Cross-site scripting (XSS) in Web security testing

Last Update:2014-05-22 Source: Internet

Author: User

Tags html encode

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

Cross-site scripting (XSS) attacks are the most common vulnerabilities in Web applications. An attacker embeds a client script (such as JavaScript) in a webpage. when a user browses the webpage, the script is executed in the browser of the user to achieve the target of the attacker. for example, attackers can obtain users' cookies, navigate to malicious websites, and carry Trojans. As a tester, you must

Cross Site Scripting (XSS) is the most common vulnerability in Web applications. An attacker embeds a client script (such as JavaScript) in a webpage. when a user browses the webpage, the script is executed in the browser of the user to achieve the target of the attacker. for example, attackers can obtain users' cookies, navigate to malicious websites, and carry Trojans.

As a tester, you need to understand the XSS principles, attack scenarios, and how to fix them. In order to effectively prevent the occurrence of XSS.

How does XSS happen?

Suppose there is a textbox below

Value1from is the input from the user. if the user does not enter value1from, But inputs "/> script alert (document. cookie) and script

The embedded JavaScript code will be executed.

Or if the user inputs "onfocus =" alert (document. cookie ),

When an event is triggered, the embedded JavaScript code is executed.

The attack power depends on the script entered by the user.

Of course, the data submitted by the user can also be sent to the server through QueryString (in the URL) and Cookie. for example

HTML Encode

XSS occurs because the data entered by the user is changed to code. Therefore, we need to perform HTML Encode processing on user input data. Encode special characters such as "brackets", "single quotes", and "quotation marks.

A ready-made method is provided in C #. you only need to call HttpUtility. HtmlEncode ("string . (System. Web assembly needs to be referenced)

Fiddler also provides a convenient tool. click "TextWizard" on the Toolbar.

XSS attack scenarios

1. Dom-Based XSS vulnerability attack process:

Tom found a page in Victim.com with an XSS vulnerability,

Example: http://victim.com/search.asp? Term = apple

The code for the Search. asp page on the server is as follows:

 　　 　　 　　　　Results  for <%Reequest.QueryString("term")%> 　　　　...

Tom first sets up a website http://badguy.com to receive "stolen" information.
Then Tom constructs a malicious url (as shown below) and sends it to Monica through some method (email, QQ ).

http://victim.com/search.asp?term=

Monica clicks this URL. the malicious Javascript code embedded in the URL will be executed in Monica's browser. then, the cookie of Monica on the victim.com website will be sent to the badguy website. In this way, the information of Monica in victim.com is stolen by Tom.

2. stored XSS (storage-type XSS vulnerability) is a vulnerability that is widely used and may affect the security of Web servers. attackers can Upload attack scripts to Web servers, this makes information leakage possible for all users accessing this page. The attack process is as follows:

Alex discovered an XSS vulnerability on website A, which allows the attacker to store the attack code in the database,

Alex published an article that embedded malicious JavaScript code.

When other people access this article, such as Monica, the malicious Javascript code embedded in the article will be executed in her browser, and her session cookie or other information will be stolen by Alex.

Dom-Based XSS vulnerabilities threaten individual users, while stored XSS vulnerabilities threaten a large number of users.

XSS vulnerability repair

Principle: do not trust customer input data
Note: the attack code is not necessarily in script

Mark important cookies as http only, so that the document. cookie statement in Javascript cannot get cookies.
Only allow users to enter the expected data. For example, in textbox of age, only users can enter numbers. Characters other than numbers are filtered out.
Html Encode processing of data
Filter or remove special Html tags, such as script,, & Nbsp; <for <,> for>, & quot for </li> <li style = "margin-left: 10px;"> Filter tags of JavaScript events. For example, "onclick =", "onfocus", etc. </Li> </ol> How to test XSS vulnerabilities Method 1: view the code and find the key variables. & nbsp; the client transmits data to the Web server in three ways: Querystring, Form, and cookie. & nbsp; for example, in an ASP program, obtain the client variable through the Request object <pre> <% strUserCode = Request. queryString ("code"); strUser = Request. form ("USER"); strID = Request. cookies ("ID"); %> </pre> If the variable is not processed by htmlEncode, this variable has an XSS vulnerability & nbsp; & nbsp; Method 2: Prepare the test script. <pre>"/> <script> al Ert (document. cookie) </script> <! -- Script alert (document. cookie) script <! -- "Onclick =" alert (document. cookie) </pre> & nbsp; enter these test scripts in Textbox or other places on the webpage to see if a dialog box is displayed, the XSS vulnerability & nbsp; check the variables in the URL to pass the values to the Web server through the URL, and return the values of these variables to our test script. & Nbsp; then check whether our script can be executed & nbsp; method 3: & nbsp; automated Test of XSS vulnerabilities Many XSS scanning tools are available now. It is very simple to implement XSS automated testing. you only need to use the HttpWebRequest class. Include the xss test script. Send to the Web server. Then, check whether our XSS test script has been injected into HttpWebResponse. differences between HTML Encode and URL Encode at the beginning, I always confuse these two things. actually, they are two different things. & Nbsp; we have already introduced HTML encoding to comply with URL standards. Because many characters in the standard url specification are not allowed to appear in the url. For example, search for" test Chinese character "in baidu ". The URL is changed to http://www.baidu.com/s?wd=%B2%E2%CA%D4%BA%BA%D7%D6&rsv_bp=0&rsv_spt=3&inputT=7477 & nbsp; The URL encoding is to replace all non-alphanumeric characters with a semicolon (%) followed by two hexadecimal numbers, space is encoded as the plus sign ( + ) & nbsp; a ready-made method is provided in C #, as long as HttpUtility is called. urlEncode ("string <scrui>. & Nbsp; (System must be referenced. web assembly) Fiddler also provides convenient tools. click the" TextWizard "button on the Toolbar XSS filter in the browser to prevent XSS, many browser vendors add security mechanisms to their browsers to filter XSS. For example, IE8, IE9, Firefox, and Chrome all have security mechanisms for XSS. The browser blocks XSS. For example, & nbsp; & nbsp; IE7 is recommended if you need to perform a test. & nbsp; ASP. & nbsp; ASP. NET has a mechanism to prevent XSS. the submitted form will automatically check whether XSS exists. when the user tries to input XSS code, ASP. NET will throw an error, such as many programmers do not know the concept of security or even the existence of XSS. ASP. NET provides default security. In this way, even a programmer without security awareness can write a "safer website". to disable this security feature, use <% @ & nbsp; Page & nbsp; validateRequest =" false "& nbsp; %>

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More