Do you know cross-site scripting attacks? This article will help you understand what XSS is
Link: https://juejin.cn/post/7313941093876088886
-
1. Introduction to XSS
(1) Introduction to XSS
XSS is listed in the OWASP Top 10.
XSS stands for Cross Site Scripting. Its natural abbreviation would be CSS, but because that abbreviation already belongs to Cascading Style Sheets it was renamed XSS. XSS attacks are mainly carried out with JavaScript (JS).
XSS is a vulnerability that frequently appears in web applications and is one of the most common attack methods on the web. So what is XSS?
XSS occurs when a website fails to escape or filter the data submitted by users: an attacker adds code to that data so that it is embedded in the web page, and the embedded code executes when other users visit the page.
It is an attack method used to steal user information, perform actions under the user's identity, or deliver malware to visitors.
(2) XSS principle
We use whatever "black magic" we know to insert JS code into the web page so that the browser executes it; every user who visits the page is then attacked.
(3) The harm of XSS
- Session hijacking and phishing by stealing cookies
- Hijacking visitors' browsers for mining or for advertising traffic
- Hijacking the backend (admin area) of web services (common)
- Tampering with pages and spreading worms
- Intranet scanning (common)
(4) XSS types
Reflected:
Reflected XSS is also called non-persistent XSS. It is the most common and most widely used type. It usually works by appending a malicious script to a parameter of the URL.
Stored:
The attacker sends a constructed malicious page to the user, and the user is attacked after visiting what looks like a normal page. With this type the malicious code usually cannot be seen in the URL, and it is persistent and hard to notice.
DOM-based:
DOM-based XSS does not need to interact with the backend; it is purely JavaScript: the page's own JS parses malicious parameters out of the URL, which leads to the execution of JS code.
2. Detailed explanation of XSS classification
(1) Stored XSS
Stored XSS is persistent: the code is saved on the server and executes every time the page that contains it is loaded. This kind of XSS is more dangerous and easily leads to worms and cookie theft; every user who visits the affected page is attacked.
Features:
The attack code is stored on the web server. Attackers generally plant it through the site's message boards, comments, blogs, logs and other features (anywhere that accepts content written to the server). This is a stored XSS attack.
Stored XSS attack process:
(2) Reflected XSS
Reflected cross-site scripting is also called non-persistent or parameter-based cross-site scripting. It is the most common and most widely used type and usually works by appending a malicious script to a URL parameter, for example:
http://www.test.com/search.php?key="><script>alert("xss")</script>
Typically the constructed URL is sent to the victim and triggered when the victim clicks it; it executes only once and is not persistent.
Reflected XSS attack process:
Reflected XSS in DVWA, payloads by security level:
Low: <script>alert(1)</script>
Medium: <SCRIPT>alert(1)</SCRIPT>
High: <img src=1 onerror=alert(1)>
(3) Introduction to JS
JavaScript is an interpreted scripting language: dynamically typed, weakly typed, prototype-based, with built-in type support. Its interpreter, the JavaScript engine, is part of the browser, and JavaScript is the most widely used client-side scripting language. It was first used in HTML pages (HTML being an application of SGML, the Standard Generalized Markup Language) to add dynamic behaviour to them. It was first designed and implemented in 1995 by Brendan Eich of Netscape for the Netscape Navigator browser. Because Netscape was working with Sun, Netscape management wanted it to look like Java, hence the name JavaScript; in fact its syntax is closer to Self and Scheme. To gain a technical edge, Microsoft released JScript and CEnvi released ScriptEase, which could also run in the browser like JavaScript. To unify the specifications, JavaScript was standardized by ECMA, which is why it is also called ECMAScript.
3. XSS discovery and protection
(1) Five defense methods of XSS
XSS defense for HTML node content
Escape < and >. There are two places to do this: when writing to the database, or when rendering. Here we escape when displaying:
var escapeHtml = function(str){
  // Replace the angle brackets with their HTML entities so the browser
  // renders them as text instead of parsing them as tags
  str = str.replace(/</g, '&lt;');
  str = str.replace(/>/g, '&gt;');
  return str;
}
escapeHtml(content); // content: the user-supplied string to display
XSS defense for HTML attributes: escape double quotes as &quot; and single quotes as &#39; so that an attribute value cannot be closed early. (Strictly speaking, HTML attributes do not need quotes, so spaces would also have to be escaped; but that changes the number of spaces when rendered, so instead we do not escape spaces and always write attribute values in quotes.)
var escapeHtmlProperty = function(str){
  str = str.replace(/"/g, '&quot;');  // double quote
  str = str.replace(/'/g, '&#39;');   // single quote
  str = str.replace(/ /g, '&#32;');   // space; can be dropped if attribute values are always quoted
  return str;
}
escapeHtmlProperty(content);
In fact, the two functions above can be merged into one, so that both node content and attributes are filtered with a single function.
HTML escape function
var escapeHtml = function(str){
  if(!str) return '';
  str = str.replace(/&/g, '&amp;');   // '&' first, so the entities added below are not re-encoded
  str = str.replace(/</g, '&lt;');
  str = str.replace(/>/g, '&gt;');
  str = str.replace(/"/g, '&quot;');
  str = str.replace(/'/g, '&#39;');
  return str;
}
escapeHtml(content);
JS escape
Escape \ and ", or convert the value with JSON (JSON.stringify):
var escapeForJs = function(str){
  if(!str) return '';
  str = str.replace(/\\/g, '\\\\');   // backslash first
  str = str.replace(/"/g, '\\"');     // then the double quote
  return str;
}
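A worked example, added here and not taken from the original post, that applies the escaping described above to one constructed input in the three output contexts the post distinguishes (node content, attribute value, JS string literal). It also shows the ordering pitfall: escaping & after < double-encodes the result.

```javascript
// Added example (not the original post's code): context-aware output escaping.
// Escaping order matters: '&' must go first, otherwise '&lt;' from a later
// step would be turned into '&amp;lt;'.
function escapeHtml(str) {
  if (!str) return '';
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The ordering pitfall, kept here only to show the double-encoding it causes.
function escapeHtmlWrongOrder(str) {
  return String(str).replace(/</g, '&lt;').replace(/&/g, '&amp;');
}

// For data placed inside a JS string literal: escape the backslash first, then
// the quotes; '<' is written as \x3c so a literal "</script>" cannot close the block.
function escapeForJs(str) {
  if (!str) return '';
  return String(str)
    .replace(/\\/g, '\\\\')
    .replace(/"/g, '\\"')
    .replace(/'/g, "\\'")
    .replace(/</g, '\\x3c')
    .replace(/\r/g, '\\r')
    .replace(/\n/g, '\\n');
}

// Constructed sample input, reused for each context.
const userInput = '"><script>alert(1)</script>';

// The three output contexts from the post: node content, attribute value,
// JS string literal. Each uses the escaper for its own context.
function renderNode(value)      { return '<div>' + escapeHtml(value) + '</div>'; }
function renderAttribute(value) { return '<input value="' + escapeHtml(value) + '">'; }
function renderScript(value)    { return 'var name = "' + escapeForJs(value) + '";'; }

// Check a reviewer would ask for: no raw <script> tag survives in any context.
function containsRawTag(markup) { return /<\/?script/i.test(markup); }
```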
Rich text
Since complete HTML must be allowed, filtering is not easy. Generally a whitelist of tags and attributes is kept and everything else is stripped. (There is also a blacklist approach, but because HTML is complex it works relatively poorly; its principle is the regex replacement shown earlier.) In practice you can directly use an existing XSS filtering component, the npm package called xss:
npm install xss
Whitelist: use the third-party library xss with a specified whitelist
var xssFilter = function(html){
  if(!html) return '';
  var xss = require('xss');
  var ret = xss(html, {
    whiteList: {                 // the option is spelled whiteList; only these tags/attributes survive
      img: ['src'],
      a: ['href'],
      font: ['size', 'color']
    },
    onIgnoreTag: function(){     // tags not in the whitelist are dropped entirely
      return '';
    }
  });
  console.log(html, ret);
  return ret;
}
(2) XSS worm attack
XSS worms are highly destructive and far-reaching. They occur mainly on pages where users interact with each other. When the web application does not strictly filter user input, the injected malicious code can be combined with asynchronous Ajax submissions: once it runs in a victim's browser it submits itself to the server again, infecting further users and spreading the code. That is an XSS worm.
(3) Digging XSS vulnerabilities
- Automated detection with scanning tools: AWVS, AppScan, JSky
- Manual testing
- Source code analysis
(4) Prevention of XSS vulnerabilities
Preventing XSS cross-site scripting vulnerabilities
Client users:
- IE8 and later: turn on the XSS filter
- Firefox: use CSP, NoScript and similar extensions
- Rising Personal Firewall 2012: turn on the XSS interception function
Web application programmers:
- Use HttpOnly cookies
- Perform input and output checks
HttpOnly
HttpOnly was originally proposed by Microsoft and has since been adopted by the major browser vendors. HttpOnly does not filter XSS itself; rather, the browser forbids the page's JavaScript from accessing cookies that carry the HttpOnly attribute, which defeats cookie-based session hijacking after a successful XSS attack.
Input and output checks
Because the three kinds of XSS have different root causes, some input and output checks suit reflected and stored XSS while others suit DOM-based XSS. Most of the time they are character whitelist checks or data format checks on the vulnerable parameters. For example, a registered account name may be allowed to contain only letters, digits, underscores, Chinese characters and so on; any character outside the whitelist is treated as illegal input. Data such as IP addresses, phone numbers, email addresses and dates have fixed formats, and only input that matches the format passes the check. Output checks apply when data is displayed: the data should be HTML encoded so that characters that could cause XSS are encoded without affecting normal display. Common characters that can cause XSS and their HTML encodings are:
" --- &quot;
' --- &apos;
& --- &amp;
< --- &lt;
> --- &gt;
Besides these common encodings, any character can be HTML encoded using its ASCII code, for example:
% --- &#37;
* --- &#42;
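An added example, not from the original post, of the two checks just described: whitelist validation of input (account names and fixed-format fields) and HTML output encoding that covers the table above and, as the post notes, any other character via its code point. The field rules are assumptions for illustration.

```javascript
// Added example (not from the original post): whitelist input checks and
// HTML output encoding as described above.

// Input check: an account name may contain only letters, digits, underscores
// and Chinese characters (CJK Unified Ideographs, U+4E00..U+9FFF); 1-32 chars.
const ACCOUNT_RE = /^[A-Za-z0-9_\u4e00-\u9fff]{1,32}$/;
function isValidAccount(name) {
  return typeof name === 'string' && ACCOUNT_RE.test(name);
}

// Format checks for structured fields; a value that does not match is rejected.
const FORMAT_RE = {
  ipv4:  /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/,
  email: /^[^\s@]+@[^\s@]+\.[^\s@]+$/,
  date:  /^\d{4}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])$/,
};
function matchesFormat(kind, value) {
  const re = Object.prototype.hasOwnProperty.call(FORMAT_RE, kind) ? FORMAT_RE[kind] : null;
  return re !== null && typeof value === 'string' && re.test(value);
}

// Output check: encode every character outside [A-Za-z0-9 space] as a numeric
// entity &#NN;. This covers the five common characters in the table above and
// any other character via its code point.
function htmlEncodeAll(str) {
  return String(str).replace(/[^A-Za-z0-9 ]/gu, function (ch) {
    return '&#' + ch.codePointAt(0) + ';';
  });
}

// Decoder used only to confirm that the encoding is lossless (the browser does
// the same when rendering, so the displayed text is unchanged).
function htmlDecodeNumeric(str) {
  return String(str).replace(/&#(\d+);/g, function (_, n) {
    return String.fromCodePoint(Number(n));
  });
}

// Constructed sample containing every character from the table above.
const sampleInput = '<a href="x">&\'%*</a>';
```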
DOM-based XSS input and output checks
- Specifics
  - When DOM-based XSS occurs, the format of the malicious data differs somewhat from that of traditional XSS; the attack can even hit the client directly without any server-side processing or response.
- Input checks
  - Deploying the detection code on the client side filters more effectively than detecting only on the server side.
  - Client-side code ensures that user input contains only letters, digits and spaces.
  - The server implements the same data checks.
  - Check URL parameter names and count.
  - Check parameter value types and content.
- Output checks
  - Before inserting user-controllable DOM data into the document, the web application should filter the dangerous characters and expressions that may be present in the submitted data and insert it into the document in a safe way.
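The client-side checks listed above, as an added example that is not part of the original post: parameter names and count are checked against a whitelist, each value is checked against a rule, and the value reaches the page as text rather than markup. The parameter names and rules are assumptions for illustration; it uses the standard URL/URLSearchParams API, so it runs in Node or in a browser.

```javascript
// Added example (not from the original post): client-side checks on URL
// parameters before a value reaches the DOM, following the list above.

// Whitelist of parameter names this page accepts, each with a value rule
// (assumed names for illustration).
const ALLOWED_PARAMS = {
  page: /^\d{1,4}$/,             // numeric page index only
  q:    /^[A-Za-z0-9 ]{1,64}$/,  // letters, digits and spaces only
};
const hasOwn = Object.prototype.hasOwnProperty;

// Checks parameter names and count, then each value's content.
// Returns { ok, params, errors } so the caller decides what to render.
function checkUrlParams(href) {
  const errors = [];
  const params = {};
  let url;
  try { url = new URL(href); } catch (e) { return { ok: false, params, errors: ['bad url'] }; }

  const entries = Array.from(url.searchParams.entries());
  if (entries.length > Object.keys(ALLOWED_PARAMS).length) errors.push('too many parameters');
  for (const [name, value] of entries) {
    // hasOwn, not ALLOWED_PARAMS[name]: a name such as "constructor" would
    // otherwise resolve to an inherited Object property.
    if (!hasOwn.call(ALLOWED_PARAMS, name)) { errors.push('unexpected parameter: ' + name); continue; }
    if (hasOwn.call(params, name))          { errors.push('duplicate parameter: ' + name); continue; }
    if (!ALLOWED_PARAMS[name].test(value))  { errors.push('bad value for ' + name); continue; }
    params[name] = value;
  }
  return { ok: errors.length === 0, params, errors };
}

// Safe output: the term is assigned as text (textContent), never as markup.
// `element` may be a real DOM element or, outside a browser, a plain object.
function renderSearchTerm(element, href) {
  const result = checkUrlParams(href);
  element.textContent = (result.ok && hasOwn.call(result.params, 'q')) ? result.params.q : '';
  return result.ok;
}
```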