Concept:
XSS (Cross-Site Scripting) attacks: a malicious attacker inserts malicious HTML code into a web page. When a user browses this page, the HTML code embedded in it is executed, achieving the attacker's particular purpose. This article introduces the attack method and provides some preventive measures.
Principle:
XSS is a passive attack. The attacker first constructs a cross-site page which, when the user browses it, triggers an HTTP request to the attacked site in one of various ways, such as script and <IFRAME> tags. At this point, if the user has already logged on to the attacked site, the browser holds that site's cookie, so the site treats the request as one initiated by the user. In fact, the request was initiated without the user's knowledge. Thus the attacker can, to a certain extent, impersonate the user. By carefully constructing this attack request, the attacker can forge a document, gain permissions, and perform other attacks. In common attack instances this request is initiated by a script, hence the name Cross-Site Script. The Yamanner worm that attacked Yahoo Mail is a famous XSS attack instance. Yahoo Mail had a vulnerability: when a user viewed a letter on the web, JavaScript code in the letter could be executed. Attackers exploited this vulnerability to run virus scripts. At the same time, Yahoo Mail uses Ajax technology, so the virus script could easily initiate Ajax requests to Yahoo Mail to obtain the user's address book and send the virus to others.
There are two types of XSS attacks:
First, internal attacks. These use web program vulnerabilities to submit special strings so that the cross-site page exists directly on the attacked site. Such a string is called a cross-site statement. The vulnerabilities exploited by these attacks are very similar to SQL injection vulnerabilities, because the web program does not fully check and filter user input. The Yamanner worm above is an example.
The other type is external attacks. This mainly refers to constructing a web page that exploits an XSS cross-site vulnerability yourself, or finding web pages with cross-site vulnerabilities on machines other than the target. For example, when we want to penetrate a website, we construct a cross-site web page and place it on our own server; then we use other techniques, such as social engineering, to trick the administrator of the target server into opening the page. This type of attack poses a relatively low threat; at the least, it is very difficult for Ajax to initiate cross-site calls.
Summary of common attack methods:
1. Attacks that depend on a cross-site vulnerability: script must be injected into a page of the attacked website.
1.1. Cookie stealing: the attacker uses JavaScript to obtain the cookies planted by the attacked website and send them to the attacker.
1.1.1. Extract passwords and other private information from the cookies.
1.1.2. Use the cookies to forge sessions and initiate replay attacks.
1.2. Ajax information theft: Ajax requests are initiated through JavaScript.
1.2.1. Obtain private information from the Ajax results.
1.2.2. Simulate the user to complete a multi-page form.
2. Attacks that require no cross-site vulnerability.
(Copyright: the R&D Center of Sohu; for technical exchange only; reprinted.)
2.1. One-way HTTP action: cross-site access is initiated through IMG.SRC and similar methods, impersonating the user to perform privileged operations. However, it is difficult to obtain the server's return value.
2.2. Two-way HTTP action: if the server generates a dynamic script, the SCRIPT.SRC method can be used to initiate cross-site access and obtain the server's return value.
Defense methods:
1. Block cross-site vulnerabilities. Prevent attackers from publishing cross-site attack statements on the attacked website, and do not trust any content submitted by users. First, the code must carefully check the length of every user-entered field and variable and filter characters such as "<", ">", ";" and "'"; second, encoding must be applied before any content is written to the page, to avoid accidentally emitting an HTML tag. At this level, at least half of XSS attacks can be blocked.
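An added example (not code from the original article) of the second half of this defense: length checking of a user-supplied field and entity encoding before the value is written into the page. It goes slightly beyond the article's character list by also encoding "&" and the double quote; the 64-character limit and the greeting fragment are assumptions.

```javascript
// Added example (not from the original article): output encoding and input checks.
// Maps the characters the article names (< > ' ;) plus & and " to HTML entities so
// that user-supplied text is rendered as text, never parsed as a tag or attribute.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Length check on a user-supplied field: rejects oversized values before they
// reach the page. The 64-character limit is an assumed example policy.
function checkField(value, maxLength = 64) {
  if (typeof value !== 'string') return { ok: false, reason: 'not a string' };
  if (value.length > maxLength) return { ok: false, reason: 'too long' };
  return { ok: true, value };
}

// Builds a greeting fragment. The encoded form cannot start a <script> element
// because the angle brackets have become entities.
function renderGreeting(userName) {
  const checked = checkField(userName);
  if (!checked.ok) return '<p>Invalid name</p>';
  return `<p>Hello, ${escapeHtml(checked.value)}</p>`;
}

// Constructed sample input of the kind the article calls a cross-site statement.
const SAMPLE = '<script>alert(1)</script>';
console.log(renderGreeting(SAMPLE));
```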
2. Cookie theft
First, avoid directly disclosing user private information, such as email and password, in cookies.
Second, reduce the risk of cookie leakage by binding the cookie to the client's IP address. In this way, a cookie obtained by an attacker has no practical value and cannot be used for replay.
3. Use POST rather than GET to submit forms wherever possible
A POST cannot be performed without JavaScript, which raises the difficulty for attackers and reduces the number of cross-site vulnerabilities that can be exploited.
4. Check the Referer strictly
Check whether the HTTP Referer comes from the expected URL. This can prevent the HTTP requests initiated by type-2 attacks, and also prevent most type-1 attacks, unless the cross-site statement is planted on the authorization page of the privileged operation itself.
5. Change single-step processes into multi-step ones, and introduce a verification code into the multi-step process.
At each step of the multi-step process, a verification code is generated and embedded as a hidden form element in the intermediate page.
When the form is submitted, the server checks whether the verification code matches. First, this greatly increases the trouble for type-1 attackers. Second, the attacker must obtain the verification code generated in the previous step in order to initiate the next request, which is almost impossible for type-2 attacks.
6. Introducing a simple visual confirmation of user interaction can block almost all unexpected privileged operations.
7. Use dynamic JavaScript only where anonymous access is allowed.
8. Check whether IMG and other links in user-submitted content perform suspicious operations, such as redirecting back to the site.
9. Internal management websites have many problems. They tend to pay less attention to security and simply restrict access by source. Such websites often have no resistance to XSS attacks and require more attention.
Security issues require long-term attention and are never a one-time task. Compared with other attack methods, XSS attacks are more concealed and more variable, and they are tied to business processes and code implementation; there is no permanent solution. In addition, in the face of XSS it is often necessary to sacrifice product convenience to ensure full security. How to balance security and convenience is also a matter for consideration.
XSS cross-site scripting attack principles and protection methods