Shulou(Shulou.com)06/03 Report--

This article shows you how Java prevents xss attacks. The content is concise and easy to understand. It will definitely brighten your eyes. I hope you can gain something through the detailed introduction of this article.

Cross-site scripting (English: Cross-site scripting, usually referred to as: XSS) is a kind of security vulnerability attack of website application, and it is a kind of code injection. It allows malicious users to inject code into the web page, and other users will be affected when they view the web page. Such attacks usually include HTML as well as client-side scripting languages.

XSS attack usually refers to the use of loopholes left in web page development, through ingenious methods to inject malicious instruction code into the web page, so that users can load and execute web programs created maliciously by the attacker. These malicious web programs are usually JavaScript, but they can actually include Java,VBScript,ActiveX,Flash or even ordinary HTML. After a successful attack, the attacker may be given higher privileges (such as performing some actions), private web content, conversations, cookie, and so on.

Background and status quo

When Netscape first launched the JavaScript language, they also sensed the security risk (even if only in sandboxie of a browser) of allowing web servers to send executable code to a browser. A key problem caused by it is that when users open multiple browser windows at the same time, in some cases, snippet code in a web page is allowed to retrieve data from another page or object. and because malicious websites can use this method to try to steal confidential information, in some cases, this should be completely prohibited. To solve this problem, browsers adopt the same origin decision-only allowing any interaction between objects from the same domain name system and using the same protocol with web pages. As a result, malicious websites cannot use JavaScript to steal confidential data from another browser. Since then, in order to protect users from malicious harm, other browsers and server-side instruction languages have adopted similar access control decisions.

XSS vulnerabilities date back to the 1990s. A large number of websites have been attacked or discovered by XSS vulnerabilities, such as Twitter [1], Facebook [2], MySpace,Orkut [3] [4], Sina Weibo [5] and Baidu Tieba. Research shows that [6] in recent years, XSS has overtaken buffer overflow to become the most popular attack, and 68% of websites are likely to suffer such attacks. According to the 2010 statistics released by the Open Web Application Security Program (Open Web Application Security Project), XSS ranks second among the top 10 security threats to Web, second only to code injection (Injection). [7]

Detection method

There are usually some ways to test whether a website handles special characters correctly:

Alert ([xss_clean]) alert (vulnerable)% 3Cscript%3Ealert ('XSS')% 3C/script%3Ealert (' XSS')

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.