1. What is XSS?
XSS (sometimes abbreviated CSS, Cross Site Script) is a cross-site scripting attack: an attacker inserts malicious HTML code into a web page, and when a user browses that page the embedded HTML code runs in the user's browser and does whatever the attacker intended. XSS is a passive attack; because it is passive and hard to exploit, its danger is often underestimated.
What makes XSS attacks so effective is that HTML injection lets the attacker hijack the user's browser: construct arbitrary content in the page the user is currently viewing, and even simulate the user's current actions.
How does XSS happen?
Assume that the page contains the following textbox:
<input type="text" name="address1" value="value1from">
Here value1from is the user's input. Suppose that instead of value1from the user enters "/><SCRIPT>alert(document.cookie)</SCRIPT><!-- . The element then becomes
<input type="text" name="address1" value=""/><script>alert(document.cookie)</script><!--">
and the embedded JavaScript code is run.
Or, if the user enters " onfocus="alert(document.cookie) , the element becomes
<input type="text" name="address1" value="" onfocus="alert(document.cookie)">
and the embedded JavaScript code runs when the focus event is triggered.
The power of the attack depends on the script entered by the user.
XSS occurs because data entered by the user is turned into code. Therefore user input must be HTML-encoded before it is placed in the page: special characters such as the angle brackets (< and >), the single quote (') and the double quote (") must be encoded.
XSS vulnerability repair
Principle: do not trust data submitted by the client.
Note: the attack code is not necessarily inside <SCRIPT></SCRIPT> tags.
- Mark important cookies as HttpOnly. The document.cookie property in JavaScript then cannot read them.
- Only allow the user to input the expected data. For example, in the age textbox only digits are allowed; any other characters are filtered out.
- HTML-encode the data.
- Filter or remove special HTML tags such as <SCRIPT> and <IFRAME>, and encode the remaining markup characters: &lt; for <, &gt; for >, &quot; for ".
- Filter JavaScript event handler attributes, for example onclick= and onfocus=.
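The two textbox examples above and the "HTML-encode the data" and "only allow the expected data" repair points, worked through as an added example (not code from the original article; all function names are assumed):

```javascript
// Added example, not code from the original article: the address textbox
// from "How does XSS happen?" rendered with and without HTML encoding, plus
// the "only allow expected data" rule for an age field. All names are assumed.

// Encode the five characters that can turn attribute text back into markup.
function htmlEncode(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable: the raw input is concatenated into the attribute, so a quote
// in the input closes the value and whatever follows becomes markup.
function renderAddressInputVulnerable(userValue) {
  return `<input type="text" name="address1" value="${userValue}">`;
}

// Fixed: same template, but the value is HTML-encoded first; the quotes
// arrive as &quot; and cannot close the attribute.
function renderAddressInputSafe(userValue) {
  return `<input type="text" name="address1" value="${htmlEncode(userValue)}">`;
}

// "Only allow the user to input the expected data": an age field accepts
// one to three digits and rejects everything else instead of filtering it.
function parseAge(raw) {
  return /^\d{1,3}$/.test(String(raw)) ? Number(raw) : null;
}

// Structural check: the output is still exactly one <input> tag whose value
// attribute is properly closed. Any break-out of the attribute fails this.
function isSingleIntactInput(html) {
  return /^<input type="text" name="address1" value="[^"]*">$/.test(html);
}

// Constructed inputs, copied from the article's two examples.
const payloadScript = '"/><script>alert(document.cookie)</script><!--';
const payloadEvent = '" onfocus="alert(document.cookie)';

for (const p of [payloadScript, payloadEvent]) {
  console.log('vulnerable:', renderAddressInputVulnerable(p),
              isSingleIntactInput(renderAddressInputVulnerable(p)));
  console.log('safe:      ', renderAddressInputSafe(p),
              isSingleIntactInput(renderAddressInputSafe(p)));
}
```

Running it shows that both inputs break out of the attribute in the vulnerable rendering and stay inside it in the encoded one.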
XSS protection:
I. Users themselves
One option is to refuse to follow links from one site to another (for example, a link on site A that points to another site). This effectively prevents XSS attacks embedded in URLs, but it is inconvenient and cannot be used when two sites share content. The second option is to disable JavaScript and similar scripting in the browser; some useful functions on some sites will stop working, which simply has to be tolerated.
II. The five points listed above.
2. SQL injection attacks
SQL injection prevention methods:
1. Special characters are not allowed when users enter the username and password at login.
2. Principle of least privilege.
3. If Java is used, use PreparedStatement as much as possible.
3. ...
Site attack prevention