Initial Contact:
After a first encounter with JavaScript injection vulnerabilities, unless you carefully analyze the mechanism and extract the patterns by which the vulnerability arises, you will not be able to quickly find every injection risk that may exist in your project and guard against it in your code.
Occurrence mode:
A JavaScript injection vulnerability depends on two key actions: first, an attacker must be able to inject JavaScript through the interface into the system's back-end storage; second, some UI in the system must display the data the user injected. This is the stored (persistent) form of cross-site scripting: the payload is written once and executed every time any page renders it.
For example, the most common injection point is names of all kinds, such as the name of a system, because names are displayed in many places. If a user enters a name containing an injected script, every system that displays that name is exposed to the vulnerability.
When I was doing a bug bash for other projects, I injected a JavaScript script into a name in the system, which caused problems in the 8 subsystems, sites, and apps that used that name.
Solution:
There are two main ways to prevent the injection vulnerability: one is to encode the content after the user enters it and before saving it to persistent storage; the other is to store the raw data and encode it at the point where it is read from persistent storage and displayed.
The advantage of method one is that the code that stores user input is small and fixed, while the UIs that display it may be many and changing, so a single guard on the write path covers all of them. The disadvantage is that the data in persistent storage is stored encoded: it is tied to one output context (HTML), and any consumer that is not an HTML page, such as an API response, an export, or a mobile app label, must decode it again or will show the raw entities.
The advantage of method two is that the raw content is kept in persistent storage, but the disadvantage is that the protective code must be written in every UI, and you must also ensure that no newly added UI forgets it. For example, if web apps become popular and the company decides to build one, the protection must be added during that development; otherwise the existing systems may be well protected while the new one is not, and that is where the vulnerability finally appears.
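The vulnerable pattern and the two defences described above, side by side in runnable form. This is an added example, not code from the original article: escapeHtml, the Map-backed stores and the render functions are illustrative names chosen here, the stores stand in for the back-end persistence layer, and the payload strings are constructed from the article's own examples.

```javascript
// Added example: stored XSS through a "name" field, and the two encoding strategies.

// Minimal HTML entity encoder for text placed in an HTML element body or a
// quoted attribute value. It rewrites the five characters that can end the
// current text context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed payloads, the two shapes the article lists.
const PAYLOAD_ALERT = '<script>alert(0)</script>';
const PAYLOAD_DEBUGGER = '<script>debugger</script>';

// --- Vulnerable pattern: raw name saved, raw name rendered ---
// rawStore stands in for persistent storage (the first "key action": the
// payload reaches the back end unchanged).
const rawStore = new Map();

function saveNameRaw(id, name) {
  rawStore.set(id, name);
}

// A rendering surface that concatenates stored data into markup (the second
// "key action"). Any one of many subsystems doing this is enough.
function renderNameUnsafe(id) {
  return `<span class="name">${rawStore.get(id)}</span>`;
}

// --- Method one: encode on input, store the encoded value ---
const encodedStore = new Map();

function saveNameEncoded(id, name) {
  encodedStore.set(id, escapeHtml(name));
}

// Every UI can paste the stored value without further work, but what sits in
// storage is HTML-encoded text, which is only correct for an HTML consumer.
function renderNameFromEncodedStore(id) {
  return `<span class="name">${encodedStore.get(id)}</span>`;
}

// --- Method two: store raw, encode at every output point ---
function renderNameSafe(id) {
  return `<span class="name">${escapeHtml(rawStore.get(id))}</span>`;
}

// Check used below: does the rendered markup still contain a live script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

function demo(payload = PAYLOAD_ALERT) {
  saveNameRaw('u1', payload);
  saveNameEncoded('u1', payload);
  return {
    unsafe: renderNameUnsafe('u1'),             // script tag survives
    methodOne: renderNameFromEncodedStore('u1'), // neutralised, stored encoded
    methodTwo: renderNameSafe('u1'),             // neutralised, stored raw
    storedRaw: rawStore.get('u1'),
    storedEncoded: encodedStore.get('u1'),
  };
}

console.log(demo());
console.log(demo(PAYLOAD_DEBUGGER));
```

escapeHtml is only correct for HTML text and quoted attribute values; a name that ends up inside a JavaScript string, a URL or a CSS value needs the encoder for that context, which is the main reason method two (encode where you know the output context) is the usual recommendation and method one is a shortcut with a fixed context baked in.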
Commonly injected content:
<script>alert(0)</script> -- the classic proof that the injected script executed: a dialog appears wherever the stored value is rendered.
<script>debugger</script> -- helps developers quickly locate the JavaScript code at fault (the debugger statement only pauses execution when the browser's developer tools are open).
The principle and precaution of JavaScript injection vulnerability