Recently, a third-party tool scanned the project and reported an HTTP header cross-site scripting (XSS) vulnerability. While fixing it we also studied how cross-site scripting works: XSS is essentially the HTML counterpart of SQL injection. The attacker passes a specially crafted script to the server through an HTTP GET/POST request (or, as here, a request header), and the server reflects it into the page, where the browser executes it. There are two main types of XSS. In the reflected type, a victim has to be tricked into clicking an injected link, after which the script can steal the user's cookie; in the stored type, the script has already been written into the database, so every time someone visits a normal page of the site the script runs. In theory, JavaScript on the page can do anything the user can do. Here is a simple example. The JSP code of my page contains the following section:
<% String sz = request.getHeader("user-agent"); ... %>
...
<script type="text/javascript">
var sz = "<%= sz %>";
...
if (sz.indexOf('Firefox/') != -1) { ... } // the rest is omitted; it inspects the User-Agent header to determine the client browser
</script>
Even such a simple piece of code has a vulnerability. The User-Agent header I obtained through Chrome is: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) chrome/29.0.1547.57 Safari/537.36, so the page renders var sz = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) chrome/29.0.1547.57 Safari/537.36"; but the header is sent by the client, so a client can put arbitrary content into it simply by changing what the browser sends. By reading the page source, one can construct the string ";alert(document.cookie);" and the final page code becomes:
<script type="text/javascript">
var sz = "";alert(document.cookie);"";
...
</script>
If a user visits such a page, the injected script can send the user's cookie to another server on the Internet, hijacking the session. The fix is also relatively simple: treat every piece of information that comes from the user as untrusted and encode it before it is written into the page. You can use URLEncoder from the JDK, or StringEscapeUtils from Apache Commons, to keep user-supplied text from escaping the context we intend it for. This is how I handled the request: I changed getHeader("user-agent") to URLEncoder.encode(request.getHeader("user-agent")). Now, even if the same text is injected, the result is: sz = "%22%3Balert%28document.cookie%29%3B%22"; the quotes and semicolons are encoded, so the injected text can no longer break out of the string and run as script.
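The following Java program is an added example, not code from the original post. It reproduces the three ways the header can reach the page: pasted in raw (the vulnerable JSP above), URL-encoded (the fix the post applies), and escaped for a JavaScript string literal (the context-appropriate encoding; the hand-written escapeJsString below is an assumption standing in for a library call such as StringEscapeUtils.escapeEcmaScript). The sample User-Agent values are constructed. It also shows the caveat a practitioner should know about URLEncoder: it is meant for query-string components, so it rewrites spaces, slashes and parentheses as well as quotes, which means a check like indexOf('Firefox/') on the encoded value never matches, whereas JavaScript-string escaping neutralizes the quotes but leaves the runtime value intact.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class UserAgentReflection {

    // Constructed sample header values: a normal Firefox User-Agent and the
    // breakout string from the post. The client controls this header entirely.
    static final String FIREFOX_UA =
        "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0";
    static final String HOSTILE_UA = "\";alert(document.cookie);\"";

    // Equivalent of the original JSP: the header is pasted into the script unchanged.
    static String renderRaw(String ua) {
        return "var sz = \"" + ua + "\";";
    }

    // The post's fix: URL-encode the header before it is written into the page.
    // (URLEncoder.encode(String, Charset) is available from Java 10 onwards.)
    static String renderUrlEncoded(String ua) {
        return "var sz = \"" + URLEncoder.encode(ua, StandardCharsets.UTF_8) + "\";";
    }

    // Context-appropriate fix: escape for a JavaScript string literal so the value
    // survives unchanged at runtime. Hand-written here (assumption); a library such as
    // Apache Commons' StringEscapeUtils offers the same thing.
    static String escapeJsString(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\\\"); break;
                case '"':  sb.append("\\\""); break;
                case '\'': sb.append("\\'"); break;
                case '/':  sb.append("\\/"); break;      // also keeps "</script>" from closing the tag
                case '\n': sb.append("\\n"); break;
                case '\r': sb.append("\\r"); break;
                case '<':  sb.append("\\u003C"); break;
                case '>':  sb.append("\\u003E"); break;
                default:
                    if (c < 0x20) sb.append(String.format("\\u%04X", (int) c));
                    else sb.append(c);
            }
        }
        return sb.toString();
    }

    static String renderJsEscaped(String ua) {
        return "var sz = \"" + escapeJsString(ua) + "\";";
    }

    // Does the emitted value still sit inside one string literal? An unescaped
    // double quote inside the literal body means the value broke out.
    static boolean breaksOutOfLiteral(String rendered) {
        String body = rendered.substring("var sz = \"".length(),
                                         rendered.length() - "\";".length());
        for (int i = 0; i < body.length(); i++) {
            if (body.charAt(i) == '\\') { i++; continue; }  // skip the escaped character
            if (body.charAt(i) == '"') return true;
        }
        return false;
    }

    public static void main(String[] args) {
        for (String ua : new String[] { FIREFOX_UA, HOSTILE_UA }) {
            String raw = renderRaw(ua), url = renderUrlEncoded(ua), js = renderJsEscaped(ua);
            System.out.println("raw        : " + raw + "   breakout=" + breaksOutOfLiteral(raw));
            System.out.println("URLEncoder : " + url + "   breakout=" + breaksOutOfLiteral(url));
            System.out.println("JS-escaped : " + js + "   breakout=" + breaksOutOfLiteral(js));
            System.out.println();
        }
        // The browser detection from the original JSP: after URL encoding, "Firefox/" has
        // become "Firefox%2F", so the check the page relies on no longer matches.
        String encoded = URLEncoder.encode(FIREFOX_UA, StandardCharsets.UTF_8);
        System.out.println("indexOf('Firefox/') on URL-encoded value: " + encoded.indexOf("Firefox/"));
    }
}
```

Run it with javac and java; the raw rendering of HOSTILE_UA is the only one reported as breaking out of the literal, and the last line prints -1, which is why the encoding should match the context the value is written into (a JavaScript string here) rather than a URL query string.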