and splices it in HTML Return to the browser to execute
3. Malicious code steals user data and sends it to the attacker's website （ Or pretend to be a user ）, Call the target website interface for operation

• This method is the most harmful . It doesn't need to be triggered by users , Any website that allows users to store data may be attacked

DOM type XSS

• Trick the user into accessing the... Constructed by the attacker URL, Use the script to generate a DOM The node is inserted into the of the current website HTML In file , Form an attack . This is very similar to the reflex type , The only difference is the construction of URL Don't send to the server , You can get around WAF（Web Application Firewall, Website application level intrusion prevention system ） So as to avoid the purpose of server detection

If you want to know more about specific application scenarios, you can refer to [DOM-XSS Attack principle and defense ](DOM-XSS Attack principle and defense - Mysticbinary - Blog Garden (cnblogs.com))

XSS defense

Wherever data can be entered and submitted, there may be XSS dangerous

Commonly used

• HttpOnly： stay cookie After setting this property in ,JS Script （ such as document.cookie） Will not be able to read cookie, Can only be modified on the server side .
• The input filter ： For example, ask for email 、 Telephone 、 Enter the user name in a fixed format . The front end and back end of this filter should do , Double insurance
• escape HTML： Pair of quotation marks 、 Angle brackets 、 Slash escape . It's best to choose the right Escape Library , More complete . for example xss library ,npm i xss -S You can install

Defensive storage and reflective

• Pure front end rendering , Separation of code and data

defense DOM type

Generally, because the front-end code is not rigorous enough , Treat untrusted data as code execution

• multi-purpose innerText/textContent、setAtrribute etc.

  • take innerHTML、outerHTML Replace with innerText/textContent, It will automatically HTML The tag is parsed into a normal file

• Vue、React Don't use v-html/dangerouslySetInnerHTML

If it helps you , A great bai ~

Anyway, posting doesn't make money , Make a friend ~

If you want to reprint , Please indicate the source foolBirdd