
Interviewer: what is XSS attack?

2022-07-04 21:34:00 SS, shuaihai

1 What is an XSS attack?

XSS stands for cross-site scripting; it is abbreviated XSS rather than CSS to keep it apart from Cascading Style Sheets. An XSS attack is the execution of a malicious script in the user's browser (the injected script may be served from another origin or smuggled into the same one), through which the attacker obtains the user's information and acts in the user's name.
Such a script can typically do the following:

  • Steal the cookie (document.cookie) and with it the session.
  • Monitor user behaviour, for example capture the account and password as they are typed and send them straight to the attacker's server.
  • Modify the DOM to plant a fake login form.
  • Inject floating advertisements into the page.

Generally there are three kinds of XSS attack: stored, reflected and DOM-based. The principles are simple; I will introduce them one at a time.

(1) Stored

Stored XSS, as the name says, stores the malicious script. To be precise, the script is saved in the server's database and later delivered to, and executed by, every client that views the affected page, which is what gives this kind its reach.

A common scenario is a comment section. An attacker submits script code as a comment; if neither the front end nor the back end escapes it properly, the comment is saved to the database and executed as-is each time the page is rendered. That amounts to running arbitrary JavaScript chosen by a stranger in every visitor's browser, which is very dangerous. This is stored XSS.

(2) Reflected

Reflected XSS means the malicious script travels as part of the network request.

Suppose I enter:

http://sanyuan.com?q=<script>alert('You are done.')</script>

The server reads the q parameter and echoes its contents back into the response. The browser parses that response as HTML, finds the script, executes it, and the attack succeeds.
It is called reflected because the malicious script is passed as a request parameter, passes through the server, and is reflected back into the HTML document, where the browser parses and executes it. Unlike stored XSS, the server keeps no copy of the script; the victim has to be lured into opening the crafted URL.

(3) DOM-based

DOM-based XSS does not go through the server at all. The page's own JavaScript reads attacker-controlled data (the URL fragment after #, document.referrer, window.name, a postMessage payload) and writes it into the page through a dangerous sink such as innerHTML, document.write or eval, so the script runs even though the HTML the server returned was clean.
Hijacking the page while it is in transit (a compromised Wi-Fi router, or local malware that modifies the HTML) is sometimes lumped in here, but that is man-in-the-middle injection rather than DOM-based XSS, and the defence against it is HTTPS (with HSTS), not the measures below.

2 Preventive measures

Having looked at the three kinds of XSS, one thing they have in common stands out: each comes down to getting a malicious script to run in the browser.

Defending against them therefore means preventing that script from running.
To achieve this we need one belief and two tools.

(1) One belief

Never trust any user input!
On the front end and on the server alike, user input must be encoded or filtered before it goes into a page. Encode at the point of output, with the encoding for the context the value lands in (HTML body, attribute, JavaScript string, URL); a blacklist filter applied to input alone is easy to bypass.

such as

<script>alert('You are done.')</script>

After encoding it becomes:

&lt;script&gt;alert(&#39;You are done.&#39;)&lt;/script&gt;

(2) Use CSP

CSP, the browser's Content Security Policy, lets the server decide which resources the browser may load and which scripts may run; the policy is sent in the Content-Security-Policy response header (or a meta tag). Concretely it can:

  1. Restrict loading of resources (scripts, images, frames) from other origins, and, with a nonce or hash on script-src, refuse inline scripts that the server did not mark as its own.
  2. Stop the page from sending data to other origins (connect-src for fetch and XHR, form-action for forms).
  3. Report violations (report-uri / report-to), which helps us notice XSS attempts in time.

(3) Use HttpOnly

Many XSS payloads exist only to steal the cookie. Once the cookie carries the HttpOnly attribute, JavaScript cannot read it through document.cookie, so that particular theft fails. This limits the damage rather than stopping XSS: the injected script still runs, and any request it sends from the victim's browser still carries the cookie, so encoding and CSP remain the real defence.
 

Summary

An XSS attack executes a malicious script in the browser and uses it to obtain the user's information and act in the user's name. It comes in three kinds: stored, reflected and DOM-based. Precautions:

  1. One belief: never trust user input; encode or filter it so that it cannot execute.
  2. Two tools: use CSP, and set the HttpOnly attribute on cookies.


 

Copyright notice
This article was written by [SS, shuaihai]; please include a link to the original when reposting. Thank you.
https://yzsam.com/2022/185/202207042034010451.html