Interviewer: what is XSS attack?
2022-07-04 21:34:00 【SS, shuaihai】
1 What is an XSS attack?
XSS stands for cross-site scripting. It is abbreviated XSS rather than CSS to avoid confusion with Cascading Style Sheets. An XSS attack gets a malicious script executed in the victim's browser, in the origin of the attacked page (the script runs with that page's privileges whether it was delivered from another domain or from the site itself), and uses that position to read the user's data and act on the user's behalf.
Such a script can typically do the following:
- Steal cookies.
- Monitor user behaviour, for example capture the account name and password as they are typed and send them straight to the attacker's server.
- Modify the DOM to forge a login form.
- Inject floating-window advertisements into the page.
XSS attacks are generally divided into three kinds: stored, reflected, and what this article calls document-type. The principles are fairly simple, and they are introduced one by one below.
(1) Stored
As the name says, a stored XSS attack stores the malicious script. To be precise, the script is saved in the server's database and later delivered to and executed in every client that views the affected page, which is what gives the attack its reach.
A common scenario is a comment section: the attacker submits script code as a comment. If neither the front end nor the back end escapes it properly, the comment is written to the database as-is and executed directly when the page is rendered. That amounts to running arbitrary, unknown JavaScript in every visitor's browser, which is why it is so dangerous. This is stored XSS.
(2) Reflected
In reflected XSS the malicious script travels as part of the network request.
Suppose the user is lured into opening:
http://sanyuan.com?q=<script>alert(" You're done. ")</script>
The server reads the q parameter and echoes its value back into the response. The browser parses that response as HTML, finds a script element, and executes it, so the user is attacked.
It is called reflected because the malicious script is carried as a request parameter, passes through the server, and is reflected back into the HTML document, where it is parsed and executed. Unlike the stored variant, the server never stores the script; each victim has to be made to send the malicious request (for example by clicking a crafted link).
(3) Document-type
A document-type XSS attack, as this article defines it, does not go through the server at all. An intermediary hijacks the network packets while the page is in transit and modifies the HTML file before it reaches the browser.
Such hijacking can be done by a compromised Wi-Fi router or by local malware.
One caveat for readers comparing this with other references: what is described here is a man-in-the-middle injection, and the defence against it is HTTPS (integrity of the page in transit), not input escaping. The third category most references list is DOM-based XSS, where the site's own client-side JavaScript writes an untrusted value (such as part of the URL fragment) into the page, so the payload never reaches the server and server-side escaping cannot catch it.
2 Preventive measures
Having understood the three kinds of XSS, we can see what they have in common: each one gets a malicious script executed directly in the browser.
Defending against them therefore means preventing that script code from executing.
To achieve this we need one principle and two mechanisms.
(1) One principle
Never trust any user input!
Both the front end and the server must escape (encode) or filter user input before it is placed into the page. Escaping has to match the context the data is inserted into: HTML body, attribute value, JavaScript string and URL each have different rules, and filtering alone is easy to bypass, so output encoding is the primary control.
For example, the input
<script>alert(' You're done. ')</script>
becomes, after HTML escaping,
&lt;script&gt;alert(' You're done. ')&lt;/script&gt;
The browser now renders the text literally instead of treating it as a script element (in attribute context the quotes must be escaped as well, e.g. as &quot; and &#39;).
(2) Use CSP
CSP, the browser's Content Security Policy, is built on one idea: the server decides which resources the browser is allowed to load and run. Concretely it can:
- Restrict which domains resources (scripts, images, frames and so on) may be loaded from, and refuse inline scripts that do not carry the page's nonce or hash.
- Forbid sending data to other domains (form-action for form submissions, connect-src for fetch and XMLHttpRequest).
- Report every blocked resource to an endpoint you control (report-uri / report-to), which lets you notice XSS attempts early.
(3) Use HttpOnly
Many XSS payloads exist to steal cookies. Once a cookie is set with the HttpOnly attribute, JavaScript cannot read it through document.cookie, so an injected script cannot exfiltrate the session token. This is a useful mitigation, but note its limit: the browser still attaches the HttpOnly cookie to requests the script makes to the site, so the script can act as the logged-in user even though it cannot copy the cookie elsewhere. Combine it with the Secure and SameSite attributes.
3 Summary
An XSS attack gets a malicious script executed in the browser and then uses it to read the user's data and act as the user. It comes in three main kinds: stored, reflected and document-type. The precautions are:
- One principle: never trust user input; escape or filter it so that it cannot be executed.
- Two mechanisms: use CSP, and set the HttpOnly attribute on cookies.