
XSS attack

2022-06-25 10:35:00 m0_ forty-nine million four hundred and seventy-one thousand si

Scoring points: XSS is a cross-site scripting attack; malicious code is inserted into the target website; when a large number of users visit the website, they run the malicious script, which obtains their information.

Standard answer

XSS is a cross-site scripting attack (Cross Site Scripting). It is not abbreviated as CSS, to avoid confusion with Cascading Style Sheets, so cross-site scripting is written as XSS. An attacker inserts script code into a web page; when users browse that page, the inserted script code runs and achieves the attacker's purpose.

 

The harm of XSS is generally the disclosure of the user's login cookie: with that cookie, an attacker can bypass the login step and enter the site directly. XSS is divided into a reflected type and a stored type. The reflected type is temporary: the website is visited through a URL, the web server takes the malicious code out of the URL, splices it into the HTML and returns it to the browser, and the user then executes the malicious code. The stored type saves the malicious code in the server's database in the form of a message, so anyone who visits the website is attacked. The basic scheme for preventing XSS is to strictly output-encode the data, for example HTML element encoding, JavaScript encoding, CSS encoding, URL encoding, and so on.

Bonus answer

Hazards of XSS:

- Obtaining the cookie: a website login generally uses a cookie as proof of a user's identity; it is a string of characters returned by the server. If the cookie is obtained by an attacker, the attacker can log in without the password. If script code can be inserted into a personal space or forum, the accounts of the people who enter that space or forum can easily be obtained by the attacker.

- Malicious redirect: code that sets `window.location.href` is inserted directly into the page to redirect the visitor.

Classification of XSS:

- Reflected XSS (non-persistent XSS): injected directly through URL parameters.

- Stored XSS (persistent XSS): stored in the database and injected when it is read back.

Prevention of XSS:

- The browser's built-in defense and the `X-XSS-Protection` header: the default value is 1, that is, XSS defense is on by default. It can defend against reflected XSS, but the effect is limited: it only defends against XSS injected into the content or attributes of HTML nodes, for example a URL parameter that contains a script tag. Relying solely on this means of defense is not recommended.

- Defending HTML node content: escape `<` as `&lt;` and `>` as `&gt;`.

- Defending HTML attributes: escape `"` as `&quot;`. Spaces are generally not escaped, but this requires the attribute value to be quoted.

- Defending JavaScript code: JSON-serialize the data.

- Defending rich text is a complex project, because rich text can contain HTML and script, which are difficult to predict and defend against. The suggestion is to use a whitelist to filter the allowed HTML tags and tag attributes. The approximate implementation is:
  - Convert the HTML code fragment into tree-structured data.
  - Traverse every node of the tree and filter the node types and attributes, or give them special treatment.
  - After processing, convert the tree structure back into HTML code.

- Turn on browser-side XSS defense with HttpOnly cookies: JavaScript is prohibited from reading certain sensitive cookies, so the attacker cannot steal the cookie even after completing the XSS injection.
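The three encoding defenses in the list above (HTML node content, quoted HTML attribute, JavaScript data), written out as an added example that is not part of the original post. The function names and the sample input are assumptions; the extra escaping after JSON serialization is included because `JSON.stringify` by itself leaves `</script>` intact inside an inline script.

```javascript
// Added example: one encoder per output context. Names are hypothetical.

// HTML node content: escape & first so existing entities are not reinterpreted.
function escapeHtmlContent(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// HTML attribute value: also escape quotes. Only safe when the attribute is quoted.
function escapeHtmlAttribute(value) {
  return escapeHtmlContent(value)
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Data placed in an inline <script>: JSON-serialize, then escape the characters
// that would let the HTML parser end the script element or start markup.
function serializeForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// The same untrusted value written into all three contexts of one page.
function renderProfile(name) {
  return (
    "<p>" + escapeHtmlContent(name) + "</p>\n" +
    '<input value="' + escapeHtmlAttribute(name) + '">\n' +
    "<script>var name = " + serializeForScript(name) + ";</script>"
  );
}

// Constructed sample input: tries to close the attribute, the tag and the script.
const sample = 'x"></script><b>hi</b>';
console.log(renderProfile(sample));
```

Each encoder is correct only for its own context; using the HTML encoder inside the script block, or the JSON serializer inside an attribute, does not give the same protection.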
