With the development of the Web 2.0 era, the separation of front end and back end has become the standard way of building Internet projects in the industry. In the software development of large enterprises, React, as a Web-side framework, ranks first among all front-end frameworks in usage and recognition. At the same time, more and more security attacks are being carried out against web applications. Attackers use XSS to inject malicious code into web pages and have it executed, which causes great losses to users. XSS attacks against the React framework have become a research hotspot in front-end security, and the study of XSS in React has practical significance for information security and social stability. In order to defend against XSS attacks in React, this paper proposes new XSS attack patterns found through code audit, studies defenses against them, and develops an XSS filtering system to filter XSS code. The specific contents are as follows.

First, three new XSS attack patterns in React are proposed. The first exploits the fact that React generates HTML from plain JavaScript (JSON-like) objects at its lower layer, so XSS code can be implanted by modifying a JSON object that is rendered into the page. The second Unicode-encodes the request data with the Burp Suite packet capture tool in order to bypass React's default output escaping. The third modifies the file extension to bypass client-side checks and uses the canvas API to modify image pixel values so that XSS code is implanted in the picture.

Secondly, defenses against the above attack patterns are studied. Regular expressions are used as the first line of defense to match XSS attack keywords. The Error Boundary mechanism introduced in React 16 is then used to catch page rendering exceptions caused by XSS attacks. Finally, the FileReader API provided by HTML5 is used to read the actual content of an uploaded file and verify whether its file type is what it claims to be.

Then, according to the characteristics of the attack code, an XSS filtering system is designed to filter XSS code; it is provided to developers as a callable module in order to reduce the risk of XSS attacks. The overall process is designed and split into several modules for development, completing the implementation of the XSS filtering system. A whitelist module is designed to distinguish ordinary text from HTML code; the tag names, attributes and attribute values in the HTML code are then matched against the whitelist and XSS code is filtered out. At the same time, the content of uploaded files is verified.

Finally, based on the above research results, functional tests of the XSS filtering system are carried out to verify that the system can filter out both common XSS payloads and the XSS attack code proposed in this paper. A management system is developed with the React framework, and it is attacked with the original XSS code and with the filtered code respectively. Comparing the filtering results on the experimental data demonstrates the practical value and reliability of the system. According to the test results, the XSS filtering system can effectively defend against common XSS code and the XSS code proposed in this paper.
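The following is an added illustration, not code from the thesis: a minimal version of the two filter modules the abstract describes, in JavaScript. The first normalizes encoded input (the Unicode-escape and HTML-entity tricks a keyword regex alone misses), then keeps only whitelisted tags, attributes and URL schemes and re-escapes everything else as text. The second checks an upload's leading bytes against known image signatures instead of trusting its extension, which is the check a FileReader.readAsArrayBuffer() result would feed in the browser. The tag whitelist, signature table, function names and sample inputs are all assumptions made for the example.

```javascript
// Added example of a whitelist XSS filter plus an upload content check.
// Whitelist, signatures and sample payloads below are assumptions, not the thesis's own.

// Tags the filter keeps, with the attributes each may carry.
const ALLOWED_TAGS = {
  b: [], i: [], em: [], strong: [], p: [], br: [],
  a: ['href', 'title'],
  img: ['src', 'alt', 'width', 'height'],
};
const URL_ATTRS = new Set(['href', 'src']);

// Undo the encodings used to hide "<" or "javascript:" from a naive keyword
// regex: JS \uXXXX escapes, numeric HTML entities and the few named entities
// that matter. Entity-encoded markup is therefore treated as markup, which is
// the conservative choice for a filter that re-escapes everything it rejects.
function normalize(s) {
  return s
    .replace(/\\u([0-9a-f]{4})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCharCode(parseInt(d, 10)))
    .replace(/&lt;/gi, '<').replace(/&gt;/gi, '>')
    .replace(/&quot;/gi, '"').replace(/&amp;/gi, '&');
}

function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// A URL attribute is kept only when it has no scheme (relative) or an
// allowed one; whitespace/control chars are stripped first ("java\nscript:").
function safeUrl(value) {
  const v = value.replace(/[\s\u0000-\u001f]/g, '').toLowerCase();
  const scheme = v.match(/^([a-z][a-z0-9+.-]*):/);
  return !scheme || ['http', 'https', 'mailto'].includes(scheme[1]);
}

const TAG_RE = /<(\/?)([a-z][a-z0-9]*)((?:\s+[^\s=>]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/gi;
const ATTR_RE = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function filterAttrs(tag, attrText) {
  const allowed = ALLOWED_TAGS[tag];
  const kept = [];
  for (const m of attrText.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (!allowed.includes(name)) continue;              // drops onerror, style, ...
    if (URL_ATTRS.has(name) && !safeUrl(value)) continue; // drops javascript:, data:
    kept.push(`${name}="${escapeText(value)}"`);
  }
  return kept.length ? ' ' + kept.join(' ') : '';
}

// Rebuild the input from whitelisted tags and escaped text only.
function sanitizeHtml(input) {
  const src = normalize(input);
  let out = '';
  let last = 0;
  for (const m of src.matchAll(TAG_RE)) {
    out += escapeText(src.slice(last, m.index));
    const [whole, close, rawTag, attrs] = m;
    const tag = rawTag.toLowerCase();
    if (tag in ALLOWED_TAGS) {
      out += close ? `</${tag}>` : `<${tag}${filterAttrs(tag, attrs)}>`;
    } else {
      out += escapeText(whole);   // <script>, <svg>, <iframe> ... become visible text
    }
    last = m.index + whole.length;
  }
  return out + escapeText(src.slice(last));
}

// Upload check: trust the bytes, not the extension. In the browser the bytes
// come from FileReader.readAsArrayBuffer(file); here a constructed header stands in.
const MAGIC = {
  'image/png':  [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a],
  'image/jpeg': [0xff, 0xd8, 0xff],
  'image/gif':  [0x47, 0x49, 0x46, 0x38],
};
const EXT_MIME = { png: 'image/png', jpg: 'image/jpeg', jpeg: 'image/jpeg', gif: 'image/gif' };

function sniffImageType(bytes) {
  for (const [mime, sig] of Object.entries(MAGIC)) {
    if (sig.every((b, i) => bytes[i] === b)) return mime;
  }
  return null;
}

function uploadAllowed(fileName, bytes) {
  const ext = (fileName.split('.').pop() || '').toLowerCase();
  const expected = EXT_MIME[ext];
  return expected !== undefined && sniffImageType(bytes) === expected;
}

// Constructed sample payloads in the three styles the abstract mentions.
sanitizeHtml('<img src="x" onerror="alert(1)">');                       // <img src="x">
sanitizeHtml('\\u003cscript\\u003ealert(1)\\u003c/script\\u003e');      // escaped as text
uploadAllowed('shell.png', new Uint8Array([0x3c, 0x3f, 0x70, 0x68, 0x70])); // false
```

Two caveats a practitioner should keep in mind. A regex-based tokenizer like the one above is only a demonstration of the whitelist idea; a production filter should parse with a real HTML parser so that the parser and the browser agree on where tags begin and end. And the magic-byte check only proves a file is an image; it cannot stop a valid PNG whose pixel values encode a payload, so uploads should also be served with a fixed image Content-Type, ideally from a separate origin, so that nothing ever interprets them as a document.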