
Cross-site script injection attacks

In a cross-site scripting (XSS) attack, an attacker injects malicious code into a legitimate Web page, which then runs a malicious script on the client side. When a user visits an infected page, the script is downloaded to the user's browser and executed there. This scheme has many varieties. A malicious script could access browser cookies, session tokens, or other sensitive information stored in the browser. However, all attacks operate according to the scheme shown in Figure 1.

Figure 1. Typical XSS attack

XSS vulnerabilities

In a typical XSS attack, the attacker finds a way to inject a string into the server's Web page. Let's say an attacker injected the following line into a Web page: <script>alert("you are under attack")</script>. Every time a user visits this page, their browser downloads this script and runs it along with the rest of the page's content. In this case, as a result of running the script, the user will see a pop-up window with the text "you are under attack."

Consequences of XSS

If an attacker was able to exploit an XSS vulnerability in a Web application, they could inject script into the page that would provide access to user account information. In this case, the attacker can perform many malicious actions, for example:

  • steal an account;
  • spread viruses;
  • access your browsing history and clipboard contents;
  • gain the ability to remotely control the browser;
  • scan and use hardware and software resources and applications on the internal network.

Preventing XSS attacks

To prevent XSS attacks, the application must encode the page output before delivering it to the end user. When the output is encoded, the characters that make up HTML markup are replaced with alternative representations, HTML entities. The browser displays these entities as text but does not execute them. For example, < is converted to &lt;.

Table 1 shows the entity names for some common HTML characters.

Table 1. Entity names for HTML characters

Result   Description            Entity name   Entity number
(space)  Non-breaking space     &nbsp;        &#160;
<        Less than              &lt;          &#60;
>        Greater than           &gt;          &#62;
&        Ampersand              &amp;         &#38;
¢        Cent                   &cent;        &#162;
£        Pound                  &pound;       &#163;
¥        Yen                    &yen;         &#165;
€        Euro                   &euro;        &#8364;
§        Section sign           &sect;        &#167;
©        Copyright              &copy;        &#169;
®        Registered trademark   &reg;         &#174;
™        Trademark              &trade;       &#8482;

When the browser encounters the entities, it converts them back to the original characters and displays them, but it does not execute them. For example, if an attacker inserts the string <script>alert("you are under attack")</script> into a variable field on the server's Web page, then with the described strategy the server will return the string &lt;script&gt;alert(&quot;you are under attack&quot;)&lt;/script&gt;.

When the browser receives the encoded script, it converts it back to <script>alert("you are under attack")</script> for display and shows it as text within the Web page, but does not run it.

Adding HTML Encoding to a Server-Side Java Application

To prevent malicious script code from being rendered along with the page, your application must encode all string variables before they are rendered on the page. Encoding simply involves converting each special character into the corresponding HTML entity name, as shown in the Java code in Listing 1.

Listing 1. Converting characters to HTML entity names

import java.io.IOException;
import java.io.StringWriter;
import java.io.Writer;
import java.util.HashMap;

public class EscapeUtils {
    // Decimal character value -> HTML entity name.
    public static final HashMap<Integer, String> m = new HashMap<Integer, String>();
    static {
        m.put(34, "&quot;"); // " - double quote
        m.put(60, "&lt;");   // < - less than
        m.put(62, "&gt;");   // > - greater than
        // The user must map all HTML entities to the corresponding decimal values.
        // Entity mappings to decimal values are shown in Table 2 below.
    }

    public static String escapeHtml() {
        String str = "<script>alert(\"abc\")</script>";
        try {
            StringWriter writer = new StringWriter((int) (str.length() * 1.5));
            escape(writer, str);
            System.out.println("encoded string is " + writer.toString());
            return writer.toString();
        } catch (IOException ioe) {
            ioe.printStackTrace();
        }
        return null;
    }

    public static void escape(Writer writer, String str) throws IOException {
        int len = str.length();
        for (int i = 0; i < len; i++) {
            char c = str.charAt(i);
            int ascii = (int) c;
            String entityName = m.get(ascii);
            if (entityName == null) {
                if (c > 0x7F) {
                    // No named entity: emit a decimal numeric entity for non-ASCII characters
                    writer.write("&#");
                    writer.write(Integer.toString(c, 10));
                    writer.write(";");
                } else {
                    writer.write(c);
                }
            } else {
                writer.write(entityName);
            }
        }
    }
}

The Java code in Listing 1 encodes the HTML string "<script>alert(\"abc\")</script>". Use the following procedure:

As a result, the following line will appear in the output: &lt;script&gt;alert(&quot;abc&quot;)&lt;/script&gt;.

Table 2 shows the mapping of HTML entities to their decimal values.

Table 2. HTML entity decimal values

Decimal value   Entity   Description
160             &nbsp;   Non-breaking space
60              &lt;     Less than
62              &gt;     Greater than
38              &amp;    Ampersand
162             &cent;   Cent
163             &pound;  Pound
165             &yen;    Yen
8364            &euro;   Euro
167             &sect;   Section sign
169             &copy;   Copyright
174             &reg;    Registered trademark
8482            &trade;  Trademark
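As an added example (not code from the page's Listing 1, and not from any library), the following Python script re-implements the encoding rule of Listing 1 with the full entity mapping from Tables 1 and 2, and shows the effect on a page fragment: the payload string from the text is rendered once raw and once encoded, and a round trip through the browser-side decoding confirms that encoding changes how the characters are interpreted, not what is displayed. The names escape_html, render_greeting, browser_would_execute and round_trips, and the PAYLOAD constant, are this example's own.

```python
import html

# Named entities from Tables 1 and 2 (decimal code point -> entity name),
# plus the double quote that Listing 1 maps as well.
ENTITY_NAMES = {
    34: "&quot;", 38: "&amp;", 60: "&lt;", 62: "&gt;",
    160: "&nbsp;", 162: "&cent;", 163: "&pound;", 165: "&yen;",
    167: "&sect;", 169: "&copy;", 174: "&reg;", 8364: "&euro;", 8482: "&trade;",
}


def escape_html(text: str) -> str:
    """Encode text the way Listing 1 does: a named entity where one is known,
    a decimal numeric entity for any other non-ASCII character, and plain
    ASCII characters copied unchanged."""
    out = []
    for ch in text:
        cp = ord(ch)
        name = ENTITY_NAMES.get(cp)
        if name is not None:
            out.append(name)
        elif cp > 0x7F:
            out.append(f"&#{cp};")
        else:
            out.append(ch)
    return "".join(out)


def render_greeting(user_name: str, encode: bool) -> str:
    """Build the page fragment the server would send. With encode=False the
    user-supplied string is pasted straight into the markup (the vulnerable
    pattern); with encode=True it passes through escape_html first."""
    value = escape_html(user_name) if encode else user_name
    return f"<p>Hello, {value}!</p>"


def browser_would_execute(markup: str) -> bool:
    """Crude stand-in for the browser's parser: a script element exists only
    if a literal '<script' tag survives in the markup. '&lt;script' is text."""
    return "<script" in markup.lower()


def round_trips(text: str) -> bool:
    """The browser decodes entities back to the original characters for
    display, so encoding must be lossless."""
    return html.unescape(escape_html(text)) == text


# Constructed test input: the payload used in the text above.
PAYLOAD = '<script>alert("you are under attack")</script>'

if __name__ == "__main__":
    print(render_greeting(PAYLOAD, encode=False))  # script tag reaches the browser
    print(render_greeting(PAYLOAD, encode=True))   # only entities reach the browser
    print(round_trips(PAYLOAD))
```

Every value that comes from a request (query parameters, form fields, cookies, headers) goes through the encoding step before it is concatenated into markup; the numeric-entity branch matters for non-ASCII input that has no named entity.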
Conclusion

Cross-site script injection is one of the most common methods of attacking a user's computer. However, you can significantly reduce an attacker's ability to infect your Web application with malicious code. When building your application, be careful to encode all page output values before sending them to the end user's browser.

After receiving and interpreting a request message, a server responds with an HTTP response message:

  • A Status-line
  • Zero or more header (General|Response|Entity) fields followed by CRLF
  • An empty line (i.e., a line with nothing preceding the CRLF) indicating the end of the header fields
  • Optionally a message-body

The following sections explain each of the entities used in an HTTP response message.

Message Status-Line

A Status-Line consists of the protocol version followed by a numeric status code and its associated textual phrase. The elements are separated by space (SP) characters.

Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF

HTTP Version

A server supporting HTTP version 1.1 will return the following version information:

HTTP-Version = HTTP/1.1

Status Code

The Status-Code element is a 3-digit integer where the first digit of the Status-Code defines the class of response and the last two digits do not have any categorization role. There are 5 values for the first digit:

  • 1xx: Informational. The request was received and the process is continuing.
  • 2xx: Success. The action was successfully received, understood, and accepted.
  • 3xx: Redirection. Further action must be taken in order to complete the request.
  • 4xx: Client Error. The request contains incorrect syntax or cannot be fulfilled.
  • 5xx: Server Error. The server failed to fulfill an apparently valid request.

HTTP status codes are extensible and HTTP applications are not required to understand the meaning of all registered status codes. A list of all the status codes has been given in a separate chapter for your reference.

Response Header Fields

We will study General-header and Entity-header fields in a separate chapter on HTTP header fields. For now, let's look at what the Response header fields are.

The response-header fields allow the server to pass additional information about the response which cannot be placed in the Status-Line. These header fields give information about the server and about further access to the resource identified by the Request-URI.

  • Proxy-Authenticate

  • WWW-Authenticate

You can introduce your own custom fields if you are writing your own custom Web client and server.

Examples of Response Message

Now let's put it all together to form an HTTP response for a request to fetch the hello.htm page from the Web server running on the site:

HTTP/1.1 200 OK
Date: Mon, 27 Jul 2009 12:28:53 GMT
Server: Apache/2.2.14 (Win32)
Last-Modified: Wed, 22 Jul 2009 19:15:56 GMT
Content-Length: 88
Content-Type: text/html
Connection: Closed

Hello, World!

The following example shows an HTTP response message for the error condition in which the Web server could not find the requested page:

HTTP/1.1 404 Not Found
Date: Sun, 18 Oct 2012 10:36:20 GMT
Server: Apache/2.2.14 (Win32)
Content-Length: 230
Connection: Closed
Content-Type: text/html; charset=iso-8859-1

404 Not Found
Not Found
The requested URL /t.html was not found on this server.

The following is an example of an HTTP response message for the error condition in which the Web server encountered a wrong HTTP version in the HTTP request:

HTTP/1.1 400 Bad Request
Date: Sun, 18 Oct 2012 10:36:20 GMT
Server: Apache/2.2.14 (Win32)
Content-Length: 230
Content-Type: text/html; charset=iso-8859-1
Connection: Closed

400 Bad Request
Bad Request
Your browser sent a request that this server could not understand.
The request line contained invalid characters following the protocol string.
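As an added example (not part of the original tutorial), the following Python code parses a raw response into the four parts listed above, validates the Status-Line against the HTTP-Version SP Status-Code SP Reason-Phrase grammar, classifies the code by its first digit, and refuses a response whose declared Content-Length does not match the body it actually received. The sample responses OK_RESPONSE and NOT_FOUND are constructed here after the page's examples (with Content-Length computed from the real body rather than copied), and the function and class names are the example's own.

```python
import re

# Status-code classes from the list above (first digit -> class).
STATUS_CLASSES = {
    "1": "Informational", "2": "Success", "3": "Redirection",
    "4": "Client Error", "5": "Server Error",
}
# Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase
STATUS_LINE = re.compile(r"^(HTTP/\d\.\d) (\d{3}) (.*)$")


class MalformedResponse(ValueError):
    """Raised when the bytes do not form a well-formed HTTP response."""


def parse_response(raw: bytes) -> dict:
    """Split a raw response into Status-Line, header fields and message-body.

    The header block ends at the first empty line (CRLF CRLF); everything
    after it is the body. A Content-Length that disagrees with the body is
    reported as malformed instead of being trusted.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise MalformedResponse("no empty line terminating the header fields")
    lines = head.decode("iso-8859-1").split("\r\n")
    m = STATUS_LINE.match(lines[0])
    if not m:
        raise MalformedResponse(f"bad Status-Line: {lines[0]!r}")
    version, code, reason = m.groups()
    status_class = STATUS_CLASSES.get(code[0])
    if status_class is None:
        raise MalformedResponse(f"status code {code} is outside classes 1xx-5xx")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise MalformedResponse(f"bad header field: {line!r}")
        headers[name.strip().lower()] = value.strip()  # field names are case-insensitive
    if "content-length" in headers:
        try:
            declared = int(headers["content-length"])
        except ValueError:
            raise MalformedResponse("Content-Length is not an integer")
        if declared != len(body):
            raise MalformedResponse(f"Content-Length {declared} but body has {len(body)} bytes")
    return {"version": version, "status": int(code), "reason": reason,
            "class": status_class, "headers": headers, "body": body}


def is_well_formed(raw: bytes) -> bool:
    try:
        parse_response(raw)
        return True
    except MalformedResponse:
        return False


# Constructed sample responses modelled on the page's examples.
OK_BODY = b"Hello, World!"
OK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 27 Jul 2009 12:28:53 GMT\r\n"
    b"Server: Apache/2.2.14 (Win32)\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: " + str(len(OK_BODY)).encode() + b"\r\n"
    b"Connection: close\r\n"
    b"\r\n" + OK_BODY
)
NOT_FOUND_BODY = b"The requested URL /t.html was not found on this server."
NOT_FOUND = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Date: Sun, 18 Oct 2012 10:36:20 GMT\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"Content-Length: " + str(len(NOT_FOUND_BODY)).encode() + b"\r\n"
    b"\r\n" + NOT_FOUND_BODY
)

if __name__ == "__main__":
    for sample in (OK_RESPONSE, NOT_FOUND):
        r = parse_response(sample)
        print(r["version"], r["status"], r["reason"], "->", r["class"], r["headers"])
    print("truncated response accepted:", is_well_formed(OK_RESPONSE[:-3]))
```

The strict Content-Length check is the part a client library most often gets wrong: silently accepting a short body turns a dropped connection into a seemingly complete (but truncated) document.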

The Response object is a very useful and powerful tool. Its collections, methods, and properties are described below.

Response.Cookies collection

The Cookies collection sets values for cookies. If the specified cookie does not exist, it is created. If the cookie exists, it takes on the new value and the old one is destroyed.

Response.Cookies(cookie)[(key) | .attribute] = value

Options:

  • cookie - Cookie name.
  • key - Optional parameter. If specified, the cookie is a dictionary (nested) cookie and key is one of its named sub-values.
  • attributes - Information about the cookie itself. This parameter can be one of the following:
  • value - The value to be assigned to this key or attribute.

Name      Description
Domain    Write-only. If specified, the cookie is sent only with requests to this domain.
Expires   Write-only. The date on which the cookie expires. This date must be set for the cookie to be written to the client's hard drive after the session ends. If this attribute is not set, the cookie's expiration date is taken to be the current date, and the cookie expires as soon as the session ends.
HasKey    Read-only. Indicates whether the cookie contains the given key.
Path      Write-only. If specified, the cookie is sent only with requests for this path. If the parameter is not set, the application's path is used.
Secure    Write-only. Indicates whether the cookie is sent only over a secure (HTTPS) connection.

Comment:

If the key cookie is created as shown in the following script,

then the following header will be sent:

Set-Cookie:MYCOOKIE=TYPE1=sugar&TYPE2=cookies

If you assign a value to mycookie without using keys, then this action will destroy the type1 and type2 keys. Eg:

In the previous example, the keys type1 and type2 will be destroyed and their values will be lost. Mycookie will now contain the value chocolate marshmallow.

You can also check the existence of a specific key in the following way:

If TRUE is displayed, then such a key exists; if FALSE, it does not.
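The Set-Cookie mechanics described above, as an added Python model that is not ASP code and not part of the original page: ResponseCookie mirrors one entry of the Response.Cookies collection, set_key and set_value reproduce the rule that assigning a plain value destroys the keys, has_key stands in for HasKey, and header() renders the Set-Cookie line with the Domain, Expires (RFC 1123 date in GMT), Path and Secure attributes. The class and method names, the example_headers helper and the SESSION cookie value are constructed for this example.

```python
from datetime import datetime, timezone
from email.utils import format_datetime


class ResponseCookie:
    """One entry of the Response.Cookies collection: a plain value or a
    dictionary of keys, plus the Domain, Expires, Path and Secure attributes
    from the attribute table above."""

    def __init__(self, name: str):
        self.name = name
        self.value = None        # plain value (used when there are no keys)
        self.keys = {}           # key -> value for a dictionary cookie
        self.domain = None
        self.path = None
        self.expires = None      # timezone-aware datetime, or None for a session cookie
        self.secure = False

    def set_key(self, key: str, value: str) -> None:
        # Assigning a key makes this a dictionary cookie; any plain value is discarded.
        self.value = None
        self.keys[key] = value

    def set_value(self, value: str) -> None:
        # Assigning a plain value destroys all existing keys, as the text above describes.
        self.keys.clear()
        self.value = value

    def has_key(self, key: str) -> bool:
        # Equivalent of the read-only HasKey attribute.
        return key in self.keys

    def is_session_cookie(self) -> bool:
        # Without Expires the cookie lives only until the browser session ends.
        return self.expires is None

    def header(self) -> str:
        """Render the Set-Cookie header the server would emit."""
        if self.keys:
            body = "&".join(f"{k}={v}" for k, v in self.keys.items())
        else:
            body = self.value or ""
        parts = [f"{self.name}={body}"]
        if self.expires is not None:
            # Expires must be an RFC 1123 date in GMT; convert whatever zone was given.
            gmt = self.expires.astimezone(timezone.utc)
            parts.append("expires=" + format_datetime(gmt, usegmt=True))
        if self.domain:
            parts.append(f"domain={self.domain}")
        if self.path:
            parts.append(f"path={self.path}")
        if self.secure:
            parts.append("secure")
        return "Set-Cookie: " + "; ".join(parts)


def example_headers() -> list:
    """Reproduce the MYCOOKIE walkthrough from the text, then a Secure cookie."""
    c = ResponseCookie("MYCOOKIE")
    c.set_key("TYPE1", "sugar")
    c.set_key("TYPE2", "cookies")
    first = c.header()
    c.set_value("chocolate marshmallow")   # destroys TYPE1 and TYPE2
    second = c.header()
    s = ResponseCookie("SESSION")
    s.set_value("abc123")                  # constructed placeholder token
    s.path = "/app"
    s.secure = True
    s.expires = datetime(2009, 7, 27, 12, 28, 53, tzinfo=timezone.utc)
    return [first, second, s.header()]


if __name__ == "__main__":
    for h in example_headers():
        print(h)
```

For a cookie carrying a session token the two attributes worth checking before the response leaves the server are Secure (otherwise the browser also sends the cookie over plain HTTP) and Expires (absent, the cookie is discarded when the browser session ends, which is the default the page describes).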

Response.Write method

Response.Write variable_or_value

Options:

  • variable_or_value - Data to be displayed on the browser screen via HTML. This parameter can be of any type supported by VisualBasic Scripting Edition. That is, the data can be of the following types: date, string, character, numeric values. The value of this parameter cannot contain the combination %>. Instead, you can use the equivalent combination %\>. The web server will convert this sequence into the required one when the script is executed.

The following example shows how the Response.Write method outputs a message to the client.

I'll just tell you: And your name

The following example adds an HTML tag to a web page. Since this method cannot contain the combination %>, we use the sequence %\>. So an example script:

The output will be the line:

Response.Redirect method

Response.Redirect URL

Options:

  • URL - Uniform Resource Locator. It specifies where the browser is to be redirected.

Comment:

Any occurrence of this method between the <BODY> and </BODY> tags of the Web page will be ignored; the method can only be used in the head of an HTML page. It sends the browser a header of the following form, where URL is the value of the method's parameter:

HTTP/1.0 302 Object Moved
Location: URL

Response.End method

Response.End

Comment:

If the Response.Buffer property was set to TRUE, then calling the Response.End method will clear the buffer, pushing data out of it to the client. If you don't want to output data to the user, you should call the following method:

Response.AddHeader method

The AddHeader method adds an HTTP header with the specified name and value. It always adds a new header to the response to the client browser and never replaces an existing header of the same name. An added header cannot be removed.

This method is used only for “advanced” tasks.

Response.AddHeader variable_name, value

Options:

  • variable_name - The name of the new HTTP header.
  • value - The value to be stored in the header.

Notes:

For the method to work correctly, variable_name must not contain the underscore character (_). The ServerVariables collection interprets an underscore as a dash in the header name. As an example, the following script makes the server look up a header named MY-HEADER.

Since the HTTP protocol requires all headers to be sent before the body of the HTML page, you must call AddHeader in your script before the page output begins. There is one exception: if the Buffer property is set to true, you can call AddHeader anywhere in the script, but before the first call to the Flush method. Otherwise, calling AddHeader will raise an error.

The following two .ASP files demonstrate this last point.

your text on the page

In this example, the page is not buffered. The script works because AddHeader is called before the server sends any HTML output to the client.

here is some information from your page...

In the second example, the page is buffered and, as a result, the server does not output text to the client until the script itself ends or the Flush method is encountered. You can use this method to send multiple copies of some header parameter with different values, as with the WWW-Authenticate header.

Response.AppendToLog method

The AppendToLog method adds a line to the end of the report file (log-file) of the web server. You can call this method as many times as you need. Each time you call the method, the string you specify will be written to the server report file.

Response.AppendToLog value

Options:

  • value - Text that will be added to the web server report file. This string cannot contain the comma character (,). Moreover, the total length of the added line should not exceed 80 characters.
Notes:

To use this feature, you must have the URI Query option enabled in the "Advanced Logging Properties" panel for this web server in IIS.

Response.BinaryWrite method

The BinaryWrite method allows you to write specified information to the current HTTP output without any character conversion. This method is useful for outputting non-string information, such as binary data required by an application.

Response.BinaryWrite data

Options:

  • data - Data intended for HTTP output.

If you have an object that produces a byte array, you can use the following call to this method to pass that array to some application running on the client machine.

Response.Clear method

The Clear method erases all buffered HTML output. However, this method does not erase the buffer information associated with the header. You can use this method to manage errors. However, executing this method will result in an error if the Response.Buffer property is not true.

Response.CacheControl property

This property overrides the default value of the Cache-Control header, which is Private. When you set the property to Public, a proxy server can cache the output generated by ASP.

Response.CacheControl [= cache control header]

Options:

  • Cache control header - This header control option can be either Public or Private.

Response.CharSet property

The CharSet property lets you add the name of a character set (for example, WINDOWS-1251) to the Content-Type line of the HTTP header.

Response.CharSet charset_name

Options:

  • charset_name - A string naming the character set for this HTML page. This name is appended to the "content-type" header of the HTML file.

For an ASP page that does not use the Response.Charset property, the "content-type" parameter in the header will be as follows:

Content-type:text/html

If the ASP file contains the command

then in the header the content-type field will look like

Content-type:text/html; charset=Windows-1251

Comment:

This property inserts whatever string it is given into the header and does not check its validity.

If a page contains several Response.Charset statements, each subsequent one replaces the previous value with its own.

Response.ContentType property

The ContentType property lets you specify the MIME type of the HTML file's content. If this property is not used, text/html is assumed by default.

Response.ContentType [=content_type]

Options:

  • content_type - A string describing the content type. It usually takes the form "type/subtype", where type is the general category of the content and subtype is the specific kind of content. For a complete list of supported types, refer to your browser documentation or the HTTP specification.

The following example illustrates setting the content type to Channel Definition Format (Push Channels).

The second example demonstrates setting a property to the most commonly known values.

Response.Expires property

The Expires property specifies the period of time until the HTML page cached by the browser is considered not to have expired (storage period). If a user requests a cached page from the browser that has not expired, the browser returns it directly from its cache.

Response.Expires [=number]

Options:

  • number - The amount of time in minutes before the page is considered "overdue". Setting this value to 0 causes the given page to become "expired" immediately.

Comment:

If this property is set more than once on a page, the smallest value is used.

Response.ExpiresAbsolute property

The ExpiresAbsolute property specifies the date and time after which the HTML page cached by the browser is considered expired (its retention period has ended). If a user requests a cached page that has not yet expired, the browser returns it directly from its cache. If a date is given without a time, the page expires at midnight of that day. If a time is given without a date, it expires at that time on the day the script runs.

Response.ExpiresAbsolute [= [date] [time]]

Options:

  • date - Indicates the expiration date of the "shelf life". The date format must comply with the RFC-1123 standard.
  • time - Indicates the time when the page expires. This value is converted to GMT (Greenwich Mean Time) format before the header is sent to the client.

Comment:

If a given property is defined more than once on a page, then the expiration time of the "storage period" is taken to be the earliest of all specified values.

Response.IsClientConnected property

This property is read-only, meaning no values can be assigned to it. It indicates whether the client is still connected to the server, or has disconnected, since the last Response.Write.

Response.IsClientConnected()

Comment:

This property lets you determine whether the user is still connected to the server or has disconnected. For example, if a long time has passed between the client's request and the server's response, checking this property confirms that the client is still connected and that it makes sense to continue executing the script.