Cross-site scripting

Injecting client-side scripts that contain malicious content (e.g. code that steals cookie data) into web pages, via one of three routes:

  • Non-Persistent/Reflected: data provided by a web client (query parameters, form inputs) is used immediately by server-side scripts to build and display a page of results for that same user, without properly sanitizing the request.
  • Persistent/Stored: data provided by the attacker is saved by the server and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping.
  • DOM-based: same as the Non-Persistent type, but the data is never sent to the server. Instead, it is processed by JavaScript code in the browser in order to render it into the web page content.

Preventing attacks

  • Validating untrusted input.
  • Encoding/escaping string output.
  • Cookie security: set the flags that limit what a stolen or injected script can do with a cookie
    • HttpOnly: the cookie cannot be accessed by client-side APIs, such as JavaScript.
    • Secure: the cookie can only be transmitted over an encrypted connection (i.e. HTTPS).
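The three defences above, shown as an added example (not code from the original post): a reflected-XSS page handler in its vulnerable and output-encoded forms, an allow-list validator, and a Set-Cookie value carrying the HttpOnly and Secure flags. The function names and the sample probe string are constructed for this illustration.

```javascript
// Added example: output encoding, input validation and cookie flags as XSS defences.
// Pure functions, so the behaviour can be checked without running a server.

// Escape the five characters that matter when inserting text into an HTML body
// or a quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// Reflected XSS: the query parameter is echoed into the page unchanged, so any
// markup the client sent is parsed by the victim's browser as part of the page.
function renderResultsVulnerable(q) {
  return `<h1>Results for: ${q}</h1>`;
}

// Hardened version of the same page: the untrusted value is encoded for the
// HTML context it lands in, so the browser shows it as text.
function renderResultsSafe(q) {
  return `<h1>Results for: ${escapeHtml(q)}</h1>`;
}

// Validation of untrusted input: an allow-list for a field that is only ever
// an identifier. Anything outside the pattern is rejected before it is stored.
function isValidUsername(u) {
  return /^[A-Za-z0-9_]{3,32}$/.test(u);
}

// Build a Set-Cookie header value with the two flags described in the text:
// HttpOnly keeps it away from document.cookie, Secure restricts it to HTTPS.
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; HttpOnly; Secure; Path=/`;
}

// Constructed sample input: the textbook XSS probe string.
const probe = "<script>alert(1)</script>";
console.log(renderResultsVulnerable(probe)); // script element reaches the browser
console.log(renderResultsSafe(probe));       // rendered as harmless text
console.log("Set-Cookie: " + sessionCookie("sid", "abc123"));
```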
