XSS attacks: what they are and how to defend against them

Posted by tetley at 2020-02-15


XSS (Cross Site Scripting) is an attack in which the browser, while parsing the DOM tree, executes an unexpected JS script, and this causes a security problem.

Above we simply gave the definition of an XSS attack. Since a definition alone is hard to understand, let's introduce XSS attacks based on an actual scenario.

When we talk about XSS attacks we often hear the terms "reflected XSS", "stored XSS", "DOM XSS" and so on; these classify XSS attacks from the perspective of where the data is stored.

My understanding is that an XSS attack is a piece of JS script sent to the server; the back-end server returns the script directly to the browser, and the script is then injected into the browser's DOM tree.

How an XSS attack happens

For example, when a website such as Google creates a user profile, it goes through several steps: 1. The user fills in a form in the browser; 2. The user submits the form information to the server; 3. The server saves the user information and returns it to the browser; 4. The browser displays the user information in the DOM elements of the page according to the data returned by the server.

Generally the form information entered by a user is basic information about that user, but a user with unknown intentions might enter a string such as "" as the name, and that string is interpreted as a script, so a popup appears on the web page.

This is the result of fully trusting the user's input: through the input box, the user can make the page execute whatever he wants.

The harm of XSS attacks

Through the above introduction we know the principle of XSS attacks, so the purpose of an XSS attack is what can be done through the JS script executed in the browser. What actions can it perform? - Pop up alerts, affecting the user experience - Redirect to a malicious website, steal administrator information and users' login credentials

JS is powerful, so there are many attack techniques available to it. To stop XSS attacks we need to find a way to solve this problem.

Defense against XSS attacks

The core of an XSS attack is the browser: while parsing the DOM text, the browser executes the injected JS script. So the defense against XSS attacks is also based on the browser.

If we apply HTML encoding to the information that needs to be rendered by the browser, then when the browser renders the DOM element it automatically decodes the information and displays it as a plain string instead of interpreting it as a JS script. This is the core idea of our defense against XSS attacks.

Let's first look at HTML encoding. Spring provides an HTML encoding class (HtmlUtils); its logic, simplified, looks like this (the characters were lost in extraction and are restored here from the standard HTML entities):

    switch (character) {
        case '<': return "&lt;";
        case '>': return "&gt;";
        case '&': return "&amp;";
        case '"': return "&quot;";
        case ...
    }

In fact, HTML encoding just replaces a few special characters. Correspondingly there is HTML decoding, which replaces these entity strings with the special characters again.

The following are several common encoding-based solutions to XSS attacks:

Using an HTML encoding library when the Spring MVC server back end stores the data

The parameter types of a controller method are basic data types, generally Java types.

The server reads the parameters as strings through the request's getParameter, and the WebDataBinder converts the string type into the type the server really needs.

Every time request parameters are resolved, a WebDataBinderFactory creates a binder object, and this binder finally resolves the parameter object. The WebDataBinderFactory is defined in InvocableHandlerMethod and does not differ between controller methods.

This solution is easy to implement: writing a custom BaseController that registers the encoding in the binder is very convenient.
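As an added example (not the original post's code), here is one way to write such a BaseController: its @InitBinder hook registers a String property editor that HTML-encodes every request parameter before the WebDataBinder hands it to the handler method. UserController and its User bean are hypothetical names used only for illustration.

```java
import java.beans.PropertyEditorSupport;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.util.HtmlUtils;

// Base class for all controllers: @InitBinder methods declared here are
// inherited, so every subclass controller gets the encoding for free.
public abstract class BaseController {

    // Property editor that HTML-encodes a String parameter (<, >, &, quotes)
    // before it is bound to the controller argument or bean property.
    static class HtmlEscapeEditor extends PropertyEditorSupport {
        @Override
        public void setAsText(String text) {
            // A missing parameter stays null so optional fields still bind as absent.
            setValue(text == null ? null : HtmlUtils.htmlEscape(text));
        }
    }

    // Runs once per request for the handling controller; the binder uses the
    // editor for every String parameter and every String property of a bean.
    @InitBinder
    public void initHtmlEscapeBinder(WebDataBinder binder) {
        binder.registerCustomEditor(String.class, new HtmlEscapeEditor());
    }
}

// Hypothetical controller: by the time create() runs, user.getName() is already
// encoded, e.g. "&lt;b&gt;x&lt;/b&gt;", so it is stored and returned encoded.
@RestController
class UserController extends BaseController {

    @PostMapping("/users")
    public User create(User user) {   // User: hypothetical bean with a String name
        return user;                  // persistence omitted for the example
    }
}

class User {
    private String name;
    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
}
```

Because the encoding happens at binding time, the encoded form is what reaches the database, which is exactly the trade-off discussed next.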

But after all the back-end data is encoded, it not only produces dirty data but also takes up more database space.

Preventing XSS attacks on the front end with HTML encoding

XSS attacks can also be prevented on the front end with HTML encoding: the front end encodes the information before the browser renders it, and the XSS attack is blocked there.

This solution avoids the dirty-data problem caused by encoding in the server back end, but it increases the front-end workload, because every field has to be encoded.

Front-end encoding and back-end encoding can be chosen according to the actual situation.

Using a front-end framework

Front-end frameworks such as Vue and Angular defend against XSS attacks by default, so when we use such a framework we basically don't have to worry about XSS attacks.

XSS attacks are simple but costly, so we should pay attention to this problem during development, especially in B2C projects.

Friends who like this article are welcome to follow lebroncen for the latest updates.