PHP Vulnerability Full Solution (iv)-XSS cross-site scripting attack

Source: Internet
Author: User

This article mainly introduces the XSS cross-site scripting attack for PHP websites. Cross-site scripting attacks are through the addition of malicious code to Web pages, where malicious code is executed when a visitor browses a webpage, or by convincing an administrator to browse through a message to the administrator, thereby gaining administrator privileges to control the entire site. Using cross-site request forgery, an attacker can easily force a user's browser to make unsolicited HTTP requests, such as fraudulent wire requests, password changes, and downloading of illegal content.

XSS (Cross site Scripting), which is intended to be an XSS attack, in order to distinguish it from style sheet css (cascading style Sheet)

Cross-site scripting is primarily used by attackers to read Web site users ' cookies or other personal data, and once an attacker obtains such data, he can impersonate the user to log on to the site and gain access to the user.

General steps for cross-site scripting attacks:

1. An attacker sends an XSS HTTP link to the target user in some way

2. The target user logs on to this website, which opens an XSS link sent by the attacker during the login

3. The website executes this XSS attack script

4, the target user page jumps to the attacker's website, the attacker obtains the target user's information

5, the attacker uses the target user's information to log on the website, completes the attack

When a program with a cross-site vulnerability appears, an attacker could construct a similar http://www.sectop.com/search.php?key= "method=" POST ">

Cross-site scripting is plugged in.

The defense method also uses Htmlspecialchars to filter the output variables, or the form that is submitted to its own file

This directly avoids the $_server["php_self") variable being cross-site

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.