How to analyze reflected XSS

1. Reflected XSS

Reflected XSS means that the application obtains untrustworthy data through Web requests, without checking whether the data contains malicious code. It is delivered to Web users. Reflected XSS is generally constructed by attackers with URLs containing malicious code parameters. When the URL address is opened, the unique malicious code parameters are parsed and executed by HTML. It is characterized by non-persistence and requires the user to click on a link with specific parameters. can cause. The editor takes the JAVA language source code as an example to analyze CWE ID 80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

2. The dangers of reflected XSS

When a user accesses a URL request with XSS code, the server receives the data and processes it, then sends the data with XSS code to the browser, and the browser parses the data with XSS code Finally, an XSS vulnerability is created, which may lead to stealing the cookies of the target website and transferring them to the attacker's server, reading the user's undisclosed information, or performing click hijacking to implement phishing attacks. From January to November 2018, there were a total of 126 vulnerability information related to it in CVE. Some of the vulnerabilities are as follows:

#CVEVulnerability OverviewCVE-2018-19091tianti is a free lightweight CMS system written in Java. It currently provides an overall solution from back-end management to front-end display. Among them, tianti 2.3 has a reflected XSS vulnerability in the user management module through the tianti-module-admin / user /list userName parameter. CVE-2018-14929Matera Banco 1.0.0 is vulnerable to multiple reflected XSS, as shown in /contingency/web/index.jsp (aka Home page) url parameters. CVE-2018-12996 ZohoManageEngine Applications Manager provides solutions for monitoring and managing J2EE underlying structures and J2EE applications. A reflected cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager 13 (Build13800) allows remote attackers to inject arbitrary web script or HTML via the 'method' parameter to GraphicalView.do. CVE-2018-12090LAMS is a new generation of JAVA-based learning software jointly developed by Macquarie University in Australia, LAMS International Co., Ltd. and LAMS Foundation. . Unauthenticated reflected cross-site scripting (XSS) exists in LAMS before 3.1, allowing remote attackers in forgetPasswordChange.jsp? Introducing arbitrary JavaScript via manipulation of unspecified GET parameters during key = password change.

3. Sample code

The example comes from Samate Juliet Test Suite for Java v1.3 (https://samate.nist.gov/SARD/testsuite.php), source File name: CWE80_XSS__CWE182_Servlet_URLConnection_03.java.

3.1 Defect Code

The above example code operation is to obtain the user’s age and create a connection object on line 40 , create an input stream on line 44 to obtain the content of the urlConnection object response, read a row of data from the buffer stream on line 52, and on line 100, remove all from the obtained data. <script></script> tag and output the processed data to the page. Even if the <script></script> tag is filtered, other html tags can still be used, which is constructed here Malicious url, but when the website is not protected, the page will read the content of document.cookie and input it into the page. This creates reflected XSS.

Use 360 ​​Code Guard to detect the above sample code, you can detect the "reflected XSS" defect, and the display level is high. The source of data pollution and data flow direction can be analyzed from the tracking path, and the defect is reported at line 100 of the code, as shown in Figure 1:

Figure 1: Reflective XSS detection example

3.2 Repair code

#In the above repair code, since the content output by the page is the user’s age, in line 96, the response The content is converted into numbers, thus filtering out other html characters. Even if characters exist, the code will report an exception and will not cause reflected XSS to occur.

Use 360 ​​Code Guard to detect the repaired code, and you can see that there is no "reflected XSS" defect. As shown in Figure 2:

Figure 2: Detection results after repair

4. How to avoid reflected XSS

To avoid reflective ;, ', ", etc.) and

<script><p>, <code class="prettyprint code-in-text prettyprinted">javascript, etc. to filter. <code class="prettyprint code-in-text prettyprinted">(2) According to the different locations where the data will be placed in the HTML context (HTML tags, HTML attributes, JavaScript scripts, CSS, URLs), and perform appropriate output encoding on all untrusted data. <p>(3) Set the HttpOnly<p> attribute to prevent attackers from exploiting# The ##XSS<code class="prettyprint code-in-text prettyprinted"> vulnerability carries out Cookie<code class="prettyprint code-in-text prettyprinted"> hijacking attack. In JavaEE, the code to add HttpOnly<code class="prettyprint code-in-text prettyprinted"> to Cookie<code class="prettyprint code-in-text prettyprinted"> is as follows: <code class="prettyprint code-in-text prettyprinted"></script>

The above is the detailed content of How to analyze reflected XSS. For more information, please follow other related articles on the PHP Chinese website!