Cross-site scripting vulnerability in UBB

Source: Internet
Author: User

Recently we found that some sites still have the UBB cross-site scripting vulnerability. Although cross-site scripting rarely does much damage to the server itself, no website can afford such a hole. At the harmless end a click pops up a dialog box; beyond that the attacker can change the home page, steal the viewer's cookies, or even wipe the viewer's hard disk. Who wants their site turned into a malicious one? And if the webmaster is blind to the problem, isn't that a mess?

Can a small piece of code really do that to a site? Let us look at how a so-called cross-site scripting attack actually plays out. Go to a site with UBB functions: a message board, a forum, or any site that accepts submitted text. First the simplest script attack of all: the filtering of HTML tags such as <td></td>.

Log on to a CGI-based site. Coming from ASP, I assumed a CGI site would be good at filtering scripts, so I started the test there. Enter <td> in the user-name field. After submitting the registration form, no invalid-character warning appears, and once registration completes, clicking the profile shows a distorted page. If the same thing is done in other fields, such as country and gender, the page cannot be viewed at all. So I switched to another site and submitted again. This time <td> triggered an invalid-character prompt, so that site filters < > and the other HTML characters. Fine: replace them with their character references, &#60; and &#62;. After submitting, the page above is deformed again, so the filter is not complete. What is more, I found that the name field on one site has no length limit and filters no illegal characters at all. If I submit malicious code there, what is to stop me?

Simple script attacks using <td> and other HTML tags must be filtered out, and the sites above fail before UBB is even involved. Now to UBB's own filtering problem. UBB codes are forum markup tags that stand in for HTML: [B]...[/B], for example, is converted to <B>...</B>. This tag-to-HTML conversion step has become the main entry point for cross-site scripting. I tested an ASP message board and a whole-site program:

Problem: [url] filtering. By submitting this tag you can build malicious code on the onmouseover handler, and once onmouseover fires, what else is out of reach? Some programs convert [url]s2[/url] into <a href="s2" target=_blank>s2</a> by plain substitution. Where the filter catches a literal double quote, we write it as its character reference &#34; instead, submit one extra quote that way, and then hang an onmouseover on the tag. The consequences you can work out yourself. :P

Note that a browser does not treat &#34; inside a quoted attribute value as the end of the attribute; for this trick to do anything, the server must decode the reference before it builds the tag, or build the attribute without quotes.

[img] filtering is a genuinely old and hard problem. The [img] script attack became popular long ago, yet during this test many sites still had it, some with no filtering at all, and free message-board providers in particular. The [img] tag works like this:

Very simply: [img]javascript:alert();[/img] is converted after submission into <img src="javascript:alert();">, and javascript:alert(); is executed when the browser renders the tag. (This worked in the browsers of the day; current browsers no longer run javascript: URLs in an img src.) The dialog box shows whatever you put between the parentheses, document.cookie for instance; most people know what that means. Worse, with document.write() you can write to the page. Write what? Malicious code, of course: [img]javascript:document.write();[/img], with whatever you want between the parentheses. The more dangerous you can think of, the more dangerous it gets.

Advanced problem: because of the basic [img] problem, many sites began filtering sensitive strings, for instance automatically splitting the pairs ja, do and wr into j a, d o and w r, or filtering words such as java and document. This defeats only a few attackers, since we can again substitute character references. Some readers are puzzled when the substituted code still does not display properly, so here is a complete example:

The UBB filtering code segment of a website is as follows. The listing is reconstructed from the garbled copy on the page: the character-reference strings in the replacement text were decoded when the page was rendered and are restored here as the most plausible values (an assumption, marked in the comments), and the return assignment and End Function, which the page cuts off, are added so the routine runs.

<%
Function code_ss(strers)
    Dim strer: strer = strers
    If strer = "" Or IsNull(strer) Then code_ss = "": Exit Function

    ' Escape the HTML metacharacters.
    strer = Replace(strer, "<", "&lt;")
    strer = Replace(strer, ">", "&gt;")
    strer = Replace(strer, " ", "&nbsp;")              ' space
    strer = Replace(strer, Chr(9), "&nbsp;&nbsp;")     ' tab
    strer = Replace(strer, "'", "&#39;")               ' single quote
    strer = Replace(strer, """", "&quot;")             ' double quote

    Dim re, re_v
    ' Two candidate character-class patterns; assigned but never used below.
    re_v = "[^\(\)\;""\[]*"
    re_v = ".[^\[]*"
    Set re = New RegExp
    re.IgnoreCase = True
    re.Global = True

    ' Keyword blacklist. Each match is kept but has one character rewritten as a
    ' numeric character reference (&#58; is ":", &#115; is "s", and so on) so
    ' the literal keyword no longer appears. The exact replacement strings are
    ' an assumption; the original ones were lost in rendering.
    re.Pattern = "(javascript:)"
    strer = re.Replace(strer, "javascript&#58;")
    re.Pattern = "(javascript)"
    strer = re.Replace(strer, "java&#115;cript")
    re.Pattern = "(jscript:)"
    strer = re.Replace(strer, "jscript&#58;")
    re.Pattern = "(js:)"
    strer = re.Replace(strer, "js&#58;")
    re.Pattern = "(value)"
    strer = re.Replace(strer, "v&#97;lue")
    re.Pattern = "(about:)"
    strer = re.Replace(strer, "about&#58;")
    re.Pattern = "(file:)"
    strer = re.Replace(strer, "file&#58;")
    re.Pattern = "(document.)"
    strer = re.Replace(strer, "document&#58;")
    re.Pattern = "(vbscript:)"
    strer = re.Replace(strer, "vbscript&#58;")
    re.Pattern = "(vbs:)"
    strer = re.Replace(strer, "vbs&#58;")
    ' Event handlers: split "on" from the handler name ($2 is the second group).
    re.Pattern = "(on(mouse|exit|error|click|key))"
    strer = re.Replace(strer, "on&#32;$2")

    Set re = Nothing
    code_ss = strer   ' return value; the page's listing breaks off before this line
End Function
%>

If you read ASP you can see that the snippet above filters and rewrites javascript:, jscript:, js:, about:, value, document., the onmouse and onexit handlers and so on, and that some special characters such as . ; ( ) and [ are replaced with intermediate codes. On closer inspection the filtering is not as complete as it looks. Submit:

[mg]&#176&#93&#118&#97&#115&#79rip&#106&#57then en&#115&#76write&#30&#29 Haha again hacked &#29&#61&#29[/mg]

Code along these lines achieves the more advanced script attacks. (Note: because this problem still exists on many websites, the code above has been deliberately altered and does not work as written.)

Open your FT2000, use its text editor to find the ASCII code of any special character (a semicolon ; is 59, a period . is 46) and submit the code again in that form. Sure enough, the whole filtering mechanism becomes almost totally ineffective; it offers no defence at all.
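The [url] attribute trick and the [img] keyword-blacklist bypass described above come down to the same mistake: the filter inspects the text the user typed, while the browser acts on that text after decoding its character references. The following JavaScript is an added example, not code from the original article or from any program it tested. It ports the blacklist idea of the ASP code_ss() routine, shows what the browser makes of its output, and puts a scheme allow-list converter beside it. The function names, the allowed schemes (http and https) and the payloads are choices made for this example.

```javascript
// Added example, not code from the original article: a JavaScript port of the
// blacklist idea behind the ASP code_ss() routine, next to an allow-list
// converter for [img] and [url], plus a browser-style entity decoder that shows
// what each converter really hands to the browser. Function names, the
// allowed-scheme list and the payloads are this example's own choices.

// A browser decodes numeric character references inside attribute VALUES:
// decimal (&#58;), hex (&#x3A;), with or without the semicolon. It does not
// decode attribute names, so the bypasses below all live in src= and href=.
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (ref, code) => {
    const cp = /^x/i.test(code) ? parseInt(code.slice(1), 16) : parseInt(code, 10);
    return cp > 0x10ffff ? ref : String.fromCodePoint(cp);
  });
}

// 1. Blacklist: escape < > " ', break up known keywords, then substitute tags.
const BLACKLIST = ['javascript:', 'vbscript:', 'about:', 'file:', 'document.'];

function blacklistUbb(input) {
  let s = input.replace(/</g, '&lt;').replace(/>/g, '&gt;')
               .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
  for (const kw of BLACKLIST) {
    // As in code_ss(): keep the keyword but entity-encode its last character.
    const re = new RegExp(kw.replace('.', '\\.'), 'gi');
    s = s.replace(re, kw.slice(0, -1) + '&#' + kw.charCodeAt(kw.length - 1) + ';');
  }
  s = s.replace(/on(mouse|exit|error|click|key)/gi, 'on&#32;$1');
  s = s.replace(/\[img\]([^\[]*)\[\/img\]/gi, '<img src="$1">');
  s = s.replace(/\[url\]([^\[]*)\[\/url\]/gi, '<a href="$1" target="_blank">$1</a>');
  return s;
}

// 2. Allow-list: decode the URL as the browser would, strip characters browsers
//    ignore inside a scheme (tab, newline, NUL), accept only chosen schemes, and
//    escape the value on its way into the attribute so a quote can never close it.
const ALLOWED_SCHEMES = ['http:', 'https:'];

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

function safeUrl(raw) {
  const url = decodeNumericEntities(raw).replace(/[\u0000-\u0020]/g, '');
  const m = /^([a-z][a-z0-9+.-]*:)/i.exec(url);
  return m && ALLOWED_SCHEMES.includes(m[1].toLowerCase()) ? url : null;
}

function allowlistUbb(input) {
  const tag = /\[(img|url)\]([^\[]*)\[\/\1\]/gi;
  let out = '', last = 0, m;
  while ((m = tag.exec(input)) !== null) {
    out += escapeHtml(input.slice(last, m.index));
    const url = safeUrl(m[2]);
    if (!url) out += escapeHtml(m[0]);                  // rejected: show as plain text
    else if (m[1].toLowerCase() === 'img') out += `<img src="${escapeHtml(url)}">`;
    else out += `<a href="${escapeHtml(url)}" target="_blank" rel="noopener">${escapeHtml(url)}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(input.slice(last));
}

// Constructed payloads (made up for this example) run through both converters.
function demo() {
  const payloads = [
    '[img]java&#115;cript:alert(document.cookie)[/img]',
    '[url]https://example.com/a&#34; onmouseover=alert(1)[/url]',
    '[url]https://example.com/page[/url]',
  ];
  return payloads.map(p => ({
    input: p,
    blacklist: blacklistUbb(p),
    // Entities decoded so the attribute values read as the browser will see
    // them; the tag structure itself is already fixed before any decoding.
    blacklistDecoded: decodeNumericEntities(blacklistUbb(p)),
    allowlist: allowlistUbb(p),
  }));
}

for (const r of demo()) console.log(r);
```

Run it with node; demo() returns each payload with both converters' output. The blacklist lets java&#115;cript: through because no regex ever sees the word javascript, yet the browser decodes the src value back to javascript:alert(document.cookie). The allow-list path decodes first, so the scheme check sees the real scheme, and it escapes the quote inside the href, so &#34; can no longer be used to smuggle in an attribute.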

  

After reading the attack methods above, are you depressed? Can this problem be avoided?

1. If your website runs a forum, message board or any other program that accepts submitted text, and it has no good filtering mechanism, download the upgrade immediately or stop using it, to avoid further trouble.

2. Free forum and free message-board sites should disable UBB formatting, or find an ASP program that parses UBB properly.

3. For friends who write ASP themselves, I suggest filtering out the following characters (listed inside the square brackets, with | as the delimiter):

[ " | . | ; | : | \ | / | & | $ | # | ' | ) | , | " | - | ~ | [ | ( | ]

4. For some sites we recommend removing message boards and other submission programs that have many problems. For example, the guestbook used by www.sangel.net contains many unknown program components; we recommend replacing it.

5. I have also modified a message board from outside China; the front end is basically done and the back end is being finished these days. After the modification the system filters the submitted text, the input fields and the messages. I originally intended to use an English interface, but since many Chinese users are not good at English, I wrote parts of it in Chinese. Interested friends can test it at http://www.e3i5.com/guestbook/; testing in good faith is welcome.

The following are the message-board addresses of some sites in China that I tested myself (please take note and fix them promptly to avoid unnecessary trouble). The test time was short, and some sites may have problems that were not found, possibly more serious ones.

That is all for this script-attack test. Looking across all the sites, security has clearly not been thought through; there are many problems.

Although the fix takes only a little effort, carelessness here causes big trouble.
