Vulnerability research on UBB cross-site scripting attacks

Source: Internet
Author: User
Recently, a number of sites were found to be vulnerable to UBB cross-site scripting attacks. A cross-site scripting attack rarely has a significant impact on the server itself, but for a site it is a vulnerability that is simply not worth having. At the small end, an attacker plants whatever they like in a page, or replaces the homepage; at the heavy end, they steal visitors' cookies, or even wipe the viewer's hard drive. Once a site has been turned into a malicious website, who dares visit it? And if the webmaster is a little "blind" to what is happening, is that not a mess?
  
Can a small piece of code really do this to a site? Let's look at what a so-called cross-site scripting attack looks like. Go to a site with UBB functions, such as a message board, a forum, or any site with a program that accepts submissions. First, the simplest script attack of all: filtering of HTML characters such as <td></td>.
  
I logged on to a site built with CGI. Coming from ASP, my impression of CGI sites was that their script filtering ought to be good, so I did a first test: in the username field I entered <td> and submitted the registration; no "illegal characters" prompt appeared. After registering, I opened the profile data and found the page layout was broken. Filling the same thing into several other fields, such as country or gender, produced the same problem, and the page became unreadable. I then switched to another site: submitting <td> there produced an illegal-character prompt, so that site already filters <, > and other HTML characters. Fine, we switch to the ASCII-code form instead, &#60; and &#62; in place of < and >, and submit again: the page is deformed just as above, so the filtering mechanism is not complete. What is more, I found a site whose Name field had no length limit and filtered no illegal characters at all; what happens if I submit malicious code there?
  
Simple script attacks with HTML-formatted code such as <td> must at least be filtered well; some of the sites above had not even got as far as the UBB issue. Now let's focus on the problem of UBB filtering vulnerabilities. UBB is the set of format markers a forum uses in place of HTML editing: [b][/b], for example, stands in for <b></b> in HTML. That substitution, however, is the best place to build a cross-site scripting attack. I tested an ASP message board and a whole-site program:
  
Primary problem: [url] filtering. When submitting, you can build malicious code around an onmouseover handler, and once onmouseover is effective, what can't you do? Some programs convert [url]s2[/url] by putting s2 straight into <a href="s2" target=_blank>s2</a>. Seeing this conversion, we can use the ASCII code &#34; in place of the " that would be filtered, submit one extra quote that way, and build the onmouseover handler after it; the consequences you can work out yourself. One caveat: a browser's HTML parser decodes &#34; inside a quoted attribute into an ordinary character, it does not close the attribute, so this trick relies on a converter that decodes the reference back into a real " before building the tag, or that places the value in the tag without quoting or encoding it at all.
  
[img] filtering: this really is a long-standing problem. [img] script attacks were a fad a long time ago, yet in this test many sites still have the vulnerability. Some programs do not filter at all, and in particular a good number of sites that provide free message boards have this problem. Below we focus on the [img] tag:
  
Very simple: [img]javascript:alert();[/img] is translated into <img src="javascript:alert();">. Here javascript:alert(); is activated by the <img src=""> tag (browsers of that era ran a javascript: URL given as an image source; current browsers do not). The effect is a popup dialog showing whatever you put between the parentheses, for example document.cookie; most people know what that does. Furthermore, you can write a whole page with the document.write() function: [img]javascript:document.write();[/img]. Put whatever you want between the parentheses and write whatever you like; the more malicious you can think of, the more dangerous it gets.
  
Advanced issues: because the [img] problem has harassed so many sites, they started filtering on sensitive strings. Sequences such as "ja", "do" and "wr" are split into "j a", "d o" and "w r" after submission, or words such as "java" and "document" are filtered out. That only beats a small number of attackers: we can still substitute ASCII codes (numeric character references) for the filtered letters. Some people may be puzzled that the substituted code still does not display as intended, so let's work through a complete example:
  
A site's UBB filter code snippet is as follows (the original's entity-encoded strings were lost when this page was extracted; the ones below are reconstructed to match the stated intent and are marked as such in the comments):
<%
Function code_ss(strers)
    Dim strer : strer = strers
    If strer = "" Or IsNull(strer) Then code_ss = "" : Exit Function

    ' HTML-escape the characters the site considers dangerous.
    ' "&" is deliberately left alone, which is exactly why numeric
    ' character references such as &#106; pass through this function untouched.
    strer = Replace(strer, "<", "&lt;")
    strer = Replace(strer, ">", "&gt;")
    strer = Replace(strer, " ", "&nbsp;")                       ' space
    strer = Replace(strer, Chr(9), "&nbsp;&nbsp;&nbsp;&nbsp;")  ' tab
    strer = Replace(strer, "'", "&#39;")                        ' single quote
    strer = Replace(strer, """", "&quot;")                      ' double quote

    Dim re, re_v
    re_v = "[^\(\)\;\'""\[]*"   ' declared but never used in this snippet
    ' re_v = ".[^\[]*"
    Set re = New RegExp
    re.IgnoreCase = True
    re.Global = True

    ' Keyword blacklist. The replacement strings are reconstructed: the
    ' intent is to break the keyword so the browser no longer recognises it.
    re.Pattern = "(javascript:)"
    strer = re.Replace(strer, "javascript&#58;")
    re.Pattern = "(javascript)"
    strer = re.Replace(strer, "java&#115;cript")
    re.Pattern = "(jscript:)"
    strer = re.Replace(strer, "jscript&#58;")
    re.Pattern = "(js:)"
    strer = re.Replace(strer, "js&#58;")
    re.Pattern = "(value)"
    strer = re.Replace(strer, "v&#97;lue")
    re.Pattern = "(about:)"
    strer = re.Replace(strer, "about&#58;")
    re.Pattern = "(file:)"
    strer = re.Replace(strer, "file&#58;")
    re.Pattern = "(document.)"    ' "." is unescaped, so this matches "document" + any character
    strer = re.Replace(strer, "document&#46;")
    re.Pattern = "(vbscript:)"
    strer = re.Replace(strer, "vbscript&#58;")
    re.Pattern = "(vbs:)"
    strer = re.Replace(strer, "vbs&#58;")
    re.Pattern = "(on(mouse|exit|error|click|key))"
    strer = re.Replace(strer, "&#111;n$2")

    code_ss = strer
End Function
%>
  
Friends who understand ASP can see that the code above filters and replaces statements such as javascript, jscript:, js:, about:, value, document., onmouse and onexit, and also escapes some special characters. On closer inspection, its filtering mechanism is not as complete as its author might think. Submit: [mg]& #176 & #93 & #118 & #97 & #115 & #79rip & #106 & # 57documen& #115 & #76write & #30 & #29哈哈又被黑了 & #29 & #61 & #29 [/MG] (the Chinese text inside reads "haha, hacked again") and similar code, and you get a more advanced script attack. NOTE: because many sites still have this problem, the code has been altered so that it does not work as written.
Open FT2000 (or any text editor that shows character codes) and you can look up the ASCII code of any special character: the semicolon ; can be written as &#59; and the period . as &#46;. Submit the code in this form and, sure enough, the whole filtering mechanism is almost completely ineffective; it has no defensive effect at all. The reason is that the filter escapes <, >, ' and " but never &, so the references reach the page intact, and it is the visitor's browser, not the server, that decodes &#59; back into ; inside the attribute before the URL is interpreted.
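As an added illustration of the [img]/[url] conversions and the character-reference bypass described above, here is a small JavaScript model written for this page; it is not code from the article or from any of the programs it tested. naiveFilter and naiveUbbToHtml imitate the quoted ASP filter (they escape < > " ' but not &, and delete a few blacklisted keywords; the deletion stands in for the original's lost replacement strings, an assumption), decodeCharRefs does what a browser does to an attribute value, and safeUbbToHtml is the hardened form: decode first, allow-list the URL scheme, and encode & on output. The payload and all other inputs are constructed for the example.

```javascript
// Added example (JavaScript, not the article's ASP code): a UBB -> HTML
// converter modelled on the quoted filter, next to a hardened converter.
// All inputs are constructed for the demonstration.

// Model of the article's filter: escape < > " ' (but NOT &) and delete a
// few blacklisted keywords, case-insensitively. Deleting the keyword stands
// in for whatever the original put in its place (an assumption).
function naiveFilter(text) {
  let s = text
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
  const banned = [/javascript:/gi, /vbscript:/gi, /about:/gi, /file:/gi,
                  /document\./gi, /on(mouse|exit|error|click|key)/gi];
  for (const re of banned) s = s.replace(re, "");
  return s;
}

// UBB -> HTML as the article describes the vulnerable programs:
// [img]X[/img] -> <img src="X">, [url]X[/url] -> <a href="X">X</a>.
function naiveUbbToHtml(text) {
  return naiveFilter(text)
    .replace(/\[img\](.*?)\[\/img\]/gi, (m, v) => '<img src="' + v + '">')
    .replace(/\[url\](.*?)\[\/url\]/gi,
             (m, v) => '<a href="' + v + '" target="_blank">' + v + "</a>");
}

// What the browser does to an attribute value before using it as a URL:
// decode numeric references (decimal or hex, trailing ';' optional) and the
// common named ones. A single pass, as in a real tokenizer.
function decodeCharRefs(value) {
  const named = { quot: '"', amp: "&", lt: "<", gt: ">", apos: "'" };
  return value.replace(
    /&(?:#x([0-9a-f]+)|#([0-9]+)|(quot|amp|lt|gt|apos));?/gi,
    (m, hex, dec, name) => {
      if (name) return named[name.toLowerCase()];
      const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
      return cp > 0x10ffff ? m : String.fromCodePoint(cp);
    });
}

// Pull a double-quoted attribute out of a tag, as a tokenizer would see it.
function extractAttr(html, name) {
  const m = new RegExp(name + '="([^"]*)"', "i").exec(html);
  return m ? m[1] : null;
}

// ---- hardened version ----------------------------------------------------

// Encode everything that matters in text or a quoted attribute, including
// '&', so references the attacker typed stay literal in the browser.
function attrEncode(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return value.replace(/[&<>"']/g, (c) => map[c]);
}

// Canonicalise first (decode references, drop tabs/newlines and outer
// whitespace as browsers do), then allow-list the scheme. Returns the
// canonical URL, or null if it must not become a link target.
function safeUrl(raw) {
  const url = decodeCharRefs(raw).replace(/[\t\n\r]/g, "").trim();
  return /^https?:\/\//i.test(url) ? url : null;
}

// Hardened UBB -> HTML: every non-tag span is escaped, every tag target is
// canonicalised and checked, and rejected tags are rendered as literal text.
function safeUbbToHtml(text) {
  const tag = /\[(img|url)\](.*?)\[\/\1\]/gi;
  let out = "", last = 0, m;
  while ((m = tag.exec(text)) !== null) {
    out += attrEncode(text.slice(last, m.index));
    const url = safeUrl(m[2]);
    if (url === null) {
      out += attrEncode(m[0]);
    } else if (m[1].toLowerCase() === "img") {
      out += '<img src="' + attrEncode(url) + '">';
    } else {
      out += '<a href="' + attrEncode(url) + '" target="_blank" rel="noopener">' +
             attrEncode(url) + "</a>";
    }
    last = m.index + m[0].length;
  }
  return out + attrEncode(text.slice(last));
}

// Constructed payload in the article's style: the first letter of every
// blacklisted keyword is written as a numeric character reference.
const PAYLOAD = "[img]&#106;avascript&#58;alert&#40;&#100;ocument.cookie&#41;[/img]";

function demo() {
  const html = naiveUbbToHtml(PAYLOAD);
  return {
    naive: html,                                          // the tag is emitted
    browserSees: decodeCharRefs(extractAttr(html, "src")), // "javascript:alert(document.cookie)"
    hardened: safeUbbToHtml(PAYLOAD),                     // tag rendered as text
  };
}
console.log(demo());
```

Run it with node. The naive converter emits the tag unchanged because no blacklisted keyword appears literally in the text, and the visitor's browser decodes the references back into javascript:alert(document.cookie) before it treats the value as a URL. The hardened converter decodes the references itself, sees a scheme that is not http or https, and prints the tag back as escaped text, with every & turned into &amp; so the reader's browser shows the references as literal characters.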
  
Looking at the attack methods above, doesn't it feel depressing? How can the problems above be avoided?
  
1. If your site runs forums, message boards or other programs that accept formatted submissions, and they have no good filtering mechanism, download the upgraded program immediately or stop using them, to avoid bigger problems.
2. If you provide free forums or free message boards, close the UBB function, or find a better ubb.asp program page for resolving UBB.
3. For friends who write ASP themselves, I suggest filtering these characters (listed between brackets, with | as the separator):
[ " | . | ; | : | \ | / | & | $ | # | ' | ) | , | ' | space | - | ~ | [ | ( ]
In particular, & must be on the list (or be encoded as &amp;), because every bypass above depends on &#nn; references surviving the filter untouched.
  
4. Some sites would do better to remove their message boards or other programs that accept submissions. For example, the guestbook that www.sangel.net originally used has quite a few problems in the program body whose origin is unclear; it is recommended to replace it.
  
5. I have also modified a foreign message board; the front end is basically done and the back end is being finished over the next few days. After the modification, text submissions, input fields and messages are all filtered. I originally intended to use the English interface, but since many Chinese users would not get through in English, I kept part of the program in Chinese. Interested friends can test it at http://www.e3i5.com/guestbook/test; good-faith testing is welcome.
  
Below are the addresses of message boards on which I found this problem during testing (webmasters, please take note and patch in time to avoid unnecessary trouble). The testing time was relatively short, so some sites may have been missed, and there may be more serious problems than those found.
  
That is the full content of this script-attack test. Looking at all these sites, what appears safe does not bear a second look: there are many problems.
Only a small effort is needed to fix them, but a little carelessness will cause big trouble.
