Javascript can be used as a tool for hackers to attack websites. Injecting malicious scripts by js (javascript) is one of the methods. So, let’s learn how to prevent js injection attacks? The following is a good statement, share with you:
What is a JavaScript injection attack?
Whenever you accept content input from a user and redisplay it, the website is vulnerable to JavaScript injection attacks. Let's look at a specific application that is vulnerable to JavaScript injection attacks. Suppose a customer feedback website has been created. Customers can visit the website and enter feedback information about the product. When a customer submits feedback, the feedback information is redisplayed on the feedback page.
Customer feedback website is a simple website. Unfortunately, this website is vulnerable to JavaScript injection attacks.
Suppose the following text is being entered into the customer feedback form:
<script>alert("Boo!")</script>
This text represents a JavaScript script that displays the warning message box. After someone submits this script to the customer feedback form, the message Boo! will show an attack when anyone visits the customer feedback website in the future. You may also think that others will not be able to destroy it through JavaScript injection attacks.
Now, your first reaction to JavaScript injection attacks may be to ignore them. You might think that JavaScript injection attacks are nothing more than harmless, and unfortunately, hackers do sabotage by injecting JavaScript into their websites. A JavaScript injection attack can be used to perform cross-site scripting (XSS) attacks. In a cross-site scripting attack, confidential user information can be stolen and sent to another website.
For example, hackers can use JavaScript injection attacks to steal cookies values from other users’ browsers. If sensitive information (such as passwords, credit card accounts, or social security numbers) is saved in browser cookies, hackers can steal it using JavaScript injection attacks. Alternatively, if the user enters sensitive information into the form field of the page and the page is compromised by a JavaScript attack, the hacker can use the injected JavaScript to get the form data and send it to another website.
Please pay great attention. Take JavaScript injection attacks seriously and protect users' confidential information. In the next two sections, we will discuss two techniques to prevent ASP.NET MVC applications from being attacked by JavaScript injection.
Method 1: HTML encoding in the view
An easy way to prevent JavaScript injection attacks is to encode data entered by any website user in HTML when redisplaying data in the view.
For example: <%=Html.Encode(feedback.Message)%>
What is the meaning of using HTML to encode a string? When using HTML to encode strings, dangerous characters such as < and > are replaced with HTML entities such as < and >. So, when the string <script>alert("Boo!")</script> is encoded using HTML, it will be converted to <script>alert("Boo!")</script>. The browser no longer executes JavaScript scripts when parsing encoded strings. Instead, it shows harmless pages
Method 2: HTML encoding before writing to the database
In addition to using HTML to encode data when displaying data in a view, you can also use HTML to encode data before submitting it to the database. The second method is exactly the case with the controller in Listing 4 of the program.
like:
public ActionResult Create(string message){// Add feedbackvar newFeedback = new Feedback();newFeedback.Message = Server.HtmlEncode(message);newFeedback.EntryDate = DateTime.Now;db.Feedbacks.InsertOnSubmit(newFeedback);db.SubmitChanges(); // Redirectreturn RedirectToAction("Index");}Note that the value of Message is HTML encoded in the Create() operation before submitting to the database. When a Message is redisplayed in the view, the Message is HTML encoded, so no JavaScript injected into the Message is performed.
Summarize
Often, people prefer to use the first method discussed in this tutorial and not the second method. The problem with the second approach is that HTML-encoded data will eventually be retained in the database. In other words, the data in the database will contain strange characters. What's the disadvantage of this? If you need to display database data in a form other than a web page, you will encounter problems. For example, data cannot be displayed easily in Windows Forms applications.
The above is all the content of this article. I hope it will be helpful to everyone's learning and I hope everyone will support Wulin.com more.