This article mainly describes the suggestions for XSS security defense against cross-site scripting attacks, if you are interested in the XSS security defense suggestions, you can click the following article to view details.
XSS attacks are the biggest threat to Web Services. They do not only harm Web services, but also directly affect users who access Web services. How to Prevent and block XSS attacks, how can we ensure the business security of Web sites?
First, we need to know what XSS attacks are.
Security Defense suggestions for XSS attacks on page 1
As one of the greatest threats to Web Services, XSS attacks not only harm Web services, but also directly affect users who access Web services. How to Prevent and block XSS attacks, how can we ensure the business security of Web sites? First, we need to know what XSS attacks are.
1. What is XSS attack:
XSS stands for Cross Site Scripting, which means Cross-Site Scripting. The first word is Cross. Why is it abbreviated as X? Because CSS is the abbreviation of Cascading Style Sheet, and Cross is pronounced similar to X, it is abbreviated as XSS to avoid confusion. A malicious attacker inserts malicious html code into a Web page. When a user browses this page, the html code embedded in the Web page is executed, to achieve the Special Purpose of malicious users. XSS is a passive attack, because it is passive and not easy to use, so many people often call it harmful.
XSS attack methods:
There are multiple methods for Cross-Site attacks. The HTML language allows simple interaction using scripts, intruders insert a malicious HTML code into a page through technical means, such as recording the user information stored in the Forum (Cookie). Because the Cookie stores the complete user name and password information, users will suffer Security losses. Of course, when attackers sometimes add code with. JS or. VBS as the end and end names to the webpage, we will also be attacked during browsing.
Hazards of XSS attacks:
1. Theft of various user accounts, such as machine logon accounts, user online banking accounts, and various administrator accounts
2. Control enterprise data, including the ability to read, tamper with, add, and delete enterprise sensitive data
3. Theft of important commercial data of an enterprise
4. Illegal Transfer
5. Force send email
6. Website Trojans
7. Control the victim machine to initiate attacks to other websites
Four XSS attack vulnerabilities:
XSS attacks are divided into two categories. One is internal attacks. It mainly refers to the use of program vulnerabilities to construct cross-site statements, such as showerror of dvbbs. cross-Site vulnerabilities in asp. The other type is from external attacks. It mainly refers to the construction of cross-site scripting attack XSS Cross-Site vulnerability webpage or the search for Cross-Site vulnerability webpages other than the target machine. For example, when we want to penetrate a website, we construct a webpage with cross-site vulnerabilities, and then construct cross-site statements. By combining other technologies, such as social engineering, the Administrator of the target server is spoofed to open it.
Five Basic XSS defense technologies:
1. feature-based defense: XSS vulnerabilities are the same as the well-known SQL Injection Vulnerabilities. They all use incomplete web pages. Therefore, each vulnerability has different exploitation and targeted vulnerabilities. This makes it difficult to defend against XSS vulnerabilities: it is impossible to summarize all XSS attacks with a single feature. Traditional XSS defense uses feature matching to check all submitted information. For this type of XSS attacks, the pattern matching method usually needs to search for the keyword "javascript". Once the submitted information contains "javascript", it is deemed as an XSS attack. The disadvantage of this method is obvious: hackers can avoid detection by inserting characters or fully coding:
Method 1) add multiple tab keys to javascript to obtain
;
Method 2) Add the & # x09 encoded characters to javascript to obtain
;
Method 3) add in javascript
Character to obtain
Asert: alert (XSS); ">;
The above content is a description of the security defense suggestions for XSS attacks, hoping to help you in this regard.