Hacker attack and Defense also talk about cross-site scripting attacks and Defense-vulnerability warning-the black bar safety net

ID MYHACK58:62200613056
Type myhack58
Reporter 佚名
Modified 2006-11-28T00:00:00


On the network there was about cross-site scripting attacks and Defense articles, but as the attack technology advances, previously about a cross site scripting attack the views and theories can not meet now the attack and Defense of the need, and because of this for cross-site scripting cognitive confusion, resulting in now a lot of the program includes now the Action Network, there are cross-site scripting filter is not strict problem, hope this can give the writing program and the research program to bring a bit of ideas.

Or first take a look at cross-site scripting vulnerability in the Genesis, the so-called cross-site scripting vulnerabilities in fact Html injection problem, a malicious user input has not been strict control into the database and ultimately displayed to the visiting user, resulting in the visiting user's browser to browse to the identity of the user to perform HTml code, data flow is as follows:

The malicious user's Html input---->web applications---->access to the database---->web applications---->the user's browser

So we can clearly see that the Html code is how to get into the victims browser, we also can according to this process to discuss cross-site scripting attacks and Defense!

1 What is an HTml input?

Here is a HTml code example

< img src="http://www.loveshell.jpg" width=1 0 0 onerror=alert("load image error!") of >

Many of the procedures are ultimately the user's input is converted into this form. You can see the<>is telling the browser this is a Html tags, img is the Html tag name, src is the tag of the first attribute, the=back is the value of this property, the rear width is the second attribute, onerror is a mark of the event attributes. You can see a Html tags include many elements, not in the traditional sense only the input < a > will be injected into Html, in fact, as long as you input in the Html tag, generate new elements or attributes, to achieve a cross-site scripting attacks! In fact most of the secret cross-site scripting attack is not needed< a>, because now the Ubb tags already let you in the Html tags within, very interesting, isn't it?

2 Where is the evil source?

Since our goal is the introduction of the code in the target user's browser within the perform, then we look at what areas can be introduced into the HTml code! If the user can not limited the introduction of < a>, then it is clear that he can completely manipulate an Html tag, such as<script>alert('xss')</script>such a form, which for the pursuit of security program that is absolutely not allowed, so the first thing to do the conversion is the< a>, by the following code:

Filter code:



Well, the user may not be able to construct your own HTml mark, then the use of already existing properties? The following code can still work very well:

< img src="javascript:alert(/xss/)" width=1 0 0>

Because many of the Html tags in attributes are supported by javascript:[code]in the form of, well, a lot of the program aware of this, may do the following conversion:

The filter code

Dim re

Set re=new RegExp

re. IgnoreCase =True

re. Global=True

re. Pattern="javascript:"

Str = re. replace(Str,"javascript:")

re. Pattern="jscript:"

Str = re. replace(Str,"jscript:" a)

re. Pattern="vbscript:"

Str = re. replace(Str,"vbscript: a")

set re=nothing you see, as long as found in javascript and other script attribute of the form will be filtered out and lost:the script code is no effect! Such perfect? In fact Html value of the property, the note is the value rather than the attribute itself is supported ASCii this form of representation, for example, the above code can be replaced with this:

< img src="javascript:alert(/xss/)" width=1 0 0>

Code and implementation, huh! It seems that you missed something Oh, with this code!


The line,&lost its original significance, the user can not be expressed in other ways Html attribute values! And so on, so that the filter really can believe that? Just found this filter the keywords mechanism, the bypass is the simple question:

img src="javas cript:alert(/xss/)" width=1 0 0>

There is no javascript keyword! Note that the middle one is the tab key to get out! The keyword is split! This is a very troublesome problem, many people forget these special characters, huh! It was thought to be the filter space, the filter before we look at some of the other stuff! Perhaps we are now at the src attribute has been unable to use, but we can still produce their own property or event mechanism Oh! Still you can perform Html code, first talk about the event mechanism it:

< img src="#" onerror=alert(/xss/) > the

So you can still execute the Code of the Oh! Understand the problem which, isn't it? Some programmers seem to understand, note I said If, the moving Web is a typical example, the event property is not to onerror? A lot of people start with regular expressions, find key words such as onerror will do the conversion, or prompt the user does not perform, is not no chance?

Of course not, the event just let the code run one way and not all, you can define events so you can achieve your get out of their own properties, try the following:

< img src="#" style="Xss:expression(alert(/xss/));" > the

Oh, still perform! Doing a keyword filter after it was found is not between the attributes of the partition to use the space, well, they put the spaces blocked up think so a lot of people, ha-ha) now! The spaces turn into a very common method? Is? Even you can also make someone unable to keyword splitting, not too confident, try the code below see how:

< img src="#"/**/onerror=alert(/xss/) width=1 0 0>

Hey, Good Work! This seems to be the use of a script comment will be treated as a blank to represent the cause! What should I do? The above mentioned seems to have always been in the passive attack Defense, why not seize his origin out? Where the problem where plugging!

The above problem seems to essentially one thing, and that is the user goes beyond his label, that is, data and code confusion, to deal with this confusion the solution is to restrict the prison, allowing users in a safe space activities, which through the above analysis we may already know, as long as the filter of < > the two people who will go to kill the character after which you can put user's input in the output when put to the""between, now the General procedure is to do so, such as! will be converted to < img src="http://www.loveshell.net"a > This is a good security practice, then? We should let the user input in the security field, this can be achieved by filtering the user input in""achieve, but don't forget, the label itself is unsafe, to filter out the spaces and the tab key do not worry about keyword was split bypass, and then is mentioned in the article way to filter out the script keyword, and finally is to prevent the user by such a form bypass check conversion off&now!

In the article mentioned at the beginning of the figure can be seen, the data conversion and filtering can be in 3 places for conversion, in the acceptance data can be converted, in into the database can be converted, in the output data can also be converted, but confused where? Had to face a problem is that many times programmers want to safe to make that big application on the sacrifice of security is to have a cost, such as now mailboxes are reluctant to discard html tags, so they focus onXSSof IDS detection properties, as long as the discovery of unsafe things will be transformed, but the attack is unpredictable, beautiful things are always fragile, limited, certainly some people will bypass, Oh。 This article is nothing technical content, just hoping to engage the security script staff can be more understandingXss, cross-site, is not so simple drop!