XSS First Experience

Source: Internet
Author: User

Main content
    • What is XSS?
    • What are the dangers of XSS?
    • Common XSS Vulnerabilities
    • How to prevent XSS?
What is XSS?

Cross-site scripting (XSS) is a web application vulnerability: when the application processes untrusted user data without validating it and reflects that data back to the browser without encoding or escaping it, the browser's engine ends up executing the injected code.

What are the dangers of XSS?
    • Stealing all kinds of user accounts, such as machine login accounts, online banking accounts and administrator accounts of every kind
    • Controlling enterprise data, including reading, tampering with, adding and deleting sensitive enterprise data
    • Theft of business-critical information
    • Illegal funds transfers
    • Forced sending of e-mails
    • Planting malware on the website (drive-by downloads)
    • Controlling the victim's machine to launch attacks on other websites
    • ...
Common XSS Vulnerabilities
    • Reflection Type XSS
    • Storage-Type XSS
    • DOM XSS
    • Mutation XSS
Reflection Type XSS

Also called non-persistent XSS: an XSS vulnerability in which untrusted user input is processed by the server without any validation and reflected back in the response without encoding or escaping, so the injected code executes in the browser.

[Screenshots in the original: normal effect vs. XSS effect]

XSS attack parameter: ";alert('xss');//
Cause: the server did not encode or escape the parameter. Encoding the parameter with any of the methods PHP provides filters the XSS, for example: $name = htmlspecialchars($_GET['name']);
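As an added example (not code from the original post), the reflected pattern above rebuilt as Node.js functions. It assumes the parameter is echoed into an inline script, which is the context the page's ";alert('xss');// parameter targets; renderUnsafe pastes the value raw, renderSafe encodes it for the JavaScript-string context, and renderGreetingSafe applies the page's htmlspecialchars-style encoding for the HTML body context. recoverName and handleRequest are helpers written for this example.

```javascript
// Added example, not from the original post: reflected XSS in a Node.js handler.
// The attack parameter  ";alert('xss');//  is the one shown on the page.

// Unsafe: the raw query parameter is pasted into a JavaScript string literal.
function renderUnsafe(name) {
  return `<script>var name = "${name}"; document.title = name;</script>`;
}

// HTML-entity encoding, equivalent to PHP's htmlspecialchars($s, ENT_QUOTES).
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;',
  })[c]);
}

// Encoder for the JavaScript-string context: JSON.stringify yields a valid JS
// string literal, and < > are \u-escaped so the value can never close </script>.
function toJsStringLiteral(s) {
  return JSON.stringify(String(s)).replace(/</g, '\\u003c').replace(/>/g, '\\u003e');
}

// Safe: the value is encoded for the context it lands in (a JS string).
function renderSafe(name) {
  return `<script>var name = ${toJsStringLiteral(name)}; document.title = name;</script>`;
}

// HTML body context: the page's htmlspecialchars() fix, applied at output time.
function renderGreetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}</p>`;
}

// Helper (for this example only): recover the string literal the browser's
// JS engine would actually see as `name`. If the injection broke out of the
// literal, the recovered value differs from what the user sent.
function recoverName(html) {
  const m = /var name = ("(?:[^"\\]|\\.)*")/.exec(html);
  return m ? JSON.parse(m[1]) : null;
}

// Reflect the `name` query parameter back using only the safe renderers.
function handleRequest(requestUrl) {
  const name = new URL(requestUrl, 'http://localhost').searchParams.get('name') || '';
  return renderSafe(name) + renderGreetingSafe(name);
}

module.exports = { renderUnsafe, renderSafe, renderGreetingSafe, recoverName, handleRequest };
```

With the page's parameter, recoverName on the unsafe output returns an empty string (the literal was closed early and the rest became code), while on the safe output it returns the parameter unchanged, i.e. the value stayed data.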
Storage-Type XSS

Also known as persistent XSS: untrusted user input is processed and saved to a file or database without any validation, later fetched from the store and reflected into the response without encoding or escaping. Because the data persists, the injected code is sent to the browser and executed every time the stored data is rendered.

DOM XSS

The data source is in the DOM and the sink is in the DOM; the data flow never leaves the browser. It occurs when untrusted data taken from a source is used in a sink that modifies the DOM "environment" in the browser, and that data is not encoded or escaped for the context in which it lands.


Demo addresses

Normal image address: http://p1.qhimg.com/t010c1d27667bbe0417.png

XSS address: http://p1.qhimg.com/t010c1d27667bbe0417.png" onload="javascript:alert(document.cookie);
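The image-address case above as an added example (not code from the original post). It assumes the page builds an <img> tag from a URL taken from the location or the DOM and writes the markup with innerHTML; the same string functions apply whether they run in the browser or in Node.js. renderImageUnsafe, renderImageSafe, safeImageUrl and the parseAttributes checker are all written for this example; the XSS address is the one shown on the page.

```javascript
// Added example, not from the original post: DOM XSS via an image URL.
// Whether the markup is built server-side or in the browser and assigned to
// innerHTML, the flaw is the same: an untrusted URL is dropped into an
// attribute without validation or context-aware encoding.

// The XSS address shown on the page, used here as test input.
const PAGE_XSS_URL =
  'http://p1.qhimg.com/t010c1d27667bbe0417.png" onload="javascript:alert(document.cookie);';

// Unsafe: raw interpolation into an attribute. The quote inside the input
// closes src, and the remainder becomes a new onload attribute.
function renderImageUnsafe(rawUrl) {
  return `<img src="${rawUrl}">`;
}

// HTML attribute encoding (same characters as PHP's htmlspecialchars with ENT_QUOTES).
function escapeAttribute(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;',
  })[c]);
}

// Allowlist validation: only http(s) URLs are accepted, and the value used is
// the URL parser's re-serialised form, in which " and space are percent-encoded.
function safeImageUrl(rawUrl) {
  let parsed;
  try { parsed = new URL(rawUrl); } catch (e) { return null; }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  return parsed.href;
}

// Safe: validate first, then encode for the attribute context. In a real DOM,
// set img.src on an element instead of building markup strings at all.
function renderImageSafe(rawUrl) {
  const url = safeImageUrl(rawUrl);
  return url === null ? '' : `<img src="${escapeAttribute(url)}">`;
}

// Minimal attribute tokenizer that follows the HTML parser's quoting rules,
// used to check which attributes the browser would actually see on the tag.
function parseAttributes(tag) {
  const attrs = {};
  const end = tag.lastIndexOf('>');
  let i = tag.search(/\s/);                       // first whitespace after the tag name
  while (i !== -1 && i < end) {
    while (i < end && /\s/.test(tag[i])) i++;
    let name = '';
    while (i < end && !/[\s=]/.test(tag[i])) name += tag[i++];
    if (name === '') break;
    let value = '';
    if (tag[i] === '=') {
      i++;
      const quote = tag[i];
      if (quote === '"' || quote === "'") {
        const close = tag.indexOf(quote, i + 1);
        value = tag.slice(i + 1, close === -1 ? end : close);
        i = close === -1 ? end : close + 1;
      } else {
        while (i < end && !/\s/.test(tag[i])) value += tag[i++];
      }
    }
    attrs[name] = value;
  }
  return attrs;
}

module.exports = { PAGE_XSS_URL, renderImageUnsafe, renderImageSafe, safeImageUrl, parseAttributes };
```

Run parseAttributes over both renderings of the page's XSS address: the unsafe tag carries an onload attribute, the safe tag carries only src, whose value is the original image path with the injected quote and space percent-encoded.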
Mutation XSS

mXSS, or mutation XSS, is an XSS vulnerability that occurs when untrusted data placed in the DOM's innerHTML context is mutated by the browser during processing, so that it turns into a working XSS vector. In mXSS, seemingly harmless user-supplied data that passes a client-side or server-side XSS filter is transformed by the browser's parsing engine into a valid XSS vector. XSS filters do not prevent mXSS. To prevent mXSS, deploy an effective CSP, do not allow the page to be framed, declare a document type in the HTML document, and force the browser to follow the standards when rendering content and executing scripts.

Hard to understand!!! Put simply:

The input causes no problem when it is first processed; the problem appears when the browser parses it again.

It's still quite convoluted.

Look at this.

Extended
    • UXSS: creating an XSS vulnerability through a vulnerability in the browser or a browser extension
    • CSRF: cross-site request forgery

Reference

How to guard against it?
    • Validate input, and escape untrusted data according to the context it lands in and in the correct order
      Browser parsing order: HTML -> CSS -> JS
      Browser decoding order: HTML -> URL -> JS

    • Always prefer a whitelist over a blacklist
      Because the set of things to blacklist is unbounded, we cannot anticipate every case

    • Use UTF-8 as the default character encoding and set the Content-Type to text/html

    • Do not place text that the user can control before the tag; injection using a different character set there can lead to XSS.
    • Use

    • Use the recommended HTTP response header for XSS protection

HTTP response headers and what they do:
    • X-XSS-Protection: 1; mode=block
      Turns on the browser's built-in anti-XSS filter (a legacy header: modern Chromium-based browsers have removed the filter, so do not rely on it on its own).
    • X-Frame-Options: DENY
      Prevents the page from being loaded in a frame.
    • X-Content-Type-Options: nosniff
      Prevents the browser from MIME-type sniffing the response.
    • Content-Security-Policy: default-src 'self'
      One of the most effective defences against XSS. It lets us define a policy for which URLs or content objects may be loaded and executed.
    • Set-Cookie: key=value; HttpOnly
      The HttpOnly flag on Set-Cookie prevents JavaScript from accessing the cookie.
    • Content-Type: type/subtype; charset=utf-8
      Always set the content type and character set of the response.
    • Prevent CRLF injection / HTTP response splitting
      Reference address
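The "escape according to context and in the correct order" rule above, as an added example (not code from the original post). Encoding is applied in the reverse of the browser's decoding order (HTML -> URL -> JS): for a value inside the query string of an href attribute, URL-encode first and HTML-encode second; for a value inside a JavaScript string in an onclick attribute, JS-encode first and HTML-encode second. The decoders at the bottom mimic the browser's order so the round trip can be checked; the show() function in the onclick is a hypothetical page function, and hrefWrongOrder exists only to show what the wrong order does.

```javascript
// Added example, not from the original post: encoding in the reverse of the
// browser's decoding order so each decoder peels off exactly one layer.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => HTML_ESCAPES[c]);
}

// Query value inside an href attribute: decoded by the HTML parser, then by
// the URL parser. So URL-encode first, HTML-encode second.
function hrefWithQuery(path, value) {
  return `<a href="${escapeHtml(path + '?q=' + encodeURIComponent(value))}">link</a>`;
}

// Wrong order: HTML entities get percent-encoded and survive both decoders,
// so the application sees "&amp;" where the user typed "&".
function hrefWrongOrder(path, value) {
  return `<a href="${path}?q=${encodeURIComponent(escapeHtml(value))}">link</a>`;
}

// JS string inside an onclick attribute: decoded by the HTML parser, then by
// the JS parser. So JS-encode first, HTML-encode second. show() is hypothetical.
function onclickWithValue(value) {
  const jsLiteral = JSON.stringify(String(value));
  return `<button onclick="show(${escapeHtml(jsLiteral)})">go</button>`;
}

// --- Decoders that follow the browser's order, used only to verify the round trip ---

function decodeHtml(s) {                       // HTML layer
  const rev = { amp: '&', lt: '<', gt: '>', quot: '"', '#039': "'" };
  return s.replace(/&(amp|lt|gt|quot|#039);/g, (_, e) => rev[e]);
}

function attributeValue(markup, attr) {        // attribute value after HTML decoding
  const m = new RegExp(attr + '="([^"]*)"').exec(markup);
  return m ? decodeHtml(m[1]) : null;
}

function queryParam(href) {                    // URL layer
  return new URL(href, 'http://localhost').searchParams.get('q');
}

function jsArgument(onclick) {                 // JS layer (a JSON literal is a valid JS literal)
  const m = /^show\((.*)\)$/.exec(onclick);
  return m ? JSON.parse(m[1]) : null;
}

module.exports = { hrefWithQuery, hrefWrongOrder, onclickWithValue, attributeValue, queryParam, jsArgument };
```

Decoding the correctly ordered markup returns the original value; decoding the wrongly ordered markup returns a double-encoded value, which is the usual symptom of encoders applied in the wrong order.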
The ultimate Solution
    • Encoding
    • Escape
    • Specification writing
    • Prevent changes to HTTP request headers
    • XSS Monitoring and escalation
Resources

The ultimate XSS protection memo for developers
Front-end XSS firewall 1
Front-end XSS firewall 2
Front-end XSS firewall 3
Front-end XSS firewall 4
Front-end XSS firewall 5
