XSS and CSRF (I)

Source: Internet
Author: User

    1. XSS
    1.1 Concept

XSS (Cross-Site Scripting) refers to an attack in which an attacker exploits a web application's failure to filter user input, submitting HTML that is rendered on a page and then executed in other users' browsers, in order to steal user data, perform actions with the user's identity, or deliver malware to visitors. Cross-site scripting is abbreviated XSS rather than CSS to avoid confusion with Cascading Style Sheets.

The principle is that an attacker inserts malicious HTML code into a web page; when a user browses that page, the embedded HTML code is executed in the user's browser, achieving the attacker's purpose against that user.

Note: XSS attacks target the site's clients (its users' browsers), not the site itself.

    1.2 Categories

According to the form and effect of the attack, XSS can be divided into the following three categories:

    • Reflected XSS

Data entered by the user is written into the response directly, or without complete security filtering, so that the output contains code which the browser then executes.

For example, the following URL accepts a txtsearch query parameter, which the server echoes onto the page. With normal input the page looks normal; when the user enters JavaScript instead, the problem appears: the script runs and can read the user's cookie directly. You might say it is only a pop-up box and harmless; here it is just a simple, easy-to-understand demonstration. When a hacker tricks a user into clicking a link that carries malicious code, that user's cookie data can be stolen. See the Hazard section for details.

 

[Screenshot: normal input]

[Screenshot: input that contains malicious code]

    • Stored XSS

Stored XSS means that the web application saves the data entered by the user in a database or other server-side storage; whenever a page later queries and displays that data, the stored content is read back and rendered into the page. Stored XSS is therefore persistent: the payload fires for every visitor rather than only for the person who clicked a crafted link.

In a blog or news publishing system, a hacker writes data containing malicious code directly into an article or an article comment, and every user who views that article or comment executes the inserted code in their own browser. As an example:

 

The file http://test.com/hack.js contains the following code:

When another user visits a page containing this comment, that user's username and password are sent to http://test.com/index.php.

Note: the src of a script tag can load a script from another domain; this is also the principle behind JSONP.

    • DOM-based XSS

DOM-based XSS is an XSS attack formed by modifying the data of the page's DOM nodes on the client side. Unlike reflected and stored XSS, the server response itself may be clean; exploiting DOM-based XSS usually requires analysing the specific JavaScript DOM code on the page and adapting the attack to it.

On this page we enter an image URL in an input field and the page displays the image. The code is as follows:

 

How does a hacker exploit this kind of code? The hacker can construct the following input: "# ' onerror= ' Javascript:alert (/dom Based XSS test/)". After submitting it in the browser, the code is executed and a pop-up window appears:
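The payload above only works because the page splices the raw input into an `<img src='...'>` string, so a stray quote closes the src attribute and the rest becomes a new attribute. The following is an added example, not the article's own code, of the defensive version: the URL is validated with the browser's `URL` parser against an allow-list of schemes and the element is built with DOM APIs rather than string concatenation. The function names and the http/https allow-list are assumptions for illustration.

```javascript
// Added example (not from the original article): safely placing a user-supplied
// image URL into the DOM. Function names and the scheme allow-list are assumptions.

// Returns a normalised absolute http(s) URL, or null if the input is not one.
// Inputs that do not parse as an absolute URL (such as the
// "# ' onerror= ' ..." payload) and inputs with another scheme such as
// javascript: or data: are rejected before they reach the DOM.
function safeImageUrl(input) {
  let url;
  try {
    url = new URL(String(input)); // throws on anything that is not an absolute URL
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return url.href;
}

// Build the <img> with DOM APIs. Assigning img.src sets exactly one attribute;
// the value can never be reinterpreted as markup or as a second attribute.
// Browser-only: uses document, so it is not exercised outside a page.
function renderImage(container, input) {
  const src = safeImageUrl(input);
  if (src === null) {
    container.textContent = 'Invalid image URL';
    return false;
  }
  const img = document.createElement('img');
  img.src = src;
  container.textContent = '';
  container.appendChild(img);
  return true;
}

// Constructed sample inputs: the article's payload and a benign URL.
const samples = [
  "# ' onerror= ' Javascript:alert (/dom Based XSS test/)",
  'javascript:alert(1)',
  'https://example.com/a.png',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', safeImageUrl(s));
}
```

In a page, `renderImage(document.getElementById('preview'), inputField.value)` replaces the string-concatenation rendering; the same `safeImageUrl` check can be reused on the server if the URL is also stored.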

    1.3 Hazards
    • Online phishing

 

    • Stealing cookies (session hijacking)

HTTP is a stateless protocol. To keep state between the client (browser) and the server, the server generates a session identifier, commonly called the sessionId. On the client's first request, the server sends the sessionId to the browser over HTTP, and the browser saves it in a cookie.

From the earlier hack.js example, we can see that the sessionId in the cookie can be read with code of the following form:

    = cookiehelper.getcookie ('

The script then sends this information to the hacker's server. With common tools, the hacker can use the captured sessionId to impersonate the legitimate user on the normal site, at which point the user's account is entirely at the attacker's disposal.

 

[Screenshot: using Chrome's developer tools to modify cookies]

[Screenshot: the added sessionId is visible]

 

    • XSS Worm

Compared with the disclosure of an individual user's privacy, an XSS worm on a social network (SNS) is far more harmful. Worms are malicious programs that spread and infect through the network; their defining feature is that they replicate themselves and propagate the infection through the network environment without further action by the attacker.

For a detailed analysis, see the following article:

The security of SNS websites as seen from the attack on Sina Weibo

http://www.rising.com.cn/newsletter/news/2011-08-18/9621.html

    1.4 Prevention
    • Use HttpOnly

Originally proposed by Microsoft, HttpOnly has since been adopted by all major browser vendors. HttpOnly does not filter XSS attacks themselves; instead, the browser refuses to let JavaScript on the page read a cookie that carries the HttpOnly attribute, which blocks the cookie theft and session hijacking that would otherwise follow a successful XSS attack.

HttpOnly is set in the Set-Cookie header, whose format is as follows:

    Set-Cookie: <name>=<value>[; <name>=<value>]
    [; expires=<date>][; Domain=<domain_name>]
    [; path=<some_path>][; secure][; HttpOnly]

Each language has its own way of setting the attribute (search for yours); for Java, refer to the following:

http://coffeesweet.iteye.com/blog/1271822
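As an added example that is not from the article or any referenced project, the following Node.js code builds a Set-Cookie header in the format quoted above and audits an existing header for the HttpOnly flag, which is the check a practitioner wants when reviewing a response. The cookie name sessionId follows the article; the cookie value is a constructed placeholder and the function names are assumptions.

```javascript
// Added example (not from the original article): building and auditing
// Set-Cookie headers so that the session cookie carries HttpOnly.
// "sessionId" follows the article; the value is a constructed placeholder.

// Build a Set-Cookie header value in the format shown above.
function buildSetCookie(name, value, opts = {}) {
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) {
    throw new Error('invalid cookie name');
  }
  // Reject control characters, ';', ',' and whitespace so that a value taken
  // from user input cannot smuggle extra attributes into the header.
  if (/[\x00-\x1f\x7f;,\s]/.test(value)) {
    throw new Error('invalid cookie value');
  }
  const parts = [`${name}=${value}`];
  if (opts.expires instanceof Date) parts.push(`expires=${opts.expires.toUTCString()}`);
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  if (opts.path) parts.push(`path=${opts.path}`);
  if (opts.secure) parts.push('secure');
  if (opts.httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Parse a Set-Cookie header value into its name, value and attribute flags.
// Attribute names are case-insensitive, so "HttpOnly" and "httponly" both count.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const cookie = {
    name: nameValue.slice(0, eq),
    value: nameValue.slice(eq + 1),
    httpOnly: false,
    secure: false,
    attrs: {},
  };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else cookie.attrs[key] = v;
  }
  return cookie;
}

// Audit check: a session cookie that page JavaScript can read is exposed to
// the cookie theft described in the Hazards section. Secure is also required
// so the identifier is never sent over plain HTTP.
function sessionCookieIsProtected(header, sessionCookieName = 'sessionId') {
  const c = parseSetCookie(header);
  return c.name === sessionCookieName && c.httpOnly && c.secure;
}

// Constructed sample headers: one as a careless server emits it, one built here.
const weakHeader = 'sessionId=PLACEHOLDER_SESSION; path=/';
const strongHeader = buildSetCookie('sessionId', 'PLACEHOLDER_SESSION', {
  path: '/',
  secure: true,
  httpOnly: true,
});

console.log(strongHeader);
console.log('weak header protected?  ', sessionCookieIsProtected(weakHeader));
console.log('strong header protected?', sessionCookieIsProtected(strongHeader));
```

Most web frameworks expose the same flags as options on their cookie API; the audit function is useful independently of how the header was produced, for example run over the Set-Cookie headers captured from a staging deployment.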

 

    • Filter metacharacters on input and output

<, >, (, ), &, #, %, ?, and so on.

    • Escape metacharacters on input and output

'<' ---> &lt;, '&' ---> &amp;, and so on.

    • Validate the legitimacy of submitted information

Validate user names, mobile phone numbers, e-mail addresses and similar fields with regular expressions on both the client and the server side.

Common validation Regular expressions are collected here
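As an added example (not the article's own code), the following Node.js snippet shows server-side validation of the three fields the article names. The exact formats are assumptions chosen for illustration: a username of 3 to 20 word characters, an 11-digit mainland China mobile number, and a deliberately simple e-mail shape. Every pattern is anchored with ^ and $ so that a valid-looking prefix cannot carry extra characters past the check.

```javascript
// Added example (not from the original article). The field formats below are
// assumptions for illustration; adapt them to the real requirements of the site.
const RULES = {
  username: /^[A-Za-z0-9_]{3,20}$/,            // word characters only, no markup possible
  mobile: /^1[3-9]\d{9}$/,                      // assumed: 11-digit mainland China number
  email: /^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/, // simple, anchored shape
};

// Validate a submitted profile. Returns { ok, errors } where errors lists the
// fields that are missing, not strings, or fail their pattern.
function validateProfile(fields) {
  const errors = [];
  for (const [name, pattern] of Object.entries(RULES)) {
    const value = fields[name];
    if (typeof value !== 'string' || !pattern.test(value)) errors.push(name);
  }
  return { ok: errors.length === 0, errors };
}

// Constructed sample submissions: one well-formed, one carrying the article's
// mixed-case script tag as a username plus a malformed phone number.
const goodProfile = { username: 'alice_01', mobile: '13800138000', email: 'alice@example.com' };
const badProfile = { username: '<scRIpt>', mobile: '123', email: 'alice@example.com' };

console.log(validateProfile(goodProfile));
console.log(validateProfile(badProfile));
```

The same rules can be shipped to the browser for immediate feedback, but the server-side call is the one that matters: the client-side check is trivially skipped by anyone submitting requests directly.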

Note: why not simply filter keywords such as <script> or alert()?

Because there are many ways to bypass such a filter, for example:

<scRIpt>

<scr%00ript>

<scr\nript>

eval (' <scr ' + ' ipt> ')

< script >
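To make the point concrete, the following added example (not the article's code) runs the bypass variants listed above through a naive keyword blocklist and through the output-escaping approach from the "Escape metacharacters" item, and reports which defence still leaves a raw tag behind. The same `escapeHtml` helper is applied to the reflected txtsearch case and the stored comment case from the Categories section, since escaping at output time protects both. The variants are written as they arrive after the server has URL-decoded the query string, so "%00" has become a NUL byte. The function names are assumptions.

```javascript
// Added example (not code from the original article): why a keyword blocklist
// fails where output escaping succeeds. The function names are assumptions.

// The blocklist approach the note above warns against: remove the literal
// "<script>" tag and pass everything else through unchanged.
function keywordFilter(input) {
  return input.replace(/<script>/g, '');
}

// Output escaping: turn every HTML metacharacter into an entity so the browser
// treats the text as data, never as a tag or attribute. Both quote characters
// are included so the result is also safe inside a quoted attribute value.
const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// The reflected case from the article: echo the txtsearch parameter into the page.
function renderSearchResult(term) {
  return `<p>Results for: ${escapeHtml(term)}</p>`;
}

// The stored case: a comment read back from the database is escaped at output
// time, so it does not matter what was stored.
function renderComment(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// A raw "<" or ">" left in a text context is all a browser needs to start or
// finish parsing a tag, so that is the property we check for.
function hasRawAngleBracket(html) {
  return html.includes('<') || html.includes('>');
}

// The bypass variants from the note, after URL decoding ("%00" is now NUL).
const BYPASS_VARIANTS = [
  '<scRIpt>',
  '<scr\u0000ript>',
  '<scr\nript>',
  "eval('<scr' + 'ipt>')",
  '< script >',
];

// For each variant: does the blocklist leave a raw tag behind, and does escaping?
function compareDefenses(variants = BYPASS_VARIANTS) {
  return variants.map((v) => ({
    input: v,
    blocklistLeavesTag: hasRawAngleBracket(keywordFilter(v)),
    escapingLeavesTag: hasRawAngleBracket(escapeHtml(v)),
  }));
}

for (const r of compareDefenses()) {
  console.log(JSON.stringify(r));
}
```

The blocklist misses every variant because each one differs from the literal string it looks for, while escaping needs no knowledge of the variants at all: it never tries to recognise an attack, it only guarantees that user text cannot be parsed as markup. Escaping must be chosen for the output context (HTML body, attribute, URL, JavaScript string), and the entity table above is the one for HTML body and quoted attribute contexts.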

