JavaScript injection attacks

The website is vulnerable to JavaScript injection whenever you accept and re-Display user input. Let's look at a specific application that is vulnerable to JavaScript injection attacks. Assume that a customer feedback website has been created. Customers can visit the website and enter feedback on the product.

What is a JavaScript injection attack?
The website is vulnerable to JavaScript injection whenever you accept and re-Display user input. Let's look at a specific application that is vulnerable to JavaScript injection attacks. Assume that a customer feedback website has been created. Customers can visit the website and enter feedback on the product. When the customer submits feedback, the feedback is displayed on the feedback page again.

The customer feedback website is a simple website. Unfortunately, this website is vulnerable to JavaScript injection attacks.

Assume that the following text is being input into the customer feedback form:

This text indicates the JavaScript script that displays the warning message box. After someone submits this script to the customer feedback form, the message is Boo! It will be displayed when anyone visits the customer feedback website in the future

. You may also think that others will not be damaged by JavaScript injection attacks.

Now, your first response to JavaScript injection attacks may be ignored. You may think that JavaScript injection attacks are nothing more than harmless.

Unfortunately, hackers inject JavaScript into the website to launch destructive activities. Attackers can use JavaScript injection to execute cross-site scripting (XSS) attacks. In cross-site scripting attacks, attackers can steal confidential user information and send it to another website.

For example, hackers can use JavaScript injection to steal Cookies from other users' browsers. If sensitive information (such as passwords, credit card accounts, or social insurance numbers) is stored in browser Cookies, hackers can use JavaScript injection to steal the information. Alternatively, if the user inputs sensitive information into the form field of the page, and the page is vulnerable to JavaScript attacks, the hacker can use the injected JavaScript to obtain the form data and send it to another website.

Please pay attention to it. Take JavaScript injection attacks seriously and protect users' confidential information. In the next two sections, we will discuss two techniques to prevent ASP. net mvc applications from being attacked by JavaScript injection.

Method 2: HTML encoding before writing data to the database
In addition to HTML-encoded data when displaying data in the view, you can also use HTML-encoded data before submitting data to the database.
The second method is the controller in program listing 4.

For example:

Public ActionResult Create (string message)
{
// Add feedback
Var newFeedback = new Feedback ();
NewFeedback. Message = Server. HtmlEncode (message );
NewFeedback. EntryDate = DateTime. Now;
Db. Feedbacks. InsertOnSubmit (newFeedback );
Db. SubmitChanges ();

// Redirect
Return RedirectToAction ("Index ");
}

Note that the Message value is HTML encoded in the Create () operation before it is submitted to the database. When the view is re-displayed
When the Message is displayed, the Message is HTML encoded, so no JavaScript injected into the Message is executed.

Summary
Generally, people prefer to use the first method discussed in this tutorial, rather than the second method. The problem with the second method is that
The data library will eventually retain HTML-encoded data. In other words, the data in the database contains strange characters. What are the disadvantages? For example
If you need to display the database data in a form other than the web page, you will encounter problems. For example
Displays data in sequence.