1. User input output as-is
Exploit: the XSS payload is placed directly at the output point and executes without any trick.
Solution: filter or encode at the output point; the most common measure is to filter (HTML-encode) < and >. An example of this class was the following request, where the reflected input was emitted unmodified and executed directly: http://xxx.com/?umod=commentsoutlet&act=count&siteid=3&libid=9&dataid=1480&score=&func=haoping&_=1353475261886
2. Output between <script> and </script>
Exploit:
1) Close the tag: inject </script><script>xss code</script><script>, so the HTML parser ends the original script block and starts a new one containing the payload (the HTML parser does not care whether the JavaScript around it is valid).
2) Inject code that keeps the JavaScript inside <script></script> syntactically valid, so the whole block still parses and the injected statement runs as part of it.
For example, when the input aaaaaaaaa</script><script>alert(1)</script> is supplied, the page displays:
<script type='text/javascript'>document.domain='xxxx.com';_ret={"_res":2};try{parent.aaaaaaaaa</script><script>alert(1)</script>(_ret);}catch(err){aaaaaaaaa</script><script>alert(1)</script>(_ret);}</script>
Entering eval('alert(1)');void instead keeps the syntax valid and still executes:
<script type='text/javascript'>document.domain='xxxx.com';_ret={"_res":2};try{parent.eval('alert(1)');void(_ret);}catch(err){eval('alert(1)');void(_ret);}</script>
Solution:
1) Filter the user-supplied value; the characters most commonly filtered are ', <, and >. For a value that is used as a function name, as above, an allowlist (letters, digits, _ and .) is safer than a blacklist of characters.
2) Avoid outputting user-controllable values inside a <script> block at all.
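The two payloads above, reproduced against a JSONP-style template, as an added example that is not part of the original page. The template, the callback-name parameter, the 64-character cap and the renderScriptSafe fix are assumptions made for the example: an identifier allowlist for the callback name, plus JSON encoding of the data with < and > written as JavaScript escapes so a data value can never close the tag either.

```javascript
// Added example, not from the original page. The vulnerable renderer mirrors the
// page's template: a caller-supplied callback name is pasted into the script body.
function renderScriptVulnerable(callback, result) {
  return "<script type='text/javascript'>" +
    "document.domain='xxxx.com';" +
    "_ret=" + JSON.stringify(result) + ";" +
    "try{parent." + callback + "(_ret);}" +
    "catch(err){" + callback + "(_ret);}" +
    "</script>";
}

// Hardened: the callback must be a (dotted) JavaScript identifier, which rules
// out </script>, quotes, parentheses and ';'. Assumption: this shape and the
// 64-character cap suit the application; a fixed allowlist would be stricter.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// JSON.stringify yields a valid JS literal, but a string value containing
// "</script>" still closes the tag for the HTML parser, so '<' and '>' are
// written as JS escapes; U+2028/U+2029 are JS line terminators and get the same.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderScriptSafe(callback, result) {
  if (typeof callback !== 'string' || callback.length > 64 || !CALLBACK_RE.test(callback)) {
    throw new Error('invalid callback name');
  }
  return "<script type='text/javascript'>" +
    "document.domain='xxxx.com';" +
    "_ret=" + jsonForScript(result) + ";" +
    "try{parent." + callback + "(_ret);}" +
    "catch(err){" + callback + "(_ret);}" +
    "</script>";
}

// True when the rendered HTML contains any "</script" other than the single
// closing tag the template itself emits, i.e. the tag boundary was broken.
function breaksOutOfTag(html) {
  return (html.match(/<\/script/gi) || []).length !== 1;
}

// The page's two payloads: one closes the tag, one stays valid JavaScript.
const PAYLOAD_CLOSE_TAG = "aaaaaaaaa</script><script>alert(1)</script>";
const PAYLOAD_VALID_JS = "eval('alert(1)');void";
const SAMPLE_RESULT = { _res: 2 };   // constructed sample data

console.log(renderScriptVulnerable(PAYLOAD_CLOSE_TAG, SAMPLE_RESULT));
console.log(renderScriptVulnerable(PAYLOAD_VALID_JS, SAMPLE_RESULT));
console.log(renderScriptSafe('app.handlers.done', { msg: '</script><script>alert(1)</script>' }));
```

Note that the identifier check only prevents breaking out of the call; the safest option remains the page's second solution (no user-controlled value inside <script>), for instance by registering the callback under a server-chosen name.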
3. Output inside an HTML attribute
Exploit: inject JavaScript into the attribute, for example by adding an onclick event handler to an input tag.
Solution:
1) Character references (HTML entities) inside an attribute value are decoded by the browser before the value is used, so an entity-encoded quote still terminates a string inside an event handler; therefore the \ and & characters must be strictly filtered, in addition to the quote that delimits the attribute.
2) If regular expressions are used to match HTML entities, note that &#XX; can also be written as &#00XX; (leading zeros), which decodes and executes just the same.
4. Double-byte encoding bypass
Exploit: when the page uses a multi-byte character set (commonly GBXXXX) and input is escaped with a backslash, entering a high byte such as %a0 in front of a quote makes the escaping \ the trail byte of a two-byte character; the escape is swallowed and the quote it protected is live again, so code can be injected.
Solution: 1. Declare the encoding as UTF-8 (a UTF-8 decoder never absorbs an ASCII byte such as \ into a multi-byte character).
2. Filter high bytes; non-text characters are not allowed.
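The %a0 trick above, worked through on raw bytes, as an added example that is not part of the original page. It runs without a GBK decoder: the gbkChars function applies the simplified GBK rule (lead byte 0x81 to 0xFE, trail byte 0x40 to 0xFE except 0x7F), which is an assumption sufficient for the point; the server-side escaping, the sample inputs and the UTF-8 comparison are constructed for the example.

```javascript
// Added example, not from the original page. Works on byte arrays so it runs
// anywhere. Assumption: the simplified GBK rule below; real decoders differ
// only at the edges of the table, not for the bytes used here.

function ascii(s) { return Array.from(s, c => c.charCodeAt(0)); }

// Split bytes into characters the way a GBK decoder does.
function gbkChars(bytes) {
  const out = [];
  for (let i = 0; i < bytes.length; i++) {
    const b = bytes[i], next = bytes[i + 1];
    if (b >= 0x81 && b <= 0xfe && next !== undefined &&
        next >= 0x40 && next <= 0xfe && next !== 0x7f) {
      out.push([b, next]);   // 0x5C ("\") is a legal trail byte and gets swallowed
      i++;
    } else {
      out.push([b]);
    }
  }
  return out;
}

// Split bytes the way a UTF-8 decoder does. Only one property matters here:
// every byte below 0x80 is a character of its own, because UTF-8 continuation
// bytes are 0x80-0xBF, so "\" can never be absorbed into a multi-byte character.
function utf8Chars(bytes) {
  const out = [];
  for (let i = 0; i < bytes.length; i++) {
    const b = bytes[i];
    const len = b < 0x80 ? 1 : b >= 0xf0 ? 4 : b >= 0xe0 ? 3 : b >= 0xc0 ? 2 : 1;
    out.push(bytes.slice(i, i + len));
    i += len - 1;
  }
  return out;
}

// The server's escaping: a 0x5C byte in front of every quote and backslash.
function backslashEscape(bytes) {
  const out = [];
  for (const b of bytes) {
    if (b === 0x22 || b === 0x5c) out.push(0x5c);
    out.push(b);
  }
  return out;
}

// Is every '"' character preceded by an odd run of stand-alone "\" characters?
function quotesAreEscaped(chars) {
  let run = 0;
  for (const ch of chars) {
    if (ch.length === 1 && ch[0] === 0x5c) { run++; continue; }
    if (ch.length === 1 && ch[0] === 0x22 && run % 2 === 0) return false;
    run = 0;
  }
  return true;
}

// The page's second defence: reject any high byte before it reaches the template.
function hasHighBytes(bytes) { return bytes.some(b => b >= 0x80); }

// Constructed inputs: the page's %a0 trick, a plain quote, and a genuine GBK
// character (0xB0 0xA1) followed by a quote.
const ATTACK = [0xa0].concat(ascii('";alert(1)//'));
const PLAIN = ascii('a"b');
const CHINESE = [0xb0, 0xa1].concat(ascii('"'));

console.log('GBK, attack:', quotesAreEscaped(gbkChars(backslashEscape(ATTACK))));
console.log('UTF-8, attack:', quotesAreEscaped(utf8Chars(backslashEscape(ATTACK))));
```

Under GBK the escaped bytes A0 5C 22 decode as one two-byte character followed by a bare quote, while the genuine character B0 A1 followed by 5C 22 is decoded correctly, which is why the bug only shows up for inputs that end in a lone lead byte.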
5. Output inside double quotation marks
Exploit: when only the " character is escaped, entering \ in front of the quote turns the server's \" into \\": the backslash is consumed as an escaped backslash and the quote closes the string, so the remaining syntax is broken out of and XSS code can be injected.
Solution: filter or escape \ as well, and escape it before escaping ".
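The breakout above, as an added example that is not part of the original page. The template (var keyword = "...";), the payload and the two escaping functions are constructed for the example; literalEndsEarlyAt mimics only the one rule of a JavaScript scanner that matters here, that a backslash escapes the character after it.

```javascript
// Added example, not from the original page. Shows where a JS engine would end
// the string literal for each escaping strategy.

// What the page describes: only '"' is escaped.
function escapeQuoteOnly(s) { return s.replace(/"/g, '\\"'); }

// The fix: escape '\' before '"', plus line terminators and '<' so the literal
// can end neither the statement nor the enclosing <script> block.
function escapeJsString(s) {
  return s.replace(/\\/g, '\\\\').replace(/"/g, '\\"')
          .replace(/\r/g, '\\r').replace(/\n/g, '\\n')
          .replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029')
          .replace(/</g, '\\u003c');
}

// Index of the first unescaped '"' in the literal body, or -1 if the body stays
// inside the literal until the closing quote the template appends.
function literalEndsEarlyAt(body) {
  for (let i = 0; i < body.length; i++) {
    if (body[i] === '\\') { i++; continue; }   // skip the escaped character
    if (body[i] === '"') return i;
  }
  return -1;
}

// Server template: var keyword = "<escaped user value>";
function render(escapeFn, value) { return 'var keyword = "' + escapeFn(value) + '";'; }

// The code that would run outside the string literal, or null when nothing escapes it.
function injectedCode(escapeFn, value) {
  const body = escapeFn(value);
  const end = literalEndsEarlyAt(body);
  return end < 0 ? null : body.slice(end + 1);
}

// Constructed input: the user types  \";alert(1);//
const PAYLOAD = '\\";alert(1);//';

console.log(render(escapeQuoteOnly, PAYLOAD));   // var keyword = "\\";alert(1);//";
console.log(render(escapeJsString, PAYLOAD));    // var keyword = "\\\";alert(1);//";
```

With quote-only escaping the literal closes after the second character and ;alert(1);// runs as code; with backslash escaped first the whole payload stays inside the string. JSON.stringify performs the same escaping for the quote and the backslash, which is why it is the usual way to emit a value into a JavaScript string.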
6. Output inside comments
Exploit: for variables output inside a JavaScript comment, code can be injected through line breaks: a newline terminates a // comment, so everything after it is parsed and executed as code, as shown in:
Solution: do not place user-controllable variables inside comment code.
7. Output in a DOM function
Common DOM XSS sinks are the output functions document.write, innerHTML, and jQuery's $("#y").html("xxxxxxx").
Exploit: a user-controlled variable is passed as the parameter of one of these DOM functions.
Solution: strictly filter the parameters passed to DOM functions. Because JavaScript string literals support Unicode escapes (\u003c is decoded to < before the sink sees it), the \ character must be filtered as well.
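The Unicode-escape bypass and the page's fix for it, as an added example that is not part of the original page. The server-side filter, the page template and the payload are constructed; decodeJsStringBody reproduces only the escapes a JavaScript engine resolves that matter here (\uXXXX, \xXX and a backslash followed by one character), which is an assumption, not a full scanner.

```javascript
// Added example, not from the original page. Scenario 7: the server strips
// '<' and '>' from the input, embeds it in a JS string literal, and the client
// writes that string with innerHTML. The filter sees "\u003c"; innerHTML sees "<".

// Server-side blacklist as the page describes it (angle brackets only).
function stripAngles(s) { return s.replace(/[<>]/g, ''); }

// The page's own solution: also drop the backslash, so no \uXXXX or \xXX
// escape can be formed inside the literal.
function stripAnglesAndBackslash(s) { return s.replace(/[<>\\]/g, ''); }

// Server template: the filtered value becomes a JS string literal that the
// client later assigns to innerHTML (document.write or $(...).html behave alike).
function renderPage(filterFn, userValue) {
  return 'var name = "' + filterFn(userValue) + '";\n' +
         'document.getElementById("y").innerHTML = name;';
}

// What the JS engine produces from the literal body. Assumption: only the
// escapes relevant here are decoded; a real scanner handles more.
function decodeJsStringBody(body) {
  return body.replace(/\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})|\\([\s\S])/g,
    (m, u, x, c) => u !== undefined ? String.fromCharCode(parseInt(u, 16))
                  : x !== undefined ? String.fromCharCode(parseInt(x, 16))
                  : c);
}

// The value that actually reaches the innerHTML sink for a given filter.
function valueAtSink(filterFn, userValue) {
  return decodeJsStringBody(filterFn(userValue));
}

// Does the sink receive markup?
function sinkGetsMarkup(filterFn, userValue) {
  return /<[a-zA-Z]/.test(valueAtSink(filterFn, userValue));
}

// Constructed payload: angle brackets written as JavaScript Unicode escapes.
const PAYLOAD = '\\u003cimg src=x onerror=alert(1)\\u003e';

console.log(renderPage(stripAngles, PAYLOAD));
console.log('sink sees:', valueAtSink(stripAngles, PAYLOAD));
console.log('with backslash filtered:', valueAtSink(stripAnglesAndBackslash, PAYLOAD));
```

Filtering the backslash is what the page prescribes and it does close this hole; the more robust fix is to stop the sink from parsing markup at all (textContent or createTextNode instead of innerHTML/html()), or to HTML-encode the decoded value immediately before it is written.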
8. Output in the eval function
Exploit: inject code into the eval parameter through ";" and it is executed as JavaScript.
Solution: avoid eval wherever possible; where it remains, strictly filter the eval parameter and filter ";".
9. Output in an SRC attribute
Exploit: execute JavaScript through pseudo-protocols such as javascript:, vbscript:, and data:.
Solution:
1. Validate SRC values; pseudo-protocols such as javascript:, vbscript:, and data: are not allowed.
2. Because entity-encoded characters in an attribute value are still decoded and parsed, the &# sequence (and entity references in general) must also be filtered, otherwise a spelling such as &#106;avascript: passes a check that looks for the literal string.
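Scenarios 3 and 9 share one cause: the browser decodes character references in attribute values before the value is used, so a filter that inspects the raw source checks the wrong string. The following is an added example that is not part of the original page. It shows a quote smuggled into an onclick handler as &#0039; (leading zeros, scenario 3) and javascript: smuggled into src as entities and with a tab (scenario 9), then the checks that hold; the encodeForHtml function is also the output encoding scenario 1 calls for. The two page templates, the payloads, the iframe sink and the reduced named-entity table in decodeEntities are assumptions made for the example.

```javascript
// Added example, not from the original page. Runs on strings, outside a browser;
// decodeEntities is the piece of browser behaviour the page relies on.

// Character references a browser resolves inside an attribute value: decimal
// and hex numeric forms (any number of leading zeros, ';' optional) and a few
// named ones. Assumption: a small subset of the HTML5 named-entity table.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", colon: ':', Tab: '\t', NewLine: '\n' };
function decodeEntities(s) {
  return s.replace(/&(?:#[xX]([0-9a-fA-F]+)|#([0-9]+)|([A-Za-z]+));?/g, (m, hex, dec, name) => {
    if (name !== undefined) return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : m;
    const cp = parseInt(hex !== undefined ? hex : dec, hex !== undefined ? 16 : 10);
    return cp > 0x10ffff ? '\uFFFD' : String.fromCodePoint(cp);
  });
}

// Decoded value of a double-quoted attribute in a rendered tag, or null if absent.
function attr(html, name) {
  const m = new RegExp('\\s' + name + '="([^"]*)"').exec(html);
  return m ? decodeEntities(m[1]) : null;
}

// Output encoding for text and attribute context: '&' becomes '&amp;', so a
// reference typed by the user cannot survive decoding as anything but text.
function encodeForHtml(s) {
  return String(s).replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' })[c]);
}

// ---- scenario 3: quotes blacklisted, '&' left alone, value inside onclick ----
function renderLinkVulnerable(nick) {
  const filtered = nick.replace(/['"<>\\]/g, '');
  return '<a href="#" onclick="showUser(\'' + filtered + '\')">' + filtered + '</a>';
}
// Hardened: no user data inside JavaScript at all; a handler attached with
// addEventListener reads data-user at runtime.
function renderLinkSafe(nick) {
  const enc = encodeForHtml(nick);
  return '<a href="#" data-user="' + enc + '">' + enc + '</a>';
}

// ---- scenario 9: blacklist on the literal pseudo-protocol strings ----
function renderFrameVulnerable(src) {
  if (/^\s*(javascript|vbscript|data):/i.test(src)) throw new Error('blocked');
  return '<iframe src="' + src + '"></iframe>';
}
// Hardened: decode what the browser decodes, drop the control characters and
// spaces a browser ignores inside a URL, then allow only http(s) or a
// same-origin absolute path; re-encode the decoded value for the attribute.
function safeUrl(raw) {
  const decoded = decodeEntities(raw);
  const probe = decoded.replace(/[\x00-\x20]/g, '');
  if (/^https?:\/\//i.test(probe) || /^\/(?!\/)/.test(probe)) return encodeForHtml(decoded);
  return null;
}
function renderFrameSafe(src) {
  const u = safeUrl(src);
  if (u === null) throw new Error('blocked');
  return '<iframe src="' + u + '"></iframe>';
}

// Constructed payloads.
const QUOTE_LEADING_ZERO = '&#0039;);alert(1);//';
const JS_SCHEME_ENTITIES = '&#106;avascript&colon;alert(1)';
const JS_SCHEME_TAB = 'java\tscript:alert(1)';

console.log(attr(renderLinkVulnerable(QUOTE_LEADING_ZERO), 'onclick'));
console.log(attr(renderFrameVulnerable(JS_SCHEME_ENTITIES), 'src'));
console.log(attr(renderLinkSafe(QUOTE_LEADING_ZERO), 'data-user'));
```

The point of safeUrl is the order of operations: decode first, normalise, then allowlist the scheme; a blacklist applied to the raw attribute text is what both vulnerable renderers do, and every payload above passes it.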
10. Output in key Flash functions
Key functions in Flash: flash.external.ExternalInterface.call, getURL, navigateToURL, _evalJS, and the javascript: pseudo-protocol. Passing user-controllable parameters into them may cause XSS.
Exploit: pass JavaScript to one of these functions and it executes. For example:
navigateToURL(new URLRequest(link), "_self"); with the link parameter set to "javascript:alert(1)"
Solution: validate the relevant parameters (for example, allow only digit characters), restrict the URL to valid targets, and prohibit javascript and ;.
11. Loading arbitrary XML files in Flash
Flash usually reads its parameters from an XML configuration file. If the Flash file can be made to load an arbitrary XML file, it may in turn load an arbitrary remote Flash file and execute arbitrary JavaScript.
Exploit: point the xml parameter at an attacker-controlled address and place the XSS payload in the parameter values that file controls.
Solution: validate the XML file (both where it is loaded from and what it contains).