[Web security practices] XSS
Article Points:
1. Understand XSS
2. XSS attacks
3. XSS defense (important)
I. Understanding XSS
Let's start with a story. I also mentioned this case in the previous article. What an attack actually is, is very simple: the attacker gets the information they want. Someone I know (not me) found a Tomcat vulnerability, uploaded a JSP file that behaved like an HttpClient, downloaded a Trojan, and ran it. Done. So there is no absolute security.
Today the bricklayer will show you how to defend against XSS. Opinions on defense differ, and we hope you will discuss them with each other. The bricklayer currently works in Java, so most of the examples are in Java.
Q: What is XSS? Why?
A: Full name: Cross Site Scripting (abbreviated XSS rather than CSS, to avoid confusion with style sheets); Chinese name: cross-site scripting attack. It is essentially "HTML injection": the attacker alters a web page by inserting malicious script, which then runs in the browser of every user who views the page and lets the attacker control that browser.
XSS is commonly divided into three types: reflected XSS, stored XSS, and DOM-based XSS.
II. XSS attacks
Next, how is an XSS attack carried out? Here the bricklayer recalls a saying: know yourself and know your enemy. We will not explain the attack side in detail, since the goal is XSS defense, but the bricklayer first introduces the following:
An XSS payload is the malicious script that carries out some specific function once it runs. (This reminded the bricklayer of an episode from the hacker scene: the so-called "hacker" turned out to be a script kiddie.) The most common XSS payload is cookie hijacking: the script reads the browser's Cookie object (document.cookie) and sends it to the attacker, who can then reuse the victim's session. The bricklayer will teach you how to defend against this: setting the HttpOnly flag on the cookie stops page script from reading it.
A more powerful XSS payload can also: 1. construct GET and POST requests in the victim's name, 2. carry out phishing, 3. identify the user's browser, and so on.
Q: What is phishing?
A: As the name suggests, the victim is lured into taking the bait. Here the word is used in its malicious sense: for example, a fake pop-up box or fake page asks the user to enter QQ or account details, and as soon as the user types them in they are sent to someone else's server, which now has the account and password. That is how the fish gets hooked.
III. XSS defense (important)
Meet each attack with the matching defense. In Web security, the bricklayer wants to remind everyone that attackers keep climbing higher, so some protections we get by default, and others we must pay attention to and configure ourselves.
In fact, many measures against XSS are already in place, for example in the various browsers.
1. Cookies and HttpOnly
Following the ideas above, the bricklayer starts with cookies. A cookie is used like this:
1. The browser sends a request to the server.
2. The server returns a Set-Cookie header, and the browser stores the cookie. (Note: "browser" here means the browser application, not the rendering engine.)
3. Until the cookie expires, the browser attaches it to every request it sends to that site.
This means cookies must not be used carelessly. Like a session, they need care. When a cookie is used to remember a login, set its HttpOnly attribute to true so that page script cannot read it. Taking SpringMVC as an example, a cookie should be set like this:
```java
import javax.servlet.http.Cookie;

// Inside a Controller method that has the HttpServletResponse "response".
// cookie1 is marked HttpOnly, so document.cookie cannot read it; cookie2 is not.
Cookie cookie1 = new Cookie("cookie1", "cookieValueHttpOnly");
Cookie cookie2 = new Cookie("cookie2", "cookieValue");
cookie1.setHttpOnly(true);
response.addCookie(cookie1);
response.addCookie(cookie2);
```
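The HttpOnly flag described above, together with the two companions a practitioner sets alongside it (Secure and SameSite, which go beyond what the post covers), as an added example in JavaScript (Node) rather than the page's Java. This is not code from the original post: it builds a hardened Set-Cookie header and audits a list of response headers for the flags that are missing. The cookie names and header values are constructed sample data.

```javascript
// Added example, not from the original post. Builds a Set-Cookie header with the
// hardening flags and audits response headers for the flags that are missing.
// All cookie names and header values below are constructed sample data.

// Build one Set-Cookie header value. Defaults are the hardened settings.
function buildSetCookie(name, value, opts = {}) {
  const { httpOnly = true, secure = true, sameSite = 'Lax', path = '/', maxAge } = opts;
  // RFC 6265: the name is an HTTP token, the value must not contain
  // whitespace, ';', ',', '"' or '\'.
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) {
    throw new Error('invalid cookie name');
  }
  if (/[\s;,"\\]/.test(value)) {
    throw new Error('invalid cookie value');
  }
  const parts = [`${name}=${value}`, `Path=${path}`];
  if (Number.isInteger(maxAge)) parts.push(`Max-Age=${maxAge}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Parse one Set-Cookie header value into name, value and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim()).filter(Boolean);
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Audit a list of Set-Cookie header values; returns one finding list per cookie.
function auditSetCookies(headers) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    const problems = [];
    if (!c.attrs.httponly) problems.push('missing HttpOnly (readable via document.cookie)');
    if (!c.attrs.secure) problems.push('missing Secure (sent over plain HTTP)');
    if (!c.attrs.samesite) problems.push('missing SameSite');
    if (String(c.attrs.samesite).toLowerCase() === 'none' && !c.attrs.secure) {
      problems.push('SameSite=None requires Secure');
    }
    findings.push({ name: c.name, problems });
  }
  return findings;
}

// Demo on constructed response headers.
const sampleHeaders = [
  buildSetCookie('JSESSIONID', 'abc123'),
  'cookie2=cookieValue; Path=/',
  'pref=dark; Path=/; SameSite=None',
];
console.log(JSON.stringify(auditSetCookies(sampleHeaders), null, 2));
```

Run it with `node` and compare the audit output against what Firebug (or the browser's network panel) shows for the Set-Cookie headers of your own Controller; any session cookie that lists "missing HttpOnly" is exactly the one a cookie-hijacking payload would read.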
Take a look at the entire Controller code:
Open a browser, visit the URL of the Controller, and open Firebug to see the result:
2. Input validation
Input validation logic must be implemented on the server. If it exists only in JavaScript, an attacker bypasses it trivially (by sending the request directly, without the page). So the common practice, as in much real code, is a double check: client-side JS validation plus server-side validation. The client-side check catches most users' mistakes (even 99% of them), but only the server-side check provides security.
For XSS defense, this means validating, filtering, or encoding the special characters in user input. This kind of input check is commonly called an "XSS Filter". First, register the filter in the servlet configuration file, mapped to the paths that need it. Then the bricklayer wrote an HttpServletRequest wrapper that filters the parameters. Practical experience, just do it ~ One caveat before the code: a blacklist like the one below rewrites the stored data and knows nothing about where the value will later be output, so treat it as a defense-in-depth layer, with output encoding (next section) as the primary control.
```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Wraps the incoming request so that every parameter and header value passes
// through cleanXSS() before the Controller sees it. A Filter mapped to the
// chosen paths wraps the request with this class and passes it down the chain.
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    @Override
    public String[] getParameterValues(String parameter) {
        String[] values = super.getParameterValues(parameter);
        if (values == null) {
            return null;
        }
        int count = values.length;
        String[] encodedValues = new String[count];
        for (int i = 0; i < count; i++) {
            encodedValues[i] = cleanXSS(values[i]);
        }
        return encodedValues;
    }

    @Override
    public String getParameter(String parameter) {
        String value = super.getParameter(parameter);
        if (value == null) {
            return null;
        }
        return cleanXSS(value);
    }

    @Override
    public String getHeader(String name) {
        String value = super.getHeader(name);
        if (value == null) {
            return null;
        }
        return cleanXSS(value);
    }

    /**
     * Blacklist-style cleanup: encode angle brackets, parentheses and single
     * quotes, then strip a few dangerous tokens. The original post wrote the
     * entities with a space after '&' so the blog would not render them; the
     * spaces are removed here so the code works as intended.
     */
    private String cleanXSS(String value) {
        value = value.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
        value = value.replaceAll("\\(", "&#40;").replaceAll("\\)", "&#41;");
        value = value.replaceAll("'", "&#39;");
        value = value.replaceAll("eval\\((.*)\\)", "");
        value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
        value = value.replaceAll("script", "");
        return value;
    }
}
```
3. Output encoding
In general, apart from rich text, XSS is defended against by encoding or escaping each variable at the point where it is output into the HTML page, using the encoding that matches the context: HTML entities in page text and attribute values, JavaScript string escaping inside script, and URL encoding plus a scheme check inside links. Rich text, where users are allowed to submit HTML, cannot be encoded this way and needs a whitelist-based HTML sanitizer instead.
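To make the difference between the input filter of section 2 and the output encoding of section 3 concrete, here is an added example (JavaScript, runnable with Node; not code from the original post). It ports the cleanXSS() blacklist from the Java wrapper above rule for rule, so its behaviour can be exercised, shows two constructed inputs that get past it when the value lands in an attribute or a URL, and puts a context-aware encoder next to it. The form field and link templates are hypothetical rendering points, and every payload is constructed for the demo.

```javascript
// Added example, not code from the original post. Ports the Java cleanXSS()
// blacklist to JavaScript, shows inputs that slip past it in an attribute or
// URL context, and contrasts it with context-aware output encoding.
// All payloads and template fragments below are constructed.

// Faithful port of the page's cleanXSS(): same rules, same order.
function cleanXSS(value) {
  value = value.replace(/</g, '&lt;').replace(/>/g, '&gt;');
  value = value.replace(/\(/g, '&#40;').replace(/\)/g, '&#41;');
  value = value.replace(/'/g, '&#39;');
  // Dead rule: every "(" was rewritten above, so "eval(" can never match here.
  value = value.replace(/eval\((.*)\)/g, '');
  value = value.replace(/["']\s*javascript:(.*)["']/g, '""');
  value = value.replace(/script/g, '');        // case-sensitive: "sCRIPT" survives
  return value;
}

// Output encoding for HTML text and quoted attribute values: every character
// that can change meaning in those contexts becomes an entity; nothing is removed.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;' };
function encodeHtml(s) {
  return String(s).replace(/[&<>"'`]/g, ch => HTML_ESCAPES[ch]);
}

// URL attribute context: entity encoding cannot neutralise "javascript:", so the
// scheme is allow-listed. The WHATWG URL parser strips tabs/newlines and
// lower-cases the scheme, which defeats "java\tscript:" and "javasCRIPT:".
function safeHref(url, allowed = ['http:', 'https:', 'mailto:']) {
  let protocol;
  try {
    protocol = new URL(String(url), 'https://example.invalid/').protocol;
  } catch (e) {
    return '#';
  }
  return allowed.includes(protocol) ? encodeHtml(url) : '#';
}

// A hypothetical reflected form field rendered two ways, and a hypothetical link.
function renderWithBlacklist(value) {
  return `<input type="text" value="${cleanXSS(value)}">`;
}
function renderEncoded(value) {
  return `<input type="text" value="${encodeHtml(value)}">`;
}
function renderLink(url) {
  return `<a href="${safeHref(url)}">link</a>`;
}

// Demo with constructed inputs.
const attributeBreakout = '" autofocus onfocus="alert(1)';
console.log(renderWithBlacklist(attributeBreakout));
// -> <input type="text" value="" autofocus onfocus="alert&#40;1&#41;">
//    The filter never touches the double quote, and the browser decodes &#40;
//    and &#41; inside an attribute value, so alert(1) runs on focus.
console.log(renderEncoded(attributeBreakout));
// -> <input type="text" value="&quot; autofocus onfocus=&quot;alert(1)">   (inert)
console.log(cleanXSS('javasCRIPT:alert(1)'));       // javasCRIPT:alert&#40;1&#41;
console.log(renderLink('javasCRIPT:alert(1)'));     // <a href="#">link</a>
console.log(cleanXSS('My subscription (2 items)')); // My subion &#40;2 items&#41;
```

The last line shows the other cost of a blacklist: legitimate text is mangled ("subscription" loses its "script", the parentheses are permanently turned into entities in the database), while the encoder changes nothing about the stored value and is applied only at output time, once per context.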
IV. Summary
Nothing is safe unless it is used correctly, and Web security is no exception. So XSS defenses have to be used correctly too: HttpOnly on cookies, validation on the server, and encoding at output.