[Security] Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) is an injection attack in which attacker-supplied script is inserted into a web page. If the injection succeeds, the injected code runs in the browser of every user who opens that page, where it can steal data such as the user's session cookie.

Scripts commonly used to test for the vulnerability include:

  • ><script>alert(document.cookie)</script>
  • "><script>alert(document.cookie)</script>
  • <script>alert(document.cookie)</script>
  • <script>alert('vulnerable')</script>
  • %3Cscript%3Ealert('XSS')%3C/script%3E
  • <script>alert('XSS')</script>
  • <img src="javascript:alert('XSS')"> (only fires in very old browsers; current browsers refuse javascript: URLs in img src)
  • <img src="http://xxx.com/yyy.png" onerror="alert('XSS')"> (the broken image URL triggers the onerror handler, which still works in every current browser)

For developers, the best protection is to treat every piece of user-supplied content as untrusted: encode it for the context it is written into (HTML entities for page text and attribute values) at output time, and validate input against the expected format, rejecting anything that does not match with a validation error. Note that the URL-encoded payload above (%3Cscript%3E...) is the same <script> tag once the framework decodes the request parameter, so validation must run on the decoded value.
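The following is an added example, not code from the original post: a small Node.js script that renders a user comment the vulnerable way (raw string concatenation) and the hardened way (HTML-entity encoding), and checks both against the test payloads listed above. The function names (`escapeHtml`, `renderVulnerable`, `renderSafe`, `introducesMarkup`, `isValidDisplayName`) and the comment template are assumptions made for this example; the payload strings and the `http://xxx.com/yyy.png` URL are taken from the post's list.

```javascript
// Added example (not from the original post): vulnerable vs. hardened
// rendering of untrusted input, exercised with the post's XSS test payloads.

// Constructed sample payloads, copied from the list in the post.
const PAYLOADS = [
  '><script>alert(document.cookie)</script>',
  '"><script>alert(document.cookie)</script>',
  '<script>alert(document.cookie)</script>',
  "<script>alert('XSS')</script>",
  "<img src=\"javascript:alert('XSS')\">",
  "<img src=\"http://xxx.com/yyy.png\" onerror=\"alert('XSS')\">",
];

// Encode the five characters that can change meaning in HTML text and in
// double- or single-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[ch]);
}

// Vulnerable (hypothetical template): the comment is concatenated straight
// into the markup, so a payload such as "><script>... closes the attribute
// value and starts a new tag of the attacker's choosing.
function renderVulnerable(comment) {
  return '<div class="comment" data-raw="' + comment + '">' + comment + '</div>';
}

// Hardened: the same template, but the untrusted value is encoded for the
// place it lands in. Here that is an HTML attribute value and HTML text,
// which one entity encoder covers; JavaScript, URL and CSS contexts each
// need their own encoder instead.
function renderSafe(comment) {
  const safe = escapeHtml(comment);
  return '<div class="comment" data-raw="' + safe + '">' + safe + '</div>';
}

// True if the rendered markup contains tag boundaries beyond the two the
// template itself contributes (<div ...> and </div>), i.e. the input
// managed to inject markup.
function introducesMarkup(html) {
  const tagCount = (html.match(/<[a-zA-Z/]/g) || []).length;
  return tagCount !== 2;
}

// Request parameters arrive URL-encoded; validation has to look at the
// decoded value, otherwise %3Cscript%3E slips past a check for '<'.
function decodedPayload(encoded) {
  return decodeURIComponent(encoded);
}

// Allow-list validation for a field that should only ever hold a display
// name. Anything outside letters, digits, space and a few punctuation
// marks is rejected; the value is still encoded on output regardless.
function isValidDisplayName(name) {
  return /^[\p{L}\p{N} .'-]{1,64}$/u.test(name);
}

// Stand-alone run: show which renderer lets each payload through.
for (const p of PAYLOADS) {
  console.log(
    introducesMarkup(renderVulnerable(p)) ? 'VULNERABLE' : 'ok      ',
    introducesMarkup(renderSafe(p)) ? 'VULNERABLE' : 'ok      ',
    p,
  );
}
```

Run it with `node xss-demo.js`; every payload should report `VULNERABLE` for the raw renderer and `ok` for the encoded one. The point of `introducesMarkup` is only to make the check mechanical for this demo; in a real application the equivalent safeguard is using the template engine's auto-escaping and never switching it off for user data.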


About C.H. Ling (260 articles)
A .NET / Java developer from Hong Kong, currently located in the United Kingdom. Thanks to Google, because it solves many technical problems, so I built this blog in return. Besides coding and trying advanced technology, hiking and traveling are my other favourites, so I will write down what I see and what I feel during them. Happy reading!!!
