XSS Attack and Defense details

I. Principles

XSSCross-Site Scripting(XSS) Is the most popularWebOne of the security vulnerabilities.

XSS means attackers can use malicious scripts.CodeInject to other web pages browsed by users.

XSS attacks are classified into two types:

1. for intra-site attacks, the attacker submits the attack script to the website database (for example, the attacker's personal information contains the Attack Script), and then deceives others (System Administrators) to browse the page, this attack script is triggered.

2. for out-of-site attacks, all attacks are self-built email or webpages, and then others are deceived.View this page to trigger this attack script.

II. Introduction to XSS

The following code is available:

View code

 1   <  ASP: textbox  ID = "Txbusername"  Runat  = "Server"  > </  ASP: textbox  >  
  2     <  ASP: button  ID  = "Btnsave"  Runat  = "Server"  Text  = "Button" Onclick  = "Btnsave_click"     /> 

View code

 
1 Protected void btnsave_click (Object sender, eventargs E)
2 {
3 Response. Write (txbusername. Text );
4 }
 

When you enter <SCRIPT type = "text/JavaScript"> alert ("Script Injection" + document. Cookie); </SCRIPT> in the input box, the user's cookie is displayed.

Instead, you can save the code to a database or create a self-built network to allow other users to trigger the code and obtain related resources of other users. (Cookies can be used to review the original page and can be used as attackers to log on to the page. There are a lot of related methods online. If you are interested, you can go to Baidu .)

Attackers can write JavaScript code to send these resources to a specified URL or email address for further attacks.

Attackers can also write JavaScript code to capture the current user's page content, such as account information.

In addition, JS can also use actinveobject to do many things, such as downloading viruses and wooden polo, or even modifying the Registry (when the client does not have a firewall ). In short, it is very dangerous to let the user enter the code and make the code executable.

The specific code about these things can be learned together if you are interested. It is not difficult to write it.

Iii. Defense methods

1. configuration on the page or web. configValidaterequest = "false ",ValidaterequestJustASP. NETProvides in-depth defense techniques (Defense-in-depth).WebIn development, you cannot rely only on it, but do not have a special Validation Code for the input.

2. Use regular expressions to filter or convert special characters. (Not recommended, prone to problems)

3. UseASP. NETSelf-supportedHttputility. (This is more convenient)

For example:

Response. Write (httputility. htmlencode (request. Form ["name"]);

4. Use the anti-Cross-Site Scripting library provided by Microsoft (Microsoft anti-Cross Site Scripting library v1.5-antixss). (This is the safest)

AntixssIs a separately downloaded software library. Developers canHttp://www.microsoft.com/download/en/details.aspx? Id = 5242Download directly. (You can call antixsslibrary. dll in the project after installation. Note that this version is. net4.0. Please download the corresponding version as needed .)

AntixssAndHttputilityFor example:

String name = antixss. htmlencode (request. querystring ["name"]);

SoHttputilityAndAntixssWhat is the difference? Which one should developers use?

The biggest difference between them is thatHttputility. htmlencodeBlack List verification (Black List. That isHttputility. htmlencodeOnly filter the special characters it knows, and allow other input.Antixss. htmlencodeWhitelist verification (White List. It only allows the output of characters that it deems valid, and filters out all other characters.

In both,Antixss. htmlencodeIt is recommended to be safer.