XSS Attack Detection


= Ph4nt0m Security Team =

Issue 0x02, Phile #0x07 of 0x0A


| = --------------------------------------------------------------------------- = |
| = ----------------------- = [XSS attack detection] = ----------------------------- = |
| = --------------------------------------------------------------------------- = |
| = --------------------------------------------------------------------------- = |
| = ---------------------- = [By Xy7] = ---------------------- = |
| = -------------------- = [<Xuanmumu_at_gmail.com>] = -------------------- = |
| = --------------------------------------------------------------------------- = |

Preface:

This is neither a popular-science piece nor an analysis. If you are interested in the basics of XSS attacks, search for them on the Internet
(Baidu's encyclopedia, for example). This article only explores XSS protection from the viewpoint of a defender writing a generic third-party program,
and collects some of the difficult points and scattered ideas met in the process of attack and defence.

I. HTML tag XSS under the B/S structure

This is the most common type of cross-site attack, the one usually meant when XSS is mentioned. The cause of the vulnerability is simple:
a malicious user submits <script>alert("80sec")</script> at a point where no filtering takes place, and when other users browse the page,
that code executes in their IE. Of course, this is only the most basic form.

As for testing: if the XSS does no more than pop up a box, there is nothing to say about it. To defend against such attacks, filter HTML tags.
But what about the many tag event attributes, CSS attributes, and assorted encodings? Writing a comprehensive dangerous-character filtering
function is not a simple task, and the result is certainly not perfect. The best defence is to review the web application code carefully and
restrict user input. In reality, however, this often does not happen, because not every web application operator can read code or is aware of
web security, so it is not surprising that such websites have XSS vulnerabilities. Websites or companies with a little money hope a team of
professionals will fix their vulnerabilities and harden their web applications, which brings business to the many organizations and vendors
offering web detection services. Services alone do not bring in much money, so small companies sell services while large companies push products;
a product's filtering is naturally not very effective and a service cannot be perfect, so security levels are uneven. Web security is becoming
ever more popular, and at the same time XSS attacks are nothing unusual.

II. XSS in UBB tags

The use of UBB tags in the major forum and blog programs is very mature. UBB provides a limited set of standard tags, so filtering
can be configured for them. Common UBB conversion code looks like this:

<?php
function ubb($text) {
    $text = trim($text);
    // line breaks to <br> (the original used ereg_replace, which PHP 7 removed)
    $text = preg_replace('/\r?\n/', '<br>', $text);
    $text = preg_replace('/\t/is', '', $text);
    // note: nothing below escapes the captured text before it is placed inside a tag
    $text = preg_replace('/\[h1\](.+?)\[\/h1\]/is', '<h1>\1</h1>', $text);
    $text = preg_replace('/\[h2\](.+?)\[\/h2\]/is', '<h2>\1</h2>', $text);
    $text = preg_replace('/\[h3\](.+?)\[\/h3\]/is', '<h3>\1</h3>', $text);
    $text = preg_replace('/\[h4\](.+?)\[\/h4\]/is', '<h4>\1</h4>', $text);
    $text = preg_replace('/\[h5\](.+?)\[\/h5\]/is', '<h5>\1</h5>', $text);
    $text = preg_replace('/\[h6\](.+?)\[\/h6\]/is', '<h6>\1</h6>', $text);
    $text = preg_replace('/\[center\](.+?)\[\/center\]/is', '<center>\1</center>', $text);
    $text = preg_replace('/\[url\](http:\/\/.+?)\[\/url\]/is', '<a href=\1>\1</a>', $text);
    $text = preg_replace('/\[url\](.+?)\[\/url\]/is', '<a href="http://\1">http://\1</a>', $text);
    $text = preg_replace('/\[url=(http:\/\/.+?)\](.*)\[\/url\]/is', '<a href=\1>\2</a>', $text);
    $text = preg_replace('/\[url=(.+?)\](.*)\[\/url\]/is', '<a href=http://\1>\2</a>', $text);
    $text = preg_replace('/\[img\](.+?)\[\/img\]/is', '<img src=\1>', $text);
    $text = preg_replace('/\[color=(.+?)\](.+?)\[\/color\]/is', '<font color=\1>\2</font>', $text);
    $text = preg_replace('/\[size=(.+?)\](.+?)\[\/size\]/is', '<font size=\1>\2</font>', $text);
    ....
    return $text;
}
?>

Because the UBB code does not filter the variables it accepts, exploiting such code is very simple: whatever is written between [img] and
[/img] is converted directly into an HTML <img> tag, and the so-called UBB cross-site is formed. From the exploitation side there is nothing
to say, but what about defence? Leaving aside code-review services, the [img] tag can bypass tag-detection mechanisms, and UBB code does
not exist in every web program. For a generic third-party program to detect this kind of cross-site attack, its engine must first restore
the UBB code to HTML tags and only then match the XSS payloads that could form an attack. Restoring the tags costs some performance, and the
program cannot know in advance whether the web application uses UBB at all; if it does not, that performance is simply wasted...

So what about another approach? With a learning-plus-model detection mechanism, the third-party detection program can familiarise itself
with the web program's data flow and build a model of normal data flow: where no UBB code is present it applies the common detection
mechanism, otherwise it loads the UBB restoration code. This looks like an intelligent detection and analysis machine, but in practice it
makes the product's detection code more complex, adds the cost of maintaining and analysing the models, and makes a good success rate in
detecting practical attacks much harder to achieve. The mere appearance of UBB code forces the XSS detection mechanism to take on a greatly
increased analysis workload, while the actual usage is not really much different. Amazing, isn't it!
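As an added example (not part of the article), the restore-then-match pipeline that section II argues a third-party engine needs, in Python, next to a hardened converter that escapes before it restores; the UBB subset, the sample posts and the detection rule are constructed for illustration.

```python
import html
import re

# Constructed sample posts (not from the article). The second one carries the
# article's own <script>alert("80sec")</script> payload inside an [img] tag.
BENIGN = '[b]hi[/b] [img]http://example.com/a.gif[/img]'
HOSTILE = '[img]x.gif"><script>alert("80sec")</script>[/img]'

FLAGS = re.I | re.S

def ubb_to_html_naive(text: str) -> str:
    """Mirror the article's ubb(): substitute into HTML with no escaping."""
    text = re.sub(r"\[b\](.+?)\[/b\]", r"<b>\1</b>", text, flags=FLAGS)
    text = re.sub(r"\[img\](.+?)\[/img\]", r"<img src=\1>", text, flags=FLAGS)
    return text

# Detection rule applied AFTER restoring UBB to HTML, which is the order the
# article says a generic engine must use when the web program speaks UBB.
_XSS_RULE = re.compile(r"<script|javascript:|\son[a-z]+\s*=", re.I)

def suspicious_after_restore(text: str) -> bool:
    return bool(_XSS_RULE.search(ubb_to_html_naive(text)))

# Hardened converter: escape the whole post first, then emit a real tag only
# when its argument passes a strict allow-list, so user text can never land
# unescaped inside a tag or attribute.
_URL_OK = re.compile(r"^https?://[A-Za-z0-9./_\-?=&%#]+$")

def _img(m: re.Match) -> str:
    url = html.unescape(m.group(1))            # undo the up-front escaping
    if _URL_OK.match(url):
        return f'<img src="{html.escape(url, quote=True)}">'
    return m.group(0)                          # keep the escaped literal text

def ubb_to_html_safe(text: str) -> str:
    esc = html.escape(text, quote=True)        # <, >, ", ' neutralised first
    esc = re.sub(r"\[b\](.+?)\[/b\]", r"<b>\1</b>", esc, flags=FLAGS)
    esc = re.sub(r"\[img\](.+?)\[/img\]", _img, esc, flags=FLAGS)
    return esc
```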

III. POST form XSS

POST cross-site is also a common cross-site method. The cause of the vulnerability needs no analysis; the key is the form's enctype
attribute, which can be a stumbling block for third-party XSS products. XSS attackers generally never give it a thought, heh.
The two form encoding attributes are:

multipart/form-data and application/x-www-form-urlencoded.

First, application/x-www-form-urlencoded. The enctype attribute of the form specifies the encoding type used when the form data is
submitted to the server; the default value is "application/x-www-form-urlencoded". When an attacker sends
<script>alert(document.cookie)</script> to the server, capturing the packet shows the following format:

HTTP - Hyper Text Transfer Protocol
HTTP Command: POST
URI: /xblog/insert.php
HTTP Version: HTTP/1.1 <CR><LF>
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* <CR><LF>
Referer: http://192.168.13.216/xblog/creatnew.php?id=4 <CR><LF>
Accept-Language: zh-cn <CR><LF>
Content-Type: application/x-www-form-urlencoded <CR><LF>
Accept-Encoding: gzip, deflate <CR><LF>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) <CR><LF>
Host: 192.168.13.216 <CR><LF>
Content-Length: 105 <CR><LF>
Connection: Keep-Alive <CR><LF>
Cache-Control: no-cache <CR><LF>
Line 1: id=4&author=%D0%FD%C4%BE%C4%BE&title=eee&content=111%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E
FCS - Frame Check Sequence
FCS: 0x89D1A7DB Calculated

We can see that the submitted characters are transmitted URL-encoded in the POST data packet. When detecting such POST data you can
split the variables on the "&" character, then split each variable name from its value on "=", and finally form a combined set of
detection rules. Implementing such a detection function in a program is not complicated; the key is the XSS payload detection rules.
However, the problem with these two attributes does not lie in the detection rules. When the form attribute is
application/x-www-form-urlencoded, the location where the XSS statement appears is easy to pinpoint, because the preceding protocol
fields are fixed. Now look at the format of the POST packet when the form attribute is multipart/form-data:

HTTP - Hyper Text Transfer Protocol
HTTP Command: POST
URI: /sql1/post.php
HTTP Version: HTTP/1.1 <CR><LF>
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* <CR><LF>
Referer: http://192.168.13.216/sql1/post.php <CR><LF>
Accept-Language: zh-cn <CR><LF>
Content-Type: multipart/form-data; boundary=---------------------------7d822d8550650 <CR><LF>
Accept-Encoding: gzip, deflate <CR><LF>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) <CR><
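As an added example (not from the article), the split-on-"&"-then-"=" detection step for application/x-www-form-urlencoded bodies beside the boundary walk a multipart/form-data body needs before the same rule can be applied; the urlencoded body is the one from the capture above, while the multipart body is constructed here (the article's multipart capture is truncated) and reuses the boundary value from its Content-Type header.

```python
import re
from urllib.parse import parse_qs

# One detection rule run over each decoded field value.
_XSS_RULE = re.compile(r"<script|javascript:|\son[a-z]+\s*=", re.I)

def fields_urlencoded(body: bytes) -> dict:
    """Split on '&', then on '=', and percent-decode: the article's steps."""
    parsed = parse_qs(body.decode("latin-1"), keep_blank_values=True,
                      encoding="latin-1")
    return {name: values[0] for name, values in parsed.items()}

def fields_multipart(body: bytes, boundary: str) -> dict:
    """Walk the boundary-delimited parts and pull out each part's name/value."""
    out = {}
    for part in body.split(b"--" + boundary.encode()):
        part = part.strip(b"\r\n")
        if not part or part == b"--":          # leading empty chunk / closer
            continue
        head, _, value = part.partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]*)"', head)
        if m:
            out[m.group(1).decode()] = value.decode("latin-1")
    return out

def flag_xss(fields: dict) -> list:
    """Names of the fields whose decoded value matches the rule."""
    return sorted(name for name, value in fields.items() if _XSS_RULE.search(value))

# The urlencoded body exactly as it appears in the article's packet capture
# (105 bytes, matching its Content-Length header).
URLENC_BODY = (b"id=4&author=%D0%FD%C4%BE%C4%BE&title=eee&content="
               b"111%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E")

# Constructed multipart body carrying the same fields, using the boundary
# value shown in the article's multipart Content-Type header.
BOUNDARY = "---------------------------7d822d8550650"
MULTIPART_BODY = b"".join(
    b"--" + BOUNDARY.encode()
    + b'\r\nContent-Disposition: form-data; name="' + name + b'"\r\n\r\n'
    + value + b"\r\n"
    for name, value in [(b"id", b"4"), (b"title", b"eee"),
                        (b"content", b"111<script>alert(document.cookie)</script>")]
) + b"--" + BOUNDARY.encode() + b"--\r\n"
```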
