Cross-site scripting (XSS) in Web security testing

Source: Internet
Author: User
Tags: html encode

Cross-site scripting (XSS) is among the most common vulnerabilities in Web applications. An attacker embeds a client-side script (typically JavaScript) in a webpage; when a user views that page, the script runs in the user's browser, with the page's origin, and does whatever the attacker intends: for example, it can read the user's cookies, redirect the browser to a malicious website, or deliver malware.

As a tester, you need to understand how XSS arises, the attack scenarios, and how to fix it, so that XSS can be prevented effectively.


How does XSS happen?

Suppose the page renders a textbox of roughly this form:

    <input type="text" name="value1" value="value1from" />

Here value1from is the value supplied by the user. If, instead of an ordinary value, the user enters

    "/><script>alert(document.cookie)</script>

the rendered markup becomes

    <input type="text" name="value1" value=""/><script>alert(document.cookie)</script>" />

The quotation mark and "/>" close the value attribute and the tag early, and the embedded JavaScript runs as soon as the page loads.

Or, if the user enters

    " onfocus="alert(document.cookie)

the rendered markup becomes

    <input type="text" name="value1" value="" onfocus="alert(document.cookie)" />

and the embedded JavaScript runs when the focus event fires on the textbox.

How much damage is done depends entirely on the script the attacker supplies.

The user-controlled data does not have to come from a form field. It can also reach the server through the QueryString (in the URL) and through cookies, and any of these sources that is echoed into the page without encoding has exactly the same problem.

HTML Encode

XSS occurs because data entered by the user is treated as code. Therefore user-supplied data must be HTML-encoded before it is written into the page: the characters that carry meaning in HTML, namely the angle brackets "<" and ">", the ampersand "&", the double quotation mark and the single quotation mark, are replaced with their entities (&lt;, &gt;, &amp;, &quot;, &#39;). One caveat: HTML encoding is the right tool for data placed in HTML text or inside a quoted attribute value. Data placed inside a <script> block, an event-handler attribute, or a URL needs the encoding of that context instead, and an unquoted attribute value is not made safe by HTML encoding alone, because a space is enough to start a new attribute.

C# provides a ready-made method: call HttpUtility.HtmlEncode("string") (the System.Web assembly must be referenced). Code that does not reference System.Web can use System.Net.WebUtility.HtmlEncode, available since .NET 4.0. Check which version you are on: before .NET 4.0, HttpUtility.HtmlEncode did not encode the single quote.

Fiddler also provides a convenient tool: click the TextWizard button on the toolbar, which encodes and decodes text in both directions.

 

XSS attack scenarios

1. Reflected XSS (the original text calls this "DOM-based"; strictly, DOM-based XSS is the case where client-side script itself writes untrusted data into the page, whereas here the server echoes it). The attack process:

Tom finds a page on Victim.com with an XSS vulnerability, for example:

    http://victim.com/search.asp?term=apple

The server-side code of the Search.asp page echoes the parameter without encoding it:

    Results for <%= Request.QueryString("term") %>
    ...

Tom first sets up a website, http://badguy.com, to receive the "stolen" information.
Then Tom constructs a malicious URL of the form below, with JavaScript in place of the search term, and sends it to Monica by some means (email, QQ).

    http://victim.com/search.asp?term=

Monica clicks the URL. The malicious JavaScript embedded in the URL is reflected into the page and executes in Monica's browser; it sends her victim.com cookie to the badguy site, and Tom now holds Monica's session on victim.com.

 

2. Stored XSS (persistent XSS) is widely exploited and can compromise every user of the site: the attacker gets the attack script saved on the Web server, so everyone who views the affected page is exposed. The attack process is as follows:

Alex discovers an XSS vulnerability on website A that lets him store attack code in the database.

Alex publishes an article with malicious JavaScript embedded in it.

When someone else, such as Monica, views the article, the embedded JavaScript executes in her browser, and her session cookie or other information is sent to Alex.

 

Reflected XSS hits one user at a time, and each victim must be lured into opening a crafted link; stored XSS hits every user who views the affected page.

 

XSS vulnerability repair

Principle: do not trust data from the client.
Note: the attack code does not necessarily sit inside a <script> tag.

  1. Mark important cookies as HttpOnly, so that document.cookie in JavaScript cannot read them. This limits cookie theft; it does not stop an injected script from acting in the user's session while the page is open.
  2. Only accept the data you expect. For example, an age textbox should accept only digits, and everything else is rejected. Do this check on the server; client-side checks are trivially bypassed.
  3. HTML-encode data before writing it into the page.
  4. Filter or remove dangerous HTML tags such as <script>, and replace special characters with their entities: &lt; for <, &gt; for >, &quot; for ".
  5. Filter JavaScript event attributes, such as "onclick=", "onfocus=" and the rest of the on* family.

Items 4 and 5 are blacklists and are easy to get wrong; treat encoding (item 3) as the primary defence and filtering as a supplement.

How to test XSS vulnerabilities

Method 1: read the code and find the key variables. The client transmits data to the Web server in three ways: QueryString, Form, and Cookie. For example, an ASP program reads client variables through the Request object:

    <%
    strUserCode = Request.QueryString("code");
    strUser = Request.Form("USER");
    strID = Request.Cookies("ID");
    %>

If such a variable is written back into the page without HtmlEncode, it has an XSS vulnerability.

Method 2: prepare test scripts.

    "/><script>alert(document.cookie)</script>
    <!--<script>alert(document.cookie)</script><!--
    " onclick="alert(document.cookie)

Enter these test scripts into a textbox or anywhere else on the page and see whether a dialog box appears; if it does, there is an XSS vulnerability. Also look at the variables in the URL that pass values to the Web server, replace their values with the test scripts, and check whether the script executes.

Method 3: automated testing of XSS vulnerabilities. Many XSS scanning tools are available now, and the basic automated test is simple to implement: use the HttpWebRequest class to send a request that contains the XSS test script to the Web server, then check whether the test script comes back unencoded in the HttpWebResponse.

Differences between HTML Encode and URL Encode

At the beginning I always confused these two things. Actually, they are two different things.

HTML encoding was introduced above. URL encoding exists to comply with the URL standard, because many characters are not allowed to appear in a URL.

For example, search for "test Chinese characters" in Baidu. The URL becomes
http://www.baidu.com/s?wd=%B2%E2%CA%D4%BA%BA%D7%D6&rsv_bp=0&rsv_spt=3&inputT=7477

URL encoding replaces every non-alphanumeric character with a percent sign (%) followed by two hexadecimal digits; in the form variant (application/x-www-form-urlencoded) that HttpUtility.UrlEncode implements, a space is encoded as a plus sign (+). Note that the hexadecimal digits depend on the character set the page uses: the bytes in the Baidu example are GBK, not UTF-8.

A ready-made method is provided in C#: call HttpUtility.UrlEncode("string") (the System.Web assembly must be referenced).

Fiddler also provides a convenient tool: click the TextWizard button on the toolbar.

XSS filter in the browser

To prevent XSS, several browser vendors added filtering mechanisms to their browsers: IE8 and IE9 have the XSS Filter and Chrome had the XSS Auditor (Firefox relied on add-ons such as NoScript rather than a built-in filter). When such a filter detects a reflected script, the browser blocks it.

Caveat: these filters only ever addressed reflected XSS, were bypassed regularly, and have since been removed from Chromium-based browsers (Chrome dropped the XSS Auditor in 2019). Do not count on them; encode on the server.

The original recommends IE7 for testing because it has no such filter; in general, test with the filter disabled so that you observe the application's own behaviour rather than the browser's.

ASP.NET

ASP.NET has a built-in mechanism against XSS, request validation: incoming form fields, query string values and cookies are automatically checked for potentially dangerous input, and when a user tries to submit XSS code ASP.NET throws an error (an HttpRequestValidationException) instead of processing the request. Many programmers do not know the concept of security, or even that XSS exists. ASP.NET provides security by default, so even a programmer without security awareness ends up writing a "safer website".

To disable this feature for a page, use <%@ Page ValidateRequest="false" %>.

Request validation is a blacklist, so bypasses exist; keep it enabled, but still HTML-encode every output.
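The following is an added example, not code from the original article. It implements the detection step of the automated test described under Method 3 as a pure function over an HTTP response body, together with the Set-Cookie check behind repair rule 1 (HttpOnly). The three response-rendering functions stand in for search.asp and are constructed for this example, as are the cookie headers; the canary token and function names are this example's own. It runs under Node.js and fetches nothing over the network.

```javascript
// Added example (not code from the original article): the detection step of
// the automated test from "Method 3", written as a pure function over an HTTP
// response body, plus the Set-Cookie check behind repair rule 1 (HttpOnly).
// The three server responses below are constructed for this example and
// stand in for search.asp; nothing is fetched over the network.

function htmlEncode(s) {
  const entities = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => entities[c]);
}

// A scanner does not need alert(document.cookie); it only needs to see whether
// its own bytes come back as markup. The probe wraps a unique canary token in
// the attribute-breakout prefix used in the article.
function makeProbe(canary) {
  return { canary, tag: '<' + canary + '>', payload: '"/><' + canary + '>' };
}

// Classify how the server reflected the probe:
//   'none'     the canary never appears (input dropped or request rejected)
//   'encoded'  the canary appears, but never as a literal tag (the '<' came
//              back as &lt; or similar), so no markup was injected
//   'raw'      '<canary>' appears verbatim: a new tag was created, which is
//              exactly what <script> would have done. XSS candidate.
function classifyReflection(body, probe) {
  if (!body.includes(probe.canary)) return 'none';
  if (body.includes(probe.tag)) return 'raw';
  return 'encoded';
}

// Three constructed stand-ins for search.asp's response to ?term=<payload>.
function vulnerableSearchPage(term) {
  return '<html><body>Results for ' + term + '</body></html>';
}
function safeSearchPage(term) {
  return '<html><body>Results for ' + htmlEncode(term) + '</body></html>';
}
function rejectingSearchPage(term) {
  // Behaves like ASP.NET request validation: suspicious input is never echoed.
  return /[<>]/.test(term) ? '<html><body>Bad request</body></html>' : safeSearchPage(term);
}

// Run the probe against each response function and collect the verdicts.
function scan(pages, probe) {
  const report = {};
  for (const [name, render] of Object.entries(pages)) {
    report[name] = classifyReflection(render(probe.payload), probe);
  }
  return report;
}

// Repair rule 1: parse a Set-Cookie header and report its protective flags.
function cookieFlags(setCookie) {
  const parts = setCookie.split(';').map((p) => p.trim()).filter(Boolean);
  const name = parts[0].split('=')[0];
  const attrs = parts.slice(1).map((p) => p.split('=')[0].toLowerCase());
  return { name, httpOnly: attrs.includes('httponly'), secure: attrs.includes('secure') };
}

const PROBE = makeProbe('xsscanary7f3a9');
const PAGES = { vulnerable: vulnerableSearchPage, safe: safeSearchPage, rejecting: rejectingSearchPage };
console.log(scan(PAGES, PROBE));
// Constructed headers: the first is how a session cookie should be set.
console.log(cookieFlags('ASPSESSIONIDQQRRSSTT=ABCDEF; Path=/; HttpOnly; Secure'));
console.log(cookieFlags('ASPSESSIONIDQQRRSSTT=ABCDEF; Path=/'));
```

A real scanner wraps the same classifier around an HTTP client and sends the probe through each of the three channels from Method 1 (query string, form field, cookie), one parameter at a time, so that a raw reflection can be attributed to a specific input. Note that 'encoded' means safe only for HTML text and quoted attribute contexts; a value reflected inside a script block or a URL attribute needs a probe written for that context.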

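The following is an added example, not code from the original article, for the "Differences between HTML Encode and URL Encode" section. It applies HTML encoding and both flavours of URL encoding to the same string, builds a search link that uses each encoding in its own layer, and shows what goes wrong when the layers are swapped. The path "/search.asp" and parameter name "term" follow the article's example; the sample inputs are constructed for this demonstration. It runs under Node.js, whose URLSearchParams produces the same application/x-www-form-urlencoded output (space as "+") that HttpUtility.UrlEncode does.

```javascript
// Added example (not code from the original article): HTML encoding and URL
// encoding applied to the same string, and a link builder that uses each one
// in its own layer. The parameter name "term" and path "/search.asp" follow
// the article's example; the inputs are constructed for this demonstration.
// Runs under Node.js (URLSearchParams is built in).

function htmlEncode(s) {
  const entities = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => entities[c]);
}

// Two flavours of URL encoding. encodeURIComponent follows RFC 3986 and writes
// a space as %20; URLSearchParams produces application/x-www-form-urlencoded,
// the variant HttpUtility.UrlEncode implements, where a space becomes '+'.
function urlEncodeComponent(s) {
  return encodeURIComponent(s);
}
function formUrlEncode(params) {
  return new URLSearchParams(params).toString();
}

// Correct layering: the query string is URL-encoded first (inner layer, read
// by the server's query parser), then the whole href and the link text are
// HTML-encoded (outer layer, read by the browser's HTML parser).
function searchLink(term) {
  const href = '/search.asp?' + formUrlEncode({ term });
  return '<a href="' + htmlEncode(href) + '">Results for ' + htmlEncode(term) + '</a>';
}

// Wrong layering, shown for contrast: HTML-encoding a value that belongs in
// a query string. The server's query parser knows nothing about entities, so
// the '&' in "&amp;" starts a new parameter and the value is truncated.
function wrongLinkHtmlEncodedQuery(term) {
  return '/search.asp?term=' + htmlEncode(term);
}

// What a server-side query parser sees for a given query string.
function parseQuery(query) {
  return Object.fromEntries(new URLSearchParams(query));
}

const SAMPLE = 'a b&c<d>';
console.log('html encoded :', htmlEncode(SAMPLE));
console.log('uri component:', urlEncodeComponent(SAMPLE));
console.log('form encoded :', formUrlEncode({ term: SAMPLE }));
console.log('safe link    :', searchLink('"/><script>alert(document.cookie)</script>'));
console.log('wrong layer  :', parseQuery(wrongLinkHtmlEncodedQuery('red&blue').split('?')[1]));
```

The rule the example illustrates: encode for the parser that will read the data next, from the inside out. A query-string value gets URL encoding; once that URL is placed in an href attribute, the attribute gets HTML encoding on top. Applying only HTML encoding to the query value does not cause XSS here, but it changes what the server receives, which is how filters and validators end up being bypassed or tripped by accident.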