I'm working on an eCommerce application that's using quite a bit of JavaScript and jQuery. Everything is checked server-side before anything is processed, but there has been a lot of news lately regarding web-based break-ins via JavaScript. I was just wondering what type of things I can do to reduce this threat and if there were any good websites that had information on this.
Thanks in advance!
Here is a good link to read about XSS: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
Basically, what a "hacker" is trying to do when they use XSS is get the user to think your site is asking them for something secure, when really the "hacker" is asking (by injecting script into your site) and is sending that data to somewhere unsecure. Comes in many flavors.
The usual prevention measures are to sanitize your data (so a "hacker" can't inject scripts via data entry). Basically, anything that is dynamically created or comes from users (even your own content people) should be encoded so that script, etc. cannot be executed.
Many people seem confused about the goals of XSS. If you think that your server and the data on it are the only thing to protect, you are wrong. XSS is often directed at the user, rather than the server; the "hacker" is trying to steal from the user, not the server (or its owners). Stealing from the user may in turn result in stealing from the server (got the user's credentials, now go buy stuff impersonating the user).
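The output-encoding step this answer describes, as an added example that is not part of the original post: an HTML-entity encoder covering the characters listed in the linked OWASP cheat sheet for HTML body context, plus a small render helper for a user-written product review. The names `escapeHtml`, `renderReview` and the sample review are assumptions for the example, not anything from the question's application.

```javascript
// Added example (not from the original post): encode untrusted data before it
// is placed into HTML, as the linked OWASP cheat sheet recommends.
// The character set follows the cheat sheet's rule for HTML body/attribute
// context: & < > " ' and / are replaced with entities.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Encode every character that could open or close a tag, attribute or entity.
// Non-string input (numbers, null) is stringified first so nothing is skipped.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Build a review snippet. The author and text fields come from users (or
// content staff) and are encoded on output; the fixed markup around them is
// trusted. Field names are assumed for this example.
function renderReview(review) {
  return (
    '<div class="review">' +
    '<span class="author">' + escapeHtml(review.author) + '</span>' +
    '<p>' + escapeHtml(review.text) + '</p>' +
    '</div>'
  );
}

// Constructed sample: a review body carrying a script tag. After encoding the
// browser displays the literal text instead of executing it.
const SAMPLE_REVIEW = {
  author: 'alice',
  text: '<script>alert("xss")</script>',
};

// Returns true when the rendered markup contains no live script element.
function rendersSafely(review) {
  return !/<script/i.test(renderReview(review));
}
```

In jQuery the same rule applies at the DOM level: put user data in with `.text()` rather than `.html()`, and encode it first if it must go through a string template.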
Check out Google Gruyere. It's a tutorial on a fake web site with a lot of security holes that you can exploit in order to better understand common security problems in web applications. It goes over XSS and other problems that can occur in JavaScript, as well as some server-side problems.