XSS security problems and prevention

Cross-site scripting is short for CSS, but because CSS has been widely used in the field of web design ), therefore, Cross is abbreviated to X with similar pronunciation. However, early files still use CSS to represent Cross-site scripting.

Detection Method
There are usually some ways to test whether the website correctly processes special characters:

> <Script> alert (document. cookie) </script>
= '> <Script> alert (document. cookie) </script>
"> <Script> alert (document. cookie) </script>
<Script> alert (document. cookie) </script>
<Script> alert (vulnerable) </script>
% 3 Cscript % 3 Ealert ('xss') % 3C/script % 3E
<Script> alert ('xss') </script>


<Div style = "height: expression (alert ('xss'), 1)"/> (this is only valid for IE)
Attack methods and objectives
After attackers execute scripts in a browser, if they need to collect data (such as cookies or other sensitive information) from the attackers, they can set up a website on their own, attackers can use JavaScript to submit collected data as parameters, and then record it on the attacker's server in the form of a database.

Common XSS attack methods and objectives include:

Attackers can steal cookies to obtain sensitive information.
You can use the embedded Flash to further obtain higher permissions through the crossdomain permission settings, or use Java to perform similar operations.
Use iframe, frame, XMLHttpRequest, or Flash to perform some management actions as (attacked) users, or perform some common operations, such as sending Weibo posts, adding friends, and sending private messages.
Requests for operations that are not allowed at ordinary times, such as improper voting activities, as the attacked domain is subject to the trust of other domains.
XSS can attack some small websites on pages with high traffic volumes to achieve DDoS attacks.
Defense and utilization of Vulnerabilities
Filter special characters
One of the methods to avoid XSS is to filter the content provided by users. Many languages provide HTML Filtering:

Htmlentities () or htmlspecialchars () of PHP ().
Cgi. escape () of Python ().
Server. HTMLEncode () of ASP ().
Server. HtmlEncode () of ASP. NET or a more powerful Microsoft Anti-Cross Site Scripting Library
Java xssprotect (Open Source Library ).
Node-validator of node. js.
Specify the type using the HTTP Header
In most cases, you can use the HTTP header to specify the content type so that the output content cannot be parsed as HTML. Use the following code in PHP:

<? Php
Header ('content-Type: text/javascript; charset = UTF-8 ');
?>
You can forcibly specify the output content as a text/JavaScript script (content encoding is specified by the way), rather than HTML that can cause attacks.

Use HttpOnly when setting cookies
As part of in-depth protection, using the HttpOnly parameter when setting cookies helps prevent XSS scripts from stealing cookie content. HttpOnly restricts the access of cookies as DOM objects.

PHP PHP5.2 and later versions support HttpOnly parameter settings, as well as global HttpOnly settings. session in ini. set cookie_httponly to 1 or TRUE to enable the HttpOnly attribute of the global Cookie. Of course, it can also be enabled in the Code:

<? Php ini_set ("session. cookie_httponly", 1); // or session_set_cookie_params (0, NULL, TRUE);?>

The setcookie function and setrawcookie function also add 7th parameters as the HttpOnly option. The enabling method is as follows:

Setcookie ("abc", "test", NULL, TRUE); setrawcookie ("abc", "test", NULL, TRUE );

User
Most browsers, including Internet Explorer and Mozilla Firefox, have the option to disable JavaScript, but disabling the function is not the best method, because many websites need to use the JavaScript language for normal operation. Generally, a browser with frequent Security Updates is more secure than a browser that has not been updated for a long time.