A cross-domain request for XSS vulnerability is renewed

Last mentioned, because of the need to use the proxy page to resolve the cross-domain request for the POST request, you need to execute the passed function on the proxy page. So we made a white list. Only our approved callback function can be executed on the page, preventing the execution of illegal JS methods and scripting attacks.

the way we do this is to introduce the whitelist and filtering methods separately as separate files into the page and then use them (which provides an opportunity for new vulnerabilities).  

This vulnerability occurs for two reasons:

• Blocked the white list of JS files
• the current page if you do not detect this method is not filtered directly (why do you do so?) Preventing a white list from failing, for some reason, causes some kind of request to fail, causing the process to pass. For this reason, there is an opportunity to exploit the vulnerability. )

How to control This white list easily? The exploit is: The browser's XSS filter attribute. When an XSS attack is detected in the URL, the browser automatically filters the JS content on the page. is to use this principle, disable the White list filter function of the page, plus no restrictions, resulting in the ability to bypass the filter function directly on the page to execute the attack code.

After checking, the browser in order to prevent XSS attacks, filtering the URL in the presence of the JS address on the line filter. Visit the following address:

https://www.baidu.com/?xss=%3Cscript%20type%3D%22text%2Fjavascript%22%20src%3D%22https%3A%2F% 2fss1.bdstatic.com%2f5en1bjq8aauym2zgoy3k%2fr%2fwww%2fcache%2fstatic%2fprotocol%2fhttps%2fjquery% 2fjquery-1.10.2.min_f2fb5194.js%22%3e%3c%2fscript%3e

Will find such an error:

The XSS Auditor refused to execute a script in ' https://www.baidu.com/?xss=%3Cscript%20type%3D%22text%2Fjavascript% 22%20src...ocol%2fhttps%2fjquery%2fjquery-1.10.2.min_f2fb5194.js%22%3e%3c%2fscript%3e ' because its source code was Found within the request. The auditor was enabled as the server sent neither a ' x-xss-protection ' nor ' Content-security-policy ' header.

Cause the page Cannot load jquery js, think this JS is an XSS attack.

There's a field in the HTTP protocol header that controls whether or not to turn on the browser's XSS filtering feature. That is: X-xss-protection.  

So what is X-xss-protection? This is to protect against XSS. You can set his value to turn on and off whether to filter XSS, of course, it is best to turn on this function, here is to understand and learn the HTTP protocol in this field. How should that be configured?   

0– Turn off XSS protection for browsers-  turn on XSS protection  1; mode=block– turn on XSS protection and notify the browser to block rather than filter user-injected scripts.  1; report=http://site.com/report– This browser is supported only by Chrome and the WebKit kernel, which tells the browser to post this part of the data to the specified address when a suspected XSS attack is found.

When XSS protection is turned on, the browser hides the output from the reflective XSS.

Here, there are two solutions for my solution:

• The filter method is placed in the page, not in the form of an external;
• or if the detection method is not detected, the process continues directly.  

The fight against XSS is more than.

Resources:

Https://www.imququ.com/post/web-security-and-response-header.html

http://drops.wooyun.org/tips/1166

Http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx

http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/ Controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx

https://msdn.microsoft.com/en-us/library/dd565647 (v=vs.85). aspx

A cross-domain request for XSS vulnerability is renewed