XSS attack test code
The main attack is to obtain the cookie information from the server by typing into an input box, and then to use that cookie to log in to the server.
The principle is that the attacker enters values in front of the keyword; those values are stored in the back-end database, later retrieved as key-value pairs, and so trigger the code that reads the server's cookie information.
Therefore both the front end and the back end must process special characters, and must not allow special tags such as <script>, other HTML tags, or other special character codes to be entered.
1. Get the user's cookie
<script>alert(document.cookie)</script>
onclick=alert(document.cookie)
2. Disrupt the page layout
<iframe src="http://baidu.com"></iframe>
<script>alert("hello")</script>
3. Enter script parameters in page links, or type a JS script into the input box
XSS bug fixes
Principle: never trust data entered by the client.
Note: the attack code is not necessarily inside <script></script> tags.
Mark important cookies as HttpOnly, so a JavaScript document.cookie statement cannot read the cookie.
User input needs processing: only the data we expect is allowed, and other values are filtered out. For example, an age textbox only allows the user to enter a number; characters other than digits are filtered out.
HTML-encode the data.
HTML filtering or removal of particular tags, for example <script> and <iframe>; encode &lt; for <, &gt; for >, &quot; for ".
Filter JavaScript event attributes, e.g. "onclick=", "onfocus" and the like.
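An added example (not code from the original note) showing the fixes above in Python: an HTML encoder with the entity mapping listed, a digits-only filter for the age textbox, an HttpOnly session cookie, and a parser-based check that the page's own test payloads render inert. The comment template and the cookie name are assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed payloads, taken from the test cases listed above.
TEST_PAYLOADS = [
    "<script>alert(document.cookie)</script>",
    '" onclick=alert(document.cookie) x="',
    '<iframe src="http://baidu.com"></iframe>',
]

def html_encode(value):
    """HTML-encode the characters that let data break out of text or attributes
    (same mapping as the stdlib html.escape(value, quote=True))."""
    return (value.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                 .replace('"', "&quot;").replace("'", "&#x27;"))

def filter_age(value):
    """Whitelist filter for the age textbox: keep digits only, drop everything else."""
    return re.sub(r"\D", "", value)

def render_comment(author, body):
    """Safe rendering: user data reaches the page only through html_encode."""
    return (f'<div class="comment" data-author="{html_encode(author)}">'
            f"{html_encode(body)}</div>")

def render_comment_unsafe(author, body):
    """The vulnerable form, kept only so the check below can show the difference."""
    return f'<div class="comment" data-author="{author}">{body}</div>'

class _TagCollector(HTMLParser):
    """Records every start tag and its attribute names while parsing."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, [name.lower() for name, _ in attrs]))

def is_inert(rendered):
    """True if parsing yields only our <div> with no on* event attribute, i.e. the
    user data produced no tag and no handler that a browser would execute."""
    parser = _TagCollector()
    parser.feed(rendered)
    return all(tag == "div" and not any(a.startswith("on") for a in attrs)
               for tag, attrs in parser.tags)

def session_cookie_header(token):
    """Set-Cookie for the session: HttpOnly keeps document.cookie from reading it."""
    return f"session={token}; HttpOnly; Secure; SameSite=Lax; Path=/"
```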