What is XSS?

XSS stands for Cross Site Scripting, but to distinguish it from “CSS”, XSS is used for short. XSS attack refers to a method in which hackers inject malicious scripts into HTML files and run malicious scripts to attack users while they are browsing the page.

When a malicious JavaScript script is injected into a page, the browser cannot tell whether it is a malicious script or a normal script, so the maliciously injected JavaScript script also has all script permissions.

If a page is injected with a malicious JavaScript script, what can a malicious script do?

  • Stealing Cookie information

    • Cookie information is obtained through malicious JS script, and then data is sent to the malicious server through Ajax and CORS function. After the malicious server gets the user’s Cookie information, it can simulate the user’s login and then operate the account.

  • Monitoring user behavior

    • Through malicious JS scripts, you can monitor various events of users, such as obtaining the login of the input string to complete hack user information.

  • Changing the DOM structure

    • It is common to add floating window advertisements through operators or routers to increase their income.

How do I conduct an XSS attack?

XSS is mainly divided into three types: storage XSS attack, reflection XSS attack and DOM based XSS attack

1. Storage XSS attack

Stored XSS attack

From the figure above, we can see that stored XSS attack generally needs to go through the following steps:

  1. First, a hacker takes advantage of the site’s vulnerability to submit a piece of malicious JavaScript code to the site’s database.
  2. The user then requests a page from the site that contains a malicious JavaScript script;
  3. When the user browses the page, the malicious script uploads the user’s Cookie information and other data to the server.

An example:

Take the storage TYPE XSS vulnerability exposed by Ximalaya in 2015 as an example to look at the whole XSS attack process.

When the user sets the album name, the server does not strictly filter the keywords, so when editing the album name, it can be set as a JavaScript, as shown in the following figure:

Submitting malicious Scripts

When Hacker sets the album name to a piece of JavaScript code and submits it, Ximalaya’s server saves the JavaScript code to the database. This code is then executed on the user’s page when the user opens the album set by hacker.

The user opens a page that contains malicious code

A malicious script can upload the user’s Cookie data to the hacker’s server using XMLHttpRequest or Fetch.

User cookies on a malicious server

By manually setting cookies, you can bypass and directly log in to Ximalaya.

Successful hacks

This is a typical case of a stored XSS attack. This was revealed by Wuyun in 2015, although it was shut down for some reason. A moment of silence.

2. Reflex XSS attack

In a reflective XSS attack, the hacker needs to find an interface vulnerability where the server returns some of the parameters sent by the user without processing them, giving the hacker an opportunity to send the malicious JavaScript script as parameters to the server. The server simply returns the script string, and the browser DOM parser introduces the malicious script into the hack.

Here’s another example

Now we have a simple service

var express = require('express');

var router = express.Router();

/* GET home page. */

router.get('/'.function(req, res, next{

 res.render('index', {

   title'Express'.

    xss:req.query.xss 

  });

});

module.exports = router;

Copy the code

Take an argument and go back to render it as HTML.


      

<html>

<head>

  <title><% = title% ></title>

  <link rel='stylesheet' href='/stylesheets/style.css' />

</head>

<body>

  <h1><% = title% ></h1>

  <p>Welcome to <% = title% ></p>

  <div>

      <% - xss% >

  </div>

</body>

</html>

Copy the code

Visit: http://localhost:3000/? xss=123

Normal access

Hacker finds the bug and cobbles together a URL like this: **http://localhost:3000/? XSS =< script SRC =” XXX “>< /script>**, and then trick you to click, on the page will run malicious script.

It is worth noting that a particularly obvious difference between stored XSS and reflective XSS is that reflective XSS does not store scripts in the server, and all the ways of deceiving users are also different. Hack stored XSS works mainly on uploading malicious scripts and waiting for users to click on normal web pages. The reflective type needs to trick users into actively clicking on the URL containing the vulnerability.

3. DOM based XSS attack

Normally, hackers can’t hijack the normal transport network, but if a hacker can hijack the HTML transport using a man-in-the-middle proxy, they can modify the HTML file to include any malicious script and send it to the user. In general, this happens with operators, so DOM-based XSS is what I would call an inside-ghost-based XSS attack.

How do I prevent XSS attacks

  1. Both stored and reflective XSS are cases where the server does not rigorously examine user input data, meaning that no user input can be trusted. Filter user input by transcoding: into < scriptscr=’xxx’> < /script> So that the browser’s DOM parser cannot run malicious scripts.

  2. For DOM-based XSS attacks, the HTML is transferred using HTTPS to avoid a middleman changing the HTML file.

  3. Full use of CSP and strict implementation of CSP can effectively defend against XSS attacks.

    1. Restrict the loading of resource files in other domains, so that even if a hacker inserts a JavaScript file, the JavaScript file cannot be loaded;
    2. Do not submit data to third-party domains, so that user data is not leaked.
    3. Prohibit execution of inline scripts and unauthorized scripts; It also provides a reporting mechanism, which helps us discover XSS attacks as quickly as possible so that problems can be fixed as quickly as possible.

  4. Use the HttpOnly attribute. Avoid JavaScript cookies. Even if a page is injected with malicious JavaScript, HttpOnly data cannot be retrieved. So for some important data we recommend setting the HttpOnly flag.

conclusion

An XSS attack is when a hacker injects a malicious script into a page and uploads some important data of the page to a malicious server.

Three common XSS attack modes are storage XSS attack, reflection XSS attack and DOM based XSS attack.

What these three attacks have in common is that they all require injecting malicious scripts into users’ pages and then uploading user data to the hacker’s malicious server. The difference between the three is that the injection method is not the same, through the server vulnerability to inject, and the client directly injected.

There are three main defense strategies against these XSS attacks. The first is to filter or transcode the input content through the server, the second is to make full use of CSP, and the third is to use HttpOnly to protect important Cookie information.

Of course, in addition to the above strategies, we can also add captcha to prevent scripts from posing as users and submitting dangerous operations. For some untrusted inputs, you can also limit the input length, which makes XSS attacks more difficult.

– END –