Series of introductory security – How dangerous is the xss security hole?

About XSS

XSS (Cross Site Scripting) is a security error that allows hackers to embed malicious code (javascript) on another website . Hackers can take advantage of this malicious code to defrag the site, install keylogs, take control of the user, entice users to download the virus to the computer. You can see more demo in the Lotte Cinema hack before.

This is one of the most common security flaws on Web sites. Large to small systems such as Facebook, Twitter, some Vietnamese forums , … have been stuck with this error . Due to its popularity and danger, XSS is always honored to be in the top 10 most serious security errors on OWASP ( Open Web Application Security Project ).


To summarize, please quote a few sentences from the security saint Juno_okyo, who just hacked 3 million server X accounts.

“Well, it sounds dangerous, but why do I see him writing about XSS? Isn't it too cool !? ”

Ah … a common mistake, located in the top 10 OWASP, is both dangerous and can be combined well with other errors. But easy to find, easy to fix, it is still counted bug bounty.

XSS forms

Previously, XSS usually aimed at HTML render code from Server, we called XSS Server. Two common XSS Server types are Persistent XSS and Reflected XSS.

Here, I will take a young man named Khoa as an example. Khoa is a student of FPT University , a fan of toidicodedao, likes to go to thiendia to find a massage place.

1. Persistent XSS

On the forum thiendia, when you post a comment on the topic, the server will save the comment you posted and display it in HTML. When Khoa post "I want to find JAV", the server will save and display the following:


However, Khoa is not so gentle. Because I just learned about XSS, Khoa did not enter the text and entered the alert script ('XXX') into the comment box. At this point, the HTML of the website will become:


The browser will run this script, displaying an alert window. Khoa has inserted the malicious code into thiendia, successfully executed the XSS attack. (Note: I just gave the example, thiendia doesn't have XSS error, you shouldn't try).

In this type of attack, malicious code is stored in the database on the server , displayed to the entire user, so we call it Persistance XSS.

Anyone who sees the comment of Khoa is infected with this malicious code, so this type of attack has a great effect, quite dangerous.

2. Reflected XSS

With this attack, the hacker inserts the malicious code into the URL in the form of a query string. When users click on this URL silently, the site will read the query string, render malicious code into HTML, and the user "traps".


Back to Faculty. Do ask for a massage address forever but not share, Khoa spicy, decided to take revenge on the seniors. Khoa sent a fake JAV link to his seniors mail. Link content: <scrit> deleteAccount () ; </scrit>.

When the men click this link, they will go to thiendia. Then the server will render <scrit> deleteAccount (); </scrit>, call deleteAccount function in JavaScript to delete their account .

The influence of ReflectedXSS is not as wide as that of Persistance XSS, but the level of danger is equivalent . Hackers often send links with malicious code via email, messages, … and entice users to click. So you do not need to ham JAV but click the wrong link ,

(Since wordpress automatically filters the script tag , I have to be scrit . Read about "Anti-XSS" below).

3. Client XSS

Recently, when JavaScript is used more and more, Client XSS errors are also taken advantage of more. Because JavaScript is used to handle DOM, malicious code is inserted directly into JavaScript.

These format holes are much harder to find and detect than XSS Server (See for example: ).



The principle of the "Introduction Security" series is: Hack to learn, not to hack. My goal is not to instruct you to hack and disrupt other sites, but to teach you and prevent these attacks.

Because XSS is a common attack, it is highly effective, so most popular Web Frameworks (Spring, Django, ASP.NET MVC) have built-in prevention. Even if you are an outsider, don't know anything about XSS, just use the latest version framework to prevent it from being quite wrong.


This XSS error is also quite easy to fix, it is important that this error is often encountered in many pages, easy to omit, so after fixing we must verify carefully. There are 3 methods to fix this error:

1. Encoding

Do not trust anything users enter !! Use the encode function available in the language / framework to convert the <> characters to & lt; % gt ;.

2. Validation / Sanitize

One way to prevent XSS is validation: completely remove suspicious characters in the user's input, or error messages if the input contains these characters.

Also, if you want to allow users to enter HTML, use sanitize libraries . These libraries will filter dangerous HTML, CSS, and JS tags against XSS. Users can still use <p>, <span>, <ul> tags to present text.

Please, please repeat, please use the available libraries, not "report" to rewrite to show the level. There have been many cases of XSS errors because developers are confident and write their own code to remove special characters and … to leave.

3. CSP (Content Security Policy)

Currently, we can use the CSP standard to combat XSS. With CSP, the browser only runs JavaScript from the designated domains. Suppose uses CSP, only running JavaScript originating from . Because Khoa leaves malicious code on the repository , the following JavaScript will not be executed.


To use the CSP, the server simply adds the Content-Security-Policy header to each response. The header content contains domains that we trust.



Saying a little mastery (because I don't like PHP), the number of websites built by PHP is the most XSS error. The first reason is because the number of web pages written in PHP is extremely high . The second reason is that PHP does not encode strange characters by default. PHP CMSs like WordPress, Joomla are very powerful with numerous plug-ins. However, many hotly written plug-ins are the cause of this security error.

Currently, the number of websites with XSS errors is quite a lot, you just need to roam on the network will meet. For moral reasons, hope you imitate the example of juno_okyo, when discovered, notify the admin so that people can fix it but not play the "young buffalo" hack like me.

As I said, XSS is a very basic error, almost every hacker knows. This error-prone website is easy to bait for hackers. Therefore, the developers remember carefully, do not let your web errors.

Who finished the code, then check to see if I stick , who is code, just check the code . Remember to like and share this article with many developers so everyone can avoid it.

Some reference links:

ITZone via toidicodedao

Share the news now