Use HTTP Headers to defend against WEB attacks (Part2)
In the previous article "Use HTTP Headers to defend against WEB attacks (Part1)" (http://www.bkjia.com/Article/201504/394123.html), we learned how to use the X-Frame-Options header to defend against clickjacking attacks. In this article, we will discuss another HTTP header, X-XSS-Protection. As in the previous article, we will first look at the vulnerable web page and then use this header to defend it.
Source code analysis
The setup is similar to the previous article. After a user successfully logs in, a dashboard interface is displayed, where values can be searched. The following is the implementation code:
Welcome to Dashboard...
You are logged in: [Logout]
Search Values
You Entered:
From the code above, we can see that the application does not filter user input before reflecting it back, which leaves an XSS vulnerability.
Next, the HTTP response headers show that the application sends no additional protection mechanism:
HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 14:53:37 GMT
Server: Apache/2.2.29 (Unix) mod_fastcgi/2.4.6 mod_wsgi/3.4 Python/2.7.8 PHP/5.6.2 mod_ssl/2.2.29 OpenSSL/0.9.8y DAV/2 mod_perl/2.0.8 Perl/v5.20.0
X-Powered-By: PHP/5.6.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=f94dc2ac2aa5763c636f9e75365102b5; path=/
Content-Length: 820
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Testing
Enter a simple JavaScript script in the search box to check whether it executes.
Okay, I admit it seems that the execution was not successful. Open the console and check the error message.
The console information shows that Google Chrome blocked this script. In addition, the error message indicates that neither the X-XSS-Protection header nor the Content-Security-Policy header is enabled on the server.
In other words, the server can set the X-XSS-Protection or Content-Security-Policy header to control this filtering.
To demonstrate the vulnerability, use the following PHP code to disable the protection:
header("X-XSS-Protection: 0");
Add the above code to the source code:
Welcome to Dashboard...
You are logged in: [Logout]
Search Values
You Entered:
Load the page again, and an alert box pops up.
Perform the same test in Firefox, and the test succeeds there too.
Now change the value of the X-XSS-Protection header to 1 and try again:
header("X-XSS-Protection: 1");
The response headers show that X-XSS-Protection has been enabled:
HTTP/1.1 200 OK
Date: Sun, 12 Apr 2015 14:54:42 GMT
Server: Apache/2.2.29 (Unix) mod_fastcgi/2.4.6 mod_wsgi/3.4 Python/2.7.8 PHP/5.6.2 mod_ssl/2.2.29 OpenSSL/0.9.8y DAV/2 mod_perl/2.0.8 Perl/v5.20.0
X-Powered-By: PHP/5.6.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=8dfb86b13ec9750d1f1afdfc004f5042; path=/
X-XSS-Protection: 1
Content-Length: 820
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Execute the JavaScript again on the vulnerable page; the script will not run. Open the Chrome console to see what happened.
The console information above confirms that the script was not executed.
header("X-XSS-Protection: 1");
With no other parameters added to this header, the browser only blocks the script and still renders the page.
We can add other parameters, such as:
header("X-XSS-Protection: 1; mode=block");
In this case, the browser stops the script execution and returns a blank page instead of rendering the rest of the page.
The HTTP response headers are now as follows:
HTTP/1.1 200 OK
Date: Mon, 13 Apr 2015 09:59:22 GMT
Server: Apache/2.2.29 (Unix) mod_fastcgi/2.4.6 mod_wsgi/3.4 Python/2.7.8 PHP/5.6.2 mod_ssl/2.2.29 OpenSSL/0.9.8y DAV/2 mod_perl/2.0.8 Perl/v5.20.0
X-Powered-By: PHP/5.6.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=729f2f716310ccfe353c81ced1602cf0; path=/
X-XSS-Protection: 1; mode=block
Content-Length: 846
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Although this works in the mainstream browsers that implement an XSS filter (IE, Chrome, Safari), the header is not supported in Firefox, so there we can still see the alert box pop up.
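As an added example (not code from the original article), the following Python audit script parses a raw HTTP response like the captures above and reports how a filtering browser will interpret the X-XSS-Protection value (absent, 0, 1, or 1; mode=block) and whether a Content-Security-Policy header is present. The sample response is constructed to mirror the article's third capture.

```python
from typing import Dict

# Constructed sample response, modelled on the article's header dumps
# (not the article's own capture); body is a placeholder.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 13 Apr 2015 09:59:22 GMT\r\n"
    "Server: Apache/2.2.29 (Unix)\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Split a raw HTTP response into a lower-cased header name -> value map."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def classify_xss_protection(headers: Dict[str, str]) -> str:
    """Describe how a browser with an XSS filter treats this response."""
    value = headers.get("x-xss-protection")
    if value is None:
        return "absent"    # browser default applies: Chrome/IE filter, Firefox does nothing
    parts = [p.strip().lower() for p in value.split(";")]
    if parts[0] == "0":
        return "disabled"  # filter switched off, reflected script runs
    if parts[0] == "1":
        if "mode=block" in parts[1:]:
            return "block"     # rendering stopped entirely (blank page)
        return "sanitize"      # script neutralised, rest of page rendered
    return "invalid"


def audit(raw: str) -> dict:
    """Summarise the response's XSS-related headers for a defender's report."""
    headers = parse_headers(raw)
    return {
        "xss_protection": classify_xss_protection(headers),
        "has_csp": "content-security-policy" in headers,
    }
```

Run audit() over captured responses from each endpoint; "absent" or "disabled" without a CSP is the state the vulnerable page above was in.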
Summary
Therefore, the X-XSS-Protection header should be used as one layer of defense in depth. Because it cannot completely protect a website, developers must ensure that other measures are in place to protect it.