简介
XSS(Cross Site Scripting, 跨站脚本攻击)又称是 CSS, 在 Web攻击中比较常见的方式, 通过此攻击可以控制用户终端做一系列的恶意操作, 如 可以盗取, 篡改, 添加用户的数据或诱导到钓鱼网站等
攻击原理
比较常见的方式是利用未做好过滤的参数传入一些脚本语言代码块通常是 JavaScript, PHP, Java, ASP, Flash, ActiveX等等, 直接传入到页面或直接存入数据库通过用户浏览器阅读此数据时可以修改当前页面的一些信息或窃取会话和 Cookie等, 这样完成一次 XSS攻击
例子
http://example.com/list?memo=<script>alert(“Javascript代码块”)</script> http://example.com/list?memo=<strong οnclick=‘alert(“惊喜不断”)’>诱惑点击语句</strong> http://example.com/list?memo=<img src=’./logo.jpg’ οnclick=‘location.href=“https://blog.csdn.net/qcl108”;’/ alt="XSS attack principles and protection" >
以上例子只是大概描述了方式, 在实际攻击时代码不会如此简单
防御方法
防止 XSS安全漏洞主要依靠程序员较高的编程能力和安全意识
去掉任何对远程内容的引用 如 样式或 JavaScript等
Cookie内不要存重要信息为了避免 Cookie被盗, 最好 Cookie设置 HttpOnly属性防止 JavaScript脚本读取 Cookie信息
不要信任用户的输入, 必须对每一个参数值做好过滤或转译: (& 转译后 &), (
本文来自 web服务器安全_网站安全防护教程 栏目。欢迎学习
The above is the detailed content of XSS attack principles and protection. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
mPDF
mPDF is a PHP library that can generate PDF files from UTF-8 encoded HTML. The original author, Ian Back, wrote mPDF to output PDF files "on the fly" from his website and handle different languages. It is slower than original scripts like HTML2FPDF and produces larger files when using Unicode fonts, but supports CSS styles etc. and has a lot of enhancements. Supports almost all languages, including RTL (Arabic and Hebrew) and CJK (Chinese, Japanese and Korean). Supports nested block-level elements (such as P, DIV),
VSCode Windows 64-bit Download
A free and powerful IDE editor launched by Microsoft
EditPlus Chinese cracked version
Small size, syntax highlighting, does not support code prompt function
MantisBT
Mantis is an easy-to-deploy web-based defect tracking tool designed to aid in product defect tracking. It requires PHP, MySQL and a web server. Check out our demo and hosting services.
SublimeText3 Chinese version
Chinese version, very easy to use
