开发者

How to ensure website security checks

How to safe gaurd a form against script injection attacks. This is one of the most used form开发者_StackOverflow of attacks in which attacker attempts to inject a JS script through form field. The validation for this case must check for special characters in the form fields. Look for suggestions, recommedations at internet/jquery etc for permissible characters & character masking validation JS codes.


You can use the HTML Purifier (in case you are under PHP or you might have other options for the language you are under) to avoid XSS (cross-site-scripting) attacks to great level but remember no solution is perfect or 100% reliable. This should help you and always remember server-side validation is always best rather than relying on javascript which bad guys can bypass easily disabling javascript.

For SQL Injection, you need to escape invalid characters from queries that can be used to manipulate or inject your queries and use type-casting for all your values that you want to insert into the database.

See the Security Guide for more security risks and how to avoid them. Note that even if you are not using PHP, the basic ideas for the security are same and this should get you in a better position about security considerations.


If you output user controlled input in html context then you could follow what others and sanitize when processing input (html purify, custom input validation) and/or html encode the values before output.

Cases when htmlencodng/strip tags (no tags needed) is not sufficient:

  1. user input appears in attributes then it depends on whether you always (double) quote attributes or not (bad)
  2. used in on* handlers (such as onload="..), then html encoding is not sufficient since the javascript parser is called after html decode.
  3. appears in javascript section - depends on whether this is in quoted (htmlentity encode not sufficient) or unquoted region (very bad).
  4. is returned as json which may be eval'ed. javascript escape required.
  5. appears in CSS - css escape is different and css allows javascript (expression)

Also, these do not account for browser flaws such as incomplete UTF-8 sequence exploit, content-type sniffing exploits (UTF-7 flaw), etc.

Of course you also have to treat data to protect against other attacks (SQL or command injection).


Probably the best reference for this is at the OWASP XSS Prevention Cheat Sheet


ASP.NET has a feature called Request Validation that will prevent unencoded HTML from being processed by the server. For extra protection, one can use the AntiXSS library.


you can prevent script injection by encoding html content like

Server.HtmlEncode(input)


There is the OWASP EASPI too.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜