Security verification issues that you have to pay attention to in web development #2-xss

Source: Internet
Author: User

Objective

The XSS is also called the CSS (cross site script), which is an attack by the site.

Malicious attackers insert malicious HTML code into a Web page. When the user browses to the page, the embedded HTML code inside the Web will be run to achieve the special purpose of malicious attack users.

Environment preparation
As in previous times, use PHP as a demonstration. Since the generation of XSS is accompanied by the input and output, so I casually wrote a message board small application.

May not write very well. It's just for testing. Message Board code (interested in the ability to test) index.html

<! DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 transitional//en" "Http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd ">

Submit to receive page add.php

Show the show.php of the message
<?php $conn =mysql_connect (' localhost ', ' root ', ' wzw123 ') or Die ("database connection Failed") mysql_query ("Set names gb2312"); mysql_ select_db ("MyTest"); $sql = "SELECT * from message ORDER by id DESC"; $result =mysql_query ($sql), while ($all =mysql_fetch_ Array ($result)) {echo $all [' ID ']. " ==> ". $all [' name ']." ==> ". $all [' content '];echo ' 

>



Because it is a test, so the code is a bit unreasonable. Forgive me, do look.

This is the output of the message content. Did not do no matter what beautification. Alas. Don't mind the details. Hey

watermark/2/text/ahr0cdovl2jsb2cuy3nkbi5uzxqvawjletbuza==/font/5a6l5l2t/fontsize/400/fill/i0jbqkfcma==/ Dissolve/70/gravity/southeast ">

Then we come to the place of the message, we enter the normal message content must be no problem. So what if we had the wretched input of JavaScript code?


The effect is very obvious, for example

watermark/2/text/ahr0cdovl2jsb2cuy3nkbi5uzxqvawjletbuza==/font/5a6l5l2t/fontsize/400/fill/i0jbqkfcma==/ Dissolve/70/gravity/southeast ">


What about the other JavaScript code we're typing? For example, to obtain a client's cookie, etc... are capable of.


Suppose you think these are too chicken, that assumes the direct input of an embedded JS outside the chain? Suppose there is some code in the outer chain that gets all sorts of information? Wouldn't it be easy to get information?


If the administrator is in the background to review the message, someone else gets a cookie or other information. In the combination of CSRF the consequences are also very serious.


Just do a demo. Not for the convenience of people who are not practical. Please do not use for illegal purposes



PS: This article is only to improve the security awareness of programmers. Safety precautions, please do not use for illegal use! Because of the limited level, this article only to make a reference, reproduced please indicate the source, thank you.


Security verification issues that you have to pay attention to in web development #2-xss

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.