JS inject the road of hackers must! _javascript Tips

Recently out of the news, Ali Four network security Department employees use the Web page to write JS script to rob Mooncakes, so the interest came, want to know how this JS script in the end how to write, all kinds of brush a variety of gun snatching and how to achieve.

What is a JavaScript injection attack?

1. The site is vulnerable to JavaScript injection attacks whenever the user input is accepted and the content is displayed again. Let's look at a specific application that is susceptible to JavaScript injection attacks. Suppose you have created a customer feedback site. Customers can access the site and enter feedback about the product. Feedback is displayed back on the feedback page when the customer submits the feedback.
The customer feedback site is a simple website. Unfortunately, this site is vulnerable to JavaScript injection attacks.
Suppose you are entering the following text into the customer feedback form:

<script>alert ("attack!") </script>

This text represents a JavaScript script that displays a warning message box. After someone submits this script to the customer feedback form, the message attack! will be displayed in the future when anyone accesses the customer feedback site.

2. There is also a browser in the address bar to enter a paragraph of JS code, used to change the page JS variables, page label content.

With JavaScript injection, users can change their content without having to close or save the page, which is done in the browser's address bar. The syntax for the command is as follows:

Javascript:alert (#command #)

For example, if you want to see an alert warning box on the http://www.example.com site, first enter the URL on the address bar and wait for the page to load, then delete the URL and enter:

Javascript:alert ("Hello World")

As the new URL. This will pop up a "Hello World" warning box, which can be used to change almost anything on a Web page, such as a picture. Suppose there is a website logo picture, we look through the page source file to find a section of HTML code:

The picture is named "Hi", the source file is "Hello.gif", we want to change it to the "bye.jpeg" file stored on our site (http://www.mysite.com), so the complete URL of the picture is http:// Www.mysite.com/bye.jpeg, using JavaScript injection, we only need to enter on the address bar:

Javascript:alert (document.hi.src= "Yun_qi_img/bye.jpeg")

You will see the pop-up "http://www.mysite.com/bye.jpeg" alert warning, and the picture will be changed. It should be noted that these changes are only temporary! If you refresh the page or re-enter, your changes will disappear because you are only making these changes on your PC, not on the Web server.

Using the same method we can view or change the value of a variable, for example, we found a piece of code on a Web page:

<script language= "JavaScript" >
var a= "test"
</SCRIPT> 

The value of variable A is "test" and now we enter:

Javascript:alert (a)

We then change the value to "Hello":

Javascript:alert (a= "Hello")

JavaScript injection is often used to change form properties, assuming there is one such code:

<form name= "format" action= "send.php" method= "POST" >
<input type= "hidden" name= "Mail" value= " Someone@somewhere.com ">
<input type=" text "name=" name ">
<input type=" Submit "value=" Submit " ></form> 

We want the form to be sent to our mailboxes instead of someone@somewhere.com. You can use the following command:

Javascript:alert (document.format.mail.value= "me@hacker.com")

• Perhaps you have noticed the hierarchical relationship of these commands:
• We follow from left to right in sequence:
·1) is the document on the left
2) then is the name of the object (such as DOCUMENT.HI.SRC) that we want to change or the object it contains (for example, Document.format.mail.value)
3) Finally is the property we want to change (such as source path: DOCUMENT.HI.SRC, or Variable value: document.format.mail.value)
4) using the "." Number separation
5 When we want to change the property value, we use the "=" number and the new property value
* Note: When the new property value is a string (for example: document.format.mail.value= "me@hacker.com") you need to enclose it in double quotes.
• If we want to take it as a value for a variable, we don't need to use double quotes "". For example, we want to assign the value of variable b to variable A, and we can enter Javascript:alert (a=b).
• However, most of the labels on the page do not have names, such as:

<form action= "send.php" method= "POST" > <input type= "hidden"
name= "Mail" value= "someone@somewhere.com" >
<input type= "text" name= "name" >
<input type= "Submit" value= "Submit" ></form> 

There is no table single-name in this code, and you can use this command to synthesize the above information:

Javascript:alert (Document ... mail.value= "me@hacker.com")

In this case we have to count and find the form serial number, here is an example:

<form action= "send.php" method= "POST" >
<input type= "text" name= "name" >
<input type= "Submit" Value= "Submit" >
</form>

<form action= "send.php" method= "POST" >
<input type= "hidden" Name= "Mail" value= "someone@somewhere.com" >
<input type= "text" name= "name" >
<input type= "Submit Value= "Submit" >
</form>

<form action= "send.php" method= "POST" >
<input type= "text" Name= "Name" >
<input type= "Submit" value= "Submit" >
</form> 

• In the above code we see 3 forms, but we are only interested in the second one, so the form ordinal we want is 2. Don't forget that we started from 1, like 1,2,3,4 ... and JavaScript starts from 0, like 0,1,2,3 ... so the real form sequence number is 1, not 2, and usually we want to reduce the number of the found form by one. We will use this serial number to complement our command:

Javascript:alert (document.forms[1].mail.value= "me@hacker.com")

So that you can change a picture or link without a name, you can replace "forms" with any type of tag you want. For the picture is

Javascript:alert (document.images[3].src= "#the URL of the picture and want#")

For links is

Javascript:alert (document.links[0].href= "#the URL you want#")

Finally, we can use this technique to edit cookies. The following commands are written by Triviasecurity.net's Dr_amado, and I've only modified a little bit to show it before the user edits it. You can just copy them to the address bar:

Javascript:alert (Window.c=function A (N,V,NV) {c=document.cookie;c=c.substring (C.indexof (n) +n.length,c.length);
C=c.substring (1, (C.indexof (";") >-1)? C.indexof (";"): C.length)); Nc=unescape (c). replace (V,NV);
document.cookie=n+ "=" +escape (NC); return unescape (Document.cookie);});
Alert (' The cookie is: ' +document.cookie+ '); alert (Prompt ("The name of the cookie:", ""),
prompt Value: "," "), Prompt (" with: ","))) 

If you want to manually change your cookie, you can use the following command:

Javascript:alert (Document.cookie)

This will show your current cookie, assuming it is "userid=1" and if you want to change it to "userid=2", you can use the following command:

Javascript:alert (document.cookie= "userid=2")

The last thing I have to emphasize is that all the changes are just on the client! It's like keeping the Web page on your PC and modifying it. However, using this technique you can still cheat pages (such as cookies) or bypass security validation. For example, some Web pages will detect the location where the user sends the data, and if the data is sent from http://www.test.com/form.php to http://www.test.com/check.php, Check.php may detect whether the data is from a form on http://www.test.com/form.php. In addition, if you're going to enter your own JavaScript code on the page, by using some of these tips, you'll be able to change the picture and stay the same!

Finally, since JS injection so terrible, we write our own site what solutions to prevent JS injection it?

Method One:

An easy way to prevent JavaScript injection attacks is to use HTML to encode data entered by any site user when you re displaying data in the view
such as: <%=html.encode (feedback. Message)%>
What is the meaning of using HTML to encode a string? When using HTML-encoded strings, dangerous characters Furu < and > are replaced with HTML entities such as < and >. So, when using HTML-encoded string <script>alert ("Boo!") </script>, it will be converted to <script>alert ("attack!") </script>. The browser no longer executes JavaScript scripts when parsing encoded strings. Instead, it displays harmless pages.

Method Two:

In addition to using HTML-encoded data when displaying data in a view, you can also use HTML-encoded data before submitting the data to the database.

Stringescapeutils.escapehtml ("Data submitted by the front desk");

Generally, people prefer to use the first method discussed in this tutorial, rather than using the second method. The problem with the second approach is that HTML-encoded data will eventually be preserved in the database. In other words, the data in the database will contain strange characters. What's the downside? If you need to display database data in a form other than a Web page, you will experience problems. For example, you cannot easily display data in a Windows Forms application.

Thank the Netizen to share:http://zxf-noimp.iteye.com/blog/1130771

The above is the entire content of this article, I hope to help you learn, but also hope that we support the cloud habitat community.