version : v1.1Update time : 2013-05-25what 's new: Optimizing Performancefunction Description :
can effectively protect xss,sql injection, code execution, file inclusion and many other high-risk vulnerabilities.
How to use:
Upload waf.php to the directory of files to include
To add protection to the page, there are two ways to do this, depending on the situation two:
XSS Cross-site scripting attack: A malicious attacker inserts malicious script code into a Web page, and when the user browses to the page, the script code embedded inside the Web is executed to achieve the purpose of malicious attacks on the user.For example, some forums allow users to speak freely without detecting the user's input data, which is displayed directly on the page.If the user enters some CSS style code, the HTML table code, displayed on
ObjectiveThe XSS is also called the CSS (cross site script), which is an attack by the site. A malicious attacker inserts malicious HTML code into a Web page, and when the user browses to the page, HTML code embedded inside the Web is executed to achieve the special purpose of the malicious attacker.Environment preparationas in previous times, use PHP as a demonstration. Because the production of XSS is a
XSS Defense:
1, as far as possible major general domain name domains under the root of the domain name to reduce the impact of the site XSS vulnerability to the main station;
2, the input of the data filter check:
public static string Htmlspecialchars (final String s) {string result = s; result = Regexreplace ("", "amp;", result); result = Regexreplace ("\", "quot;", result); result = Regexreplace ("Note:
Many domestic forums have a cross-site scripting loophole, foreign also many such examples, even Google has appeared, but in early December revised. (Editor's note: For cross-site scripting exploits, readers can refer to the "detailed XSS cross-site scripting Attack"). Cross-station attacks are easy to construct, and very covert, not easy to be Chage (usually steal information immediately jump back to the original page).
How to attack, do not explain
Core ConceptsWAFWeb application Firewall (Web application Firewall), or WAF.Web attacksAttacks initiated against web apps, including but not limited to the following types of attacks: SQL injection, XSS cross-site, Webshell upload, Command injection, illegal HTTP protocol request, unauthorized file access, and more.waf--attacks against web apps, including but not limited to the following types of attacks: SQL injection,
PHP XSS Attack prevention If you like a product title, you can use Strip_tags () filter to erase all HTML tags.If something like a product description, you can use the Htmlspecialchars () filter to escape the HTML tag. SQL injection prevents numeric type parameters, which can be coerced into shaping using (int)/intval ().A string type parameter that can be used to escape special characters using mysql_real_escape_string (). java
3.1 XSS IntroductionThe Cross site script was originally abbreviated as CSS, and in order to differentiate itself from CSS in web development, the security realm is called XSS.The cause of XSS is the direct input of the user, output to the page, the hacker can input script statements to attack.XSS Classification: Reflective XSS, need to persuade users to click on
This article will explain how to use cross-site scripting (XSS) and how to use it. This article will give a brief introduction to JavaScript and XSS vulnerabilities.
XSS is short for Cross-Site Scripting, but you may ask why it is not replaced by CSS. This is because CSS has been used in Cascading Style Sheets, so using XSS
During the XSS detection process on a website, multiple search pages call the same function. Most of these variables are not strictly filtered. Most of these variables are typical XSS, for the typical XSS detection site, we have already explained this clearly, so I will not talk about it much 。
I want to share with beginners who haven't touched dom
Label:The knowledge of web security is very weak, this article to the XSS cross-site attack and SQL injection related knowledge, I hope you have a lot of advice. For the prevention of SQL injection, I only used simple concatenation of string injection and parametric query, can say that there is no good experience, in order to avoid after the understanding of the guilty of making a big mistake, a special reference to a lot of predecessors of the experi
Recently, in the cnode community, an article about XSS published by @ Wu Zhonghua directly led the community to initiate various attacks on cnode. Here we summarize some of the problems and solutions encountered this time.
File Upload Vulnerability
The logic for nodeclub to upload images is as follows:
// File name uploaded by the user
Var filename = Date. now () + '_' + file. name;
// User folder
Var userDir = path. join (config. upload_di
Talking about PHP security and anti-SQL injection, prevent XSS attack, anti-theft chain, anti-CSRF
Objective:
First of all, the author is not a web security experts, so this is not a Web security expert-level article, but learning notes, careful summary of the article, there are some of our phper not easy to find or say not to pay attention to things. So I write down to facilitate later inspection. There must be a dedicated web security tester in a
Directory1 . Vulnerability Description 2 . Vulnerability trigger Condition 3 . Vulnerability Impact Range 4 . Vulnerability Code Analysis 5 . Defense Methods 6. Defensive thinking1. Vulnerability descriptionA simple summary of how this vulnerability is exploited1 The exploit of this vulnerability is the need to log in to the background to operate, accurately from the point of view of the cookie is required to be logged in the background state 2 the background of the logo upload has an
(1) ConceptsXss (cross-site scripting) attacks refer to attacks that insert malicious html tags or javascript code into Web pages. When a user browses this page or performs some operations, attackers use users' trust in the original website to trick users or browsers into performing insecure operations or submitting users' private information to other websites.For example, an attacker places a seemingly secure link in a forum to obtain users' private information from cookies after Obtaining user
XSS attacks: Cross Site scripting attacks (Scripting), which are not confused with the abbreviations of cascading style sheets (cascading style Sheets, CSS), are abbreviated as XSS for cross-site scripting attacks.A must-see source, Good article:http://www.cnblogs.com/TankXiao/archive/2012/03/21/2337194.htmlWhat is XSS attackXSS is a computer security vulnerabili
Affected products: glFusion developer: http://www.glfusion.org/defect impact: 1.2.2 and probably prior tested version: 1.2.2Advisory Details: High-Tech Bridge Security Research Lab discovered multiple XSS vulnerabilities in glFusion, which can be exploited to perform Cross-Site Scripting attacks. glFusion has a "bad_behaviour" plugin (installed by default) that verifies HTTP Referer, aimed to protect agains
0x00 Preface
At the beginning of the article, I 'd like to apologize for the article (about the inheritance of cross-origin character sets) that was recently published with an outrageous conclusion but was deleted in a timely manner. I also hope that those who will repost the article without testing can delete the article. Prevent more people from misunderstanding the cross-origin character set. However, I have reorganized an article for my gratitude, which I have always wanted to write. However
XSS vulnerability of one cross-origin request continued
As mentioned above, because you need to use the proxy page to solve the cross-origin request of POST requests, You need to execute the passed function on the proxy page. Therefore, we implemented a whitelist. Only the callback functions we recognized can be executed on the page to prevent execution of illegal JS methods and script attacks.
The method we use is to introduce the whitelist and filte
We often say that network security should actually include the following three aspects of security: 1. confidentiality, such as user privacy theft and account theft. The common method is Trojan. 2. Integrity, for example, data integrity. For example, Kangxi sent a 14th son, which was tampered with by the fourth brother at that time, common methods are XSS cross-site scripting attacks and csrf Cross-Site Request Forgery. 3. Availability, such as whethe
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.