[Description]
1. The example makes up most of this post, and it is a detailed one. For now, only typical two-layer (combined) encoding examples are provided.
2. If you want to run this example, you need to implement functions equivalent to the urlEncoder/jsEncoder/htmlEncoder used in it. Implementing these functions is where many bugs occur, because a multinational company has to account for multiple languages. Many encoding functions in open-source components are not completely implemented, so implementing them yourself is the most reliable option. We may get the chance to write a dedicated article on this in the future.
3. Likewise, this article does not draw on any documentation and involves no copyright; it is original.
4. Because this site's code display module does not HTML-encode its content, my HTML-encoded strings were automatically decoded back into the original text. There was no way around it, so I could only complete the post with small images.
5. There are many combinations of encodings matching the corresponding combinations of decoding, and they cannot all be listed one by one; I hope this serves as an example. Please believe that the XSS solution described in this post is the orthodox, top-tier Wudang/Shaolin approach, not a side-door trick. Haha.
The following sample code is a simplified client and server handler stored in the same JSP file:
Code explanation:
In the two parts above, the Java code before *** Output Filter *** is the server-side code that processes the user request, and the Java code after *** Output Filter *** is the output code. In this example, as described in the previous article, the decoding context at <%= htmlEncoder("searchBox") %> is: HTML decoding, then JS decoding, because the final string value is handed to the alert() function. So,
The correct solution should be: alert('<%= htmlEncoder(jsEncoder("searchBox")) %>')
What if I don't do this and only HTML-encode? Can't it be encoded that way? OK, here is the result of running with HTML encoding only; the source code is as follows:
1. Run the URL: http://localhost:8080/xssSolution/js_in_html_onlyhtmlfilter.jsp?searchBox=<script>alert("this is jiayzhan")</script>&submit=Search+Me+-1
This URL injects the string [<script>alert("this is jiayzhan")</script>]. The resource file snippets are as follows:
2. The resource file above shows that the string has been encoded. Click the Letusgo button: the string [<script>alert("this is jiayzhan")</script>] is output normally by alert(), and the script I injected is not executed.
So there shouldn't be any problem, right?
That answer is wrong. Now let's construct a different XSS attack string: 【A'); alert('hacked by jiayzhan】
3. Run the URL: http://localhost:8080/xssSolution/js_in_html_onlyhtmlfilter.jsp?searchBox=A'); alert('hacked by jiayzhan&submit=Search+Me+-1. Resource file:
Click Letusgo. This time the situation is different. Give it a try:
The alert above does not output the expected content. Then click OK:
This shows that the injected script has been executed. The output should have used the combination of JS and HTML encoding; because only HTML encoding was applied, the XSS problem persists. Have you ever run into this problem? Confused? Check whether a similar problem exists in your product.
[Process Analysis]
1. After HTML encoding, the string 【A'); alert('hacked by jiayzhan】 becomes:
When the browser renders this line:
The onclick attribute value is first HTML-decoded, which restores 【A'); alert('hacked by jiayzhan】 and yields [alert('A'); alert('hacked by jiayzhan')]. Do you understand?
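To make that decode order concrete, here is an added example (my own code, not the post's JSP) that simulates in JavaScript what the browser does with the onclick value: HTML-decode the attribute, then run it as JS with a recording alert(). The htmlEncoder/jsEncoder bodies are my simplified stand-ins for the functions the post says you must write yourself; the attack string is the one from the post.

```javascript
// Simplified stand-ins for the post's htmlEncoder/jsEncoder (my own, not the author's).
function htmlEncoder(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Escape every non-alphanumeric character as \uXXXX, so nothing can close a
// JS string literal (or the surrounding attribute) once the browser runs it.
function jsEncoder(s) {
  return s.replace(/[^A-Za-z0-9]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// What the HTML parser does to an attribute value before the JS engine sees it.
function htmlDecoder(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return s.replace(/&(?:#x([0-9a-f]+)|#(\d+)|(\w+));/gi, (m, hex, dec, name) => {
    if (hex) return String.fromCharCode(parseInt(hex, 16));
    if (dec) return String.fromCharCode(parseInt(dec, 10));
    return name in named ? named[name] : m;
  });
}

// Render the post's template, onclick="alert('<%= encoded %>')", then "click" it:
// HTML-decode the attribute, then execute it with a recording alert().
function clickOnclick(encoded) {
  const js = htmlDecoder("alert('" + encoded + "')");
  const calls = [];
  new Function('alert', js)((msg) => calls.push(msg));
  return calls;
}

// Constructed input: the attack string from the post.
const payload = "A'); alert('hacked by jiayzhan";

// HTML encoding only: the HTML decode restores the quote, the JS engine sees
// two statements, and the injected alert runs.
const onlyHtml = clickOnclick(htmlEncoder(payload));
// JS encoding, then HTML encoding (reverse of the decode order): the quote is
// still \u0027 when the JS engine runs, so there is one alert with the raw text.
const combined = clickOnclick(htmlEncoder(jsEncoder(payload)));
// Wrong order (HTML, then JS): no script runs, but the entities leak into the output.
const wrongOrder = clickOnclick(jsEncoder(htmlEncoder(payload)));

console.log(onlyHtml, combined, wrongOrder);
```

The same harness can be pointed at any alert('…') template: two recorded calls means the injected text escaped the string literal, one call with the original text means the encoding held.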
[Exercise]
Analyze the encoding in each of the following syntax contexts. If no combined encoding is applied, what is the consequence?
1.
<script> function clickme() { document.writeln("<%=request.getParameter("searchBox")%>"); } </script>
2.
<script> function GoBackURL() { var link = "<%=request.getParameter("searchBox")%>"; location.href=link; } </script>