Detailed explanation of js injection usage

This time I will bring you a detailed explanation of the use of js injection. What are the precautions when using js injection? Here are practical cases, let’s take a look.

There has been news recently that four employees of Alibaba’s network security department used web page vulnerabilities to write js scripts to steal moon cakes, so I became interested and wanted to know how to write this js script, and how to swipe orders in various ways. How is the gun robbery accomplished?

What is a javascript injection attack?

1. Whenever user input is accepted and redisplayed, the website is vulnerable to JavaScript injection attacks. Let’s examine a specific application that is vulnerable to JavaScript injection attacks. Let's say you've created a customer feedback website. Customers can visit the website and enter feedback about the product. When a customer submits feedback, the feedback information reappears on the feedback page.
Customer Feedback Website is a simple website. Unfortunately, this site is vulnerable to JavaScript injection attacks.
Suppose the following text is being entered into a customer feedback form:

<script>alert("Attack!")</script>

This Text represents the JavaScript script that displays the warning message box. After someone submits this script to a customer feedback form, the message Attack! appears when anyone visits the customer feedback site in the future.

2. Another method is to enter a js code in the browser address bar to change the content of the page js variables and page tags.

Using Javascript injection, the user can change the content of the web page without closing or saving it, which is done on the browser's address bar. The syntax of the command is as follows:

javascript:alert(#command#)

For example, if you want to go to http://www.example.comIf you see an alert warning box on the site, first enter the URL in the address bar and wait for the page to load, then delete the URL and enter:

javascript:alert("Hello World")

as the new URL. This will pop up a "Hello World" alert box, and you can use this technique to change almost any content on the web page, such as an image. Suppose there is a website logo picture, and we find a piece of HTML code by looking at the page source file:

The image is named "hi", the source file is "hello.gif", we want to change it to "bye.jpeg" stored on our site (http://www.mysite.com) file, so the complete URL address of the image is http://www.mysite.com/bye.jpeg. Using Javascript injection, we only need to enter on the address bar:

javascript:alert(document .hi.src="http://www.mysite.com/bye.jpeg")

You will see the pop-up "http://www.mysite.com/bye.jpeg" "alert warning, and then the picture was changed. It’s important to note that these changes are only temporary! If you refresh the page or re-enter, your changes will disappear because you only made the changes on your PC, not on the web server.

Using the same method, we can view or change the value of the variable . For example, we find a piece of code like this on the web page:

<SCRIPT LANGUAGE="JavaScript">
var a="test"
</SCRIPT>

means that the value of variable a is "test", now we enter:

javascript:alert(a)

Then we change its value to "hello":

javascript:alert(a="hello")

Javascript injection is usually used to change form properties. Suppose there is a piece of code like this:

<form name="format" action="send.php" method="post">
<input type="hidden" name="mail" value="someone@somewhere.com">
<input type="text" name="name">
<input type="submit" value="submit"></form>

We want the form to be sent to our email address, not someone@somewhere.com. You can use the following command:

javascript:alert(document.format.mail.value="me@hacker.com")

•也许你已经注意到了这些命令的层次关系：
 •我们按照从左到右的顺序依次说明：
 •1)最左边是document
 •2)然后是我们想要更改的对象名(比如document.hi.src)或其包含的对象(比如document.format.mail.value)
 •3)最后是我们想要更改的属性(比如源路径:document.hi.src，或变量值:document.format.mail.value)
 •4)使用“.”号分隔
 •5)当我们想要更改属性值的时候，我们使用“=”号和新的属性值
 •*注释:当新的属性值为字符串时(比如:document.format.mail.value="me@hacker.com")需要用双引号把它括起来。
 •如果我们想要把它作为一个变量的值，则不需要使用双引号""。例如我们想要将变量b的值赋予变量a，我们可以输入javascript:alert(a=b)。
 •但是,页面中的大部分标签都没有名字，比如： 

<form action="send.php" method="post">
<input type="hidden" name="mail" value="someone@somewhere.com">
<input type="text" name="name">
<input type="submit" value="submit"></form>

在这段代码中没有表单名，综合上面这些信息，可以使用此命令： 

javascript:alert(document. .mail.value="me@hacker.com")

在这种情况下我们必须统计并找出表单序号，下面是一个例子： 

<form action="send.php" method="post">
<input type="text" name="name">
<input type="submit" value="submit">
</form>
<form action="send.php" method="post">
<input type="hidden" name="mail" value="someone@somewhere.com">
<input type="text" name="name">
<input type="submit" value="submit">
</form>
<form action="send.php" method="post">
<input type="text" name="name">
<input type="submit" value="submit">
</form>

•在以上代码中我们看见了3个表单，但我们只对第二个感兴趣，因此我们想要的表单序号就是2。不要忘记我们是从1开始计算的,比如1,2,3,4...而javascript却从0开始计算，比如0,1,2,3...所以真正的表单序号是1，不是2，通常我们要把找到的表单序号减一。我们将用这个序号来补全我们的命令:

javascript:alert(document.forms[1].mail.value="me@hacker.com")

•这样你就可以更改没有名字的图片或链接了，你可以把“forms”换成任何你想要的标签类型。对于图片就是 

javascript:alert(document.images[3].src="#the url of the picture you want#")

对于链接就是 

javascript:alert(document.links[0].href="#the url you want#")

 最后，我们可以用这个技巧来编辑cookies。下面的命令由triviasecurity.net的Dr_aMado编写，我只修改了一点点，让它在用户编辑之前显示出来。你只要把它们复制到地址栏就可以了：

javascript:alert(window.c=function a(n,v,nv){c=document.cookie;c=c.substring(c.indexOf(n)+n.length,c.length);
c=c.substring(1,( (c.indexOf(";")>-1) ? c.indexOf(";") : c.length));nc=unescape(c).replace(v,nv);
document.cookie=n+"="+escape(nc);return unescape(document.cookie);});
alert('The cookie is: "'+document.cookie+'"');alert(c(prompt("The name of the cookie:",""),
prompt("Change this value:",""),prompt("with this:","")))

//如果你想要手动更改你的cookie，可以使用下面这条命令：

javascript:alert(document.cookie)

这将显示你的当前cookie，假设是“userid=1”，如果你想把它改成“userid=2”，可以使用下列命令：

javascript:alert(document.cookie="userid=2")

最后我必须强调的是，所有的更改都只是在客户端！就像是把网页保存在你的PC上然后修改它。尽管如此，使用这一技巧你仍然可以欺骗页面(例如cookies)或绕过安全验证。例如一些网页会检测用户发送数据的位置，如果从http://www.test.com/form.php发送数据到http://www.test.com/check.php，check.php可能会检测数据是否来自http: //www.test.com/form.php上的表单。除此之外，如果你打算在页面中输入你自己的JavaScript代码，通过使用一些这样的技巧，你将能够更改图片并保持不变！

最后的最后，既然js注入这么可怕，我们自己写的网站有什么解决办法来防止js注入呢？ 

方法一：

阻止 JavaScript 注入攻击的一种简单方法是重新在视图中显示数据时，用 HTML 编码任何网站用户输入的数据
如：<%=Html.Encode(feedback.Message)%>
使用 HTML 编码一个字符串的含意是什么呢？使用 HTML 编码字符串时，危险字符如 < 和 > 被替换为 HTML 实体，如 < 和 >。所以，当使用 HTML 编码字符串 <script>alert("Boo!")</script> 时，它将转换为 <script>alert("Attack!")</script>。浏览器在解析编码的字符串时不再执行 JavaScript 脚本。而是显示无害的页面。 

Method 2:

In addition to using HTML to encode the data when displaying it in the view, you can also use HTML to encode the data before submitting it to the database.

StringEscapeUtils.escapeHtml("Data submitted by the front desk");

Generally, people like to use the first method discussed in this tutorial rather than the second method. Two methods. The problem with the second approach is that you end up with HTML-encoded data in the database. In other words, the data in the database will contain strange characters. What's the harm? If you need to display database data in a form other than a web page, you will encounter problems. For example, data cannot be easily displayed in a Windows Forms application.

I believe you have mastered the method after reading the case in this article. For more exciting information, please pay attention to other related articles on the php Chinese website!

Recommended reading:

!=,==,!==,===Usage summary

In JS Time unit comparison method

The above is the detailed content of Detailed explanation of js injection usage. For more information, please follow other related articles on the PHP Chinese website!