Security verification issues that you have to pay attention to in web development #2-xss

Objective

The XSS is also called the CSS (cross site script), which is an attack by the site. A malicious attacker inserts malicious HTML code into a Web page, and when the user browses to the page, HTML code embedded inside the Web is executed to achieve the special purpose of the malicious attacker.

Environment preparation
as in previous times, use PHP as a demonstration. Because the production of XSS is accompanied by the input and output, so I casually wrote a message board small application. may not be very well written, just provide test use. Message Board code (interested can be tested) index.html

<! DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 transitional//en" "Http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd ">

Submit to receive page add.php

Show the show.php of the message
<?php $conn =mysql_connect (' localhost ', ' root ', ' wzw123 ') or Die ("database connection Failed") mysql_query ("Set names gb2312"); mysql_ select_db ("MyTest"); $sql = "SELECT * from message ORDER by id DESC"; $result =mysql_query ($sql), while ($all =mysql_fetch_ Array ($result)) {echo $all [' ID ']. " ==> ". $all [' name ']." ==> ". $all [' content '];echo ' 


Because it is a test, the code is a little bit unreasonable. Forgive me, do look.
This is the output of the message content, did not do any landscaping. Oh, don't mind the details, hey

Then we come to the place of the message, we enter the normal message content must be no problem. And what if we had the wretched input of JavaScript code?

The effect is obvious, such as


What about the other JavaScript code we enter? such as obtaining the client's cookie, etc... It's all possible.

If you think these are too chicken, then if you directly input an embedded JS outside the chain? What if there is some code in the outer chain that gets all sorts of information? Wouldn't it be easy to get information?

If the administrator reviews the message in the background, the person gets a cookie or other information. The consequences of combining csrf are also very serious.

Just a demonstration, not for the convenience of the ulterior motives, please do not use for illegal purposes


PS: This article is only for the purpose of improving the safety awareness of the ape, and to strengthen the security protection, please do not use for illegal use! Due to the limited level, this article only to do, reproduced please indicate the source, thank you.