Description of the Response object
Cross-site script injection attacks

In a cross-site scripting (XSS) attack, an attacker injects malicious code into a legitimate Web page, and that code then runs as a script on the client side. When a user visits the infected page, the script is downloaded to the user's browser and executed there. The scheme has many varieties: a malicious script could read browser cookies, session tokens, or other sensitive information stored in the browser. However, all such attacks follow the pattern shown in Figure 1.
Figure 1. Typical XSS attack

![Typical XSS attack](https://i1.wp.com/ibm.com/developerworks/ru/library/se-prevent/image001.gif)
In a typical XSS attack, the attacker finds a way to inject a string into a Web page served by the server. Suppose the attacker injected the following line into a Web page: `<script>alert("you are under attack")</script>`. Every time a user visits this page, their browser downloads this script and runs it along with the rest of the page's content. In this case the user sees a pop-up window with the text "you are under attack".
Consequences of XSS

If an attacker is able to exploit an XSS vulnerability in a Web application, they can inject a script into the page that gives them access to the user's account information. The attacker can then perform many malicious actions, for example:
- steal an account;
- spread viruses;
- access your browsing history and clipboard contents;
- gain the ability to remotely control the browser;
- scan and use hardware and software resources and applications on the internal network.
To prevent XSS attacks, the application must encode the page output before delivering it to the end user. When the output is encoded, the characters that make up HTML markup are replaced with alternative representations called entities. The browser displays these entities as the characters they stand for but does not interpret them as markup. For example, `<` is converted to `&lt;`.
Table 1 shows the object names for some common HTML characters.
Table 1. Entity names for HTML characters

| Character | Description | Entity name | Entity number |
|---|---|---|---|
| (blank) | Non-breaking space | `&nbsp;` | `&#160;` |
| < | Less than | `&lt;` | `&#60;` |
| > | Greater than | `&gt;` | `&#62;` |
| & | Ampersand | `&amp;` | `&#38;` |
| ¢ | Cent | `&cent;` | `&#162;` |
| £ | Pound | `&pound;` | `&#163;` |
| ¥ | Yen | `&yen;` | `&#165;` |
| € | Euro | `&euro;` | `&#8364;` |
| § | Section sign | `&sect;` | `&#167;` |
| © | Copyright | `&copy;` | `&#169;` |
| ® | Registered trademark | `&reg;` | `&#174;` |
| ™ | Trademark | `&trade;` | `&#8482;` |
When the browser encounters the entities, it converts them back to the characters they represent and displays them, but it does not execute them. For example, if an attacker inserts the string `<script>alert("you are under attack")</script>` into a variable field on the server's Web page, then with the strategy described above the server returns the string `&lt;script&gt;alert("you are under attack")&lt;/script&gt;`.

When the browser downloads the encoded script, it converts it back to `<script>alert("you are under attack")</script>` and displays that text as part of the Web page, but does not run it.
Adding HTML encoding to a server-side Java application

To prevent malicious script code from being rendered along with the page, your application must encode all string variables before they are rendered into the page. Encoding simply means converting each special character into the corresponding HTML entity name, as shown in the Java code in Listing 1.
Listing 1. Converting characters to HTML entity names

```java
import java.io.IOException;
import java.io.StringWriter;
import java.io.Writer;
import java.util.HashMap;
import java.util.Map;

public class EscapeUtils {
    // Decimal code point -> HTML entity name.
    // The user must map every HTML entity to its decimal value;
    // the mapping is shown in Table 2 below.
    public static final Map<Integer, String> m = new HashMap<>();

    static {
        m.put(34, "&quot;"); // " - double quote
        m.put(60, "&lt;");   // < - less than
        m.put(62, "&gt;");   // > - greater than
    }

    public static String escapeHtml() {
        String str = "<script>alert(\"abc\")</script>";
        try {
            StringWriter writer = new StringWriter((int) (str.length() * 1.5));
            escape(writer, str);
            System.out.println("encoded string is " + writer.toString());
            return writer.toString();
        } catch (IOException ioe) {
            ioe.printStackTrace();
        }
        return null;
    }

    public static void escape(Writer writer, String str) throws IOException {
        int len = str.length();
        for (int i = 0; i < len; i++) {
            char c = str.charAt(i);
            int ascii = (int) c;
            String entityName = m.get(ascii);
            if (entityName == null) {
                if (c > 0x7F) {
                    // Characters outside ASCII become numeric entities: &#NNN;
                    writer.write("&#");
                    writer.write(Integer.toString(c, 10));
                    writer.write(";");
                } else {
                    writer.write(c);
                }
            } else {
                writer.write(entityName);
            }
        }
    }
}
```

The Java code in Listing 1 encodes the HTML string `<script>alert("abc")</script>`. Use the following procedure:
As a result, the following line appears in the output: `&lt;script&gt;alert(&quot;abc&quot;)&lt;/script&gt;`.
Table 2 shows the mapping of HTML objects to their decimal values.
Table 2. Decimal values of HTML entities

| Decimal value | Character | Description |
|---|---|---|
| 160 | (blank) | Non-breaking space |
| 60 | < | Less than |
| 62 | > | Greater than |
| 38 | & | Ampersand |
| 162 | ¢ | Cent |
| 163 | £ | Pound |
| 165 | ¥ | Yen |
| 8364 | € | Euro |
| 167 | § | Section sign |
| 169 | © | Copyright |
| 174 | ® | Registered trademark |
| 8482 | ™ | Trademark |
Cross-site script injection is one of the most common methods of attacking a user's computer. However, you can significantly reduce an attacker's ability to plant malicious code in your Web application. When building your application, take care to encode all page output values before sending them to the end user's browser.
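As an added example (not part of the original article or its Listing 1), the same entity-encoding algorithm in Python, extended with the full set of entity names from Tables 1 and 2 plus `&amp;`, which Listing 1 as printed omits (without it an encoded string cannot be decoded unambiguously). It renders the Listing 1 payload into a page fragment both raw and encoded, counts how many tag openers the browser would see in each, and cross-checks the encoder against the standard library's `html.escape`. The payload and the page fragment are constructed for the example.

```python
import html

# Entity names from Table 1 keyed by the decimal code points of Table 2,
# plus '&' (38) so that encoded output can always be decoded.
ENTITY_NAMES = {
    34: "&quot;", 38: "&amp;", 60: "&lt;", 62: "&gt;",
    160: "&nbsp;", 162: "&cent;", 163: "&pound;", 165: "&yen;",
    167: "&sect;", 169: "&copy;", 174: "&reg;",
    8364: "&euro;", 8482: "&trade;",
}


def escape_html(text: str) -> str:
    """Same algorithm as Listing 1's escape(): a named entity where one is
    known, a decimal numeric entity (&#NNN;) for any other character above
    0x7F, and the character itself otherwise."""
    out = []
    for ch in text:
        cp = ord(ch)
        name = ENTITY_NAMES.get(cp)
        if name is not None:
            out.append(name)
        elif cp > 0x7F:
            out.append(f"&#{cp};")
        else:
            out.append(ch)
    return "".join(out)


def render_greeting(user_input: str, encode: bool) -> str:
    """Insert an untrusted value into a page fragment, either raw (the
    vulnerable pattern) or entity-encoded (the mitigation)."""
    value = escape_html(user_input) if encode else user_input
    return f"<p>Hello, {value}</p>"


def tag_count(fragment: str) -> int:
    """Number of '<' characters the browser will treat as tag openers."""
    return fragment.count("<")


def roundtrips(text: str) -> bool:
    """Decoding the encoded text must give back the original."""
    return html.unescape(escape_html(text)) == text


def matches_stdlib(text: str) -> bool:
    """For plain ASCII input the result equals html.escape(text)."""
    return html.escape(text) == escape_html(text)


# Constructed sample payload, the same one used in Listing 1.
PAYLOAD = '<script>alert("abc")</script>'

if __name__ == "__main__":
    print("encoded string is", escape_html(PAYLOAD))
    print("raw fragment tag openers:    ", tag_count(render_greeting(PAYLOAD, encode=False)))
    print("encoded fragment tag openers:", tag_count(render_greeting(PAYLOAD, encode=True)))
    print("non-ASCII example:", escape_html("\u20ac5 \u00a9 \u00dcnicode"))
```

The raw fragment contains four tag openers (the `<p>` pair plus the injected `<script>` pair), while the encoded fragment contains only the two the template itself emits, which is exactly the property the text asks for.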
After receiving and interpreting a request message, a server responds with an HTTP response message:
- A Status-line
- Zero or more header (General|Response|Entity) fields followed by CRLF
- An empty line (i.e., a line with nothing preceding the CRLF) indicating the end of the header fields
- Optionally a message-body
The following sections explain each of the elements used in an HTTP response message.
Message Status-Line

A Status-Line consists of the protocol version followed by a numeric status code and its associated textual phrase. The elements are separated by space (SP) characters.
A server supporting HTTP version 1.1 will return the following version information:
HTTP-Version = HTTP/1.1
Status Code

The Status-Code element is a 3-digit integer where the first digit defines the class of response and the last two digits have no categorization role. There are 5 values for the first digit:
| No. | Code and description |
|---|---|
| 1 | 1xx: Informational. The request was received and the process is continuing. |
| 2 | 2xx: Success. The action was successfully received, understood, and accepted. |
| 3 | 3xx: Redirection. Further action must be taken in order to complete the request. |
| 4 | 4xx: Client Error. The request contains incorrect syntax or cannot be fulfilled. |
| 5 | 5xx: Server Error. The server failed to fulfill an apparently valid request. |
HTTP status codes are extensible and HTTP applications are not required to understand the meaning of all registered status codes. A list of all the status codes has been given in a separate chapter for your reference.
Response Header Fields

We will study the General-header and Entity-header fields in a separate chapter when we cover HTTP header fields. For now, let's look at the Response header fields.
The response-header fields allow the server to pass additional information about the response which cannot be placed in the Status- Line. These header fields give information about the server and about further access to the resource identified by the Request-URI.
- Proxy-Authenticate
- WWW-Authenticate
You can introduce your custom fields in case you are going to write your own custom Web Client and Server.
Examples of Response Messages

Now let's put it all together to form an HTTP response for a request to fetch the hello.htm page from the web server running on site
```http
HTTP/1.1 200 OK
Date: Mon, 27 Jul 2009 12:28:53 GMT
Server: Apache/2.2.14 (Win32)
Last-Modified: Wed, 22 Jul 2009 19:15:56 GMT
Content-Length: 88
Content-Type: text/html
Connection: Closed

Hello, World!
```
The following example shows an HTTP response message for the error condition in which the web server could not find the requested page:
```http
HTTP/1.1 404 Not Found
Date: Sun, 18 Oct 2012 10:36:20 GMT
Server: Apache/2.2.14 (Win32)
Content-Length: 230
Connection: Closed
Content-Type: text/html; charset=iso-8859-1

404 Not Found
Not Found
The requested URL /t.html was not found on this server.
```
The following example shows an HTTP response message for the error condition in which the web server encountered a wrong HTTP version in the given HTTP request:
```http
HTTP/1.1 400 Bad Request
Date: Sun, 18 Oct 2012 10:36:20 GMT
Server: Apache/2.2.14 (Win32)
Content-Length: 230
Content-Type: text/html; charset=iso-8859-1
Connection: Closed

400 Bad Request
Bad Request
Your browser sent a request that this server could not understand.
The request line contained invalid characters following the protocol string.
```
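The structure listed above (Status-Line, header fields, empty line, optional body) is easy to check mechanically. As an added example that is not part of the original text, here is a small Python parser that splits a raw response into those parts, classifies the Status-Code by its first digit as in the table above, and flags a body whose length disagrees with the declared Content-Length, since a receiver that trusts the header over the bytes it actually got will mis-frame the next message on the connection. The sample responses are constructed for the example; their header values are made up and the first one's Content-Length matches its body exactly.

```python
STATUS_CLASSES = {
    "1": "Informational", "2": "Success", "3": "Redirection",
    "4": "Client Error", "5": "Server Error",
}


def status_class(code: int) -> str:
    """Classify a Status-Code by its first digit, as the table above does."""
    text = str(code)
    if len(text) != 3 or text[0] not in STATUS_CLASSES:
        raise ValueError(f"not a valid HTTP status code: {code!r}")
    return STATUS_CLASSES[text[0]]


def parse_response(raw: bytes) -> dict:
    """Split a response into Status-Line, header fields and message-body.
    Raises ValueError when the message lacks the structure listed above."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("missing empty line that ends the header fields")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("latin-1").split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed Status-Line: {lines[0]!r}")
    version, code = parts[0], int(parts[1])
    reason = parts[2] if len(parts) == 3 else ""
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.decode("latin-1").partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header field: {line!r}")
        headers[name.strip().lower()] = value.strip()
    # Compare the declared Content-Length with the body actually received.
    declared = headers.get("content-length")
    length_ok = declared is None or int(declared) == len(body)
    return {
        "version": version,
        "code": code,
        "reason": reason,
        "class": status_class(code),
        "headers": headers,
        "body": body,
        "content_length_ok": length_ok,
    }


def is_well_formed(raw: bytes) -> bool:
    """True when parse_response() accepts the message."""
    try:
        parse_response(raw)
        return True
    except ValueError:
        return False


# Constructed sample in the shape of the 200 example above.
SAMPLE_200 = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 27 Jul 2009 12:28:53 GMT\r\n"
    b"Server: Apache/2.2.14 (Win32)\r\n"
    b"Content-Length: 13\r\n"
    b"Content-Type: text/html\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"Hello, World!"
)

# Constructed 404 whose Content-Length does not match the body it carries.
SAMPLE_404_SHORT = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Content-Length: 230\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"Not Found"
)

if __name__ == "__main__":
    for raw in (SAMPLE_200, SAMPLE_404_SHORT):
        r = parse_response(raw)
        print(r["code"], r["reason"], "->", r["class"],
              "| body bytes:", len(r["body"]),
              "| content-length consistent:", r["content_length_ok"])
```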
The Response object is a very useful and powerful tool. It has several collections, methods and properties, which are described below.

Response.Cookies collection

The Cookies collection sets the values of cookies. If the specified cookie does not exist, it is created. If the cookie already exists, it takes the new value and the old value is destroyed.
```
Response.Cookies(cookie) [(key) | .attributes] = value
```
Options:
- cookie - The name of the cookie.
- key - Optional. If specified, the cookie is a dictionary (a cookie holding nested keys) and key names the sub-value being set.
- attributes - Information about the cookie itself. This parameter can be one of the attributes listed in the table below.
- value - The value to assign to the given key or attribute.
| Name | Description |
|---|---|
| Domain | Write-only. If specified, the cookie is sent only with requests to this domain. |
| Expires | Write-only. The date on which the cookie expires. This date must be set for the cookie to be written to the client's disk after the session ends. If it is not set, the expiration date is taken to be the current date and the cookie expires as soon as the session ends. |
| HasKey | Read-only. Indicates whether the cookie contains the given key. |
| Path | Write-only. If specified, the cookie is sent only with requests for this path. If not set, the application's path is used. |
| Secure | Write-only. Indicates whether the cookie is marked Secure, that is, sent only over a protected (HTTPS) connection. |
Comment:

If a cookie is created with keys (here type1 and type2), then a header of the following form is sent:

```
Set-Cookie:MYCOOKIE=TYPE1=sugar&TYPE2=cookies
```

If you then assign a value to mycookie without using keys, the type1 and type2 keys are destroyed. In that case their values are lost, and mycookie holds only the new value, for example "chocolate marshmallow".

You can also check whether a specific key exists with the HasKey attribute. If it returns TRUE, the key exists; if FALSE, it does not.
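As an added example, not part of the original text and not the ASP implementation, the Python class below models one entry in the Response.Cookies collection with exactly the semantics described above: a cookie is either a single value or a set of keys, assigning a key turns it into a dictionary, assigning a plain value destroys all keys, HasKey reports key presence, and the attributes from the table (Domain, Path, Expires, Secure) are emitted as Set-Cookie parameters. The cookie names, values and the Expires date are constructed for the example.

```python
from datetime import datetime, timezone
from email.utils import format_datetime


class ResponseCookie:
    """Model of one entry in the Response.Cookies collection (constructed
    example). A cookie holds either a single value or a set of keys."""

    def __init__(self, name: str):
        self.name = name
        self._value = ""
        self._keys = {}        # key -> value when the cookie is a dictionary
        self.domain = None     # write-only attributes from the table above
        self.path = None
        self.expires = None    # timezone-aware UTC datetime, or None
        self.secure = False

    def set_key(self, key: str, value: str) -> None:
        """Response.Cookies(name)(key) = value: the cookie becomes a
        dictionary and any previously assigned plain value is discarded."""
        self._value = ""
        self._keys[key] = value

    def set_value(self, value: str) -> None:
        """Response.Cookies(name) = value: destroys all existing keys."""
        self._keys.clear()
        self._value = value

    def has_key(self, key: str) -> bool:
        """Response.Cookies(name).HasKey(key)."""
        return key in self._keys

    def value(self) -> str:
        """Wire form of the value: key=value pairs joined by '&', or the
        plain value."""
        if self._keys:
            return "&".join(f"{k}={v}" for k, v in self._keys.items())
        return self._value

    def header(self) -> str:
        """The Set-Cookie header the server would emit for this cookie."""
        parts = [f"{self.name}={self.value()}"]
        if self.domain:
            parts.append(f"Domain={self.domain}")
        if self.path:
            parts.append(f"Path={self.path}")
        if self.expires:
            parts.append("Expires=" + format_datetime(self.expires, usegmt=True))
        if self.secure:
            parts.append("Secure")
        return "Set-Cookie: " + "; ".join(parts)


def keyed_cookie_demo() -> ResponseCookie:
    """Reproduces the TYPE1/TYPE2 example from the text."""
    c = ResponseCookie("MYCOOKIE")
    c.set_key("TYPE1", "sugar")
    c.set_key("TYPE2", "cookies")
    return c


def session_cookie_demo() -> ResponseCookie:
    """A plain-value cookie carrying Path, Expires and Secure attributes."""
    c = ResponseCookie("SESSIONID")
    c.set_value("constructed-opaque-token")   # placeholder, not a real token
    c.path = "/app"
    c.secure = True
    c.expires = datetime(2009, 7, 22, 19, 15, 56, tzinfo=timezone.utc)
    return c


if __name__ == "__main__":
    c = keyed_cookie_demo()
    print(c.header(), "| HasKey(TYPE1):", c.has_key("TYPE1"))
    c.set_value("chocolate marshmallow")     # destroys TYPE1 and TYPE2
    print(c.header(), "| HasKey(TYPE1):", c.has_key("TYPE1"))
    print(session_cookie_demo().header())
```

Without the Expires attribute the cookie lives only for the session, exactly as the table states; the Secure flag is what keeps the value off plaintext connections, and it is set here on the session cookie for that reason.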
Response.Write method

```
Response.Write variable_or_value
```
Options:
- variable_or_value - Data to be displayed on the browser screen via HTML. This parameter can be of any type supported by VisualBasic Scripting Edition. That is, the data can be of the following types: date, string, character, numeric values. The value of this parameter cannot contain the combination %>. Instead, you can use the equivalent combination %\>. The web server will convert this sequence into the required one when the script is executed.
The following example shows how the Response.Write method outputs a message to the client.
I'll just tell you: And your name
The following example adds an HTML tag to a web page. Since the argument cannot contain the combination %>, we use the sequence %\> instead. An example script:
The output will be the line: