During front-end web development, many developers leave XSS vulnerabilities behind because there are a large number of URLs and many parameters being passed around. Once a security test detects such a vulnerability, a defect must be filed against the developer. Defects have a very high priority and must be resolved immediately, so developers often use tricky methods to quickly block the vulnerability at hand. As a result, the vulnerability is blocked in one place only to appear again somewhere else.
During development I summarized my own method, which solves the XSS problem in a systematic and consistent manner. The development environment used in this article is a simple Java and JSP platform, but the method applies equally to other platforms such as PHP, C# and .NET.
First, two common front-end XSS vulnerabilities are introduced.
1. https://www.2cto.com?name="><script>prompt('xss Vulnerability')</script>
If the JSP contains a piece of code like the following (EL is used here):
<input value="${name}"/>
The value in the name parameter closes the attribute early and injects a script segment, which then runs.
2. https://www.2cto.com?name=";alert("Hello");"
with the JSP code:
<script>var name = "${name}";</script>
Here too the value in the name parameter closes the string early, and the alert runs.
The following describes the NCR (numeric character reference) standard of HTML.
HTML does not use the \uXXXX Unicode escape; it uses its own notation, the NCR. If you have a Unicode escape, use document.createTextNode('\uXXXX') from JavaScript, or write the NCR &#XXXX; directly in the HTML.
For example, the Unicode code point of a character such as 字 is 23383. In HTML it is written as follows: <label>&#23383;</label> <input name="&#23383;" value="&#23383;"/>
For another example, the code point of > is 62. In HTML it is written as follows: <label>&#62;</label> <input name="&#62;" value="&#62;"/>
After the user agent renders this HTML, the page is parsed into <label>&gt;</label> <input name="&gt;" value="&gt;"/> and displayed as <label>></label> <input name=">" value=">"/>.
Note: some explanation is needed here. When interpreting HTML, the user agent goes through three steps:
1. Replace each NCR with the real character. 2. Convert some of the replaced characters into HTML entities, for example > into &gt;. 3. Display the parsed HTML.
At this point, if you call innerText (IE) or textContent (Firefox), you get the displayed string. If you call innerHTML or outerHTML, you get the string as parsed in step 1.
innerText is now supported by Chrome, Safari and Opera, but not by Firefox 3.6.
textContent is supported by the IE9 preview, Chrome, Safari and Opera, but not by IE8 and earlier.
getAttribute() and nodeValue always return the string as it is displayed.
So if you convert the string to NCR format and store it in an attribute, you can get the original string back after rendering by calling getAttribute() or reading nodeValue.
Display characters -> NCR -> (innerHTML) HTML entities -> (textContent/innerText/getAttribute) display characters
Using NCR to solve XSS problems
1. Create a custom tag that converts every character into an NCR. Tag usage: <ncr:transfer></ncr:transfer>
2. For the first XSS, use the following:
<input value="<ncr:transfer>${name}</ncr:transfer>"/>
3. For the second XSS, use the following:
<div id="test" style="display:none" value-name="<ncr:transfer>${name}</ncr:transfer>"></div>
<script>var name = dojo.attr('test', 'value-name');</script>
Dojo is used here; dojo.attr(id, attribute) returns the value of the given attribute on the node with that id.
With this method you no longer need to worry about what ${name} contains, whether \ ' " , ; < or >.
It also solves the problem of odd characters and garbled high code point characters.
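The conversion the <ncr:transfer> tag performs, written here as an added JavaScript example rather than the article's own Java/JSP tag code: every code point is emitted as a decimal NCR, the browser's first parsing step (NCR back to real character) is reproduced to show the round trip, and a check confirms the encoded output contains nothing but NCR characters. The function names toNcr, fromNcr and isNcrOnly and the sample inputs are constructed for this example.

```javascript
// Added example: a JavaScript port of what the page's <ncr:transfer> JSP tag does.
// Every code point of the untrusted value becomes a decimal numeric character
// reference (&#NNNN;), so the output can never contain a raw quote, angle
// bracket or semicolon that would break out of an attribute or a JS string.

// Encode every code point (including supplementary ones such as emoji, the
// "high characters" the article mentions) as a decimal NCR.
function toNcr(value) {
  let out = '';
  for (const ch of String(value)) {      // for..of walks code points, not UTF-16 units
    out += '&#' + ch.codePointAt(0) + ';';
  }
  return out;
}

// Reverse the encoding: this is the browser's first parsing step (NCR -> real
// character), which is why getAttribute() hands back the original string.
function fromNcr(encoded) {
  return encoded.replace(/&#(\d+);/g, (_, cp) => String.fromCodePoint(Number(cp)));
}

// Sanity check for output: an NCR-only string is made of nothing but
// "&#", digits and ";", so any other character means the encoder was bypassed.
function isNcrOnly(encoded) {
  return /^(&#\d+;)*$/.test(encoded);
}

// Constructed samples: the two payloads from the article and a supplementary character.
const samples = [
  '"><script>prompt(\'xss Vulnerability\')</script>',
  '";alert("Hello");"',
  '字 😀',
];

for (const s of samples) {
  const enc = toNcr(s);
  console.log(enc, '->', fromNcr(enc) === s ? 'round-trips' : 'MISMATCH');
}
```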
Author: XP bug