1. What is XSS
XSS (cross-site scripting), sometimes abbreviated CSS, is an attack on the users of a site. A malicious attacker inserts malicious HTML code into a web page, and when a user browses that page the HTML embedded in it is executed, achieving whatever the attacker intended. XSS is a passive attack; because it is passive and awkward to exploit, many people overlook how harmful it is.
What makes cross-site scripting so dangerous is that HTML injection lets the attacker hijack the user's browser, rewrite the HTML content the user is currently viewing, and even simulate the user's own actions.
How does XSS happen?
Suppose a page contains the following text box:
<input type="text" name="Address1" value="Value1from">
Value1from is supplied by the user. Suppose that, instead of Value1from, the user enters "/><script>alert(document.cookie)</script><!-- ; the markup then becomes
<input type="text" name="Address1" value=""/><script>alert(document.cookie)</script><!--">
and the embedded JavaScript is executed.
Or the user enters " onfocus="alert(document.cookie) and the markup becomes
<input type="text" name="Address1" value="" onfocus="alert(document.cookie)">
where the embedded JavaScript runs as soon as the focus event fires.
How much damage the attack does depends on what script the attacker enters.
XSS happens because data entered by the user is treated as code. User input must therefore be HTML-encoded before it is placed in the page: special characters such as angle brackets, single quotes and double quotes are replaced by their encoded forms.
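As an added example (not code from the original article), the following Node.js script renders the Address1 text box both ways, without encoding and with HTML encoding, and checks for the two inputs described above whether the input stayed inside the value attribute. The function and constant names are my own choices.

```javascript
// Added example (not from the original article): render the Address1 text box
// with and without HTML encoding and check whether the article's two inputs escape it.

// Encode the characters that let input close an attribute or open a tag.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Vulnerable rendering: user data is concatenated straight into the markup,
// so data entered by the user becomes code.
function renderUnsafe(value) {
  return '<input type="text" name="Address1" value="' + value + '">';
}

// Fixed rendering: same template, but the value is HTML-encoded first.
function renderSafe(value) {
  return '<input type="text" name="Address1" value="' + htmlEncode(value) + '">';
}

// Minimal check for this demo (not a full HTML parser): count the tags in the
// output and list the attribute names of the first one, honouring
// double-quoted values, which the templates above always use.
function analyze(html) {
  const tags = html.match(/<[^>]*>/g) || [];
  const attrs = [];
  const attrRe = /([^\s"'=<>/]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = attrRe.exec(tags[0] || '')) !== null) attrs.push(m[1].toLowerCase());
  return { tagCount: tags.length, attrs };
}

// The input stayed inside value="..." if exactly one tag was produced and no
// event-handler attribute (onfocus, onclick, ...) appeared on it.
function stayedInAttribute(html) {
  const { tagCount, attrs } = analyze(html);
  return tagCount === 1 && attrs.every((a) => !a.startsWith('on'));
}

// The two inputs the article describes (constructed here from its text).
const PAYLOADS = [
  '"/><script>alert(document.cookie)</script><!--',
  '" onfocus="alert(document.cookie)',
];

for (const p of PAYLOADS) {
  console.log('unsafe contained:', stayedInAttribute(renderUnsafe(p)));  // false
  console.log('safe   contained:', stayedInAttribute(renderSafe(p)));    // true
}
```

The browser still decodes &quot; and &lt; back to the original characters when it displays the field, so the user sees exactly what was typed, but as text rather than as markup.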
Fixing XSS bugs
Principle: never trust data entered by the user.
Note: attack code does not necessarily sit inside <script></script> tags.
- Mark important cookies as HttpOnly; document.cookie in JavaScript then cannot read them.
- Accept only the data you expect from the user. For example, an Age text box should accept only digits, and any non-numeric characters are filtered out.
- HTML-encode the data.
- Filter or remove special HTML tags such as <script> and <iframe>; escape < as &lt;, > as &gt; and " as &quot;.
- Filter JavaScript event attributes such as onclick=, onfocus= and so on.
XSS prevention comes down to:
First, the user's own measures.
Users can avoid following links from one site to another. For example, if a site links to somerandomsite.com/page and you do not already trust that site, it is best not to click the link directly but to find the site through a search engine instead. This effectively prevents XSS attacks embedded in link URLs, but it is inconvenient, and it cannot be applied when two sites share content. The second way is to disable JavaScript in the browser. Even though this breaks some very nice features on some sites, you simply have to put up with it.
Second, the five points listed above.
2. SQL injection attack
Ways to prevent SQL injection:
First, forbid special characters in the username and password entered at registration and login.
Second, apply the principle of least privilege.
Third, if Java is used, use PreparedStatement wherever possible.
3. ...
Site protection against attacks