Personal summary of XSS cross-site scripting attacks in Java development

Post by youyou » Thu Mar 21, 2019 3:54 am

1. Prevent cross-site vulnerabilities, so that attackers cannot publish cross-site attack statements on the attacked website. Never trust any content submitted by users. First, filter "'" and other such characters; secondly, any content written to the page must be encoded, to avoid accidentally letting an HTML tag out. This level alone can block at least half of all XSS attacks.

2. Guard cookies against theft
First, avoid disclosing user privacy directly in cookies, such as email, password, etc. Secondly, binding the cookie to the system IP can reduce the risk of cookie disclosure. In this way, a cookie obtained by an attacker has no real value and cannot be replayed.

3. Try to use POST instead of GET for form submission
POST operations cannot be carried out without using JavaScript, which makes things more difficult for attackers and reduces the number of cross-site vulnerabilities available.

4. Strict Referer check
Check whether the HTTP Referer comes from an expected URL. This prevents the HTTP requests made by the type 2 attack, and also prevents most type 1 attacks, unless the cross-site script happens to be planted on the referring page of the privileged operation.

5. Change the single-step process into a multi-step process, and introduce a validation code in the multi-step process
In the multi-step process, a verification code is generated for each step and embedded as a hidden form element in the intermediate page. In the next step, the verification code is submitted to the server, and the server checks whether it matches.
For one thing, this adds a lot of headaches for the first type of attacker. Secondly, the attacker must obtain the validation code generated by the previous step in the multi-step process to launch the next request, which is almost impossible in the second type of attack.

6. Introduce user interaction
A simple number check can block almost all unintended privileged operations.

7. Use dynamic JavaScript only where anonymous access is allowed.

8. For img and other links in user-submitted information, check whether they redirect back to the site, whether the pictures are not genuine, and other suspicious operations.

9. Internal management of the website
In many cases, internal management sites tend to neglect security issues and simply restrict access by source. Such sites are often vulnerable to XSS attacks and need to be taken care of. Security is a long-term concern and has never been a one-size-fits-all business. Compared with other attack methods, XSS attacks are more covert and changeable, since they are tied to the business process and the code implementation. There is no one-and-done solution. In addition, in the face of XSS, the convenience of the product is often sacrificed to ensure complete security. How to balance security and convenience is also a matter to be considered.
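The three server-side controls from points 1, 4 and 5 of the post above (output encoding, a Referer check, and a single-use token per step of a multi-step flow), as an added example written for this thread rather than code from the original poster. It is plain Java with no servlet container: the in-memory session map, the session id "sess-1", the step name "confirm-transfer" and the origin https://bank.example are all assumed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added example, not from the original post. Names and the in-memory
// "session" store are illustrative stand-ins for a real HttpSession.
public class XssDefenseDemo {

    /** Point 1: encode everything written into an HTML body or a quoted attribute. */
    static String encodeForHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                case '/':  out.append("&#x2F;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Point 5: one random token per step, kept server-side and consumed on first use. */
    static final SecureRandom RNG = new SecureRandom();
    // Hypothetical session store: sessionId -> (stepName -> token)
    static final Map<String, Map<String, String>> SESSIONS = new HashMap<>();

    static String issueStepToken(String sessionId, String step) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        SESSIONS.computeIfAbsent(sessionId, k -> new HashMap<>()).put(step, token);
        return token;
    }

    static boolean consumeStepToken(String sessionId, String step, String submitted) {
        Map<String, String> steps = SESSIONS.get(sessionId);
        if (steps == null || submitted == null) return false;
        String expected = steps.remove(step);   // single use: a replay finds nothing
        return expected != null && MessageDigest.isEqual(   // constant-time compare
                expected.getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
    }

    /** Point 4: accept only requests whose Referer is on our own origin (scheme, host, port). */
    static boolean refererIsExpected(String referer, String expectedOrigin) {
        if (referer == null) return false;
        try {
            URI r = new URI(referer);
            URI e = new URI(expectedOrigin);
            return r.getScheme() != null && r.getScheme().equalsIgnoreCase(e.getScheme())
                && r.getHost() != null && r.getHost().equalsIgnoreCase(e.getHost())
                && r.getPort() == e.getPort();
        } catch (URISyntaxException ex) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed attacker input for the comment field
        String comment = "<script>alert(document.cookie)</script>";
        System.out.println("<p>" + encodeForHtml(comment) + "</p>");

        // Multi-step flow: step 1 renders the hidden token, step 2 must echo it back
        String tok = issueStepToken("sess-1", "confirm-transfer");
        System.out.println("<input type=\"hidden\" name=\"step_token\" value=\""
                + encodeForHtml(tok) + "\">");
        System.out.println("valid once:  " + consumeStepToken("sess-1", "confirm-transfer", tok));
        System.out.println("replayed:    " + consumeStepToken("sess-1", "confirm-transfer", tok));

        // Referer check against the expected origin
        System.out.println("own origin:  " + refererIsExpected("https://bank.example/transfer", "https://bank.example"));
        System.out.println("evil origin: " + refererIsExpected("https://bank.example.evil.test/x", "https://bank.example"));
    }
}
```

Two practical caveats: the per-step token is what is usually called a CSRF token, and it only helps if the page that renders it is itself free of XSS (script running on your origin can read the hidden field). The Referer check rejects a missing header, which browsers and privacy tools sometimes strip, so a site that relies on it alone will turn away some legitimate users; the post's own point 5 is the more robust of the two.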

Re: Personal summary of XSS cross-site scripting attacks in Java development

Post by youyou » Thu Mar 21, 2019 3:56 am

Notes for web application developers:
1. For developers, the first thing to focus on is reliable input validation for all user submissions. These submissions include URLs, query keywords, HTTP headers, POST data, etc. Accept only the characters you expect, in the appropriate format, within the length you specify. Block, filter, or ignore anything else.

2. Protect all sensitive functions from being automated by bots or executed by third-party websites. Implement session tokens, CAPTCHA systems, or HTTP tokens.

3. If your web application must support user-supplied HTML, the security of your application will suffer a catastrophic decline. But there are things you can do to protect your website: make sure the HTML content you receive is properly formatted, include only a minimal set of safe tags (no JavaScript at all), and remove any references to remote content (especially stylesheets and JavaScript). For more security, use HttpOnly cookies.
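Allowlist validation as described in point 1 of the reply above (accept only the expected characters, format and length; reject the rest), plus the HttpOnly session cookie from point 3, as an added example that is not the original poster's code. The field names, the regular expressions, the length limits and the cookie name are assumptions for illustration; the SameSite attribute goes beyond what the post mentions.

```java
import java.text.Normalizer;
import java.util.Optional;
import java.util.regex.Pattern;

// Added example, not from the original post. Field rules and limits are illustrative.
public class InputValidationDemo {

    // Allowlists: exactly the characters and lengths each field may contain.
    static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9_]{3,32}$");
    static final Pattern KEYWORD  = Pattern.compile("^[\\p{L}\\p{N} ]{1,64}$");   // letters, digits, spaces
    static final Pattern EMAIL    = Pattern.compile("^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\\.[A-Za-z]{2,}$");
    static final Pattern SESSION  = Pattern.compile("^[A-Za-z0-9_-]{16,128}$");

    /** Returns the value only if it matches the allowlist; anything else is rejected, not "cleaned up". */
    static Optional<String> validate(Pattern allowed, String raw) {
        if (raw == null) return Optional.empty();
        // Normalise first so full-width or decomposed look-alikes (e.g. a full-width '<')
        // are folded into their ASCII form and judged by the same pattern.
        String s = Normalizer.normalize(raw, Normalizer.Form.NFKC);
        return allowed.matcher(s).matches() ? Optional.of(s) : Optional.empty();
    }

    /** Session cookie header: HttpOnly keeps script from reading it, Secure and SameSite limit where it is sent. */
    static String sessionCookieHeader(String sessionId) {
        if (!SESSION.matcher(sessionId).matches())
            throw new IllegalArgumentException("session id outside cookie-safe charset");
        return "Set-Cookie: JSESSIONID=" + sessionId + "; Path=/; HttpOnly; Secure; SameSite=Strict";
    }

    public static void main(String[] args) {
        String[][] samples = {   // constructed inputs: valid ones and typical XSS probes
            {"username", "alice_01"},
            {"username", "alice<script>"},
            {"keyword",  "java card"},
            {"keyword",  "\" onmouseover=\"alert(1)"},
            {"email",    "a@example.com"},
            {"email",    "a@example.com<img src=x onerror=alert(1)>"},
        };
        for (String[] s : samples) {
            Pattern p = s[0].equals("username") ? USERNAME : s[0].equals("keyword") ? KEYWORD : EMAIL;
            System.out.printf("%-8s %-45s -> %s%n", s[0], s[1],
                    validate(p, s[1]).map(v -> "accept").orElse("reject"));
        }
        System.out.println(sessionCookieHeader("x3Kq9sd0PQwLm2Vt8NzRyAbC"));
    }
}
```

The rule here is reject rather than repair: a value that fails its allowlist is discarded with an error to the user, because "filtering out" dangerous characters tends to leave behind a slightly different payload. For the user-supplied HTML case in point 3 this example deliberately writes no sanitizer; a hand-rolled tag filter is where most such applications go wrong, and a maintained policy-based library (for example the OWASP Java HTML Sanitizer) is the practical route.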
