Work on web Security Fragment records (occasional updates)

Source: Internet
Author: User


1. Some understanding of HTML/CSS, JS, PHP and CGI

When a browser requests a static file from a site, it downloads the file's contents (usually compressed); if the page references external CSS/JS, the browser issues further requests for those files. Right-clicking and choosing "view source" gives you a hard-to-read mess; with Firefox + Firebug you can see the HTML DOM tree clearly, and right-click "Inspect Element" jumps straight to the corresponding tree node. Because the file has already been downloaded to your machine, you can edit elements there and watch the effect, which does not touch the original file on the server. Finally, the browser renders the page, including executing JS such as document.write(), and the result is the web page we see.

What does CGI mean? It is not a language or a technique but a pattern. Looking up the definition gives Common Gateway Interface, abbreviated CGI. A CGI program is a program physically stored on the server. Any server-side program that produces HTML can be called CGI: ASP/PHP/JSP all qualify; a binary written in C++ that returns HTML to the server can also be called CGI, and Python/Perl/shell scripts can of course be written as CGI too.


All a CGI program has to do is read data from the environment variables and from standard input, process it, and write the result to standard output. The so-called request meta-variables, such as QUERY_STRING and PATH_INFO, live in environment variables: the web server passes them to the CGI program through the environment, and the CGI program reads them from there. Standard input usually carries the data the user submitted via GET or POST, which the web server likewise forwards (the client submitted it). A traditional GET passes data in the form url?key1=value1&key2=value2. A POST body (the body of the HTTP request) has more variants: it can be the traditional key=value form, or JSON/XML, but in each case the data read from standard input can be parsed into the desired key=value form.
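The following is an added example, not code from the original post: a minimal CGI handler written in Python that does exactly what the paragraph above describes. It reads the meta-variables QUERY_STRING, PATH_INFO, REQUEST_METHOD, CONTENT_TYPE and CONTENT_LENGTH from the environment, reads the POST body from standard input, parses urlencoded, JSON or XML bodies into key=value pairs, and writes headers plus a body to standard output. The function names (handle_request, parse_body, render) are my own; the environment variable names are the standard CGI ones.

```python
import json
import os
import sys
import xml.etree.ElementTree as ET   # for untrusted XML, defusedxml is the safer drop-in
from urllib.parse import parse_qsl


def parse_body(content_type: str, body: bytes) -> dict:
    """Turn a request body into key=value pairs for the three body formats
    mentioned in the text: urlencoded form data, JSON and XML."""
    if content_type.startswith("application/json"):
        data = json.loads(body.decode("utf-8"))
        return data if isinstance(data, dict) else {"json": data}
    if content_type.startswith(("application/xml", "text/xml")):
        # Each direct child of the root element becomes key=value (its text).
        root = ET.fromstring(body)
        return {child.tag: (child.text or "") for child in root}
    # Default: traditional key1=value1&key2=value2; parse_qsl also urldecodes,
    # so %22 in the raw request arrives here as a plain double quote.
    return dict(parse_qsl(body.decode("utf-8"), keep_blank_values=True))


def handle_request(environ: dict, stdin: bytes) -> tuple[str, dict]:
    """Read the CGI meta-variables and standard input; return (path, params).
    `environ` is the process environment and `stdin` the raw request body."""
    params = dict(parse_qsl(environ.get("QUERY_STRING", ""),
                            keep_blank_values=True))
    if environ.get("REQUEST_METHOD", "GET").upper() == "POST":
        # The server tells us how many body bytes it is sending; a real CGI
        # must read exactly that many and not block waiting for more.
        length = int(environ.get("CONTENT_LENGTH") or 0)
        params.update(parse_body(environ.get("CONTENT_TYPE", ""),
                                 stdin[:length]))
    return environ.get("PATH_INFO", "/"), params


def render(path: str, params: dict) -> str:
    """Build the CGI response: header lines, a blank line, then the body.
    The body here is JSON, one of the output forms the text mentions."""
    body = json.dumps({"path": path, "params": params}, sort_keys=True)
    return "Content-Type: application/json\r\n\r\n" + body


if __name__ == "__main__":
    # When run by a web server as a CGI, the environment and stdin are real.
    path, params = handle_request(os.environ, sys.stdin.buffer.read())
    sys.stdout.write(render(path, params))
```

Running this under a CGI-capable server (or with the variables exported by hand and the body piped in) shows the "poke once, move once" behaviour: the same program emits a different body for every different input.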


The output body of a CGI program likewise takes many forms: it may be simple JSON/XML, or text/plain or text/html echoed by PHP, but to be clear it is always written to standard output. Figuratively, the CGI "moves when poked": it produces different output depending on the user's input. That is the concept of a dynamic web page. Note that PHP, JS, CSS and HTML tags can all be written in the same HTML file.


Sometimes a request gets 403 Forbidden. One cause is the user Apache is configured to run as: if httpd runs as nobody (say), and the directory or file you are requesting is not readable or executable by that user, the server cannot read or execute the file, so access is forbidden.


2. If the request from the browser's URL is urlencoded, for example " becomes %22, what the server-side PHP receives is either the original " or the encoded %22 (check with $_GET["key"] or $_SERVER['QUERY_STRING']). Also check whether the PHP script calls addslashes() or htmlspecialchars(). From this you can work out how the HTML echoed back by the script is put together, and of course the HTML the client receives is in this form.

So why is there no alert pop-up in Chrome for the <? Simply because some browsers have an anti-XSS module or filter that strips such dangerous scripts while parsing the HTML and does not execute them.


htmlspecialchars() encodes < into &lt;, and likewise &, " and so on.

addslashes() adds a backslash before each of the following predefined characters:

Single quotation mark (')

Double quotation mark (")

Backslash (\)

NUL


This way, a parameter passed in the URL cannot close the quotation marks and achieve XSS. But when CHARSET=GBK, if the parameter contains a byte greater than 127, such as %ae, followed by a quotation mark, the quote does become \' but %ae\ can be read in GBK as a single character (to us it looks like mojibake), so the quotation mark is closed after all. SQL injection has the same character-set parsing problem. Once a particular character set is set, the browser parses the HTML in that encoding to display it to the user.
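As an added example (not code from the original post), the block below reimplements the two PHP functions from section 2 in Python and then reproduces the GBK problem just described. addslashes() is written over bytes, because that is the level PHP works at: the backslash is inserted before the quote without any knowledge of the character set. quote_survives() then decodes the escaped bytes the way a GBK-configured consumer would and reports whether a bare quote remains; addslashes_charset_aware() is the hardened variant that decodes strictly first (rejecting malformed multibyte input) and escapes at the character level. Function names are my own; the %ae byte is the one from the text.

```python
def htmlspecialchars(text: str) -> str:
    """Python equivalent of PHP's htmlspecialchars() with ENT_QUOTES:
    & < > " ' become entities so they can no longer break out of HTML."""
    return (text.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace('"', "&quot;")
                .replace("'", "&#039;"))


def addslashes(data: bytes) -> bytes:
    """Byte-level equivalent of PHP's addslashes(): a backslash goes before
    ' " and \\, and a NUL byte becomes \\0. It never looks at the charset."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C):      # ' " \
            out += b"\\"
            out.append(b)
        elif b == 0x00:
            out += b"\\0"
        else:
            out.append(b)
    return bytes(out)


def has_unescaped_quote(text: str) -> bool:
    """True if a ' or " appears that is not preceded by a backslash."""
    return any(ch in "'\"" and (i == 0 or text[i - 1] != "\\")
               for i, ch in enumerate(text))


def quote_survives(param: bytes, charset: str) -> tuple[str, bool]:
    """Escape the raw parameter bytes with addslashes(), then decode the
    result as a consumer configured for `charset` would. Returns the decoded
    text and whether a bare quote is left. Undecodable bytes become U+FFFD."""
    decoded = addslashes(param).decode(charset, errors="replace")
    return decoded, has_unescaped_quote(decoded)


def addslashes_charset_aware(param: bytes, charset: str):
    """Hardened variant: decode with the declared charset first (strictly, so
    a lone lead byte such as %ae followed by a quote is rejected instead of
    being reinterpreted later), escape per character, then re-encode."""
    try:
        text = param.decode(charset)
    except UnicodeDecodeError:
        return None                       # reject: not valid in this charset
    escaped = "".join(
        "\\" + ch if ch in "'\"\\" else ("\\0" if ch == "\x00" else ch)
        for ch in text)
    return escaped.encode(charset)


if __name__ == "__main__":
    # Constructed input: the byte %ae followed by a single quote.
    for charset in ("gbk", "utf-8", "latin-1"):
        text, bare = quote_survives(b"\xae'", charset)
        print(f"{charset:8s} {text!r:16s} bare quote survives: {bare}")
```

In GBK the escaped bytes ae 5c 27 decode to one hanzi followed by a bare quote, so the quote is back in play; in UTF-8 or Latin-1 the backslash is still a separate character in front of the quote. The same mismatch is why database escaping has to be done with the connection's charset in mind (PHP's mysqli_real_escape_string() after mysqli_set_charset(), for instance) rather than with charset-blind addslashes().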


3. Inside a <script> block the backslash \ escapes the character after it, whereas inside an HTML tag it is just a literal character. The alert() calls below show which characters each string actually yields.

<script>var test="A\"";alert(test);</script>   <!-- alert shows: A" -->
<script>var test='a\'';alert(test);</script>   <!-- alert shows: a' -->

<script>var test='a';alert(test);</script>     <!-- alert shows: a -->
<input type="text" value="A\" onmousemove=alert(/xss/)"/>   <!-- in HTML the \ escapes nothing: the value attribute ends at the second " and onmousemove becomes a separate attribute -->
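To make the difference between the two contexts concrete, here is an added example (not from the original post) that feeds the page's <input> line through Python's standard HTML tokenizer and shows that the backslash does not protect the attribute value, then shows the two encodings that do: HTML-encoding the value for an attribute, and JSON-encoding it for a <script> string. The helper names (attributes_of, input_with_value, script_with_value) are my own.

```python
import json
from html.parser import HTMLParser


class AttrCollector(HTMLParser):
    """Record (tag, attributes) for every start tag, split the way a
    browser's tokenizer splits them (self-closing tags included)."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def attributes_of(markup: str) -> dict:
    """Attributes of the first tag in `markup`, entity-decoded."""
    p = AttrCollector()
    p.feed(markup)
    p.close()
    return p.tags[0][1] if p.tags else {}


def input_with_value(user_value: str, escape: bool) -> str:
    """Build <input value="..."> from user data. With escape=False the data
    is pasted in raw (the situation in the text); with escape=True it is
    HTML-encoded first, so a quote can never end the attribute early."""
    if escape:
        user_value = (user_value.replace("&", "&amp;")
                                .replace('"', "&quot;")
                                .replace("<", "&lt;")
                                .replace(">", "&gt;"))
    return f'<input type="text" value="{user_value}"/>'


def script_with_value(user_value: str) -> str:
    """Embed user data as a JS string literal. JSON encoding escapes quotes
    and backslashes for the JS lexer; '<' is additionally written as \\u003c
    so the HTML parser can never see a closing </script> inside the data."""
    literal = json.dumps(user_value).replace("<", "\\u003c")
    return f"<script>var test={literal};alert(test);</script>"


if __name__ == "__main__":
    # Constructed user input: the payload from the text.
    payload = 'A\\" onmousemove=alert(/xss/)'
    print(attributes_of(input_with_value(payload, escape=False)))
    print(attributes_of(input_with_value(payload, escape=True)))
    print(script_with_value(payload))
```

With escape=False the tokenizer reports three attributes, value being just A\ and onmousemove a new attribute; with escape=True it reports two, and value round-trips to exactly the string the user sent. The lesson from section 3 in one sentence: the escaping rule belongs to the context the data lands in, and a backslash is only meaningful to the JS lexer.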

