What is a JavaScript injection attack? _javascript Tips

Source: Internet
Author: User

JavaScript can be used as a hacker to attack the site of a tool, where the injection of JS (JavaScript) Malicious script is one of the means, then below, we learn how to prevent JS injection attack? Here's a nice statement to share with you:

What is a JavaScript injection attack?
The site is vulnerable to JavaScript injection attacks whenever the user input is accepted and the content is displayed again. Let's look at a specific application that is susceptible to JavaScript injection attacks. Suppose you have created a customer feedback site. Customers can access the site and enter feedback about the product. Feedback is displayed back on the feedback page when the customer submits the feedback.

The customer feedback site is a simple website. Unfortunately, this site is vulnerable to JavaScript injection attacks.

Suppose you are entering the following text into the customer feedback form:

<script>alert ("Boo!") </script>

This text represents a JavaScript script that displays a warning message box. After someone submits this script to the customer feedback form, the message boo! Attacks that will be displayed in the future when anyone accesses a customer feedback site. You may also think that others will not be corrupted by JavaScript injection attacks.

Now, your first reaction to JavaScript injection attacks may be to ignore it. You might think that JavaScript injection attacks are just harmless, and unfortunately hackers can sabotage by injecting JavaScript into the Web site. Use JavaScript injection attacks to perform cross-site scripting (XSS) attacks. In a cross-site scripting attack, you can steal confidential user information and send information to another site.

For example, a hacker can use a JavaScript injection attack to steal Cookies from another user's browser. If sensitive information, such as a password, credit card account, or social security number, is stored in a browser cookie, the hacker can use a JavaScript injection attack to steal the information. Alternatively, if a user enters sensitive information into a page's form field and the page is compromised by a JavaScript attack, the hacker can use injected JavaScript to get the form data and send it to another Web site.

Please attach great importance to it. Take the JavaScript injection attack seriously and protect the user's confidential information. In the next two sections, we will discuss two techniques to prevent asp.net MVC applications from being attacked by JavaScript injection.

Method 1: HTML encoding in the view

An easy way to prevent JavaScript injection attacks is to use HTML to encode data entered by any site user when you re displaying data in the view

such as: <%=html.encode (feedback. Message)%>

What is the meaning of using HTML to encode a string? When using HTML-encoded strings, dangerous characters Furu < and > are replaced with HTML entities such as < and >. So, when using HTML-encoded string <script>alert ("Boo!") </script>, it will be converted to <script>alert ("Boo!") </script>. The browser no longer executes JavaScript scripts when parsing encoded strings. Instead, it displays harmless pages.

Method 2: HTML encoding before writing to the database
In addition to using HTML-encoded data when displaying data in a view, you can also use HTML-encoded data before submitting the data to the database. The second method is the controller in Listing 4 of the program.

Such as:

Public ActionResult Create (String message)
{
//Add feedback
var newfeedback = new Feedback ();
Newfeedback.message = Server.HTMLEncode (message);
Newfeedback.entrydate = DateTime.Now;
Db. Feedbacks.insertonsubmit (newfeedback);
Db. SubmitChanges (); 
 

Redirect return
redirecttoaction ("Index");
}

Note that the value of the message is HTML-encoded in the Create () operation before it is committed to the database. When the message is displayed again in the view, the message is encoded in HTML and does not perform any JavaScript injected into the message.

Summarize

Generally, people prefer to use the first method discussed in this tutorial, rather than using the second method. The problem with the second approach is that HTML-encoded data will eventually be preserved in the database. In other words, the data in the database will contain strange characters. What's the downside? If you need to display database data in a form other than a Web page, you will experience problems. For example, you cannot easily display data in a Windows Forms application.

The above is the entire content of this article, I hope to help you learn, but also hope that we support the cloud habitat community.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.