The road to js injection hacker is essential !, Js injection hacker's path

The road to js injection hacker is essential !, Js injection hacker's path

Recently, a piece of news came out. Four employees of Alibaba's Network Security Department used Web vulnerabilities to write js scripts to grab Moon cakes. So I was excited and wanted to know how to write this js script, how can we achieve all kinds of snatching of guns and scams.

What is a javascript injection attack?

1. The website is vulnerable to JavaScript injection whenever you accept and re-Display user input. Let's look at a specific application that is vulnerable to JavaScript injection attacks. Assume that a customer feedback website has been created. Customers can visit the website and enter feedback on the product. When the customer submits feedback, the feedback is displayed on the feedback page again.
The customer feedback website is a simple website. Unfortunately, this website is vulnerable to JavaScript injection attacks.
Assume that the following text is being input into the customer feedback form:

<Script> alert ("Attack !") </Script>

This text indicates the JavaScript script that displays the warning message box. After someone submits this script to the customer feedback form, the message Attack! It will be displayed when anyone accesses the customer feedback website in the future.

2. Enter a piece of js code in the browser address bar to change the js variable and TAG content of the page.

With Javascript injection, you can change the content of a webpage without closing or saving it. This is done in the address bar of the browser. The command syntax is as follows:

Javascript: alert (# command #)

For example, if you want to see an alert warning box on the http://www.example.com site, first enter the URL in the address bar and wait until the page load is complete, then delete the URL and enter:

Javascript: alert ("Hello World ")

As a new URL. This will pop up a "Hello World" Warning box, using this technology can almost change any content of the web page, such as an image. Suppose there is a website logo image. We can find a piece of HTML code from the page source file:

The image is named “hihei, the source file is “hello.gif ", we want to change it to the “bye.jpeg file stored on our site (http://www.mysite.com), so the complete URL of the image is done, we just need to enter in the address bar:

Javascript: alert (document. hi. src = "http://www.mysite.com/bye.jpeg ")

You will see the prompt "http://www.mysite.com/bye.20.alertwarning", and the image will be changed later. Note that these changes are temporary! If you refresh the page or re-enter the page, your changes will disappear because you only made these changes on your PC, not on the Web server.

In the same way, we can view or change the value of a variable. For example, we can find a piece of code like this on the webpage:

<SCRIPT LANGUAGE="JavaScript">var a="test"</SCRIPT> 

The value of variable a is "test". Now we enter:

Javascript: alert ()

Then we change the value to "hello ":

Javascript: alert (a = "hello ")

Javascript injection is usually used to change the form attributes. Suppose there is a piece of code like this:

<form name="format" action="send.php" method="post"><input type="hidden" name="mail" value="someone@somewhere.com"><input type="text" name="name"><input type="submit" value="submit"></form> 

We want the form to be sent to our mailbox, not the someone@somewhere.com. Run the following command:

Javascript: alert (document. format. mail. value = "me@hacker.com ")

• You may have noticed the hierarchical relationships of these commands:
• We will explain in sequence from left to right:
• 1) the leftmost part is document.
• 2) then the name of the object we want to change (such as document. hi. src) or its contained object (such as document. format. mail. value)
• 3) The last attribute we want to change (such as the Source Path: document. hi. src, or the variable value: document. format. mail. value)
• 4) Use "." To separate
• 5) when we want to change the attribute value, we use "=" and the new attribute value.
• * Note: when the new property value is a string (for example, document. format. mail. value = "me@hacker.com"), it needs to be enclosed in double quotation marks.
• If we want to use it as the value of a variable, we do not need to use double quotation marks "". For example, if we want to assign the value of variable B to variable a, we can enter javascript: alert (a = B ).
• However, most labels on the page do not have names, for example:

<form action="send.php" method="post"><input type="hidden" name="mail" value="someone@somewhere.com"><input type="text" name="name"><input type="submit" value="submit"></form> 

In this Code, there is no form name. You can use this command to combine the above information:

Javascript: alert (document .. mail. value = "me@hacker.com ")

In this case, we must calculate and find the form sequence number. The following is an example:

<form action="send.php" method="post"><input type="text" name="name"><input type="submit" value="submit"></form><form action="send.php" method="post"><input type="hidden" name="mail" value="someone@somewhere.com"><input type="text" name="name"><input type="submit" value="submit"></form><form action="send.php" method="post"><input type="text" name="name"><input type="submit" value="submit"></form> 

• We saw three forms in the code above, but we were only interested in the second one, so we wanted the form number to be 2. Do not forget that we start from 1, for example, 1, 2, 3, 4... javascript is calculated from 0, for example, 0, 1, 2, 3... therefore, the actual form sequence number is 1, not 2. We usually need to subtract one from the list sequence number. We will use this serial number to complete our command:

Javascript: alert (document. forms [1]. mail. value = "me@hacker.com ")

• In this way, you can change images or links without names. You can change "forms" to any tag type you want. For images

Javascript: alert (document. images [3]. src = "# the url of the picture you want #")

The link is

Javascript: alert (document. links [0]. href = "# the url you want #")

Finally, we can use this technique to edit cookies. The following command is compiled by Dr_aMado of triviasecurity.net. I only modified it a little and it is displayed before the user edits it. You just need to copy them to the address bar:

javascript:alert(window.c=function a(n,v,nv){c=document.cookie;c=c.substring(c.indexOf(n)+n.length,c.length);c=c.substring(1,( (c.indexOf(";")>-1) ? c.indexOf(";") : c.length));nc=unescape(c).replace(v,nv);document.cookie=n+"="+escape(nc);return unescape(document.cookie);});alert('The cookie is: "'+document.cookie+'"');alert(c(prompt("The name of the cookie:",""),prompt("Change this value:",""),prompt("with this:",""))) 

// If You Want To manually change your cookie, use the following command:

Javascript: alert (document. cookie)

This will display your current cookie, for example, "userid = 1". If you want to change it to "userid = 2", you can use the following command:

Javascript: alert (document. cookie = "userid = 2 ")

Finally, I must emphasize that all the changes are only made on the client! It is like saving a webpage on your PC and modifying it. Even so, using this technique you can still cheat pages (such as cookies) or bypass security verification. For example, some web pages will detect the locations where the user sends data, if the table is from orders/www.test.com/form.php. In addition, if you plan to enter your own JavaScript code on the page, you will be able to change the image and keep it unchanged by using some of these techniques!

In the end, since javascript injection is so terrible, what are the solutions to prevent js injection for websites we write on our own?

Method 1:

One simple way to prevent JavaScript injection attacks is to use HTML to encode the data input by any Website user when displaying data in the view again.
For example: <% = Html. Encode (feedback. Message) %>
What is the meaning of using HTML to encode a string? When an HTML encoded string is used, dangerous characters such as <and> are replaced with HTML entities, such as <and>. Therefore, when an HTML encoded string <script> alert ("Boo! ") </Script>, it is converted to <script> alert (" Attack! ") </Script>. The browser does not execute JavaScript scripts when parsing encoded strings. But displays harmless pages.

Method 2:

In addition to HTML-encoded data when displaying data in the view, you can also use HTML-encoded data before submitting data to the database.

StringEscapeUtils. escapeHtml ("data submitted on the frontend ");

Generally, people prefer to use the first method discussed in this tutorial, rather than the second method. The second problem is that HTML-encoded data will be retained in the database. In other words, the data in the database contains strange characters. What are the disadvantages? If you need to display database data in a form other than the web page, you will encounter problems. For example, you cannot easily display data in Windows Forms applications.

Thanks to the sharing: http://zxf-noimp.iteye.com/blog/1130771

The above is all the content of this article. I hope it will be helpful for your learning and support for helping customers.