Current blog on the prevention of XSS cross-site script injection and SQL injection

Source: Internet
Author: User
Tags html tags sql injection

Yesterday this blog was hit by an XSS cross-site scripting attack and fell within 3 minutes... In fact, the attacker's attack was very simple, with no technical content. I can only sigh that I had not guarded against it at all before.

Here are some of the records left in the database. In the end, the guy inserted a script with an infinite-loop popup, and after that script it was presumably impossible even for him to get in again.

Similar to this:

<body onload='while(true){alert(1)}'> </body></html>

I immediately realized the seriousness of the incident: it shows that my blog has a serious security problem. Because XSS cross-site scripting attacks can cause user cookies, or even the server-side session user information, to be hijacked, the consequences are severe, even though the scripts attackers use do not necessarily have any technical content.

So I spent some time understanding how to guard against it. Along the way I also looked at SQL injection.

SQL injection relies on the concatenation of SQL statements, so user input needs to be parameterized. Since I am using JPA, there is no SQL string-concatenation problem, but it is still better to do some checking of user input. My blog system is not complicated: four tables in total, article, user, message and comment.

The only user-entered values involved in database queries are the user name, the password and the title of an article. Others, such as the article date, are generated in the background and need no handling.

For the validation of these three fields, a custom annotation can be used.

import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import javax.validation.Constraint;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
import javax.validation.Payload;

/**
 * @ClassName: IsValidString
 * @Description: Custom annotation implementing front- and back-end parameter checks to determine whether illegal characters are included
 * @author Nameless
 * @date 2016-7-25 8:22:58
 * @version 1.0
 */
@Target({ElementType.FIELD, ElementType.METHOD})
@Retention(RetentionPolicy.RUNTIME)
@Constraint(validatedBy = IsValidString.ValidStringChecker.class)
@Documented
public @interface IsValidString {
    String message() default "the string is invalid.";

    Class<?>[] groups() default {};

    Class<? extends Payload>[] payload() default {};

    // The validator class referenced by validatedBy above
    class ValidStringChecker implements ConstraintValidator<IsValidString, String> {
        @Override
        public void initialize(IsValidString arg0) {}

        @Override
        public boolean isValid(String strValue, ConstraintValidatorContext context) {
            // Check method (the actual character check goes here)
            return true;
        }
    }
}

Once the custom annotation is defined, you can add @IsValidString to the corresponding entity class field.

But since I haven't yet found out how to intercept the exception returned by the custom annotation check, I do the check in the controller class instead.

import java.util.regex.Matcher;
import java.util.regex.Pattern;

public static boolean contains_sqlinject_illegal_ch(String str_input) {
    // Full candidate character set considered:
    // "[`~!@#$%^&*()+=|{}':;',\\[\\].<>/?~!@#¥%……&*()——+|{}【】';:”“’。,、?]"
    String regEx = "['=<>;\"]";
    Pattern p = Pattern.compile(regEx);
    Matcher m = p.matcher(str_input);
    // true if any of the intercepted characters appears in the input
    return m.find();
}

The intercepted characters are ' " [ ] < > ;

I think these are enough. Filtering < > incidentally also solves the XSS cross-site scripting injection problem for these fields.

But the XSS cross-site scripting injection problem still gives me a headache. Because my blog system uses the wangEditor web text editor, the content sent back to the back end contains a lot of legitimate HTML tags, used to express the article format. So it is not possible to filter characters such as < > uniformly.

For example,

The &lt; and &gt; in the middle are valid < > characters that can be displayed on the page. The <p><br> on the outside are normal HTML tags produced by the text editor to control the format.

The problem is, if someone clicks the editor's "source code" button, the text editor produces normal HTML tags, and then they enter this sentence

It's a headache, and I wonder why this editor offers such a thing. The view-source function makes it impossible to filter < > uniformly.

In this case, I can only filter out the subset of HTML tags that look harmful, and it is well known that such blacklist validation is not safe.

/*
 * Cross-site scripting (XSS) is a type of computer security vulnerability
 * typically found in Web applications. XSS enables attackers to inject
 * client-side scripts into Web pages viewed by other users. A cross-site
 * scripting vulnerability may be used by attackers to bypass access
 * controls such as the same-origin policy. Cross-site scripting carried out
 * on websites accounted for roughly 84% of all security vulnerabilities
 * documented by Symantec as of 2007. Their effect may range from a petty
 * nuisance to a significant security risk, depending on the sensitivity of
 * the data handled by the vulnerable site and the nature of any security
 * mitigation implemented by the site's owner. (from en.wikipedia.org)
 */
public static boolean contains_xss_illegal_str(String str_input) {
    // Blacklist of tag openers, both literal and URL-encoded (%3C is '<'),
    // including the upper/lower-case variants of the encoded forms
    return str_input.contains("<body")
        || str_input.contains("<script")
        || str_input.contains("<link")
        || str_input.contains("<meta")
        || str_input.contains("<style")
        || str_input.contains("<xml")
        || str_input.contains("%3cscript")
        || str_input.contains("%3chtml")
        || str_input.contains("%3cbody")
        || str_input.contains("%3clink")
        || str_input.contains("%3Cmeta")
        || str_input.contains("%3cmeta")
        || str_input.contains("%3CSTYLE")
        || str_input.contains("%3cstyle")
        || str_input.contains("%3Cxml")
        || str_input.contains("%3cxml");
}
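The safer alternative to the blacklist above is an allowlist: keep only the bare formatting tags the editor is expected to produce and escape every other < and >. This is an added example, not code from the original post or from wangEditor; the allowed tag set is an assumption, and a production system would use a maintained library such as the OWASP Java HTML Sanitizer instead of hand-rolled parsing.

```java
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Allowlist sanitizer for rich-text editor output: keeps a fixed set of
 *  attribute-free formatting tags and escapes everything else. */
public class AllowlistSanitizer {
    // Formatting tags the editor is assumed to produce; extend as the editor requires.
    private static final Set<String> ALLOWED =
        Set.of("p", "br", "b", "i", "strong", "em", "ul", "ol", "li");

    // A bare opening/closing tag with NO attributes, e.g. <p>, </p>, <br/>.
    // <body onload=...> or <a href=...> do not match and are therefore escaped.
    private static final Pattern BARE_TAG =
        Pattern.compile("</?([a-zA-Z][a-zA-Z0-9]*)\\s*/?>");

    public static String sanitize(String html) {
        StringBuilder out = new StringBuilder(html.length());
        int i = 0;
        while (i < html.length()) {
            char c = html.charAt(i);
            if (c == '<') {
                Matcher m = BARE_TAG.matcher(html).region(i, html.length());
                if (m.lookingAt() && ALLOWED.contains(m.group(1).toLowerCase())) {
                    out.append(m.group());   // allowed formatting tag, copied verbatim
                    i = m.end();
                    continue;
                }
                out.append("&lt;");          // anything else: neutralise the tag opener
            } else if (c == '>') {
                out.append("&gt;");
            } else {
                out.append(c);               // already-encoded &lt; / &gt; pass through
            }
            i++;
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: legitimate editor markup around the payload the post recorded.
        String stored = "<p>hello &lt;b&gt; world<br></p>"
                      + "<body onload='while(true){alert(1)}'></body>";
        // prints <p>hello &lt;b&gt; world<br></p>&lt;body onload='while(true){alert(1)}'&gt;&lt;/body&gt;
        System.out.println(sanitize(stored));
    }
}
```

The editor's own <p> and <br> survive while the injected body tag is rendered as harmless text, regardless of whether it was typed through the source-code view.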

I'm thinking of getting rid of this text editor's view-source function altogether.

In addition, I have started to study XSS cross-site scripting prevention systematically, and began reading the book "White Hat Speak Web security", which I think is good.

Any new insights will be added to this article.
