Shulou (shulou.com), SLTechnology News & Howtos > Development. Updated 2025-04-01; original report dated 06/01.
This article walks through an example analysis of XSS attacks. Many readers are still unsure how they work, so it is shared here as a reference; read it through and you should come away with a clear picture.
What is an XSS attack?
XSS stands for Cross-Site Scripting. The abbreviation XSS, rather than CSS, is used to avoid confusion with Cascading Style Sheets; its Chinese name likewise translates as cross-site scripting attack.
XSS refers to an attacker injecting malicious script into a page so that the script runs in the browsers of users who view that page.
What can XSS do?
Stealing cookies
Monitoring user behaviour, for example capturing an entered username and password and sending them to the attacker's server
Creating pop-up advertisements on the page
Modifying the DOM to fake a login form
Types of XSS attack
Stored XSS: the malicious script is saved on the server (in a comment, profile field or similar) and served to every visitor
Reflected XSS: the script is carried in the request, typically a URL parameter, and echoed back in the response
DOM-based XSS: the page's own client-side JavaScript writes untrusted data into the DOM, so the injection never reaches the server
How to prevent XSS attacks?
Filter or encode input
Filter or encode user-supplied data so that, when the browser parses the HTML, the user's content is treated as text and can never be executed as markup or script.
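An added example (not code from the original article) showing the encoding defence in practice. It assumes a page that renders a user-supplied display name and comment text into HTML: renderCommentUnsafe() is the vulnerable form that concatenates raw input, and renderCommentSafe() encodes each value for the HTML context it lands in. The sample name and comment are constructed inputs.

```javascript
// Added example, not code from the original article: HTML output encoding as an
// XSS defence. Assumed scenario: a page renders a user-supplied display name and
// comment text into HTML. renderCommentUnsafe() is the vulnerable 'before';
// renderCommentSafe() encodes each value for the context it lands in.

const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Encode a value for use as HTML text content or inside a quoted attribute.
// Encoding (rather than filtering) keeps the user's text intact while making
// it impossible for the browser to parse it as markup.
function encodeHtml(input) {
  return String(input).replace(/[&<>"'/]/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable renderer: raw input is concatenated straight into the markup.
function renderCommentUnsafe(name, text) {
  return `<div class="comment" data-author="${name}"><b>${name}</b>: ${text}</div>`;
}

// Hardened renderer: every interpolation point is encoded.
function renderCommentSafe(name, text) {
  const n = encodeHtml(name);
  const t = encodeHtml(text);
  return `<div class="comment" data-author="${n}"><b>${n}</b>: ${t}</div>`;
}

// Demonstration aid: count the HTML tags the browser would see. The template
// itself contributes exactly four (<div>, <b>, </b>, </div>); any extra tag
// came from user input. The browser's parser is the real authority; this
// regex only exists to make the difference visible in the example.
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed sample input: a name containing quotes (attribute context) and
// a comment containing a harmless script tag (text context).
const SAMPLE_NAME = 'Bob "the builder"';
const SAMPLE_TEXT = '<script>console.log("xss")</script> nice post';

function demo() {
  const unsafe = renderCommentUnsafe(SAMPLE_NAME, SAMPLE_TEXT);
  const safe = renderCommentSafe(SAMPLE_NAME, SAMPLE_TEXT);
  return {
    unsafeTags: countTags(unsafe), // 6: the injected <script> and </script> are real tags
    safeTags: countTags(safe),     // 4: only the template's own tags remain
    safeHtml: safe,
  };
}

console.log(demo());
```

The point of the tag count is that encoding does not remove anything the user typed; the text is still shown, but it is shown as text. Note that the right encoding depends on where the value lands: HTML text and quoted attributes are covered here, while JavaScript strings, URLs and CSS each need their own encoder.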
Using CSP
This policy is delivered through an HTTP response header called Content-Security-Policy. The core idea is that the server decides which resources the browser is allowed to load and execute. With it we can:
Restrict the origins from which resource files may be loaded, so that even if an attacker injects a reference to a JavaScript file on another domain, the browser will not load it;
Forbid submitting data to third-party domains, so that user data cannot be sent off-site;
Receive violation reports, which help us detect XSS attempts promptly;
Forbid execution of inline scripts and of any script that has not been explicitly authorised.
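An added example (not code from the original article) that builds a Content-Security-Policy header covering the four points above and checks script URLs against it. It assumes a site at https://www.example.com that serves its own scripts plus a hypothetical CDN at https://static.example.com; the /csp-report path is a placeholder reporting endpoint, and the source matching is deliberately simplified (no wildcards, paths, nonces or hashes).

```javascript
// Added example, not code from the original article: building a
// Content-Security-Policy header from a policy object and checking script
// URLs against it. Assumptions: the site runs at https://www.example.com and
// serves its own scripts plus a hypothetical CDN at https://static.example.com;
// "/csp-report" is a placeholder reporting endpoint.

const PAGE_ORIGIN = 'https://www.example.com';

const policy = {
  'default-src': ["'self'"],
  // No 'unsafe-inline': inline <script> blocks and injected script elements
  // pointing at other origins are refused by the browser.
  'script-src': ["'self'", 'https://static.example.com'],
  // fetch/XHR/WebSocket may only talk to our own origin.
  'connect-src': ["'self'"],
  // Forms cannot be pointed at a third-party domain.
  'form-action': ["'self'"],
  'object-src': ["'none'"],
  // Violation reports let us notice injection attempts (report-to is the
  // newer directive; report-uri is still widely honoured).
  'report-uri': ['/csp-report'],
};

// Serialise the policy object into the header value.
function buildCsp(p) {
  return Object.entries(p)
    .map(([directive, sources]) => `${directive} ${sources.join(' ')}`)
    .join('; ');
}

// Fetch directives fall back to default-src when absent.
function effectiveSources(p, directive) {
  return p[directive] || p['default-src'] || [];
}

// Simplified source matching: 'self' and exact scheme+host(+port) sources.
// Real CSP also supports wildcards, scheme-only sources, paths, nonces and
// hashes; those are omitted here.
function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces, hashes
  try {
    return new URL(source).origin === url.origin;
  } catch (e) {
    return false;
  }
}

// Would the browser load an external script from scriptUrl under this policy?
function scriptAllowed(p, scriptUrl, pageOrigin = PAGE_ORIGIN) {
  const sources = effectiveSources(p, 'script-src');
  if (sources.includes("'none'")) return false;
  const url = new URL(scriptUrl, pageOrigin);
  return sources.some((src) => sourceMatches(src, url, pageOrigin));
}

// Would an inline <script> block run under this policy?
function inlineScriptAllowed(p) {
  return effectiveSources(p, 'script-src').includes("'unsafe-inline'");
}

function demo() {
  return {
    header: buildCsp(policy),
    ownScript: scriptAllowed(policy, '/js/app.js'),                        // true
    cdnScript: scriptAllowed(policy, 'https://static.example.com/lib.js'), // true
    injected: scriptAllowed(policy, 'https://other.example.net/x.js'),     // false
    inline: inlineScriptAllowed(policy),                                   // false
  };
}

console.log(demo());
```

The header value produced by buildCsp() is what the server would send; the checker functions are there to show how the browser reasons about it. A policy that still carries 'unsafe-inline' in script-src gives up most of the protection, which is why the example keeps it out and the test checks for it.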
Using HttpOnly
Since many XSS attacks aim to steal cookies, we can also protect cookies with the HttpOnly attribute. A cookie marked HttpOnly cannot be read by JavaScript, which makes it a good supplementary defence against XSS.
The server sets the HttpOnly flag on individual cookies through the Set-Cookie HTTP response header. Here is a Set-Cookie line from the response headers returned when opening Google:
set-cookie: NID=189=M8l6-z41asXtm2uEwcOC5oh9djkffOMhWqQrlnCtOI; expires=Sat, 18-Apr-2020 06:52:22 GMT; path=/; domain=.google.com; HttpOnly
For untrusted input, also limit the input length.
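An added example (not code from the original article) that parses Set-Cookie headers and audits them for the HttpOnly flag. The NID header is the one quoted in the article; the session cookie is a constructed sample. The Secure and SameSite checks go beyond the article's HttpOnly point, but once the header is parsed they come for free.

```javascript
// Added example, not code from the original article: parsing Set-Cookie headers
// and auditing them for HttpOnly (plus Secure and SameSite). The NID header is
// quoted from the article; the 'session' cookie is a constructed sample.

// Quoted from the article (Google response header).
const GOOGLE_HEADER = 'set-cookie: NID=189=M8l6-z41asXtm2uEwcOC5oh9djkffOMhWqQrlnCtOI; expires=Sat, 18-Apr-2020 06:52:22 GMT; path=/; domain=.google.com; HttpOnly';

// Constructed sample: a session cookie set without any protective flags.
const WEAK_HEADER = 'set-cookie: session=abc123; Path=/';

// Parse one Set-Cookie header value (with or without the "set-cookie:" prefix)
// into {name, value, attributes}. Attribute names are lower-cased; flag
// attributes such as HttpOnly map to true. Only the first '=' separates the
// cookie name from its value, so values containing '=' survive intact.
function parseSetCookie(header) {
  const value = header.replace(/^set-cookie:\s*/i, '');
  const [pair, ...attrs] = value.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Report the protective attributes a cookie is missing.
function auditCookie(cookie) {
  const findings = [];
  const a = cookie.attributes;
  if (!a.httponly) findings.push(`${cookie.name}: missing HttpOnly, readable through document.cookie by any script on the page`);
  if (!a.secure) findings.push(`${cookie.name}: missing Secure, may be sent over plain HTTP`);
  if (!a.samesite) findings.push(`${cookie.name}: missing SameSite`);
  return findings;
}

// Build a Set-Cookie value with the flags a session cookie should carry.
function buildSetCookie(name, value, { maxAge = 3600, path = '/', sameSite = 'Lax' } = {}) {
  return `${name}=${value}; Max-Age=${maxAge}; Path=${path}; Secure; HttpOnly; SameSite=${sameSite}`;
}

function demo() {
  return {
    google: auditCookie(parseSetCookie(GOOGLE_HEADER)),   // HttpOnly present; Secure and SameSite absent
    weak: auditCookie(parseSetCookie(WEAK_HEADER)),       // all three absent
    hardened: buildSetCookie('session', 'abc123'),
  };
}

console.log(demo());
```

Running the audit over the article's own header shows HttpOnly set, as the text says, while the other two flags are absent from that (2020-era) header. The same parser is a useful building block for a response-header check in a CI pipeline or a proxy log review.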
That concludes this "XSS attack sample analysis". Thank you for reading; if you want to learn more, follow the industry information channel.
© 2024 shulou.com SLNews company. All rights reserved.