XSS attacks (security aspects) and traditional defense techniques

Source: Internet
Author: User
Tags: sql injection defense

XSS attack: cross-site scripting attack. To avoid confusion with the abbreviation for Cascading Style Sheets (CSS), cross-site scripting is abbreviated XSS.

A must-see source, good article: http://www.cnblogs.com/TankXiao/archive/2012/03/21/2337194.html

What is XSS attack

XSS is a computer security vulnerability that often appears in Web applications. It allows malicious Web users to inject code, such as HTML and client-side script, into pages that are served to other users.

The hazards of XSS attacks include:

1. Theft of user accounts of every kind, such as machine login accounts, online banking accounts and administrator accounts.
2. Control over enterprise data, including the ability to read, tamper with, add and delete sensitive enterprise data.
3. Theft of business information that has important commercial value.
4. Illegal transfers.
5. Forced sending of e-mail.
6. The website.
7. Control of the victim's machine to launch attacks on other websites.

Classification of XSS vulnerabilities

In terms of how they are exploited, XSS vulnerabilities fall into three types.

Type A is a locally exploited vulnerability that exists in the client-side script of the page itself. The attack process is as follows: Alice sends Bob a maliciously constructed Web URL. Bob clicks on and views the URL. JavaScript in the malicious page opens a vulnerable HTML page and installs it on Bob's computer. The vulnerable HTML page contains JavaScript that executes in the local domain of Bob's computer, so Alice's malicious script can run commands on Bob's computer with the privileges Bob holds.

Type B is a reflected vulnerability, somewhat similar to type A. The difference is that when the Web client receives a page generated by a server-side script, and unvalidated user data is included in that page without HTML entity encoding, client-side code can be injected into the dynamic page. The attack process is as follows: Alice regularly browses a website owned by Bob. Bob's site lets Alice log in with a username/password and stores sensitive information such as her bank account details. Charly finds that Bob's site contains a reflected XSS vulnerability. Charly writes a URL that exploits the vulnerability and sends it to Alice disguised as a message from Bob. After logging in to Bob's site, Alice browses to the URL Charly provided. The malicious script embedded in the URL executes in Alice's browser just as if it had come directly from Bob's server. The script steals sensitive information (authorization credentials, credit card and account information, and so on) and sends it to Charly's Web site without Alice noticing anything.

Type C is a stored vulnerability. It is the most widely exploited and the most likely to affect the security of the Web server itself: the hacker uploads the attack script to the Web server, so every user who visits the page, including the Web server's administrator, is exposed to possible information disclosure. The attack process is as follows: Bob owns a Web site that allows users to post information and browse the information others have posted. Charly notices that Bob's site has a type C XSS vulnerability. Charly posts a hot-topic message that attracts other users to read it. Bob or anyone else who browses that message, such as Alice, has their session cookies or other information stolen by Charly.

Type A directly threatens the individual user, while types B and C threaten enterprise-class Web applications.

Traditional Defense Technology

2.1.1 Feature-based defenses

XSS vulnerabilities, like the well-known SQL injection vulnerabilities, take advantage of carelessly written Web pages, so each vulnerability exploits and targets a different weakness. This poses a challenge for XSS defense: no single signature can describe all XSS attacks. Traditional XSS defense relies on feature matching applied to all submitted information. For this kind of XSS attack, the pattern-matching method typically searches for the keyword "javascript", and once a submission is found to contain "javascript" it is treated as an XSS attack. The flaw in this detection method is obvious: an attacker can evade it by inserting characters or by fully encoding the payload:

Dodge method 1) Insert a tab character into "javascript", giving <IMG SRC="jav[tab]ascript:alert('XSS');">
Dodge method 2) Insert a space character into "javascript", giving <IMG SRC="javascri[space]pt:alert('XSS');">
Dodge method 3) Insert a newline character into "javascript", giving <IMG SRC="java[newline]script:alert('XSS');">
Dodge method 4) Insert a carriage return and line feed between characters of "javascript", giving <IMG SRC="javascrip\r\nt:alert('XSS');">
Dodge method 5) Fully encode the string javascript:alert('XSS'), giving <IMG SRC=javascrip&#x74;:alert('XSS')>

Each of these easily evades feature-based detection. Besides this large number of false negatives, feature matching also produces many false positives: a legitimate submission, such as a site address that happens to contain the keyword "JavaScript", triggers the same alarm.

2.1.2 Defense based on code modification

As with SQL injection defense, XSS attacks exploit negligence in Web page authoring, so there is another way to avoid them, from the perspective of Web application development:

Step 1: Perform reliable input validation on everything the user submits, including URLs, query keywords, HTTP headers and POST data. Accept only submissions within the specified length range, in the appropriate format and containing the expected characters; filter out everything else.
Step 2: Implement session tokens, a CAPTCHA system or HTTP Referer header checks to prevent functions from being invoked by third-party websites.
Step 3: Make sure received content is properly normalized and contains only a minimal set of safe tags (no JavaScript); remove any references to remote content (especially stylesheets and JavaScript); use HttpOnly cookies.

Of course, the above measures reduce the usability of the Web business system: users can enter only a small set of characters and interaction between people and the system is minimized, which suits only information-publishing sites. And given that few Web developers have formal security training, it is difficult to avoid XSS vulnerabilities in pages altogether.

3 Comprehensive discussion

As one of the biggest threats to Web business, XSS not only harms the Web business itself but also directly affects the users who access the Web service. Preventing XSS attacks and ensuring the business security of Web sites is therefore the job of intrusion-prevention products positioned to defend against business threats.
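As an added example (not code from the original article), the following Python puts the two approaches side by side: the keyword-only feature check from 2.1.1 next to a variant that normalizes input first, both run over constructed samples built from the five dodge methods, and the input-validation, entity-encoding and HttpOnly-cookie steps from 2.1.2 applied to a hypothetical search keyword.

```python
import html
import re
from http.cookies import SimpleCookie
from typing import Optional
from urllib.parse import unquote

# Constructed samples: the evasion forms listed above (tab, space, newline,
# CRLF, entity-encoded 't') plus a benign string that merely mentions JavaScript.
SAMPLES = {
    "plain":   '<IMG SRC="javascript:alert(\'XSS\');">',
    "tab":     '<IMG SRC="jav\tascript:alert(\'XSS\');">',
    "space":   '<IMG SRC="javascri pt:alert(\'XSS\');">',
    "newline": '<IMG SRC="java\nscript:alert(\'XSS\');">',
    "crlf":    '<IMG SRC="javascrip\r\nt:alert(\'XSS\');">',
    "entity":  '<IMG SRC="javascrip&#116;:alert(\'XSS\');">',
    "benign":  "Our menus also use JavaScript",
}

def naive_match(s: str) -> bool:
    """The feature-based check from 2.1.1: flag any submission containing the keyword."""
    return "javascript" in s.lower()

SCHEME_RE = re.compile(r"""(src|href|action)=["']?javascript:""")

def normalized_match(s: str) -> bool:
    """Same idea after undoing URL/entity encoding and stripping the control
    characters browsers ignore inside a URL scheme. Still a denylist, so still
    incomplete, but it closes the five gaps listed above."""
    s = html.unescape(unquote(s))
    s = re.sub(r"[\x00-\x20]", "", s).lower()
    return SCHEME_RE.search(s) is not None

# --- 2.1.2 code-modification steps, for a hypothetical search keyword field ---
KEYWORD_RE = re.compile(r"[A-Za-z0-9 _-]{1,64}")

def validate_keyword(value: str) -> Optional[str]:
    """Step 1: accept only the expected characters and length; reject the rest."""
    return value if KEYWORD_RE.fullmatch(value) else None

def render_result(keyword: str) -> str:
    """Step 3: entity-encode before reflecting, so the browser shows text, not markup."""
    return "<p>Results for: " + html.escape(keyword, quote=True) + "</p>"

def session_cookie_header(session_id: str) -> str:
    """Step 3: HttpOnly keeps the session cookie out of reach of page script."""
    c = SimpleCookie()
    c["session"] = session_id
    c["session"]["httponly"] = True
    c["session"]["secure"] = True
    c["session"]["path"] = "/"
    return c.output(header="Set-Cookie:")
```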
