
XSS in Web Security

2025-02-24 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/01 Report

I. Browser security

1. Same-origin policy (SOP)

In the browser, tags that load a resource through a src attribute (script, img, iframe and the like) can load it across origins without being subject to the same-origin restriction. Each time such a tag loads, the browser actually issues a GET request. This differs from XMLHttpRequest, where the target domain must authorize cross-origin access by returning the HTTP response header Access-Control-Allow-Origin before the browser lets the calling page read the response. Because HTTP response headers are generally outside JavaScript's control, the browser restricts JavaScript from reading or writing the content returned by resources loaded through the src attribute.

2. Browser sandbox (Sandbox)

3. Malicious website blocking

II. Cross-site scripting (XSS) attacks

2.1 Types of XSS attack

2.1.1 Reflected XSS

The data the user submits is reflected straight back into the browser's page by the server. Because the payload is never stored, reflected XSS is also called non-persistent XSS (Non-persistent XSS).

Suppose a page outputs a parameter submitted by the user directly into the page.

Normally the data the user submits in param is simply displayed, for example:

http://www.a.com/test.php?param=this is a test

Viewing the source at this point shows:

this is a test

But if a piece of HTML code is submitted instead:

http://www.a.com/test.php?param=<script>alert(/xss/)</script>

the source now contains:

<script>alert(/xss/)</script>

and the browser executes it in the context of www.a.com, popping up the /xss/ dialog.
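The reflected page above, rebuilt as an added example that is not part of the original article: test.php is modelled as a plain function so the vulnerable and the hardened responses can be compared offline. The parameter name param and the two request URLs are the article's; renderVulnerable, renderSafe, htmlEncode and the helper names are chosen here.

```javascript
// Added example, not the article's code: a string-level model of the
// reflected-XSS page test.php from the text. The parameter name "param"
// and the two request URLs come from the article; the function names
// are chosen here.

// Vulnerable page: echoes the query parameter into the HTML body unchanged.
function renderVulnerable(param) {
  return "<html><body>" + param + "</body></html>";
}

// HTML-entity encoding for the HTML content context. With these five
// characters encoded, user text cannot end the text node or start a tag.
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Hardened page: the same output, but the untrusted value is encoded for
// the context it is written into.
function renderSafe(param) {
  return "<html><body>" + htmlEncode(param) + "</body></html>";
}

// Extract "param" the way the server would; URLSearchParams undoes the
// percent-encoding the browser applied to the URL.
function paramFromUrl(url) {
  return new URL(url).searchParams.get("param") || "";
}

// Does the response carry a script element the page author did not write?
// A crude detector, sufficient for this demonstration.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed inputs: the article's benign request and its attack request.
const benign = paramFromUrl(
  "http://www.a.com/test.php?param=this%20is%20a%20test");
const hostile = paramFromUrl(
  "http://www.a.com/test.php?param=%3Cscript%3Ealert(/xss/)%3C/script%3E");

console.log(renderVulnerable(hostile)); // script tag reflected verbatim
console.log(renderSafe(hostile));       // entities only, rendered as text
```

The benign request renders identically on both paths; only the hostile one differs, which is the point of context-aware output encoding: it changes nothing for legitimate data and neutralises the one case where the data would otherwise be parsed as markup.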

2.1.2 Stored XSS

Stored XSS saves the data the user submits on the server side.

A common scenario: an attacker writes a blog post containing malicious JavaScript. The malicious code is saved on the server, and from then on it runs in the browser of every user who views that post. Because the payload persists on the server, this type is also called persistent XSS (Persistent XSS).

2.1.3 DOM Based XSS

XSS that arises because the page's own script modifies DOM nodes using attacker-controlled data is called DOM Based XSS.

The code is as follows (the innerHTML call and the button's onclick handler were stripped by a sanitizer in this copy and are restored here from the description that follows):

<script>
function test() {
    var str = document.getElementById("text").value;
    document.getElementById("t").innerHTML = "<a href='" + str + "' >testlink</a>";
}
</script>
<div id="t"></div>
<input type="text" id="text" value="" />
<input type="button" id="s" value="write" onclick="test()" />

Normal input, for example www.a.com.

Click the write button: the page shows a testlink link pointing at www.a.com.

Abnormal input, constructed as follows:

' onclick=alert(/xss/) //

Click the write button: the page shows testlink, and clicking testlink pops up the /xss/ dialog.

Here the leading single quote closes the opening quote of href, an onclick event handler is then inserted, and the trailing // is intended to comment out the closing single quote that the script appends.

The same injection point can also be exploited by closing the <a> tag itself:

'>

after which a new tag of the attacker's choosing follows in the innerHTML string.

Test ")

This code finally outputs pop-up box 1, which is XSS***. The reason is that the first time you execute JavaScriptEscape, you only protect:

Var x = "$var"

But when [xss_clean] outputs the data to the Html page, the browser renders the page again. When the label is executed, x has been decoded, and when the climate runs again [xss_clean], its parameters become:

Href=' "'onclick= (alert (1)); / /'

The precaution is: first, when you output $var, you should execute JavaScriptEncode; once. Secondly, when you output [xss_clean] to the html page, you should look at it on a case-by-case basis: if you output to an event or script, you should do a JavaScriptEncode;. If you output to Html content or attributes, you should do a HTMLEncode.
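Both injection points above, the DOM XSS sink that builds <a href='...'> from user input and the double-output script, as one added example that is not part of the original article. It rebuilds the two sinks as plain string functions so the markup the browser would receive can be inspected offline, and it adds the caveat a reviewer would raise for href: attribute encoding alone does not stop a javascript: URL. The payloads are the article's; htmlEncode, jsEncode, decodeJsLiteral, buildLink* and renderPage* are names chosen here, and resolving relative input against http://www.a.com/ is an assumption of the example.

```javascript
// Added example, not the article's code: the two injection points the
// article discusses, rebuilt as plain string functions. The payloads are
// the article's; all function names here are chosen for this example.

// Encoder for HTML content and quoted attribute values (HtmlEncode).
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;").replace(/'/g, "&#x27;");
}

// Encoder for a JavaScript string literal (JavaScriptEncode): every
// character that is not a letter or digit becomes \xHH or \uHHHH, so the
// value can neither close the quote nor spell "</script>".
function jsEncode(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// 1. The DOM XSS sink from the article:
//    innerHTML = "<a href='" + str + "' >testlink</a>"
function buildLinkVulnerable(str) {
  return "<a href='" + str + "' >testlink</a>";
}

// Hardened sink. Attribute-encoding alone is not enough for href, because
// "javascript:alert(1)" is a perfectly well-formed attribute value; so the
// value is parsed as a URL and only http(s) is accepted. Relative input is
// resolved against the site's own origin (an assumption of this example).
function buildLinkSafe(str) {
  let url;
  try {
    url = new URL(str, "http://www.a.com/");
  } catch (e) {
    return "<a>testlink</a>";
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return "<a>testlink</a>";
  }
  return "<a href='" + htmlEncode(url.href) + "' >testlink</a>";
}

// 2. The double-output problem:
//    var x = "$var"; document.write("<a href='" + x + "' >test</a>");
// The JS engine decodes the string literal before document.write runs, so
// whatever jsEncode protected is raw again by the time it reaches HTML.
function decodeJsLiteral(literal) {
  // Only \xHH and \uHHHH escapes occur here; map \xHH onto JSON's \u00HH.
  return JSON.parse('"' + literal.replace(/\\x([0-9a-fA-F]{2})/g, "\\u00$1") + '"');
}

// Server side applied JavaScriptEncode once; client side writes x into HTML.
function renderPageVulnerable(varValue) {
  const literal = jsEncode(varValue);      // protects var x = "..." only
  const x = decodeJsLiteral(literal);      // what x holds at run time
  return "<a href='" + x + "' >test</a>";  // what document.write emits
}

// Fix from the article: encode again for the destination context. x lands
// in an HTML attribute, so HtmlEncode it at the document.write step.
function renderPageSafe(varValue) {
  const x = decodeJsLiteral(jsEncode(varValue));
  return "<a href='" + htmlEncode(x) + "' >test</a>";
}

// Constructed inputs: the article's DOM payload and its double-output payload.
const domPayload = "' onclick=alert(/xss/) //";
const doubleOutputPayload = "\"'onclick=(alert(1));//";

console.log(buildLinkVulnerable(domPayload));           // onclick smuggled into <a>
console.log(buildLinkSafe(domPayload));                 // no quote survives in href
console.log(renderPageVulnerable(doubleOutputPayload)); // href='"'onclick=...
console.log(renderPageSafe(doubleOutputPayload));       // entities only
```

An equivalent server-side fix is to emit jsEncode(htmlEncode($var)) into the literal, so that x already holds HTML-encoded text when document.write runs; either way the value must be encoded once per context it crosses, innermost context first.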
