Cross-site scripting attacks XSS


    • I. Understanding XSS
    • II. XSS attacks
    • III. XSS defense (emphasis)
    • IV. Summary

Writer: bysocket (the Mason)

    • Weibo: Bysocket
    • Douban: Bysocket

Feel free to repost this anywhere you like.


I. Understanding XSS

Let me start with a story I wanted to tell in the previous article. What is called an "attack" is in fact very simple: the attacker gets the information he wanted, and the hack has succeeded. In this case (not my own story; an acquaintance told it) the attacker found a Tomcat vulnerability, uploaded a JSP that used HttpClient internally to download a trojan, and ran it. Done. So there is no such thing as absolute security.

Today the Mason will introduce XSS and then the question of how to defend against it. On defense, opinions differ from person to person; where the Mason falls short, I hope readers will discuss it. The Mason currently works in Java, so the examples lean towards Java.

Q: What is XSS, and why does it exist?

A: The full name is Cross Site Scripting. As the name suggests, it is a form of "HTML injection": the attacker modifies the web page so that it contains a malicious script, and when users browse that page the script runs in their browser and takes control of it.

XSS is commonly divided into three types by how the payload is delivered and how long it persists: reflected XSS, stored XSS, and DOM-based XSS.

II. XSS attacks

Now that we know what XSS is, how is it used to attack? The saying that comes to the Mason's mind is: know yourself and know your enemy, and you will never be defeated. We will not explain the attacks in detail, since the point of this article is XSS defense. First, the Mason introduces:

The XSS payload: the malicious script that carries out a particular task. (This reminds me of the hacker spirit; many of today's so-called "hackers" are not real hackers but script kiddies.) A common XSS payload reads the browser's Cookie object to carry out a "cookie hijacking" attack. The Mason will show how to defend against that below: setting the HttpOnly flag on a cookie keeps script from reading it, although it does not stop the other things a payload can do.

A capable XSS payload can do the following:
1. construct GET and POST requests,
2. all kinds of phishing,
3. identify the user's browser, and so on.

Q&A

Q: What is phishing?
A: As the name suggests, the fish takes the bait of its own accord; here the word is used pejoratively. For example, a fake pop-up or a fake page gets you to enter your QQ credentials or some other account information; what you type actually goes to the attacker's server, and they now have your username and password. That is the bait in phishing.

III. XSS defense (emphasis)

Meet each attack with the appropriate defense. On web security the Mason wants to remind everyone: the taller the tree, the more monkeys climb it. Some protections are therefore given to you by default; others we have to take care of and configure ourselves.

In fact a great deal has already been done against XSS in places you do not see, for example inside the various browsers.

1. Cookies

Following the idea above, the Mason starts with cookies. A cookie works like this:
1. The browser sends a request to the server and is ready to receive a cookie.

2. The server returns a Set-Cookie header, and the browser stores the cookie. (Note that it is the browser that stores it, not a particular browser kernel.)

3. Until the cookie expires, the browser sends it along with every request to the pages it applies to.

This does not mean we should avoid cookies; like sessions, they simply need to be used with care. When a cookie is used to remember a login, for example, be careful to set its HttpOnly attribute to true. Here the Mason takes Spring MVC as an example; when a cookie is used, it should look like this:

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

// Create two cookies and set them in the response; only Cookie1 carries HttpOnly
Cookie cookie1 = new Cookie("Cookie1", "CookieValueHttpOnly");
Cookie cookie2 = new Cookie("Cookie2", "CookieValue");
cookie1.setHttpOnly(true);   // script cannot read this one through document.cookie
response.addCookie(cookie1);
response.addCookie(cookie2); // this one stays readable from JavaScript
```

The complete controller is shown in the original post as a screenshot.

Open the browser, visit the controller's URL and look at the cookies in Firebug (the original post shows this as a screenshot): Cookie1 carries the HttpOnly flag and Cookie2 does not.
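The cookie most worth protecting is the one the container issues for the session itself (JSESSIONID on Tomcat), since that is what a cookie-hijacking payload is usually after. From Servlet 3.0 onwards the flags on that cookie are set through SessionCookieConfig rather than by hand in a controller. The listener below is an added example, not code from the original post; it assumes a Servlet 3.0 or later container and that the application is served over HTTPS only (otherwise drop the setSecure call).

```java
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

/**
 * Added example, not code from the original post. Marks the container's own
 * session cookie (JSESSIONID on Tomcat) HttpOnly and Secure when the web
 * application starts. Requires a Servlet 3.0+ container; SessionCookieConfig
 * may only be changed while the context is still initializing, which is why
 * this lives in a ServletContextListener rather than in a controller.
 */
@WebListener
public class SessionCookieHardening implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();
        cfg.setHttpOnly(true); // document.cookie can no longer read the session id
        cfg.setSecure(true);   // assumption: the site is served over HTTPS only
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}
```

The same effect can be had declaratively with `<session-config><cookie-config><http-only>true</http-only><secure>true</secure></cookie-config></session-config>` in web.xml. Either way, verify it the way the post verifies Cookie1: look at the Set-Cookie header for JSESSIONID in the browser's network panel and check that both flags are present.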

2. Input checking

Input validation logic must be implemented on the server side; if it lives only in JavaScript it is easily bypassed by an attacker. The common practice is therefore to check twice, as a lot of code does: client-side JavaScript checks together with server-side checks, so that the client-side check catches most, say 99%, of users' honest mistakes while the server-side check is the one that actually enforces the rule.

For XSS defense we need to validate, filter or encode certain special characters in user input. This kind of input check is called an "XSS filter". First, register it in the configuration file (the fragment is not reproduced in this copy of the post),

mapping it to the paths that need protection. The Mason then wrote an HTTP request wrapper class that cleans the parameters. Enough talk; here is code from actual use.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    @Override
    public String[] getParameterValues(String parameter) {
        String[] values = super.getParameterValues(parameter);
        if (values == null) {
            return null;
        }
        int count = values.length;
        String[] encodedValues = new String[count];
        for (int i = 0; i < count; i++) {
            encodedValues[i] = cleanXSS(values[i]);
        }
        return encodedValues;
    }

    @Override
    public String getParameter(String parameter) {
        String value = super.getParameter(parameter);
        if (value == null) {
            return null;
        }
        return cleanXSS(value);
    }

    @Override
    public String getHeader(String name) {
        String value = super.getHeader(name);
        if (value == null) {
            return null;
        }
        return cleanXSS(value);
    }

    /**
     * Blacklist-style cleaning of one value. Each rule is a plain string or
     * regex replacement; the HTML entities below must be written without
     * spaces, which the copy on the page had lost.
     */
    private String cleanXSS(String value) {
        // Angle brackets: stop the value from opening or closing a tag.
        value = value.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
        // Parentheses: break function-call syntax such as alert(1).
        value = value.replaceAll("\\(", "&#40;").replaceAll("\\)", "&#41;");
        // Single quotes: stop the value from closing a single-quoted attribute.
        value = value.replaceAll("'", "&#39;");
        // Remove eval(...) calls and quoted javascript: URLs.
        value = value.replaceAll("eval\\((.*)\\)", "");
        value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
        // Remove the word "script" (case-sensitive).
        value = value.replaceAll("script", "");
        return value;
    }
}
```
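A wrapper like this only takes effect once a javax.servlet.Filter passes new XssHttpServletRequestWrapper(request) down the chain in place of the original request; that filter and its URL mapping are what the path configuration above refers to. Before relying on it, it is worth seeing what the blacklist in cleanXSS actually does. The class below is an added example, not code from the original post: it copies the replacement chain from cleanXSS above and runs it over three constructed inputs.

```java
/**
 * Added example, not code from the original post. Copies the replacement chain
 * from XssHttpServletRequestWrapper.cleanXSS above and runs it over a few
 * constructed inputs to show where a blacklist of this kind is lossy, where it
 * is bypassable, and where one of its rules is dead.
 */
public class CleanXssLimits {

    /** Same chain of replacements, in the same order, as the wrapper's cleanXSS. */
    static String cleanXSS(String value) {
        value = value.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
        value = value.replaceAll("\\(", "&#40;").replaceAll("\\)", "&#41;");
        value = value.replaceAll("'", "&#39;");
        value = value.replaceAll("eval\\((.*)\\)", "");
        value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
        value = value.replaceAll("script", "");
        return value;
    }

    /** A typical template: the filtered value lands in a double-quoted attribute. */
    static String renderInput(String userValue) {
        return "<input type=\"text\" value=\"" + cleanXSS(userValue) + "\">";
    }

    public static void main(String[] args) {
        // 1. Lossy: every occurrence of "script" is deleted, so ordinary words
        //    such as "Javascript" or "transcript" are mangled.
        System.out.println(cleanXSS("Javascript transcript"));

        // 2. Bypass: the double quote is not on the blacklist, so this constructed
        //    value closes the attribute and adds its own event handler. The HTML
        //    parser decodes &#40; and &#41; inside an attribute before the
        //    handler reaches the JavaScript engine, so alert(1) still runs.
        String attrPayload = "\" onfocus=\"alert(1)\" autofocus=\"";
        System.out.println(renderInput(attrPayload));

        // 3. Dead rule: the parentheses were rewritten two steps earlier, so the
        //    eval\((.*)\) pattern never sees a literal "(" and never matches.
        System.out.println(cleanXSS("eval(alert(1))"));
    }
}
```

Running main shows three things. "Javascript transcript" comes back as "Java tran": deleting every "script" destroys legitimate text. The attribute payload comes back with only its parentheses changed, and renderInput produces `<input type="text" value="" onfocus="alert&#40;1&#41;" autofocus="">`; because the double quote is never encoded, the value breaks out of the attribute, and the HTML parser turns `&#40;`/`&#41;` back into parentheses before the handler is executed, so alert(1) fires as soon as the field is focused. Finally, "eval(alert(1))" keeps its eval, because by the time the eval rule runs the parentheses are already entities. Filtering input with a blacklist is at best a speed bump; the reliable defense is the one the next section describes, encoding output for the context it is placed in.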

3. Output checking

In general, except for rich text, a variable written into an HTML page can be protected against XSS by encoding or escaping it for the context it lands in. Which encoder is used varies from team to team. Rich text, where users are meant to submit HTML, cannot simply be encoded and needs a whitelist-based sanitizer instead.
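What "encoding for the context" means in practice is that text between tags, a quoted attribute value and a JavaScript string literal each need a different encoder. The class below is an added example, not code from the original post; it hand-rolls minimal versions of the three encoders so the mechanism is visible and places one constructed payload in all three contexts. In a real project use the OWASP Java Encoder (org.owasp.encoder.Encode) rather than these; the method names mirror its forHtml / forHtmlAttribute / forJavaScript split.

```java
/**
 * Added example, not code from the original post: minimal context-aware output
 * encoders of the kind the section above recommends. Prefer the OWASP Java
 * Encoder in production; these exist to show what each context requires.
 */
public class OutputEncoding {

    /** For text between tags: the five characters HTML can misread, plus '/'. */
    static String forHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** For a quoted attribute value: everything except ASCII letters and digits
     *  becomes a numeric character reference, so quotes and spaces cannot end
     *  the attribute or start a new one. */
    static String forHtmlAttribute(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c < 128 && Character.isLetterOrDigit(c)) {
                sb.append(c);
            } else {
                sb.append("&#x").append(Integer.toHexString(c).toUpperCase()).append(';');
            }
        }
        return sb.toString();
    }

    /** For a value inside a JS string literal: \xHH escapes for ASCII and Latin-1,
     *  \\uHHHH for everything else. Because '<' and '/' are escaped, the HTML
     *  parser can never see a closing script tag inside the literal. */
    static String forJavaScript(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c < 128 && Character.isLetterOrDigit(c)) {
                sb.append(c);
            } else if (c < 256) {
                sb.append(String.format("\\x%02X", (int) c));
            } else {
                sb.append(String.format("\\u%04X", (int) c));
            }
        }
        return sb.toString();
    }

    /** The same untrusted value placed in three contexts, each with its own encoder. */
    static String renderPage(String untrusted) {
        return "<p>" + forHtml(untrusted) + "</p>\n"
             + "<input value=\"" + forHtmlAttribute(untrusted) + "\">\n"
             + "<script>var name = '" + forJavaScript(untrusted) + "';</script>";
    }

    public static void main(String[] args) {
        // Constructed payload that tries to break out of each of the three contexts.
        String payload = "\" onfocus=\"alert(1)\" autofocus=\"</p><script>alert(2)</script>'; alert(3); //";
        System.out.println(renderPage(payload));
    }
}
```

Run main and compare the three lines. In the paragraph the payload is inert text because `<`, `>`, `"`, `'` and `/` are entities. In the attribute every quote and space is a character reference, so the value cannot leave the attribute and no onfocus handler is created. Inside the script block the sequence `</script>` becomes `\x3C\x2Fscript\x3E`, so the HTML parser never sees a closing tag, and the quote becomes `\x27`, so the JavaScript engine sees a single string rather than `alert(3)`. Note that the attribute encoder would have stopped the payload that slipped past the input filter in the previous section; that is the difference between filtering input by blacklist and encoding output by context.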
