Everyone has heard the term XSS attack, but what exactly is an XSS attack and how do you defend against it? Today I will explain the definition, the types and the defense methods of XSS attacks.
What is an XSS attack?
XSS, short for cross-site scripting, is a security vulnerability in web applications that allows a malicious user to inject code into pages that are served to other users.
What are the types of XSS attacks?
There are three common types of XSS attack: reflected XSS, DOM-based XSS, and stored XSS.
1. Reflected XSS attack
Reflected XSS is generally carried out by an attacker who induces users, through some specific channel (such as email), to visit a URL containing malicious code. When the victim clicks one of these specially crafted links, the malicious code is executed directly in the browser on the victim's host. Reflected XSS usually appears in a website's search bar, login form and similar places, and is often used to steal client cookies or for phishing.
2. Stored XSS attacks
Also called persistent XSS. The XSS code is submitted to and stored on the server side (database, memory, file system, etc.), so it does not need to be submitted again the next time the target page is requested. When the target user accesses the page to obtain data, the XSS code is loaded from the server, returned to the browser, and parsed and executed as ordinary HTML and JavaScript, at which point the XSS attack occurs. Stored XSS generally appears in interactive features such as message boards, comments and blog posts, where the malicious script is stored in the database of the client or server.
3. DOM-based XSS attack
A DOM-based XSS attack modifies the DOM structure of a page through a malicious script; it is an attack that occurs purely on the client side. In DOM-based XSS, the retrieval and execution of the malicious code is done entirely by the browser, so it is a security hole in the front-end JavaScript itself.
How to defend against XSS attacks?
1. Encode the special characters in input content, such as the < and > symbols that represent HTML tags.
2. Set HttpOnly on important cookies so that client-side script cannot read them through document.cookie. This flag is set by the server in the Set-Cookie response header.
3. Before writing an untrusted value into a URL parameter, URL-encode it, and when reading a value from a URL parameter, check its format (for example, when a URL is expected, check that the value is actually a well-formed URL).
4. Do not use eval() to parse or run data or code of uncertain origin. To parse JSON, use the JSON.parse() method.
5. The back-end interface should also filter key characters.
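As an added example (not part of the original post), the following JavaScript shows defenses 1 and 3 in working form: an HTML encoder for the characters listed above, a format check for URL values that only accepts http(s) links, and a comment renderer that applies both before untrusted data reaches the page. The comment payloads and the `renderComment` function are constructed for illustration.

```javascript
// Encode the characters that carry meaning in an HTML text node or a
// double-quoted attribute value, so untrusted input is displayed, not parsed.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                       '"': '&quot;', "'": '&#x27;' };
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// A value read from a URL parameter that will become a link target must be
// format-checked, not merely encoded: it has to be an absolute http(s) URL.
// Anything else (relative paths, javascript: or data: schemes, garbage)
// is rejected by returning null.
function safeUrl(untrusted) {
  let parsed;
  try { parsed = new URL(String(untrusted)); } catch (e) { return null; }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  return parsed.href;
}

// Render one stored comment (the stored-XSS case) with each untrusted field
// encoded for the context it lands in: the author name and text go into
// HTML text, the website goes into an href attribute after the format check.
function renderComment(author, text, website) {
  const href = safeUrl(website);
  const link = href
    ? `<a href="${escapeHtml(href)}">${escapeHtml(author)}</a>`
    : escapeHtml(author);
  return `<p class="comment">${link}: ${escapeHtml(text)}</p>`;
}

// Constructed sample: a comment row as it might sit in the database after a
// malicious submission. The script tag is rendered as harmless text and the
// javascript: link is dropped.
console.log(renderComment('mallory', '<script>alert(1)</script>',
                          'javascript:alert(1)'));
```

In a DOM-based setting the same rule applies on the client: assign untrusted text with `textContent` rather than `innerHTML`, and pass link values through a check like `safeUrl` before writing them to `href`.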
That is all I have to share about XSS attacks. Nowadays, network attacks of all kinds are becoming more frequent. Besides XSS attacks, the more common types include DDoS attacks and CC attacks, which are very difficult to defend against. In addition to day-to-day network security protection, you also need to connect to a high-defense service. You can use Mozhe Shield High Defense, which hides the source IP, scrubs attack traffic, and keeps the corporate network and business running normally.