At present many websites have added a generic anti-injection script, so you can no longer type an injection statement directly into a parameter. At first glance such an anti-injection system looks good; however, it typically checks only the QueryString (GET) and Form (POST) data and ignores Cookies. That gap is what cookie injection exploits.
First, let's look at how Cookies can be injected. If you have learned ASP, you know that
ID = Request.QueryString("ID") (GET)
or
ID = Request.Form("ID") (POST)
are the two usual ways of collecting a parameter. But sometimes, to simplify the code, it is written as ID = Request("ID"). That is shorter, but this is where the problem arises. When ASP resolves an unqualified Request("ID") it does not read a single source: it searches the collections in a fixed order, QueryString first, then Form, then Cookies (and after those ClientCertificate and ServerVariables), and returns the first value it finds. So if neither the query string nor the form carries an ID, a cookie named ID is used instead.
Now look at the anti-injection system. It inspects the data in GET and POST, and if it finds special characters (injection characters, of course) it refuses the submission. But it does not inspect Cookies, and so cookie injection becomes possible. How, then, do we test whether a page has a cookie-injection problem? Take the following link (a made-up example, not a real site):
http://www.xxx.com/1.asp?id=123
If we drop the parameter and request only
http://www.xxx.com/1.asp
the normal data cannot be displayed, because there is no parameter. What we want to find out is whether the page collects its parameter in the unqualified form
Request("XXX")
Enter in IE:
http://www.xxx.com/1.asp
Load the page; it displays abnormally (nothing was supplied for the parameter). Then type the following into the IE address bar:
javascript:alert(document.cookie="id="+escape("123"));
Press Enter and a dialog box appears showing id=123. Now refresh the page. If it now displays normally, the page is collecting the parameter as
Request("ID")
(the unqualified form), and you can try cookie injection from the address bar:
javascript:alert(document.cookie="id="+escape("123 and 3=3"));
Refresh the page. If it still displays normally, continue with the next probe. (If it does not display normally at this point, the value may have been filtered.)
javascript:alert(document.cookie="id="+escape("123 and 3=4"));
Refresh the page again. If it now displays abnormally, the parameter is injectable: the page behaves differently for a true condition (3=3) and a false condition (3=4), which means the cookie value is being concatenated straight into the SQL statement. If instead the programmer used
Request.QueryString
or
Request.Form
to collect the data, there is no cookie-injection problem, because the script reads the value directly from GET or POST and never consults Cookies, so a cookie cannot be used for injection.
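As an added example (not code from the original article, and not how any particular anti-injection script is written), the following Node.js model shows the two points above: the collection order an unqualified Request("ID") follows, and why a blacklist that checks only QueryString and Form lets the same 123 and 3=4 probe through when it arrives in a cookie. It also shows the hardened form, reading from Request.QueryString only and requiring a numeric id. Classic ASP is VBScript, so the request objects, the filter pattern, the table name product and the sample requests are constructed assumptions for illustration.

```javascript
// Added example, not code from the original article. A Node.js model of how
// classic ASP's unqualified Request("name") resolves a value and why a filter
// that inspects only QueryString and Form is bypassed through the Cookie header.
// The request shape, the filter pattern, the table name "product" and the
// sample requests are all constructed for illustration.

// Parse "a=1&b=2" (separator "&", "+" means space) or "a=1; b=2" (separator ";")
// into an object. Values are percent-decoded, as ASP does when reading its
// collections. For the ASCII payloads in the article escape() and
// encodeURIComponent() produce the same bytes, so decodeURIComponent reverses both.
function parsePairs(raw, separator, plusIsSpace) {
  const out = {};
  if (!raw) return out;
  for (const part of raw.split(separator)) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    let value = part.slice(eq + 1).trim();
    if (plusIsSpace) value = value.replace(/\+/g, ' ');
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// Build the three collections an ASP page sees from a raw query string, a raw
// urlencoded POST body and a raw Cookie header.
function buildRequest({ query = '', form = '', cookie = '' } = {}) {
  return {
    QueryString: parsePairs(query, '&', true),
    Form: parsePairs(form, '&', true),
    Cookies: parsePairs(cookie, ';', false),
  };
}

// ASP's unqualified Request("name") searches QueryString, then Form, then
// Cookies (then ClientCertificate and ServerVariables, omitted here) and returns
// the first match. This ordering is what makes the cookie reachable.
function requestLookup(req, name) {
  for (const coll of ['QueryString', 'Form', 'Cookies']) {
    if (Object.prototype.hasOwnProperty.call(req[coll], name)) return String(req[coll][name]);
  }
  return '';
}

// The kind of "general anti-injection" filter the article describes: a keyword
// and punctuation blacklist applied to QueryString and Form only.
const INJECTION_PATTERN = /('|--|;|\b(and|or|select|union|insert|update|delete|exec)\b)/i;

function naiveFilterBlocks(req) {
  for (const coll of ['QueryString', 'Form']) {
    for (const value of Object.values(req[coll])) {
      if (INJECTION_PATTERN.test(String(value))) return true;
    }
  }
  return false;
}

// Vulnerable page: run the filter, then drop Request("id") into the SQL text.
function vulnerableHandler(req) {
  if (naiveFilterBlocks(req)) return { blocked: true, sql: null };
  const id = requestLookup(req, 'id');
  return { blocked: false, sql: `SELECT * FROM product WHERE id=${id}` };
}

// Hardened page: read the parameter only from the collection the page is
// designed to take it from (the article's Request.QueryString advice) and
// enforce the expected type, so no collection can smuggle SQL into the query.
function hardenedHandler(req) {
  const raw = req.QueryString.id;
  if (typeof raw !== 'string' || !/^\d{1,10}$/.test(raw)) return { blocked: true, sql: null };
  return { blocked: false, sql: `SELECT * FROM product WHERE id=${Number(raw)}` };
}

// The article's second probe, encoded the way escape() encodes it in the
// address bar: "123%20and%203%3D4".
const probe = '123 and 3=4';
const encoded = encodeURIComponent(probe);

// Same payload through three paths: filtered in the query string, passed
// through untouched in a cookie, rejected by the hardened handler.
function demo() {
  return {
    viaQuery: vulnerableHandler(buildRequest({ query: 'id=' + encoded })),
    viaCookie: vulnerableHandler(buildRequest({ cookie: 'id=' + encoded })),
    hardened: hardenedHandler(buildRequest({ cookie: 'id=' + encoded })),
  };
}

console.log(demo());
```

Running it with node prints viaQuery as blocked, viaCookie as an unblocked query ending in id=123 and 3=4, and hardened as blocked. The numeric check in hardenedHandler is the real fix: choosing Request.QueryString stops the cookie path, but only validating (or parameterising) the value stops injection through the query string itself.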
-------------------------------------------------------------------------
For friends who do not understand
javascript:alert(document.cookie="id="+escape("123"));
here is an explanation:
document.cookie="id="+escape("123")
saves the value 123 in a cookie named id for the site currently loaded in the browser (escape() URL-encodes the value, so in the later probes the space becomes %20 and = becomes %3D; ASP decodes them again when it reads Request.Cookies).
alert(xxx)
displays the assigned value in a dialog box so you can confirm what was set. Note that current browsers strip or block javascript: URLs typed into the address bar; the same assignment can be run in the browser's developer-tools console, or the Cookie header can be edited directly in an intercepting proxy.