What is a JavaScript injection attack ?, Javascript injection attacks

What is a JavaScript injection attack ?, Javascript injection attacks

Javascript can be used as a tool for hackers to attack websites. Injection of javascript malicious scripts is one of the methods, let's learn how to prevent js injection attacks? Here is a good statement to share with you:

What is a JavaScript injection attack?
The website is vulnerable to JavaScript injection whenever you accept and re-Display user input. Let's look at a specific application that is vulnerable to JavaScript injection attacks. Assume that a customer feedback website has been created. Customers can visit the website and enter feedback on the product. When the customer submits feedback, the feedback is displayed on the feedback page again.

The customer feedback website is a simple website. Unfortunately, this website is vulnerable to JavaScript injection attacks.

Assume that the following text is being input into the customer feedback form:

<Script> alert ("Boo !") </Script>

This text indicates the JavaScript script that displays the warning message box. After someone submits this script to the customer feedback form, the message is Boo! Attacks that will be displayed when anyone accesses the customer feedback website in the future. You may also think that others will not be damaged by JavaScript injection attacks.

Now, your first response to JavaScript injection attacks may be ignored. You may think that JavaScript injection attacks are just a type of harmless. Unfortunately, hackers inject JavaScript into the website to conduct destructive activities. Attackers can use JavaScript injection to execute cross-site scripting (XSS) attacks. In cross-site scripting attacks, attackers can steal confidential user information and send it to another website.

For example, hackers can use JavaScript injection to steal Cookies from other users' browsers. If sensitive information (such as passwords, credit card accounts, or social insurance numbers) is stored in browser Cookies, hackers can use JavaScript injection to steal the information. Alternatively, if the user inputs sensitive information into the form field of the page, and the page is vulnerable to JavaScript attacks, the hacker can use the injected JavaScript to obtain the form data and send it to another website.

Please pay attention to it. Take JavaScript injection attacks seriously and protect users' confidential information. In the next two sections, we will discuss two techniques to prevent ASP. net mvc applications from being attacked by JavaScript injection.

Method 1:HTML encoding in the view

One simple way to prevent JavaScript injection attacks is to use HTML to encode the data input by any Website user when displaying data in the view again.

For example: <% = Html. Encode (feedback. Message) %>

What is the meaning of using HTML to encode a string? When an HTML encoded string is used, dangerous characters such as <and> are replaced with HTML entities, such as <and>. Therefore, when the HTML-encoded string <script> alert ("Boo!") is used !") </Script>, it is converted to <script> alert ("Boo !") </Script>. The browser does not execute JavaScript scripts when parsing encoded strings. Displays harmless pages.

Method 2:HTML encoding before writing data to the database
In addition to HTML-encoded data when displaying data in the view, you can also use HTML-encoded data before submitting data to the database. The second method is the controller in program listing 4.

For example:

public ActionResult Create(string message){// Add feedbackvar newFeedback = new Feedback();newFeedback.Message = Server.HtmlEncode(message);newFeedback.EntryDate = DateTime.Now;db.Feedbacks.InsertOnSubmit(newFeedback);db.SubmitChanges();  // Redirectreturn RedirectToAction(“Index”);}

Note that the Message value is HTML encoded in the Create () operation before it is submitted to the database. When the Message is re-displayed in the view, the Message is HTML encoded, so no JavaScript injected into the Message is executed.

Summary

Generally, people prefer to use the first method discussed in this tutorial, rather than the second method. The second problem is that HTML-encoded data will be retained in the database. In other words, the data in the database contains strange characters. What are the disadvantages? If you need to display database data in a form other than the web page, you will encounter problems. For example, you cannot easily display data in Windows Forms applications.

The above is all the content of this article. I hope it will be helpful for your learning and support for helping customers.