XSS Security Filtering

Source: Internet
Author: User

Many XSS attacks happen because a user can enter unfriendly content wherever input is accepted and that content is later written back into the page. The basic approach is to filter the input content.

For PHP and Java there are ready-made libraries (a JAR package or a PHP framework) that can be called to filter the user's input automatically and avoid XSS.

There are several ways to defend against this:

1. HttpOnly: prevent cookies from being stolen

HttpOnly was first proposed by Microsoft and has since become a standard. A browser refuses to let JavaScript running in the page read a cookie that carries the HttpOnly attribute, so many websites set the cookies used for authentication as HttpOnly.

Many simple XSS payloads inject JavaScript only to read document.cookie and send it elsewhere; marking the important cookies HttpOnly effectively closes that path. It does not stop the injected script from doing anything else in the page (issuing requests with the victim's session, for example), so it is a mitigation, not a fix for the XSS itself.

2. Input Check

Input checking generally means testing whether the data a user submits contains special characters such as <, >, ' and ", and filtering or encoding those characters when they are found. This is normally done with a ready-made framework component. On its own it is not sufficient, because at input time the application does not yet know in which context (HTML text, attribute, script, URL) the value will later be written out.

3. Output check

Most people know that input has to be checked, but the output check is often forgotten. Output inside HTML element content, PHP code:
    <?php
    $a = "<script>alert(1);</script>";
    // The original value of $b is truncated in this copy of the page; a constructed second payload stands in for it
    $b = "<img src=x onerror=alert(2)>";
    ?>
    <div><?=$b?></div>
    <a href="#"><?=$a?></a>
Rendered like this, the client is exposed to XSS. The fix is to HTML-encode every variable at the point where it is written into the page; in PHP the htmlentities() function does this. Pass ENT_QUOTES and the charset so that single quotes are encoded as well, which matters as soon as the value lands inside a quoted attribute. PHP code:
    <?php
    $a = "<script>alert(1);</script>";
    $b = "<img src=x onerror=alert(2)>";  // same constructed stand-in as above
    ?>
    <div><?=htmlentities($b, ENT_QUOTES, 'UTF-8')?></div>
    <a href="#"><?=htmlentities($a, ENT_QUOTES, 'UTF-8')?></a>
Output inside an HTML attribute, HTML code:
    <div id="div" name="$var"></div>
Here the defence is again HTMLEncode, and the attribute value must be quoted: an unquoted attribute can be broken out of with a plain space even when < and > are encoded. In owasp-php the attribute encoder leaves only a few punctuation characters unencoded, PHP code:
    $immune_htmlattr = array(',', '.', '-', '_');
    $this->htmlEntityCodec->encode($immune_htmlattr, "\"><script>123123;</script><\"");
Output inside a <script> tag, PHP code:
    <?php
    $c = "1;alert(3)";
    ?>
    <script type="text/javascript">
    var c = <?=$c?>;
    </script>

Here XSS works again. First, the JavaScript variable has to be written inside quotation marks (var c = "<?=$c?>";). But with $c = "\"abc;alert(123);//" the quotes are useless: the value closes the string literal and the rest runs as code, and HTMLEncode is not the right tool for this context, because the browser does not decode HTML entities inside a <script> block. Only a stricter JavaScriptEncode function guarantees safety: every character except letters and digits is encoded in the hexadecimal form \xHH. The open-source owasp-php implementation is used here, PHP code:
    $immune = array('');
    echo $this->javascriptCodec->encode($immune, "\"abc;alert(123);//");
Final output: \x22abc\x3balert\x28123\x29\x3b\x2f\x2f
Output inside an HTML event handler, HTML code:
    <a href="#" onclick="funcA('$var')">test</a>
A possible attack, HTML code:
    <a href="#" onclick="funcA(''); alert(/xss/);//')">test</a>
The handler body is JavaScript, so this is really the <script> case again and the defence is the same JavaScriptEncode; because its output contains only letters, digits and backslashes, it also survives the HTML attribute parsing that happens before the handler runs.

Output inside CSS (expression() is an old Internet Explorer feature, but the encoding rule is general): the owasp-php implementation, PHP code:
    $immune = array('');
    $this->cssCodec->encode($immune, 'background:expression(window.x?0:(alert(/xss/),window.x=1));');

Output in a URL
First make sure the variable begins with http:// or https://, which rules out javascript:, data: and similar schemes, and then percent-encode it with encodeURI (for a whole URL) or encodeURIComponent (for a single parameter value). Implemented in owasp-php, PHP code:
    $instance = ESAPI::getEncoder();
    $instance->encodeForURL('url');
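The encoders that section 3 calls for, collected in one place so they can be compared side by side. This is an added example written for this page, not code from the article or from owasp-php; the function names (htmlEncode, jsEncode, cssEncode, safeHref), the attribute, event-handler and URL payloads, and the \uHHHH handling for non-ASCII characters (which the article does not discuss) are assumptions made for the illustration. The $a, $c and CSS payloads are the article's own.

```javascript
// Added example, not code from the article or from owasp-php: one encoder per
// output context, following the rules in section 3. The function names and the
// extra payloads (attr, handler, the URLs) are constructed for illustration.

// HTML element content and quoted attribute values: the five characters that
// can change the parse of element text or of a quoted attribute become
// entities. Single quotes are included so the result is also safe inside '...'.
const HTML_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, (ch) => HTML_MAP[ch]);
}

// JavaScript string literals, inside <script> or inside an event-handler
// attribute: every UTF-16 unit that is not an ASCII letter or digit becomes
// \xHH (\uHHHH above 0xFF). The output holds only letters, digits and
// backslashes, so it can close neither a string, nor a tag, nor an attribute.
function jsEncode(s) {
  const str = String(s);
  let out = '';
  for (let i = 0; i < str.length; i++) {
    const c = str.charCodeAt(i);
    if (/[A-Za-z0-9]/.test(str[i])) {
      out += str[i];
    } else if (c < 0x100) {
      out += '\\x' + c.toString(16).padStart(2, '0');
    } else {
      out += '\\u' + c.toString(16).padStart(4, '0');
    }
  }
  return out;
}

// CSS values (a style attribute or <style> block): non-alphanumerics become the
// CSS hex escape \HH, terminated by a space so that a following hex digit is
// not absorbed into the escape.
function cssEncode(s) {
  const str = String(s);
  let out = '';
  for (let i = 0; i < str.length; i++) {
    out += /[A-Za-z0-9]/.test(str[i]) ? str[i] : '\\' + str.charCodeAt(i).toString(16) + ' ';
  }
  return out;
}

// Untrusted link target: accept only http(s) URLs (rejecting javascript:,
// data: and similar schemes), percent-encode the rest, then HTML-encode so the
// result is safe inside a quoted href. Returns null when the URL is rejected.
function safeHref(url) {
  const s = String(url).trim();
  if (!/^https?:\/\//i.test(s)) return null;
  return htmlEncode(encodeURI(s));
}

// The article's cases, each value run through the encoder for its context.
// $a, $c and the CSS payload are the article's own; attr, handler and the
// two URLs are constructed.
function renderExamples() {
  const a = '<script>alert(1);</script>';
  const attr = '"><script>123123;</script><"';
  const c = '"abc;alert(123);//';
  const handler = "'); alert(/xss/);//";
  const css = 'background:expression(window.x?0:(alert(/xss/),window.x=1));';
  return {
    div: '<div>' + htmlEncode(a) + '</div>',
    attr: '<div id="div" name="' + htmlEncode(attr) + '"></div>',
    script: '<script>var c = "' + jsEncode(c) + '";</script>',
    onclick: '<a href="#" onclick="funcA(\'' + jsEncode(handler) + '\')">test</a>',
    style: '<div style="' + cssEncode(css) + '"></div>',
    goodHref: safeHref('http://example.com/?q=<x>'),
    badHref: safeHref('javascript:alert(1)'),
  };
}

console.log(renderExamples());
```

Running it shows the same `\x22abc\x3balert\x28123\x29\x3b\x2f\x2f` that the article gets from owasp-php for $c, the javascript: URL rejected as null, and that the encoder is chosen by where the value lands, not by what the value contains: the same $a would need jsEncode, not htmlEncode, if it were written inside a script.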

4. Defensive Dom Based XSS

DOM-based XSS arises when data is written into the HTML page by JavaScript itself. JS code:
    <script>
    var x = "$var";
    document.write("<a href='" + x + "'>test</a>");
    </script>
The output encoding of section 3 is applied when x is assigned (JavaScriptEncode, because the value lands inside a <script> block). But by the time document.write() writes x into the page, the JavaScript engine has already turned the \xHH escapes back into the original characters, and the browser parses the result as HTML again, so the value is effectively unencoded and XSS is possible. Defence: keep the server-side output encoding, and encode a second time on the client for the context the data is written into: JavaScriptEncode when it goes into an event handler or script, HTMLEncode when it goes into HTML content or an attribute (and, for a link target, check the scheme too, since a javascript: URL survives attribute encoding). Where possible prefer DOM APIs such as textContent and setAttribute() over building markup strings. Many sinks trigger DOM-based XSS: document.write(), document.writeln(), xxx.innerHTML=, xxx.outerHTML=, innerHTML.replace, document.attachEvent(), window.attachEvent(), document.location.replace(), document.location.assign()
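To make the double-decoding concrete, the following added example (not the article's code) replays the three steps for the document.write() sink above outside a browser: the server's JavaScript-encoded output, the JS engine turning the escapes back into characters, and the HTML parser reading the concatenated markup. The attacker value `' onmouseover='alert(1)`, the pre-encoded server line, and the helper names are constructed for the illustration.

```javascript
// Added example, not the article's code: why server-side JavaScriptEncode
// alone does not stop DOM-based XSS at a document.write() sink. The attacker
// value ("' onmouseover='alert(1)") and the server output are constructed.

// What the server emits after JavaScriptEncode of $var: only letters, digits
// and backslashes, so the <script> block itself cannot be broken out of.
const SERVER_SCRIPT_LINE = String.raw`var x = "\x27\x20onmouseover\x3d\x27alert\x281\x29";`;

// The browser's JavaScript engine evaluates the string literal and turns every
// \xHH / \uHHHH escape back into its character. This mirrors that step so the
// block can run outside a browser.
function evaluateStringLiteral(scriptLine) {
  const m = /^var x = "(.*)";$/.exec(scriptLine);
  if (!m) throw new Error('unexpected script line');
  return m[1].replace(/\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})/g,
    (_, hex2, hex4) => String.fromCharCode(parseInt(hex2 || hex4, 16)));
}

// The article's sink: x is concatenated into markup that the HTML parser
// reads a second time. The JavaScript escaping is gone by now, so the quote
// in x ends the href value and the attacker's attribute becomes live.
function vulnerableWrite(x) {
  return "<a href='" + x + "'>test</a>";
}

// Fix: encode again, this time for the HTML attribute context, before writing.
const HTML_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function htmlAttrEncode(s) {
  return String(s).replace(/[&<>"']/g, (ch) => HTML_MAP[ch]);
}
function safeWrite(x) {
  return "<a href='" + htmlAttrEncode(x) + "'>test</a>";
}

const x = evaluateStringLiteral(SERVER_SCRIPT_LINE);
console.log('x after the script runs :', x);
console.log('document.write receives :', vulnerableWrite(x));
console.log('with attribute encoding :', safeWrite(x));
```

The vulnerable branch hands `<a href='' onmouseover='alert(1)'>test</a>` to the parser; the encoded branch keeps the whole value inside the href. In a real page the safer form is to create the element with document.createElement('a'), set the target with setAttribute('href', x) and the label with textContent, and to check that x begins with http:// or https:// first, because a javascript: URL passes attribute encoding unchanged.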
