Front-end firewall for XSS vulnerabilities: Seamless Protection (1)

Source: Internet
Author: User

The previous article explained the attack-and-defense practice of hooking, and implemented a monitoring scheme for the framework page that protects all of its subpages.

So far the depth of our protection is about right, but its breadth is still lacking.

For example, our attribute hook only considers setAttribute and ignores setAttributeNode. Although that method is virtually never used in practice, nothing stops an attacker from using it.

Likewise, createElement is the usual way to create elements, but createElementNS works just as well, and a ready-made element can simply be duplicated with cloneNode. These edge-case methods are therefore worth considering too.

Next we will review the previously discussed monitoring sites one by one.

Inline event execution eval

The first article concluded that it is best to monitor eval, setTimeout('...') and the other functions that parse a string and execute it as code, to prevent execution of XSS code stored elsewhere.

Let's first list these functions:

  • eval
  • setTimeout(String) / setInterval(String)
  • Function
  • execScript / setImmediate(String)

In principle, all of these can be hooked with the approach from the previous article. But reality is not as simple as we think.

Is there a problem with eval rewriting?

Isn't eval just a function? Why couldn't it be rewritten?

    // keep a reference to the native eval
    var raw_fn = window.eval;

    // replace it with a wrapper that inspects the code before running it
    window.eval = function (exp) {
      alert('execute eval: ' + exp);
      return raw_fn.apply(this, arguments);
    };

    console.log(eval('1 + 1'));

No problem at all. But that is only because the code is too simple. The following demo shows the defect of the rewritten eval:

    (function() {
      eval('var a=1');   // a should be local to this function
    })();

    alert(typeof a);


It should be undefined, but the result is number. The local variable declared inside eval has become a global one. What is going on? In fact, eval is not really a function, but a keyword!
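The scoping defect described above, as an added example that is not part of the original article: a naive eval hook plus a probe a defender can run to check whether the hook has silently turned direct eval into indirect eval. It uses globalThis in place of window so the same code runs in a browser console or under Node; installEvalHook, probeScope and the seen log are names chosen for this example.

```javascript
// Added example (not from the original article). Rewriting the global eval
// means the identifier `eval` no longer refers to the native %eval%, so every
// call becomes an indirect eval and `var` declarations land in global scope.

const rawEval = globalThis.eval;   // keep the native eval
const seen = [];                   // constructed log of intercepted code strings

function installEvalHook() {
  globalThis.eval = function (exp) {
    seen.push(String(exp));                 // where a real hook would inspect exp
    return rawEval.apply(this, arguments);  // indirect call: evaluated globally
  };
}

function uninstallEvalHook() {
  globalThis.eval = rawEval;                // restore the native binding
}

// Declare `probeVar` through eval inside a function and report whether the
// declaration stayed local ('local') or leaked to the global object ('global').
function probeScope() {
  delete globalThis.probeVar;               // eval-created globals are deletable
  (function () {
    eval('var probeVar = 1');               // direct eval only while eval is native
  })();
  return typeof globalThis.probeVar === 'number' ? 'global' : 'local';
}

// Self-check a page can run after installing hooks: direct-eval scoping is
// lost as soon as the hook is in place, and returns when it is removed.
function evalHookPreservesScope() {
  installEvalHook();
  const withHook = probeScope();
  uninstallEvalHook();
  return withHook === 'local';
}
```

In a real page the hook is installed at startup, so evalHookPreservesScope() returning false is the observable symptom: any script that relied on eval declaring locals now pollutes window.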

