Cross-site scripting (XSS) attacks are the number one enemy of client-side scripting security. This article delves into the principles of XSS attacks, and the next chapter (Advanced XSS attacks) will discuss advanced XSS attack methods in depth.
This series will be updated continuously.
Introduction to XSS
XSS (Cross Site Scripting) is abbreviated as XSS in the security field in order to distinguish it from CSS (Cascading Style Sheets).
An XSS attack usually means that an attacker tampers with a web page through HTML injection and inserts malicious script, so that when a user browses the page the attacker gains control of the user's browser. When this class of attack first appeared, all of the demonstration cases were cross-domain, hence the name "cross-site scripting". Today, with the growing complexity of web front-end functionality and applications, whether the attack is actually cross-site no longer matters, but the name XSS has been kept.
With the rapid development of the web, JavaScript is now used on the front end and the back end alike, and can even be used to build apps. As applications become more numerous and more complex, XSS becomes harder to treat uniformly; the industry consensus today is that different scenarios produce different kinds of XSS, which need to be handled separately. Even so, complex applications remain breeding grounds for XSS, especially when companies develop at high speed, shipping a version every week or two and ignoring the important attribute of security; once attacked, the consequences will be disastrous.
So what is XSS? Let's look at the following example.
<!DOCTYPE html>
When we click the "获取数据" (Get data) button on this page, the following message appears on the page:
You will find that the content that should have been displayed on the page as data is actually executed, which is obviously not what developers want to see.
Types of XSS attacks
XSS can be divided into the following categories according to its effect:
Reflected XSS
Simply put, reflected XSS just reflects the data the user entered back to the browser (it goes back where it came from). An initiator (the user) has to trigger the attacker's trap (such as a link or a button) for the attack to succeed, so it commonly appears on search pages and message boards. This reflected type of XSS is also known as non-persistent XSS.
For example:
<!DOCTYPE html>
Suppose this is a message board; when this page is loaded, the page outputs:
Attackers can easily steal all kinds of information stored in the local browser, then replay the login information, break into the account and carry out all sorts of operations.
Stored XSS
Stored XSS keeps the data entered by the user on the server side, which makes it very stable, effective and long-lived. Stored XSS is therefore often called "persistent XSS", since it exists for a long time.
A common scenario is an attacker writing an article that contains malicious code; once the article is published, every user who visits the blog post executes the code and is attacked.
For example:
<!DOCTYPE html>
The page outputs the browser information directly; an attacker can obtain this information, send it to their own server and then operate on it at will.
DOM Based XSS
Strictly speaking, this type of XSS has nothing to do with whether the data is stored on the server side, and in terms of effect it is also a reflected XSS; it is listed separately because the reasons it arises are more specific.
Simply put, XSS that is formed by modifying the page's DOM nodes is called DOM Based XSS.
An example is as follows:
<!DOCTYPE html>
The purpose of this page is to let the user enter some content in the input box and jump directly to the search results; the effect is as follows:
Click "find" and the page automatically jumps to the Baidu (poison) page. But if we look carefully we will notice that the string splicing gives us an opportunity: enter the following string (starting with the double quote):
" onclick=alert(/XSS/) //
Sure enough, the page executes what we entered: the first double quote closes the opening double quote of href, then the onclick event is inserted, and // comments out the second double quote. Click the jump link and the script is executed.
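The string-splicing flaw described above, as an added example that is not from the original article, written in plain JavaScript without a DOM so it runs anywhere: the vulnerable link builder beside a hardened one that encodes the input for both the URL and the attribute context. The search URL (search.example) is an assumed placeholder, not the page's own.

```javascript
// Added example (not the article's code). The DOM-based XSS pattern from the
// article: a link whose href is built by splicing user input into a string,
// beside a hardened version. The search URL is an assumed placeholder.
const SEARCH_URL = 'https://search.example/?q=';

// Vulnerable: the search term is spliced straight into the href attribute.
// The article's payload  " onclick=alert(/XSS/) //  closes the attribute value,
// adds an onclick handler and comments out the trailing quote.
function buildLinkUnsafe(term) {
  return '<a href="' + SEARCH_URL + term + '">jump</a>';
}

// Escape every character that can end or alter an HTML attribute value.
function escapeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hardened: encode for the URL query (so spaces, quotes and slashes cannot
// break out of the query parameter), then encode for the attribute context
// in which the URL is placed. In a real page, setting a.href as a DOM property
// instead of splicing markup avoids the attribute-breakout problem entirely.
function buildLinkSafe(term) {
  const url = SEARCH_URL + encodeURIComponent(term);
  return '<a href="' + escapeHtmlAttr(url) + '">jump</a>';
}

// Detection helper for a quick regression check: did an inline event-handler
// attribute (onclick, onerror, ...) appear in the generated markup?
function hasEventHandlerAttr(html) {
  return /\son[a-z]+\s*=/i.test(html);
}

module.exports = { buildLinkUnsafe, buildLinkSafe, escapeHtmlAttr, hasEventHandlerAttr };
```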