Web penetration: defending against XSS attacks

1, Feature-based defenses

XSS vulnerabilities, like SQL injection vulnerabilities, arise from imperfections in how web pages are written, so each vulnerability is exploited differently and has its own weak point. This makes XSS defense difficult: no single signature can cover every XSS attack.

Traditional XSS defenses mostly rely on signature (feature) matching, checking all submitted information for a match. For this type of XSS attack, the pattern-matching method typically searches for the keyword "javascript"; if the submitted information is found to contain "javascript", it is flagged as an XSS attack. The drawback of this detection method is obvious: an attacker can avoid detection by inserting characters or by fully encoding the string:

Evasion 1) insert one or more tab characters into "javascript", giving

< IMG SRC="jav ascript:alert('XSS');" >;

Evasion 2) insert a space character into "javascript", giving

< IMG SRC="javascri pt:alert('XSS');" >;

Evasion 3) insert a line-break character into "javascript", giving

< IMG SRC="jav

ascript:alert('XSS');" >;

Evasion 4) insert carriage-return characters between the characters of "javascript", giving

< IMG SRC="javascrip\r

\nt:alert('XSS');" >

Evasion 5) fully encode "javascript:alert('XSS')", giving

< IMGSRC=javascrip?74:alert('XSS') >

Each of the methods above can easily escape feature-based detection.

2, Code-modification-based defenses
As with SQL injection defense, XSS attacks exploit negligence in writing web pages, so the problem can also be avoided from the web application development side:

Step 1: perform reliable input validation on all user-submitted content, including the URL, query keywords, HTTP headers and POST data; accept only content within a specified length, in the appropriate format and using the expected characters, and filter out everything else.

Step 2: implement session tokens, a CAPTCHA system or an HTTP Referer header check to prevent requests initiated from third-party websites.

Step 3: make sure the content you accept is properly normalized and contains only the smallest set of safe tags (no JavaScript), remove any references to remote content (especially style sheets and JavaScript), and use HttpOnly cookies.

Of course, the operations above reduce the usability of the web service: the user can only enter a small set of permitted characters, interaction between people and the system is reduced to a minimum, and the approach only suits information-publishing sites. Considering also that very few web developers have received formal security training, it is difficult to avoid XSS vulnerabilities in pages completely.

3, Client-side XSS attacks
Client-side XSS occurs because untrusted data is used to update the DOM through an unsafe JavaScript interface.

The earliest and strongest defensive approach: use safe JavaScript APIs (interfaces that handle untrusted data as data, not as markup or code).

4, Server-side XSS attacks
Server-side XSS is caused by HTML that contains untrusted data. In most cases the oldest method is also the most powerful defense: server-side output encoding (escaping the data on the server before it is written into the page).

Context-sensitive data validation or input sanitization can also help prevent such attacks, but this method is much more difficult than output encoding.
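The defenses of sections 2 to 4 applied to the Evasion 1 payload quoted in section 1, as an added example that is not code from the original post. The keyword filter, the http(s) allowlist, the placeholder image path and the base URL https://example.invalid/ are assumptions, and the fake element object stands in for a DOM node.

```javascript
// Added example, not code from the original post: the defenses of sections
// 2-4 applied to the Evasion 1 payload. Filter, allowlist and base URL assumed.

// Section 1: feature matching, flagging any value containing "javascript".
function naiveKeywordFilter(value) {
  return /javascript/i.test(value);
}

// Section 4: output encoding for the HTML body context. Every character that
// can open or close markup becomes a character reference.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Attribute context: encode everything but alphanumerics as &#xHH;, which
// also covers tab, CR and LF, so the value cannot break out of the attribute.
function encodeForHtmlAttribute(value) {
  return String(value).replace(/[^A-Za-z0-9]/g,
    (ch) => `&#x${ch.charCodeAt(0).toString(16).toUpperCase()};`);
}

// Caveat: encoding alone does not make a URL safe in src/href, because the
// browser decodes the attribute before parsing the URL. Parse it as the
// browser does (the WHATWG parser strips tab, CR and LF) and allow only http(s).
function isSafeUrl(value) {
  try {
    const { protocol } = new URL(String(value), 'https://example.invalid/');
    return protocol === 'http:' || protocol === 'https:';
  } catch (e) {
    return false;
  }
}
function safeImgTag(untrustedSrc) {
  const src = isSafeUrl(untrustedSrc) ? untrustedSrc : '/images/placeholder.png';
  return `<img src="${encodeForHtmlAttribute(src)}">`;
}

// Section 3: on the client, prefer APIs that treat data as text;
// textContent never parses markup, innerHTML does.
function setUntrustedText(element, value) {
  element.textContent = String(value);
}

// The tab-split payload from Evasion 1 slips past the keyword filter but is
// still recognised as a javascript: URL and replaced by the placeholder.
const evasion1 = "jav\tascript:alert('XSS')";
console.log(naiveKeywordFilter(evasion1));  // false
console.log(safeImgTag(evasion1));          // <img src="&#x2F;images&#x2F;placeholder&#x2E;png">
```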

Origin: www.cnblogs.com/68xi/p/11582604.html