Cross-site script attack (III)

Source: Internet
Author: User

Part two: Defending against cross-site script attacks

First, how to protect the server from cross-site script attacks

Fortunately, the techniques for preventing cross-site script attacks are maturing. There are now several ways to prevent them:

1. Encode the characters of dynamically generated pages

2. Filter and restrict input

3. Use HTML and URL encoding

1. Encode the characters of dynamically generated pages

The first thing to do is to set the character encoding of dynamically generated pages. You must do this, or an attacker can easily get through your line of defense by changing your character set. If our site is an English-language site, setting the character encoding to the Latin character set ISO-8859-1 is enough, as follows:

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

2. Filter and restrict all input data

This is the second way to prevent cross-site script attacks: do not allow special characters to be entered at login. We can do this by adding a JavaScript routine to the form's onsubmit handler. In this example we also limit the input to a maximum of 15 characters, which blocks longer scripts from being entered.

In <<Knowledge Base Article Q252985>>, Microsoft provides a short JavaScript program to filter input data. We have adapted this code to our example as follows:

function checkForm() {
    document.forms[0].UserName.value =
        RemoveBad(document.forms[0].UserName.value);
    return true;
}

// MICROSOFT'S CODE
function RemoveBad(strTemp) {
    // Strip the characters < > " ' % ; ( ) & + - from the input
    strTemp = strTemp.replace(/\<|\>|\"|\'|\%|\;|\(|\)|\&|\+|\-/g, "");
    return strTemp;
}

In this way, the following characters can be filtered out of the input:

% < > [ ] { } ; & + - " ' ( )

3. Use HTML and URL encoding

Although filtering and restricting input as described above is a very important defense, it can do nothing against my email attack, because I put the URL parameters directly in the message. We need a stronger security measure for this case. If we are using ASP, the solution is relatively easy: always apply HTML and URL encoding to dynamically generated web pages. For the case in our example, we made the following change to the redirect URL in the first input page:

strRedirectUrl = strRedirectUrl & _
    Server.URLEncode(Request.Cookies("UserName"))


In the execution page we add:

strUserName = Server.HTMLEncode(Request.QueryString("UserName"))

and

strUserName = Server.HTMLEncode(Request.Form("UserName"))

Microsoft recommends that all input to and output from dynamic pages be encoded, even when storing data in and fetching it from a database. This lets you avoid cross-site script attacks to a large extent.


To do this, add the following to Page1.asp:


<%@ Language=VBScript %>
<% If Request.Cookies("UserName") <> "" Then
    ' Redirect if the cookie is detected
    Dim strRedirectUrl
    strRedirectUrl = "page2.asp?UserName="
    strRedirectUrl = strRedirectUrl & _
        Server.URLEncode(Request.Cookies("UserName"))
    Response.Redirect(strRedirectUrl)
Else %>
<HTML>
<HEAD>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>MyNiceSite.com Home Page</title>
</HEAD>
<script language="JavaScript">
<!--
function checkForm() {
    document.forms[0].UserName.value =
        RemoveBad(document.forms[0].UserName.value);
    return true;
}

//******************************************************
// Programmer: NOT ORIGINAL CODE - COMES FROM MICROSOFT
// Code source: Microsoft Knowledge Base Article Q252985
// Description: Removes bad characters.
//******************************************************

function RemoveBad(strTemp) {
    strTemp = strTemp.replace(/\<|\>|\"|\'|\%|\;|\(|\)|\&|\+|\-/g, "");
    return strTemp;
}
//-->
</SCRIPT>
<BODY>
<BR>
<H2>MyNiceSite.com</H2>
<BR>
<form method="POST" action="page2.asp" onsubmit="return checkForm();">
Enter your MyNiceSite.com username:
<input type="text" name="UserName" size="10" maxlength="10">
<input type="submit" name="submit" value="Submit">
</FORM>
</BODY>
</HTML>
<% End If %>

In Page2.asp, add:


<%@ Language=VBScript %>
<% Dim strUserName
If Request.QueryString("UserName") <> "" Then
    strUserName = Server.HTMLEncode(Request.QueryString("UserName"))
Else
    Response.Cookies("UserName") = Request.Form("UserName")
    strUserName = Server.HTMLEncode(Request.Form("UserName"))
End If %>
<HTML>
<HEAD>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</HEAD>
<BODY>

</BODY>
</HTML>

This attack is now effectively defeated. Once the malicious tags and scripts are encoded, they are displayed as text, as follows:
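
What the encoding in Page1.asp and Page2.asp does to a value that carries markup, as an added JavaScript example that is not part of the original article. htmlEncode and encodeURIComponent stand in for Server.HTMLEncode and Server.URLEncode; the function names, the "Hello:" greeting and the sample value are assumptions.

```javascript
// Added example: JavaScript stand-ins for the ASP calls used on this page.
// htmlEncode approximates Server.HTMLEncode (it also encodes the single
// quote); encodeURIComponent plays the role of Server.URLEncode.
const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

function htmlEncode(value) {
  // Encode every character that can open a tag, an entity or an attribute value.
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Page1: build the redirect as the page does, URL-encoding the cookie value.
function buildRedirectUrl(userNameCookie) {
  return "page2.asp?UserName=" + encodeURIComponent(userNameCookie);
}

// Page2: read UserName from the query string and HTML-encode it before output.
// The greeting markup is hypothetical; the article's page body is not shown.
function renderGreeting(requestUrl) {
  const query = requestUrl.split("?")[1] || "";
  const userName = new URLSearchParams(query).get("UserName") || "";
  return "<h3>Hello: " + htmlEncode(userName) + "</h3>";
}

// Constructed input: a value carrying markup, as it would arrive in a link
// that never passed through the client-side RemoveBad filter.
const hostile = '<script>alert("x")</script>';
const url = buildRedirectUrl(hostile);
const html = renderGreeting(url);

console.log(url);   // the markup travels as percent-encoded data
console.log(html);  // the markup is rendered as inert text
```

Because the encoding happens on the server at output time, it applies whether the value came from the form, the cookie or a hand-built link.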


We can also add an IIS component that filters all special characters out of dynamic input. For sites that are already built, this approach makes it very easy to prevent cross-site script attacks. Our control can intercept the Request object coming from ASP pages, and can inspect forms, cookies, query strings, and program content:

We can also have this component collect statistics by writing a log file. Each time a client enters an illegal character, the component records the client's IP address and the time. For more information, see Doug Dean's <<Roll Your Own IIS Application>> on ASPToday.

We only need to take a few simple steps to effectively stop cross-site script attacks. In addition to the three methods above, Microsoft and CERT also strongly recommend a method they call a "sanity check". For example, if an input field should accept only numbers, restrict its input to the digits 0-9. Microsoft and CERT consider restricting input to the allowed characters in this way much better than filtering specific characters on its own. With these measures in place, customers are protected when they visit your site.
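
One way to implement the "sanity check" together with the rejection log described above, as an added JavaScript example (not Microsoft's, CERT's or the article's code). The field rules, the Age field, the IP address and the timestamp are constructed for illustration, and the check is meant to run on the server so that it also covers values that never passed through the onsubmit filter.

```javascript
// Added example: allow-list "sanity check" with a rejection log.
// Field names, patterns and limits below are assumptions.
const FIELD_RULES = {
  UserName: { pattern: /^[A-Za-z0-9_]+$/, maxLength: 15 },
  Age:      { pattern: /^[0-9]+$/,        maxLength: 3 },
};

// Microsoft's deny-list filter from the page, kept here for comparison.
function RemoveBad(strTemp) {
  return strTemp.replace(/\<|\>|\"|\'|\%|\;|\(|\)|\&|\+|\-/g, "");
}

// Validate every submitted field. Rejected fields produce a log entry with
// the client IP and the time; the raw value is deliberately not logged.
function sanityCheck(fields, clientIp, now) {
  const accepted = {};
  const log = [];
  for (const [name, raw] of Object.entries(fields)) {
    const rule = FIELD_RULES[name];
    const value = String(raw);
    let reason = null;
    if (!rule) reason = "unexpected field";
    else if (value.length === 0 || value.length > rule.maxLength) reason = "bad length";
    else if (!rule.pattern.test(value)) reason = "illegal character";
    if (reason) log.push({ time: now.toISOString(), ip: clientIp, field: name, reason });
    else accepted[name] = value;
  }
  return { ok: log.length === 0, accepted, log };
}

// Constructed request: Age holds a non-numeric value made only of characters
// the deny-list does not mention, so RemoveBad returns it unchanged.
const sample = { UserName: "alice_01", Age: "1e3" };
const result = sanityCheck(sample, "192.0.2.10", new Date(Date.UTC(2024, 0, 1)));

console.log(RemoveBad(sample.Age));
console.log(JSON.stringify(result, null, 2));
```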

Second, how to protect our browsers from attack

When you browse the Internet, how do you avoid being attacked? Microsoft and CERT suggest that you not wander around the Internet aimlessly. In response, John Dvorak, a columnist at PC Magazine, gave an interesting answer. He sees this as a premeditated move by Microsoft: to scare people who surf the web into browsing only "safe" sites, such as AOL and MSN.com.

In our example, even if you do not wander around the Internet, you cannot avoid attacks from it. Ironically, most of the danger comes from the websites we trust most. If you want to be sure that nothing goes wrong, you have to avoid downloading any dynamic content or any cookies. For more information, see the relevant information for your browser.

Microsoft also warns you to set the browser's Active Scripting to a strictly restricted state and to set your email client to a strictly restricted receiving mode. You must be careful when clicking links in messages. For further information, refer to <<Microsoft's Knowledge Base Article Q253117>>. To be on the safe side, it is best to gain more Internet experience and stay cautious at all times.

Conclusion

If you are a former UNIX developer, you may not know what cross-site scripting means. You know that the username and password many site administrators log in with are root, root. Similarly, the username and password of many database administrators are sa, password. You also know of webzines (such as Phrack and Alt2600) whose methods can show you the weaknesses of a server step by step. You also know that many sites' database servers and web servers do not protect themselves. Once a hacker gets hold of them, the machine is paralyzed.

While it is easy to take measures to prevent a system from being hacked, our systems remain exposed to hackers. We have every reason to believe that some new security vulnerabilities will appear in the coming year. A paper published under the direction of Mr. John Howard of CERT states: "According to current research, each site with a domain name on the Internet is hacked at least once a year on average."

For a server, even one such attack is unbearable. Cross-site script attacks are one more method that hackers can use. But with the simple measures described above, we can prevent this form of attack from happening.


