Recently it was found that some sites still have cross-site scripting vulnerabilities in their UBB handling. Although a cross-site scripting attack rarely does much damage to the server itself, it is really not worth it for a site to carry such a hole! At the least, a dialog box pops up or the home page gets changed; worse, the user's COOKIES are stolen; worse still, the visitor's hard drive is damaged through the browser. Once a site has become a malicious site, who dares to visit it? And if the site owner is a little careless on top of that, wouldn't it be a complete mess?
Can a small piece of code really do this to a site? Let's look at what form a so-called cross-site scripting attack takes. Take a site with UBB support, such as a message board, a forum, or any site with a submission program. First, the simplest script attack: the filtering of <td></td> and other HTML characters.
I logged in to a site built with CGI. Coming from ASP, I assumed a CGI site would filter scripts well, so I did an initial test: I filled <td> into the user name field and submitted the registration. No illegal-character prompt appeared. After registering, I clicked on the user information and found that the page was deformed. If the same problem exists in other fields, such as gender, the page becomes unreadable. So I switched to another site and submitted <td> again; this time an illegal-character prompt appeared, so that site does filter HTML characters. Well, we then replaced < and > with the corresponding ASCII codes and submitted again. The page was deformed once more, so the filtering mechanism is clearly incomplete. What's more, I found that the name field on one site has no length limit and filters no illegal characters at all. If I submit arbitrary malicious code there, what is going to stop it?
Simple script attacks such as <td> must be filtered well. Some of the sites above already have problems before UBB is even involved. Now let's focus on the UBB filtering vulnerability. UBB is a set of format symbols used in forums in place of HTML editing; for example, [b][/b] is converted to <b></b> in HTML. This very conversion has become the best place for cross-site scripting attacks. An ASP message board and a whole-site program were tested:
Basic problem: [url] filtering. When submitting the code, one can build a malicious onmouseover handler, and if onmouseover can take effect, what can't be done? Some programs convert [url]s2[/url] by putting s2 straight into <a href="s2" target=_blank>S2</a>. Seeing this conversion, we can substitute the corresponding ASCII code for the " character, submit one extra ", and then build the onmouseover handler on top of that. The consequences? You should know! :P
[img] filtering is a really hard problem. Script attacks through [img] were popular for a while long ago, and in this test many sites still had the vulnerability; some programs did not filter at all, especially sites that provide free message boards. Let's mainly talk about the problem of the [IMG] tag:
Very simple: [img]javascript:alert();[/img] is converted after submission to <img src="javascript:alert();">. Here we can see that javascript:alert(); is triggered by the <img src=""> tag and shows up as a pop-up dialog box displaying whatever was put inside the (). For example, haha... Most people should know what this is for. What's more, with the appropriate (); function one can write to the web page. Write what? Malicious code, of course, such as [img]javascript:();[/img]: put in the middle whatever you want to add, write whatever you want, as dangerous as you like.
Advanced problems: because of the basic [img] problem, many sites have been pushed into filtering sensitive strings. For example, the sequences ja, do and wr are automatically split into j a, d o and w r after submission, or strings such as java and document are filtered out. These only stump a small number of people; we can still substitute ASCII codes. Some may be puzzled that the substituted code still cannot display normally, so let's go through a complete example below:
The UBB filtering code segment of a certain site is as follows:
<%
Function code_ss(strers)
  dim strer:strer=strers
  if strer="" or isnull(strer) then code_ss="":exit function
  strer=replace(strer,"<","&lt;")
  strer=replace(strer,">","&gt;")
  strer=replace(strer," ","&nbsp;") 'space
  strer=replace(strer,CHR(9),"&nbsp;") 'tab
  strer=replace(strer,"'","&#39;") 'single quote
  strer=replace(strer,"""","&quot;") 'double quote
  'note: & itself is never escaped, so numeric character references (&#106; etc.) pass through untouched
  dim re,re_v
  re_v="[^\(\)\;\';""\[]*"
  're_v=".[^\[]*"
  Set re=new RegExp
  re.IgnoreCase=True
  re.Global=True
  'keyword blacklist; replacement strings are as they appear on the page (the original entity-encoded forms did not survive extraction)
  re.Pattern="(javascript:)"
  strer=re.Replace(strer,"javascript:")
  re.Pattern="(javascript)"
  strer=re.Replace(strer,"javascript")
  re.Pattern="(jscript:)"
  strer=re.Replace(strer,"jscript :")
  re.Pattern="(js:)"
  strer=re.Replace(strer,"js:")
  re.Pattern="(value)"
  strer=re.Replace(strer,"value")
  re.Pattern="(about:)"
  strer=re.Replace(strer,"about:")
  re.Pattern="(file:)"
  strer=re.Replace(strer,"file&:")
  re.Pattern="(document.)"
  strer=re.Replace(strer,"document :")
  re.Pattern="(vbscript:)"
  strer=re.Replace(strer,"vbscript :")
  re.Pattern="(vbs:)"
  strer=re.Replace(strer,"vbs :")
  re.Pattern="(on(mouse|exit|error|click|key))"
  strer=re.Replace(strer,"on$2")
  code_ss=strer
End Function
%>
Friends who understand ASP can see that the code segment above filters and replaces strings such as javascript, jscript:, js:, about:, value, document., onmouse and onexit, and also replaces some special characters such as ".", ",", ";", "(", ")" within the code. But after looking at the code carefully, we find that its filtering mechanism is not as complete as it seems. Submitted: [ mg]& #176& #93& #118& #97& #115& #79rip& #106& #57documen& #115& #76write& #30& #29 Haha, I was hacked again& #29& #61& #29[/ mg] Code like this can carry out more advanced script attacks. Note: since many sites still have this problem, the code here has been modified so that it does not work as an attack.
Open your FT2000 and use its text editor: you can find the ASCII code of any special character. For example, the semicolon ; can be replaced with &#59; and the period . with &#46;. Submitting the code in this form, sure enough, the entire filtering mechanism above is almost completely bypassed; it has no defensive effect at all.
After reading the above attack methods, do you feel depressed? How can the problems above be avoided?
1. If your site runs forums, message boards, or other programs that accept submitted data and lack a good filtering mechanism, download an upgraded version immediately or stop using the program, to avoid bigger problems.
2. Sites that offer free forums or free message board sign-ups should turn off UBB formatting, or find a better parser page.
3. For friends who can write ASP, I suggest filtering the following characters (all written inside []):
["|.|;|:|\|/|&|$|#|`|)|,|'|"|-|~|[|(||] Note: | is the separator
4. Some sites are advised to remove message boards or other submission programs that have many problems. For example, where the original guestbook is in use, or some program body of unknown origin, there are many problems; it is recommended to replace it.
5. I have also modified a foreign message board; the front end is basically done and I have been rushing through the back end these past few days. After the modification, the filtering when submitting text, entering input and leaving messages feels good. I originally planned to keep the English interface, but considering that many Chinese users' English is not up to it, I localized some of the programs into Chinese. Interested friends can test it at http:///guestbook/. Good-faith tests are welcome.
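The filter in the code segment above fails for two reasons: it inspects the raw submitted text while the browser acts on the decoded text (so &#106;avascript: slips past a javascript: blacklist), and it blacklists keywords instead of deciding what is allowed. The Python renderer below is an added example, not code from the original article or from any of the programs it tests. It escapes all HTML first, converts only an allowlist of UBB tags, decodes character references and strips control characters before validating a URL, and accepts only http/https with a plain hostname in [url] and [img]. It is meant as the alternative to the character blacklist suggested in recommendation 3. The function names, the allowed tag set and the sample posts are all assumptions of this example; the sample posts are constructed to mirror the cases discussed in the article.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Assumption of this example: only these schemes may be linked or embedded.
SAFE_SCHEMES = {"http", "https"}
# A plain hostname: letters, digits, dots, hyphens. Quotes, spaces and angle
# brackets are rejected outright, so no attribute breakout can be built.
_HOST_RE = re.compile(r"^[a-z0-9.-]+$")
# Allowlisted UBB tags (non-nesting): [b], [i], [url], [img].
_TAG_RE = re.compile(r"\[(b|i|url|img)\](.*?)\[/\1\]", re.IGNORECASE | re.DOTALL)
# ASCII controls and space: browsers drop these around a URL.
_CTRL = "".join(chr(c) for c in range(0x21))


def normalize_url(raw: str) -> Optional[str]:
    """Return the URL as a browser would interpret it, or None if it is unsafe.

    Validation is done on the decoded form, because the filter in the article
    sees "&#106;avascript:" or "java<TAB>script:" while the browser sees
    "javascript:".
    """
    decoded = html.unescape(raw)                     # &#106; -> j, &#34; -> ", ...
    decoded = decoded.replace("\t", "").replace("\n", "").replace("\r", "")
    decoded = decoded.strip(_CTRL)                   # leading/trailing controls and spaces
    try:
        parts = urlsplit(decoded)
    except ValueError:                               # e.g. malformed IPv6 brackets
        return None
    if parts.scheme not in SAFE_SCHEMES:             # allowlist, not a keyword blacklist
        return None
    if not parts.hostname or not _HOST_RE.match(parts.hostname):
        return None
    return decoded


def render_ubb(text: str) -> str:
    """Convert one UBB post to HTML.

    Everything is HTML-escaped first (so raw tags and raw & never survive),
    only the allowlisted tags produce markup, and only validated URLs are
    placed into href/src, attribute-encoded.
    """
    out = []
    pos = 0
    for m in _TAG_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        tag, inner = m.group(1).lower(), m.group(2)
        if tag in ("b", "i"):
            out.append(f"<{tag}>{html.escape(inner)}</{tag}>")
        else:
            url = normalize_url(inner)
            if url is None:
                # Unsafe URL: show the submitted text literally, never as markup.
                out.append(html.escape(inner))
            elif tag == "url":
                safe = html.escape(url)              # attribute-encode: " -> &quot;
                out.append(f'<a href="{safe}" target="_blank" rel="noopener">{safe}</a>')
            else:
                out.append(f'<img src="{html.escape(url)}" alt="">')
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


# Constructed sample posts, modelled on the cases discussed in the article.
SAMPLE_POSTS = [
    "<td>",
    "[b]hello[/b]",
    "[url]http://example.com/[/url]",
    "[img]http://example.com/a.png[/img]",
    "[img]javascript:alert();[/img]",
    "[img]&#106;&#97;&#118;&#97;script:alert()[/img]",            # numeric character references
    "[img]java\tscript:alert()[/img]",                            # tab inside the scheme
    "[url]http://example.com&#34; onmouseover=&#34;alert()[/url]",  # encoded quote in href
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        print(repr(post), "->", render_ubb(post))
```

The design point is that nothing is ever "removed" from a post: a rejected URL is simply rendered as escaped text, so there is no blacklist for an attacker to probe, and the only strings that reach an attribute are ones the renderer itself built from a validated, encoded value. Nested tags are deliberately not supported; an inner tag is escaped and shown literally.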
The following are the message board addresses of some domestic sites I tested (please take note and fix the programs in time to avoid unnecessary trouble). The testing time was rather short, so some sites may not have been found, and there may be more serious problems.
That is all for this script attack test. Looking at all these sites, I really don't dare to think about security anymore; there are many problems.
Although it can be solved with a simple task, carelessness will cause big problems.