YEAR OF SECURITY FOR JAVA – WEEK 11 – X-XSS-PROTECTION

Reposted 2012-03-21 10:18:16
What is it and why should I care?
X-XSS-Protection is an HTTP response header that controls the XSS Filter built into Microsoft Internet Explorer (introduced in IE8). The filter is a browser-side defense against reflected XSS attacks in IE.


Note 1: This is not a “panacea” for XSS. There is no excuse for not developing your site in a secure manner to prevent XSS. This however is a protection offered by the browser itself (as opposed to an application), meant to protect the masses from the vast amount of XSS litter on the internet.
Note 2: Chrome and Safari (by way of WebKit's XSS Auditor) have a similar protection, and WebKit also honors this header, at least for disabling the auditor ("0") and for blocking mode. Firefox has no built-in reflected XSS filter; the NoScript extension provides one, and it does not use the X-XSS-Protection header as a controlling mechanism.


The protection works by looking for script-like content in the request (the URL and POST body) that shows up again, unchanged, in the response body, which is the signature of a reflected XSS attack being exploited. When it finds a match, the filter rewrites ("neuters") the matching characters in the response so the injected script does not execute. According to the docs, IE has the protection turned on by default for most security zones, including the Internet zone (which is the primary concern for most users), but not for the Local Intranet zone.
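To make concrete what the filter is matching, here is an added example (written for this edit, not code from the original article) of the pattern it targets: a Java servlet that echoes the "q" request parameter straight into the HTML body, beside the same servlet with HTML-encoding applied, which is the fix the article asks for in the first place. The class names, the "q" parameter and the small encodeForHtml helper are assumptions for the example; in a real application use a maintained encoder such as the OWASP Java Encoder or ESAPI rather than a hand-written one.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Constructed example (not from the original article).
 *
 * A request such as
 *   GET /search?q=<script>alert(1)</script>
 * to VulnerableSearchServlet reflects the script verbatim into the page.
 * That request-to-response match is exactly what IE's XSS Filter looks
 * for. EncodedSearchServlet is the real fix: the value is HTML-encoded
 * before it reaches the page, so no browser-side filter has to intervene.
 */
public class ReflectedSearch {

    /** Vulnerable: untrusted input is written straight into the HTML body. */
    public static class VulnerableSearchServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            String q = req.getParameter("q");          // attacker-controlled
            resp.setContentType("text/html; charset=UTF-8");
            PrintWriter out = resp.getWriter();
            out.println("<html><body>");
            out.println("<p>Results for: " + q + "</p>");   // reflected XSS
            out.println("</body></html>");
        }
    }

    /** Fixed: the same page, with the input encoded for the HTML body context. */
    public static class EncodedSearchServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            String q = req.getParameter("q");
            resp.setContentType("text/html; charset=UTF-8");
            PrintWriter out = resp.getWriter();
            out.println("<html><body>");
            out.println("<p>Results for: " + encodeForHtml(q) + "</p>");
            out.println("</body></html>");
        }
    }

    /**
     * Minimal HTML-body encoder, written here (assumption) so the example has
     * no dependencies. It escapes the characters that can break out of text
     * content or an attribute value; it is NOT suitable for JavaScript, URL
     * or CSS contexts, which need their own encoders.
     */
    static String encodeForHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Stand-alone check of the encoder with a constructed payload. */
    public static void main(String[] args) {
        String payload = "<script>alert(1)</script>";
        System.out.println("raw:     " + payload);
        System.out.println("encoded: " + encodeForHtml(payload));
    }
}
```

The servlets need a servlet container to run; the main method only exercises the encoder. Note that the filter in IE would rewrite the vulnerable servlet's response so the script does not run, but nothing about the application has been fixed, which is the point of Note 1 above.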


What should I do about it?
The first thing you should do is work towards resolving any and all XSS issues in your application. As a security minded developer, this is a must.


The recommendation for the use of this header is actually not so straightforward in my opinion. In general, the other HTTP headers I've described already in the series have had very little downside. The X-XSS-Protection header, however, has had some problems in the past. As far as I'm aware, the IE folks have done a good job of dealing with the known vulns, but I still have concerns, since some of those bugs were themselves security problems: the filter's rewriting of the response could be triggered on purpose to disable a site's own scripts, including defensive ones (see the references).


In general, I would recommend keeping the protection enabled, unless you are very sure you have XSS all cleaned up in your app. This comes with the caveat that you should at least put some thought into the use cases in your site first. Depending on your choice, here are the options you have available, and how you enable each of them in your application using the X-XSS-Protection HTTP header.


1. Enable the protection for all security zones in blocking mode. In blocking mode IE does not render the page at all when the filter detects an attack; the user sees a blank page with a notice that the attack has been blocked, rather than a page whose reflected script has been rewritten. This is the safest setting, because the known filter problems come from the rewriting done in the default mode, and blocking mode never rewrites:

    X-XSS-Protection: 1; mode=block

2. Enable the protection for all security zones (in the default, rewriting mode), including zones where the filter is off by default:

    X-XSS-Protection: 1

3. Leave the protection at the zone defaults:

    Do nothing (send no header).

4. Disable the protection entirely. I only recommend this in two cases: either you are positive that you have completely resolved XSS in your app, or you know of an issue in the XSS Filter itself that creates an additional vulnerability on your site:

    X-XSS-Protection: 0
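Here is one way to emit the header from a Java web application, as an added example rather than the article's own code: a servlet filter that sets X-XSS-Protection on every response, with the choice among the four options above driven by an init-param. The filter class name and the "mode" parameter name and values are assumptions made for this example.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Constructed example (not from the original article): adds the
 * X-XSS-Protection header to every response that passes through the filter.
 *
 * The "mode" init-param (an assumed name) selects one of the options above:
 *   block   -> X-XSS-Protection: 1; mode=block   (option 1, the default here)
 *   enable  -> X-XSS-Protection: 1               (option 2)
 *   default -> no header sent                    (option 3)
 *   disable -> X-XSS-Protection: 0               (option 4)
 */
public class XssProtectionHeaderFilter implements Filter {

    public static final String HEADER = "X-XSS-Protection";

    /** Header value to send, or null when no header should be sent. */
    private String headerValue;

    @Override
    public void init(FilterConfig config) throws ServletException {
        String mode = config.getInitParameter("mode");
        headerValue = headerValueFor(mode == null ? "block" : mode);
    }

    /** Maps a configured mode to the header value; null means "send nothing". */
    static String headerValueFor(String mode) throws ServletException {
        switch (mode.trim().toLowerCase()) {
            case "block":   return "1; mode=block";
            case "enable":  return "1";
            case "default": return null;
            case "disable": return "0";
            default:
                // Fail closed at startup rather than silently sending nothing.
                throw new ServletException("Unknown X-XSS-Protection mode: " + mode);
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (headerValue != null && response instanceof HttpServletResponse) {
            // Set the header before the chain writes the body: once the
            // response is committed, header changes are ignored.
            ((HttpServletResponse) response).setHeader(HEADER, headerValue);
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Register the filter in web.xml (or with a servlet 3.0 @WebFilter annotation) with a url-pattern of /* so it runs ahead of everything else in the chain; it is harmless on non-HTML responses, so there is no need to special-case them. Setting the header on every response, rather than from individual pages, avoids the easy mistake of forgetting it on exactly the page that turns out to reflect input.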
The protection provided by the X-XSS-Protection header is not complete, but it does raise the bar against attackers and helps protect users. While there have certainly been some implementation issues, the fact that all the major browsers have some implementation of reflected XSS protection, natively or via an extension, shows the importance of this issue. Be prudent in implementation, but certainly do everything you can to help your users be safe.


References
----------
http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx
http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx
http://blogs.msdn.com/b/mikeormond/archive/2009/01/26/ie8-cross-site-scripting-xss-protection.aspx
http://msdn.microsoft.com/en-us/library/dd565647(v=vs.85).aspx
http://michael-coates.blogspot.com/2009/07/ie-8-anti-xss-bit-overblown.html
http://jeremiahgrossman.blogspot.com/2010/01/to-disable-ie8s-xss-filter-or-not.html
http://www.jtmelton.com/2009/01/12/the-owasp-top-ten-and-esapi-part-2-cross-site-scripting-xss/
http://michael-coates.blogspot.com/2009/11/ie8-xss-filter-bug.html
http://xforce.iss.net/xforce/xfdb/47442
http://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities/
http://www.theregister.co.uk/2009/11/20/internet_explorer_security_flaw/
