Home > Developer > JavaScript

The principle and precaution of JavaScript injection vulnerability

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

Initial Contact:

After initial exposure to JavaScript injection vulnerabilities, if you do not carefully analyze and extract some of the patterns that occur in the mechanism of the vulnerability, you will not be able to quickly discover all the injection risks that may exist in your project and guard against them in your code.

Occurrence mode:

The role of JavaScript injection vulnerability is mainly dependent on two key actions, one is to be able to inject JavaScript into the system's back-end storage system from the interface, and the other is that there are some UI in the system to show the data injected by the user.

For example, the most common injection vulnerability is in various types of names, such as the name of the system and so on, because the names are often displayed on various systems, if the user entered the name of the script injected, then the various systems affected by the risk of injecting vulnerabilities.

When I was doing bug bash for other projects, I injected a JavaScript script into a name in the system, resulting in problems with the 8 subsystems, sites, and apps that used the name.

Solution:

There are two main ways to prevent injection vulnerability: one is to encode content after the user enters data and then save it to persistent storage, and the other is to encode data from persistent storage where the user enters data.

The advantage of method one is that the code that stores user input data is few and fixed, but the UI interface of displaying input data may have a lot and change, so it is better to guard against it, but the disadvantage is that the data stored in persistent storage is encode.

The advantage of method two is that the raw content of the data is stored in persistent storage, but the disadvantage is that it is necessary to write code prevention in multiple UI interfaces, and also to ensure that the new UI is added without forgetting to guard against it. For example, the Web app is more popular, the company decided to develop, then the process of development must be done to prevent, otherwise it may be better to prevent, but the new system is not well protected, the loopholes finally occurred.

Commonly injected content:

<script>alert (0) </script>

<script>debugger</script>--assist developers to quickly locate the wrong JavaScript code (in case of opening the debugger).

The principle and precaution of JavaScript injection vulnerability

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
sql injection vulnerability scanner paying on principle of car loan javascript vulnerability scanner how to fix sql injection vulnerability javascript injection attack example javascript escape sql injection javascript injection attack
Related Article
JavaScript solution to the eight Queens Problem method summar...
The difference between single and double quotes in JavaScript...
Ajax and 302 response code Testing
Ajax and 302 response code test_javascript-js tutorial

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More