Use HTTP Headers to Defend Against Web Attacks
Load the page again and a warning box pops up.
Perform the same test in Firefox and it succeeds there as well.
Now set the value of the X-XSS-Protection header to 1 and try again:
header("X-XSS-Protection: 1");
The response headers show that X-XSS-Protection is now enabled:
HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 14:54:42 GMT
Server: Apache/2.2.29 (Unix) mod_fastcgi/2.4.6 mod_wsgi/3.4 Python/2.7.8 PHP/5.6.2 mod_ssl/2.2.29 OpenSSL/0.9.8y DAV/2 mod_perl/2.0.8 Perl/v5.20.0
X-Powered-By: PHP/5.6.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=8dfb86b13ec9750d1f1afdfc004f5042; path=/
X-XSS-Protection: 1
Content-Length: 820
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Run the JavaScript on the vulnerable page again: the script is no longer executed. Open the Chrome console to see what happened.
The console output above confirms that the script was not executed.
header("X-XSS-Protection: 1");
No further parameters were added to the header, so it only blocks the injected script.
We can add other parameters, such as:
header("X-XSS-Protection: 1; mode=block");
In this case the browser stops script execution and returns a blank page instead of rendering the page.
The HTTP headers for this response are as follows:
HTTP/1.1 200 OK
Date: Mon, 13 Apr 2015 09:59:22 GMT
Server: Apache/2.2.29 (Unix) mod_fastcgi/2.4.6 mod_wsgi/3.4 Python/2.7.8 PHP/5.6.2 mod_ssl/2.2.29 OpenSSL/0.9.8y DAV/2 mod_perl/2.0.8 Perl/v5.20.0
X-Powered-By: PHP/5.6.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=729f2f716310ccfe353c81ced1602cf0; path=/
X-XSS-Protection: 1; mode=block
Content-Length: 846
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Although this header works in the mainstream browsers (IE, Chrome, Safari), it is not supported in Firefox, so there we still see the pop-up warning box.
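As an added example (not code from the article), a small Python audit that parses a raw HTTP response like the captures above and classifies its X-XSS-Protection setting, including the trailing-whitespace and spaced "mode = block" forms; the sample responses are constructed and the session ids are placeholders.

```python
import re

# Constructed sample responses modelled on the article's captures
# (bodies and most headers omitted). The trailing space after "1"
# mirrors the original PHP call in the article.
RESPONSE_FILTER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-XSS-Protection: 1 \r\n"
    "\r\n<html>...</html>"
)
RESPONSE_BLOCK = RESPONSE_FILTER.replace("1 \r\n", "1; mode=block\r\n")
RESPONSE_NONE = RESPONSE_FILTER.replace("X-XSS-Protection: 1 \r\n", "")

# What each state means for the browsers that honour the header
# (Firefox ignores it entirely, so none of this applies there).
ADVICE = {
    "missing": "no filter hint sent; rely on output encoding and CSP",
    "disabled": "filter explicitly turned off (value 0)",
    "filter": "browser sanitises the injected script but still renders the page",
    "block": "browser stops rendering the page and shows a blank page",
    "invalid": "value not understood; fix the header",
}


def parse_headers(raw):
    """Return {lower-cased name: value} for the head of a raw HTTP response."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    headers = {}
    for line in head.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def classify_xss_protection(value):
    """Map a header value to missing / disabled / filter / block / invalid."""
    if value is None:
        return "missing"
    parts = [p.strip().lower() for p in value.split(";") if p.strip()]
    if not parts or parts[0] not in ("0", "1"):
        return "invalid"
    if parts[0] == "0":
        return "disabled"
    # Tolerate "mode = block" as well as "mode=block".
    directives = {k.strip(): v.strip() for k, _, v in (p.partition("=") for p in parts[1:])}
    return "block" if directives.get("mode") == "block" else "filter"


def audit(raw):
    """Classify the X-XSS-Protection header of a raw response and explain it."""
    state = classify_xss_protection(parse_headers(raw).get("x-xss-protection"))
    return state, ADVICE[state]
```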
Summary
The X-XSS-Protection header should therefore be used as one layer of defense in depth. Because it cannot fully protect a website on its own, developers must make sure they have other protective measures in place.