How Should programmers defend against xss vulnerabilities?

1. user input output as is

Method of exploits: xss attacks are carried out directly at the output location.
Solution:
Filtering is required. The most common ones are filtering. <,>,
Enter the following content:
Http://xxx.com /? Umod = commentsoutlet & act = count & siteid = 3 & libid = 9 & dataid = 1480 & score = & amp; func = haoping & amp; _ = 1353475261886

Can be executed directly
2. output between <script> </script>
Usage:
1) perform xss attacks by closing tags, such as injection </script> <script> xss code </script> <script>
2) inject special code to ensure that the code in the <script> </script> label is still normal JS syntax and can execute malicious JS Code
For example, enter aaaa to display:
 
<Script type = 'text/javascript '> document. domain = 'xxxx. com '; _ ret = {"_ res": 2}; try {parent. aaaaaaaaa </script> <script> alert (1) </script> (_ ret);} catch (err) {aaaaaaaaa </script> <script> alert (1) </script> (_ ret) ;}</script>


You can enter
Eval ('alert (1) '); void

<Script type = 'text/javascript '> document. domain = 'xxxx. com '; _ ret = {"_ res": 2}; try {parent. eval ('alert (1) '); void (_ ret);} catch (err) {eval ('alert (1)'); void (_ ret );} </script>

Solution:
1). filter user input content. The common ones are filter ', <,>
2) Try not to output the variable content that can be controlled by the user in the <script> label.


3. output on the HTML attribute page
Usage:
Inject js Code into the property tag, for example, inject onclick events into the input tag.

Solution:
1) because the HTML Entity that appears in the html attribute is automatically escaped and executed, the \ and & characters must be strictly filtered.
2) if you use regular expression matching to match HTML objects, you need to consider & # XX; convert it to & # 00XX; which can also be executed.
4. Dual-byte encoding Bypass
Usage:
When you enter "escaped \" in special character sets (commonly known as GBXXXX) encoding, you can enter some high-level encoding to inject code to close it. "For example, enter % a0 ″, you can bypass the escape.
Solution:
1. You can specify the Encoding As UTF8.
2. Filter high-level characters. Non-text characters are not allowed.
 
5. Output in double quotation marks
Usage:
You can enter \ to match "in the body to invalidate the subsequent syntax and inject XSS code.
Solution:
Filter \
 
6. Output in comments
Usage:
For some variables output in comments, JavaScript code can be injected using line breaks, as shown in:
Solution:
User-controllable variables cannot be inserted into the annotation code.
 
7. Output in the DOM Function
Common dom xss is the $ ("# y" ).html ("xxxxxxx") output in the functions document. write, innerHTML, and JQUERY ");

Usage:
Parameters that pass variables to the DOM Function
Solution:
Strictly filter the parameters passed to the DOM function. Because JavaScript supports unicode-encoded characters, \
 
8. Output in the eval function
Method of exploits: inject code into eval function parameters through ";" to execute js Code www.it165.net
Solution: Do not use the eval function whenever possible. Strictly filter eval function parameters and filter ";"
 
9. Output in the SRC property tag
Usage:
Execute js through pseudo protocols such as javascript vbscript data
Solution:
1. Filter SRC values. pseudo protocols such as javascript: vsscript: data: are not allowed.
2. Because the characters in the html Entity encoding can still be parsed, The & #: All characters need to be filtered.
 
10 output in key flash Functions
Key functions in flash:
Flash. external. ExternalInterface. call, getURL, navigateToURL, _ evalJS, and pseudo-Protocol javascript:
All user-controllable parameters may cause XSS

Use: To pass js Code to a specific function, you can execute JS.
For example:
NavigateToURL (new URLRequest (link), "_ self"); pass to the link parameter: "javascript: alert (1 )"
 
Solution:
Determine the validity of relevant parameters (for example, only digit characters are allowed), restrict URL validity, and prohibit javascript and;
 
11. load arbitrary XML files in FLASH
Flash usually uses xml configuration files to obtain parameters. If flash can load arbitrary XML, it may cause remote loading of arbitrary flash and execution of arbitrary JS Code.
Exploitation:
The xml parameter is passed as a malicious address, and the parameter value in the notification control is used to execute XSS.
Solution:
Determine the validity of XML files