On the Way of XSS Attack and Defense


By Xylitol
Riusksk (quange: http://riusksk.blogbus.com)
 
0x100 Cross Frame Scripting
 
0x110 Theoretical explanation
 
Cross Frame Scripting, abbreviated "XFS", arises when a page takes the address of one of its frames from a request variable without checking it.
For example:
http://www.site.com/navigate.php?url=guestbook/index.php
Here the guestbook is displayed inside the frame, but we can change the parameter:
http://www.site.com/navigate.php?url=http://google.com
and the frame now loads the Google homepage instead (do not confuse this with the vulnerability itself).
Cross Frame Scripting is used mainly for phishing, which is what makes the vulnerability harmful: the victim sees the trusted site's address, header and menu, while the framed content comes from somewhere else. A cross-site attacker (xsser) can build a URL such as:
?url=http://xsser.com/phishing.php
or the same query string with every character hex-encoded, so that the destination is not obvious in the link:
%3F%75%72%6C%3D%68%74%74%70%3A%2F%2F%6C%61%6D%7A%6F%72%2E%63%6F%6D%2F%70%68%69%73%68%69%6E%67%2E%70%68%70
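As an added illustration (not part of the original paper), the PHP script below shows the detection side: it scans web-server access-log lines for requests whose frame-target parameter points off-site, decoding hex-encoded values first so that the encoded form above is caught as readily as the plain one. The log lines are constructed for the demo, the parameter names url and iframe are assumed from the paper's examples, and evil.example is a placeholder host. Note that the hex string in the paper decodes to http://lamzor.com/phishing.php, which is the value reused in the third line.

```php
<?php
// Added example (not from the original paper): detection logic that flags
// requests whose frame-target parameter points off-site. Works on common
// access-log lines; all lines below are constructed for the demo.

$logLines = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /navigate.php?url=guestbook/index.php HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /navigate.php?url=http://xsser.com/phishing.php HTTP/1.1" 200 512',
    // Same idea, value hex-encoded the way the paper shows (decodes to http://lamzor.com/phishing.php).
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /navigate.php?url=%68%74%74%70%3A%2F%2F%6C%61%6D%7A%6F%72%2E%63%6F%6D%2F%70%68%69%73%68%69%6E%67%2E%70%68%70 HTTP/1.1" 200 512',
    // Scheme-relative target and a double-encoded one, both still off-site.
    '10.0.0.8 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?iframe=//evil.example/login HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?iframe=%2568%2574%2574%2570%253A%252F%252Fevil.example HTTP/1.1" 200 512',
];

// Names of the parameters the site uses to choose the frame content (assumed).
const FRAME_PARAMS = ['url', 'iframe'];

/** Pull the frame-target parameter out of one log line, or null if absent. */
function extractFrameTarget(string $logLine): ?string
{
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[0-9.]+"/', $logLine, $m)) {
        return null;
    }
    $pos = strpos($m[1], '?');
    if ($pos === false) {
        return null;
    }
    parse_str(substr($m[1], $pos + 1), $params); // decodes one layer of %XX
    foreach (FRAME_PARAMS as $name) {
        if (isset($params[$name]) && is_string($params[$name])) {
            return $params[$name];
        }
    }
    return null;
}

/** Decode repeatedly (bounded) so double-encoded values are normalised too. */
function normalizeTarget(string $value): string
{
    for ($i = 0; $i < 3; $i++) {
        $decoded = rawurldecode($value);
        if ($decoded === $value) {
            break;
        }
        $value = $decoded;
    }
    return trim($value);
}

/** True when the target leaves the site: it has a scheme, or is scheme-relative. */
function isOffSiteTarget(string $value): bool
{
    $v = normalizeTarget($value);
    return preg_match('#^[a-z][a-z0-9+.-]*:#i', $v) === 1 || substr($v, 0, 2) === '//';
}

/** Return [line number, decoded target] for every suspicious request. */
function scanLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        $target = extractFrameTarget($line);
        if ($target !== null && isOffSiteTarget($target)) {
            $hits[] = ['line' => $n + 1, 'target' => normalizeTarget($target)];
        }
    }
    return $hits;
}

foreach (scanLog($logLines) as $hit) {
    printf("line %d: frame parameter points off-site -> %s\n", $hit['line'], $hit['target']);
}
```

Run with php on the command line; the first log line (a relative guestbook path) is silent and the other four are reported with their decoded destination. The bounded decode loop matters: a single rawurldecode would leave the double-encoded value looking like an opaque string of percent escapes and the check would miss it.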
 
Vulnerability trigger: (illustration missing from this copy)

0x111 Vulnerable code sample
 
Here is a small vulnerable site as a demonstration. First, create four files:
1. en_tete.htm
2. accueil.htm
3. navigation.htm
4. index.php
 
navigation.htm:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Menu</title>
</head>
<body bgcolor="#CCCCCC">
<pre>&nbsp;
 
</pre>
<p>&nbsp;</p>
<p>&nbsp;</p>
<ul>
<li><a href="index.php?iframe=http://google.com" target="_parent">google</a></li>
<li><a href="index.php?iframe=http://fr.wikipedia.org/wiki/Accueil" target="_parent">wiki</a></li>
<li><a href="index.php?iframe=http://xylitol.free.fr/" target="_parent">Xylitol</a></li>
</ul>
<p>&nbsp;</p>
</body>
</html>
 
en_tete.htm:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>en tete</title>
<style type="text/css">
<!--
.Style1 {
    color: #FFFFFF;
    font-size: 36px;
}
-->
</style>
</head>
<body bgcolor="#rj7f">
<span class="Style1">Welcome in: mysiteisnotsecure.fr!</span>
<br />
Valid W3C! 1! 1! 1 !! 1 Greetz: shésponspony
</body>
</html>
 
 
 
 
accueil.htm:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Accueil</title>
</head>
<body bgcolor="#FFCC66">
<h1>What the Hell?</h1>
</body>
</html>
 
 
index.php:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Welcome in mysiteisnotsecure.fr</title>
</head>
<frameset rows="*" cols="110,*" frameborder="NO" border="0" framespacing="0">
<frame src="navigation.htm" name="navigation" frameborder="yes" scrolling="NO" bordercolor="#0000CC" id="navigation" />
<frameset rows="98,*" cols="*" framespacing="0" frameborder="NO" border="0">
<frame src="en_tete.htm" name="entete" frameborder="yes" scrolling="NO" bordercolor="#000000" id="entete" />
<frame src="<?php
if (isset($_GET['iframe']))
    echo $_GET['iframe']; // OMG Epic fail! The request value goes straight into the frame src.
else
    echo "accueil.htm";
?>" name="corps" scrolling="auto" id="corps" />
</frameset>
</frameset>
<noframes>No frames :(</noframes>
</html>
 
Syntax: index.php?iframe=http://google.com
 
0x112 Writing secure code
 
We can fix this vulnerability in the following way:
 
index.php:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Welcome in mysiteissecurenow.fr</title>
</head>
<frameset rows="*" cols="110,*" frameborder="NO" border="0" framespacing="0">
<frame src="navigation.htm" name="navigation" frameborder="yes" scrolling="NO" bordercolor="#0000CC" id="navigation" />
<frameset rows="98,*" cols="*" framespacing="0" frameborder="NO" border="0">
<frame src="en_tete.htm" name="entete" frameborder="yes" scrolling="NO" bordercolor="#000000" id="entete" />
<frame src="<?php
// Secure code
if (isset($_GET['iframe']))
{
    $allowUrls = array("http://google.com", "http://fr.wikipedia.org/wiki/Accueil",
                       "http://xylitol.free.fr/"); // add your allowed links here
 
    if (in_array($_GET['iframe'], $allowUrls, true))
        echo $_GET['iframe']; // iframe holds an allowed URL (exact, strict match)
    else // otherwise show the main page (or an error page)
        echo "accueil.htm";
}
else
    echo "accueil.htm";
?>" name="corps" scrolling="auto" id="corps" />
</frameset>
</frameset>
<noframes>No frames :(</noframes>
</html>
 
 
Other solutions:
 
// Checking URLs with a regex
<?php
if (isset($_GET['iframe']))
{
    // The document name must be 1 to 13 characters followed by ".htm";
    // a short length is preferable. The ^ and $ anchors make the pattern
    // match the whole value rather than a substring somewhere inside it.
    if (preg_match('#^http://xylitol\.free\.fr/SiteSecure/[0-9A-Za-z_.-]{1,13}\.htm$#', $_GET['iframe']))
        echo htmlentities($_GET['iframe']); // escape before output, against XSS
    else // show the main page (or an error page)
        echo "accueil.htm";
}
else
    echo "accueil.htm";
?>
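The two fixes above (an allowlist of exact URLs, and an anchored pattern for local documents) can be combined into one resolver. The PHP below is an added example, not code from the original paper, and goes one step further than the paper: the menu sends a short key (page=wiki) that the server maps to a destination, so a URL never has to travel in the request at all; the legacy iframe parameter is still honoured, but only on a strict allowlist match or an anchored local-file pattern, and the chosen value is escaped before it lands in the frame attribute. The allowed sites and the SiteSecure/ directory come from the paper; the function and parameter names, the page keys and evil.example are assumptions for the demo.

```php
<?php
// Added example, not code from the original paper: a hardened replacement for
// the frame-target lookup in index.php. The client sends a short key
// (?page=wiki), never a URL, and the server maps it to the destination.
// Raw URLs are accepted only when they match the allowlist exactly, local
// documents only when they match an anchored pattern. Names are assumed.

const FRAME_DEFAULT = 'accueil.htm';

// Key -> destination. The navigation menu links to index.php?page=<key>.
const FRAME_PAGES = [
    'google'  => 'http://google.com',
    'wiki'    => 'http://fr.wikipedia.org/wiki/Accueil',
    'xylitol' => 'http://xylitol.free.fr/',
];

/**
 * Return the frame src to render for untrusted request values.
 * The input is echoed back only if it passed one of the checks.
 */
function resolveFrameTarget(?string $page, ?string $iframe): string
{
    // Preferred path: a known key, nothing from the request is reused.
    if ($page !== null && array_key_exists($page, FRAME_PAGES)) {
        return FRAME_PAGES[$page];
    }

    if ($iframe !== null) {
        // Legacy parameter: external URL accepted only on exact (strict) match.
        // PHP has already percent-decoded $_GET, so the hex-encoded payload
        // from the paper arrives here as the plain URL and is compared as such.
        if (in_array($iframe, FRAME_PAGES, true)) {
            return $iframe;
        }
        // Local document: a bare file name under SiteSecure/, 1 to 13 name
        // characters then ".htm". The ^ and $ anchors are essential: without
        // them "http://evil.example/?x=SiteSecure/a.htm" would match too.
        if (preg_match('#^SiteSecure/[0-9A-Za-z_-]{1,13}\.htm$#', $iframe)) {
            return $iframe;
        }
    }

    return FRAME_DEFAULT;
}

/** Escape for use inside a double-quoted HTML attribute. */
function frameSrcAttribute(string $target): string
{
    return htmlspecialchars($target, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs covering each branch; the last three are attacker cases
// (the paper's hex-encoded link, a substring trick, and an attribute breakout).
$cases = [
    ['page' => 'wiki', 'iframe' => null],
    ['page' => null,   'iframe' => 'http://google.com'],
    ['page' => null,   'iframe' => 'SiteSecure/contact.htm'],
    ['page' => null,   'iframe' => rawurldecode('%68%74%74%70%3A%2F%2F%6C%61%6D%7A%6F%72%2E%63%6F%6D%2F%70%68%69%73%68%69%6E%67%2E%70%68%70')],
    ['page' => null,   'iframe' => 'http://evil.example/?x=SiteSecure/a.htm'],
    ['page' => null,   'iframe' => '" onload="alert(1)'],
];

foreach ($cases as $c) {
    $label  = $c['iframe'] ?? 'page=' . $c['page'];
    $target = resolveFrameTarget($c['page'], $c['iframe']);
    printf("%-50s -> %s\n", $label, frameSrcAttribute($target));
}
```

Running it prints the wiki URL, http://google.com and SiteSecure/contact.htm for the first three cases, and accueil.htm for the three attacker cases. In index.php the frame line then echoes frameSrcAttribute(resolveFrameTarget($_GET['page'] ?? null, $_GET['iframe'] ?? null)) inside the src attribute, so even the fallback value passes through the escaper. The strict third argument to in_array matters: it forces a string comparison instead of PHP's loose equality, so only a byte-for-byte identical URL is accepted.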

0x200 Headers for fun and profit
0x210 Cross Agent Scripting
 
Cross Agent Scripting (XAS) means getting HTML or JavaScript executed from the browser's User-Agent string. Suppose you visit a site that displays your User-Agent back to you. After the User-Agent is modified
