XSS Alarm mechanism (front-end firewall: second article)

Source: Internet
Author: User
Tags: webhost


As I said at the end of the first article, this one goes into the alarm mechanism of the front-end firewall in more detail, with code. After the first article came out, some people asked why I only raise an alarm instead of blocking the attack directly. The reason is simple: if you block, the attacker will locate the piece of JavaScript that did it and bypass it on the next attempt. If you only alert and do not block, the attacker is less wary and will not go looking at the JavaScript code (at least I would not). Back to the topic: the code below is built on the ThinkPHP 3.2.3 framework and Bootstrap 3.3.5. If your site does not use ThinkPHP 3.2.3, you can take the idea and rewrite it for your own stack. Let me stress again that front-end XSS defence is built on the assumption that the back end forgot to filter, does not filter, or neglected to filter ...
0x01 What the front end does
In fact the title should have been changed to "XSS alarm mechanism", because this article uses a lot of back-end code, but the title of the first article is already out and cannot be changed.
What the front end has to do was already covered in the first article; the code is as follows:

Now modify line 38 and change it to the API URL that receives the reports in the back end, like this:

Yes, that is the only line; no other code changes. In a real online environment only the five lines above are needed. You can copy them straight into your site; just remember to change the URL on the second-to-last line to your own address. Is it that simple? Not quite: section 0x05 also contains a piece of front-end code. Sections 0x01 to 0x04 are mainly about the platform.
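The mechanism those five lines implement, an alarm-only hook around the dialog functions, as an added example. This is my code, not the author's snippet (whose screenshots are not reproduced on this page): it reports the call to the collector and then lets the original dialog run, so the attacker sees a normal alert(1) and has no reason to inspect the page's JavaScript. It goes slightly beyond the page by hooking confirm and prompt as well as alert. The function names, the injectable image factory and the toString trick are my own choices; the endpoint is modelled on the page's http://fecm.cn/Api/addVul/ and its category/1 convention and must be replaced with your own address.

```javascript
// Added example, not the author's five-line snippet: an alarm-only hook around
// alert/confirm/prompt. The endpoint below is an assumption modelled on the page's
// collector URL and category/1 convention; replace it with your own.
var ALERT_REPORT_URL = 'http://fecm.cn/Api/addVul/category/1';

// Fire-and-forget GET beacon, the transport the page uses (new Image().src = ...).
// imageFactory is injected so the function can also be exercised outside a browser.
function sendBeacon(url, imageFactory) {
  var img = imageFactory();
  img.src = url;
  return img.src;
}

// Wrap alert/confirm/prompt on `target` (window in a browser). `report(name, args)` is
// called once per dialog; the original function still runs and its return value is
// passed back unchanged. Returns the originals so the hooks can be removed again.
function installAlertHooks(target, report, names) {
  names = names || ['alert', 'confirm', 'prompt'];
  var originals = {};
  names.forEach(function (name) {
    var original = target[name];
    if (typeof original !== 'function') return;
    var hooked = function () {
      var args = Array.prototype.slice.call(arguments);
      try { report(name, args); } catch (e) { /* reporting must never break the page */ }
      return original.apply(target, args);
    };
    // alert.toString() would otherwise reveal the wrapper; make it print the native source.
    hooked.toString = function () { return original.toString(); };
    target[name] = hooked;
    originals[name] = original;
  });
  return originals;
}

// Restore the originals returned by installAlertHooks.
function removeAlertHooks(target, originals) {
  Object.keys(originals).forEach(function (name) { target[name] = originals[name]; });
}

// Browser wiring: report first, then let the dialog appear exactly as usual.
if (typeof window !== 'undefined') {
  installAlertHooks(window, function () {
    sendBeacon(ALERT_REPORT_URL, function () { return new Image(); });
  });
}
```

The hook deliberately swallows any exception from the reporting callback: a collector that is down must not change the page's behaviour, or the attacker gets the very signal the alarm-only design is trying to deny them.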
0x02 What the database holds
Two tables in total: fecm_user and fecm_bugdata.
Fields of fecm_user:

name: administrator account name
md5name: the name, hashed three times with MD5
password: the password, hashed three times with MD5
email: administrator mailbox
create_date: when the administrator was created

(Three rounds of unsalted MD5 are fast to brute-force; if you reuse this schema, store the output of PHP's password_hash() instead.)
For security reasons (honestly, laziness) I did not write an "add administrator" function; insert the administrator row in the database yourself.
Fields of fecm_bugdata:

url: URL of the page where the vulnerability was triggered
category: vulnerability type
cookies: the attacker's cookies
ua: the attacker's User-Agent
hxff_ip: the attacker's HTTP_X_FORWARDED_FOR
hci_ip: the attacker's HTTP_CLIENT_IP
ra_ip: the attacker's REMOTE_ADDR
time: when the attack happened
fixes: whether the vulnerability is fixed (0 = not fixed, 1 = fixed)
0x03 What the back end does
There is too much back-end code to show all of it, so I will cover the core processing code.
In section 0x01 the core line is new Image().src = 'http://fecm.cn/Api/addVul/';
Here is how that API handles the request (ThinkPHP code):
public function addVul() {
    // I('get.category', '', 'int') validates the parameter as an integer and returns '' if it is not one
    if (I('get.category', '', 'int') === '') {
        $this->ajaxReturn(array(
            "typeMsg" => "error",
            "msgText" => "Vulnerability type error",
        ));
    }
    switch (I('get.category', '', 'int')) {
        case 1:
            $vul['category'] = "triggered the alert function";
            break;
        case 2:
            $vul['category'] = "third-party JavaScript resource not in the whitelist";
            break;
        default:
            $this->ajaxReturn(array(
                "typeMsg" => "error",
                "msgText" => "Vulnerability type error",
            ));
            break;
    }
    if (empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $vul['hxff_ip'] = "The attacker did not come through a proxy server";
    } else {
        $vul['hxff_ip'] = I('server.HTTP_X_FORWARDED_FOR'); // the attacker's HTTP_X_FORWARDED_FOR
    }
    if (empty($_SERVER['HTTP_CLIENT_IP'])) {
        $vul['hci_ip'] = "The attacker's request has no HTTP_CLIENT_IP header";
    } else {
        $vul['hci_ip'] = I('server.HTTP_CLIENT_IP');        // the attacker's HTTP_CLIENT_IP
    }
    $vul['ra_ip']   = I('server.REMOTE_ADDR');              // the attacker's REMOTE_ADDR
    $vul['cookies'] = '';
    foreach (I('cookie.') as $name => $value) {             // the attacker's cookies
        $vul['cookies'] .= $name . '=' . $value . '; ';     // joined into an easy-to-read cookie string
    }
    $vul['url']   = I('server.HTTP_REFERER');               // URL of the page where the attack succeeded
    $vul['ua']    = I('server.HTTP_USER_AGENT');            // the attacker's User-Agent
    $vul['time']  = date("Y-m-d");                          // date of the attack
    $vul['fixes'] = 0;                                      // default: not fixed
    $bugData = M('Bugdata');                                // the fecm_bugdata table
    $bugData->data($vul)->add();                            // insert the record
}
Because this endpoint receives the attack report from the victim's browser, it cannot require administrator authentication. Two consequences to keep in mind: anyone can hit it with fabricated reports, and every stored field except time and fixes (Referer, User-Agent, cookies, proxy headers) is attacker-controlled, so escape them when the back end renders them, or the alarm platform becomes an XSS target itself.
The back end also has a chart of the database contents; I use Chart.js for it. The back-end code is:
public function index() {
    $reportForm = M('Bugdata');                         // the fecm_bugdata table
    $dateTimeLabels = [];
    $dateTimeTotal  = [];
    for ($i = 0; $i < 7; $i++) {                        // data for the last 7 days
        $time = date("Y-m-d", strtotime(-$i . " day"));
        array_unshift($dateTimeLabels, $time);
        $data['time'] = array('like', '%' . $time . '%');
        array_unshift($dateTimeTotal, $reportForm->where($data)->count());
    }
    $reportForm = json_encode(["labels" => $dateTimeLabels, "total" => $dateTimeTotal]); // convert to JSON
    $this->assign('reportForm', $reportForm)->assign('total', total()); // hand over to the template; total() is a helper not shown here
    $this->display();                                   // render the page
}
Front-end code:
var report = {$reportForm};   // the JSON assigned by the controller is already an object literal here; no eval() needed
var lineChartData = {
    labels: report['labels'],
    datasets: [
        {
            fillColor: "rgba(151,187,205,0.5)",
            strokeColor: "rgba(151,187,205,1)",
            pointColor: "rgba(151,187,205,1)",
            pointStrokeColor: "#fff",
            data: report['total']
        }
    ]
};
var myLine = new Chart(document.getElementById("statistics").getContext("2d")).Line(lineChartData);
What it actually looks like:

0x04 Let's actually test it
Using the code from section 0x01, we enter alert(1) and take a look:

Then open the platform and check:

The report is shown successfully.
0x05 Detecting whether a third-party JS resource is an XSS script
This section needs to start with a snippet that has been circulating for a long time:
for (var i = 0, tags = document.querySelectorAll('iframe[src],frame[src],script[src],link[rel=stylesheet],object[data],embed[src]'), tag; tag = tags[i]; i++) {
    var a = document.createElement('a');
    a.href = tag.src || tag.href || tag.data;

    if (a.hostname != location.hostname) {
        console.warn(location.hostname + ' found third-party resource [' + tag.localName + ']: ' + a.href);
    }
}
But this only prints to the console and takes no further action, and it checks iframe, frame, script, link, object and embed tags; for our purposes only the script tag matters, so I rewrote it. First we need a whitelist of the hosts from which the site allows third-party scripts to be loaded:
var scriptList = [
    location.hostname,
];
By default only the current host is allowed; add entries to the list according to your own needs.
Then get all script tags on the current page:

var webScript = document.querySelectorAll('script[src]');
var webHost = location.hostname; // the current host
Why is this not inside the for loop? Because, as a JS optimisation rule, you avoid repeating the same assignment on every iteration.
The code in the for loop is:
for (var i = 0; i < webScript.length; i++) {
    var a = document.createElement('a');           // create an <a> element to parse the URL
    a.href = webScript[i].src;                     // assign the script's src to the <a>'s href
    if (a.hostname != webHost) {                   // compare: it is a third-party resource
        if (scriptList.indexOf(a.hostname) === -1) { // is this third-party host in the whitelist?
            new Image().src = 'http://fecm.cn/Api/addVul/category/2'; // report to FECM
        }
    }
}
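The same whitelist check written as a pure function, as an added example that is not the author's loop: the decision logic can then be tested outside a browser, with the DOM glue kept separate. It goes beyond the page's code in two ways, both my own choices: the URL API resolves each src, so relative and protocol-relative paths as well as data: and javascript: sources are handled, and a whitelist entry written with a leading dot (".example.com") also covers its subdomains. The endpoint constant is the page's category-2 URL and should be replaced with your own.

```javascript
// Added example, not the author's code. SCRIPT_REPORT_URL is the page's category-2
// endpoint and is assumed here; replace it with your own collector.
var SCRIPT_REPORT_URL = 'http://fecm.cn/Api/addVul/category/2';

// Is `hostname` covered by the whitelist? Exact match, or subdomain match for entries
// written as ".example.com" (an extension of the page's exact-match rule). The leading
// dot stops "evil-example.com" from matching an "example.com" entry by suffix.
function hostAllowed(hostname, whitelist) {
  hostname = hostname.toLowerCase();
  return whitelist.some(function (entry) {
    entry = entry.toLowerCase();
    if (hostname === entry) return true;
    return entry.charAt(0) === '.' &&
      (hostname.endsWith(entry) || hostname === entry.slice(1));
  });
}

// scriptSrcs: raw src attribute values; pageUrl: the document URL (location.href).
// Returns the resolved URLs of every script whose host is neither the page's own host
// nor on the whitelist. A src with no host at all (data:, blob:, javascript:) is
// reported too: it is executable and certainly not a whitelisted CDN.
function findUnlistedScripts(scriptSrcs, pageUrl, whitelist) {
  var pageHost = new URL(pageUrl).hostname;
  var allowed = [pageHost].concat(whitelist);
  var hits = [];
  scriptSrcs.forEach(function (src) {
    var resolved;
    try { resolved = new URL(src, pageUrl); } catch (e) { return; } // unparsable src cannot load
    if (!hostAllowed(resolved.hostname, allowed)) hits.push(resolved.href);
  });
  return hits;
}

// Browser glue: read the DOM, then fire one beacon per offending script. The beacon
// carries no script URL because the page's endpoint only records category and Referer.
function checkPageScripts(doc, loc, whitelist) {
  var srcs = Array.prototype.map.call(doc.querySelectorAll('script[src]'), function (s) {
    return s.getAttribute('src');
  });
  var hits = findUnlistedScripts(srcs, loc.href, whitelist);
  hits.forEach(function () { new Image().src = SCRIPT_REPORT_URL; });
  return hits;
}

if (typeof document !== 'undefined') {
  checkPageScripts(document, location, [location.hostname]);
}
```

Run it at the end of the page, after the scripts you want to audit have been inserted; a script that an attacker injects later (for example through DOM manipulation) is not seen by a one-shot scan, which is also true of the page's loop.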
Here I ran a test that loads a resource from hi.baidu.com:

After refreshing, open the FECM platform and look:

0x06 Conclusion
Because I am broke and have no server or domain name, I could not add automatic email alerts. Anyone interested can add them; if I have the money later I will buy a server, add automatic email reminders, and publish it first on the cloud community. I had originally planned to include the on-event blocking code, but found that on-events are used a lot in the application, so I simply left it out. If you have ideas, the code is here:
http://pan.baidu.com/s/1jGVP7Ps
Remember to change the configuration in application\home\conf\config.php (I have commented everything, so it can be set up even if you do not know ThinkPHP).
My code is not well written and the approach may be quite crude. Any comments are welcome and I will revise it further.
