Contents
- What is XSS?
- What are the dangers of XSS?
- Common XSS Vulnerabilities
- How to prevent XSS?
What is XSS?
Cross-site scripting (XSS) is a web application vulnerability that occurs when the application processes untrusted user data without validation and reflects it back to the browser without encoding or escaping, causing the browser's engine to execute the injected code.
What are the dangers of XSS?
- Theft of all kinds of user accounts, such as machine login accounts, online banking accounts and administrator accounts of every kind
- Control of enterprise data, including the ability to read, tamper with, add and delete sensitive enterprise data
- Theft of information with important business value
- Illegal funds transfers
- Forced sending of e-mails
- Planting malware on the website (drive-by download)
- Controlling the victim's machine to launch attacks on other websites
- ...
Common XSS Vulnerabilities
- Reflected XSS
- Stored XSS
- DOM XSS
- Mutation XSS
Reflected XSS
Also called non-persistent XSS: an XSS vulnerability in which untrusted user input is processed by the server without any validation and reflected back in the response without encoding or escaping, so that the injected code executes in the browser.
Normal result
XSS result
XSS attack parameter: `";alert('xss');//`
Cause: the server did not encode or escape the parameter before reflecting it. Encoding it with any of the escaping functions PHP provides filters the XSS, for example:

```php
// Escape &, <, >, " and ' before echoing the parameter into the HTML response
$name = htmlspecialchars($_GET['name'], ENT_QUOTES, 'UTF-8');
```
Stored XSS
Also known as persistent XSS: untrusted user input is processed and saved in a file or database without any validation, and later fetched from the store and reflected back in the response without encoding or escaping. Because the data is persisted, the injected code is reflected into the response and executed in the browser every time the stored data is displayed.
DOM XSS
The data source is in the DOM, the sink is in the DOM, and the data flow never leaves the browser. It occurs when untrusted data read from a source is passed to a sink that executes it, modifying the DOM "environment" in the browser. DOM XSS attacks succeed when untrusted data is not encoded or escaped for the context in which it is used.
Demo URLs
Normal image address: http://p1.qhimg.com/t010c1d27667bbe0417.png
XSS address: http://p1.qhimg.com/t010c1d27667bbe0417.png" onload="javascript:alert(document.cookie);
Mutation XSS
mXSS, or mutation XSS, is an XSS vulnerability that occurs when untrusted data is processed in the context of the DOM's innerHTML property and is mutated by the browser's parser, so that it turns into an effective XSS vector. In mXSS, seemingly harmless user-specified data that passes through a client- or server-side XSS filter can, after passing through the browser's rendering engine, be reflected back as a valid XSS vector. XSS filters do not prevent mXSS. To prevent mXSS, an effective CSP should be implemented, framing should not be allowed, and the HTML document should declare a doctype so that the browser follows the standards when rendering content and executing scripts.
Hard to understand? To put it simply:
Normal input is fine; the problem appears when the browser re-parses (mutates) the markup.
Still confusing? Look at this:
Related
- UXSS: "Creating an XSS vulnerability through a browser or browser extension vulnerability"
- CSRF: Cross-site request forgery
How to prevent XSS?
Validate input and escape untrusted data according to its context, and in the correct order:
Browser parsing order: HTML -> CSS -> JS
Browser decoding order: HTML -> URL -> JS
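Context-aware escaping applied in the reverse of the decoding order above, as an added example (not code from the original slides): the attack parameter and the image URL shown on the earlier slides are the inputs, and the names `greet`, `renderImg` and the other helpers are assumptions.

```javascript
// Added example, not code from the original slides: context-aware output
// encoding applied in the reverse of the browser's decoding order
// (HTML -> URL -> JS), fed with the payloads the slides show.

// HTML body and attribute context: encode the five significant characters.
const HTML_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_MAP[c]);
}

// JavaScript string-literal context: \uXXXX-encode every non-alphanumeric
// character so quotes, backslashes and "</script>" cannot end the literal.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Attribute context: the image URL from the slides ends in `" onload="...`,
// which would add an event handler if the value were emitted unescaped.
function renderImg(src) {
  return `<img src="${escapeHtml(src)}">`;
}

// URL context inside an attribute: URL-encode first, then HTML-encode.
function renderSearchLink(q) {
  return `<a href="/search?q=${escapeHtml(encodeURIComponent(q))}">search</a>`;
}

// JS string inside an event attribute: JS-escape first, HTML-escape second,
// because the browser HTML-decodes the attribute before the JS engine runs.
function renderOnClick(name) {
  return `<a href="#" onclick="greet('${escapeHtml(escapeJsString(name))}')">hi</a>`;
}

// WRONG order for comparison: HTML encoding alone. The browser turns &#x27;
// back into a quote, so the string literal can still be closed.
function renderOnClickHtmlOnly(name) {
  return `<a href="#" onclick="greet('${escapeHtml(name)}')">hi</a>`;
}

// Simulated browser step: HTML-decode the onclick attribute to get the
// source text the JS engine actually receives.
function htmlDecode(s) {
  const map = { amp: "&", lt: "<", gt: ">", quot: '"', "#x27": "'" };
  return s.replace(/&(amp|lt|gt|quot|#x27);/g, (_, e) => map[e]);
}
function jsSourceSeenByBrowser(markup) {
  return htmlDecode(/onclick="([^"]*)"/.exec(markup)[1]);
}
```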
Always prefer a whitelist over a blacklist.
The set of things to blacklist is infinite, so a blacklist can never account for every case.
Use UTF-8 as the default character encoding and set the Content-Type to text/html
- Do not place text the user can control before the charset tag; injecting a different character set can lead to XSS.
Use the recommended HTTP response headers for XSS protection

| HTTP response header | Description |
|---|---|
| X-XSS-Protection: 1; mode=block | Turns on the browser's anti-XSS filter. |
| X-Frame-Options: DENY | Prevents the page from being loaded in a frame. |
| X-Content-Type-Options: nosniff | Prevents the browser from MIME-type sniffing. |
| Content-Security-Policy: default-src 'self' | One of the most effective solutions against XSS; lets us define a policy for which URLs or content objects may be loaded and executed. |
| Set-Cookie: key=value; HttpOnly | The HttpOnly flag on Set-Cookie restricts JavaScript access to the cookie. |
| Content-Type: type/subtype; charset=utf-8 | Always set the content type and character set of the response. |

- Prevent CRLF injection / HTTP response splitting
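The header set from the table together with the CRLF check behind the last bullet, as an added example rather than the slides' own code; the function names and the session cookie value are assumptions.

```javascript
// Added example, not code from the original slides: the response headers
// from the table as a reusable header set, plus the CR/LF check that stops
// HTTP response splitting. Plain functions; wire them into Node's http
// module (or any framework) with res.writeHead(200, buildHeaders(...)).

// Header set from the table. X-XSS-Protection is included for completeness
// only: current browsers have dropped the filter it controlled, so the
// Content-Security-Policy line is the control that actually matters.
function securityHeaders() {
  return {
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'",
    "Content-Type": "text/html; charset=utf-8",
  };
}

// A header value may not contain CR, LF or other control characters;
// otherwise data copied into it could end the header and start a new one
// (or the body). Node's http module enforces the same rule itself.
function isSafeHeaderValue(value) {
  return typeof value === "string" && !/[\x00-\x08\x0a-\x1f\x7f]/.test(value);
}

// Set-Cookie with HttpOnly so document.cookie cannot read the session.
function sessionCookie(value) {
  if (!isSafeHeaderValue(value)) {
    throw new Error("cookie value contains control characters");
  }
  return `session=${value}; HttpOnly`;
}

// Full header map for one response; throws instead of emitting a split header.
function buildHeaders(sessionValue) {
  return { ...securityHeaders(), "Set-Cookie": sessionCookie(sessionValue) };
}
```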
The ultimate solution
- Encoding
- Escaping
- Writing standards-compliant markup
- Preventing tampering with HTTP request headers
- XSS monitoring and reporting
Resources
The ultimate XSS protection cheat sheet for developers
Front-end XSS firewall 1
Front-end XSS firewall 2
Front-end XSS firewall 3
Front-end XSS firewall 4
Front-end XSS firewall 5
XSS First Experience