PHP code audit: XSS Vulnerability

Original link: https://blog.csdn.net/God_XiangYu/article/details/97839722

---

When your talent

When you can not afford to hang on ambition

Then you should stop learning

---

      Code audit online learning experiment, while CE are practical operation, while finishing notes later when convenient to look for quick reference.

table of Contents

XSS code audit

XSS vulnerabilities introduced

Reflective XSS

Storage-type XSS

XXS vulnerabilities Prevention

Reflective xss vulnerability prevention

xss vulnerabilities in php precautions Methods

 Storage type xss vulnerability prevention

---

XSS code audit

       XSS vulnerability is one of the most common Web application vulnerabilities.

       Online small companies most basic method of fixing sites may not prevent XSS vulnerabilities, it is likely there XSS vulnerability

 

XSS vulnerabilities introduced

       Cross-site scripting attack is a malicious attacker to insert malicious Web page using Script code, when a user browsing the page, embedded inside a Web Script code is executed, so as to achieve the purpose of malicious users. xss vulnerability is usually a function of the output through the output php javascript code to html page, so xss vulnerabilities key performed by the user's local browser is looking for unfiltered output parameter function . Common output functions are:  echo printf print print_r sprintf die var_dump var_export.

xss Category:

• Reflective XSS: <non-persistent>  attacker attacks in advance to make good link, you need to trick users to click on a link in order to trigger their own code for XSS (server no such pages and content), generally easy to appear in the search page.

• Storage type XSS: <persistence>  codes are stored in the server, such as personal information or publishing articles and other places, add code, if there is no filter or filter lax, then the code will be stored in the server whenever a user when accessing the page will trigger code execution, XSS this is very dangerous, likely to cause worms, a large number of thefts cookie (although there are kinds of DOM XSS type, but is still included in the storage type XSS).

       These would have to learn in the space where XSS will then detailed explanation, first here and then repeat it

 

Reflective XSS

       In the black-box testing, this type is easier to find through vulnerability scanner directly, we only need to make the appropriate verification in accordance with the results of the scan on it.

White box opposite the audit, we first find the output functions with parameters, followed by an output content back to the input parameters, to observe whether the filter

echo () function to demonstrate reflective XSS

   The following code, the variable $ XssReflex Get get passed by the input variable named variable value (a string value), and then directly through echo () function output, the middle note is not any user input filter to create x. php:

  
  
<html>
<head>
<meta http-equiv= "Content-Type" content= "text/html; charset=utf-8" />
<title>XSS</title>
</head>
<body>
<form action= "" method= "get">
<input type= "text" name= "input">
<input type= "submit">
</form>
<br>
<?php
$XssReflex = $_GET[ 'input'];
echo 'output:<br>'.$XssReflex;
?>
</body>
</html>
  
  

Page display of results, casually enter some content:

Above all for the normal output, but if we export some javascriptcode?

Through code analysis, we began construction of the payload is: <script> when the alert (1) </ script>, page successful pop and pop content to fill in the value of the string

Page source code checking a wave, an increase of 12 lines found XSS script that we just entered

注：<script>alert(1)</script>

       这个弹窗并没有什么实际的意义，但通过它我们知道输入javascript代码是可以被执行的，当我们输入一些其他函数，比如document.cookie就可以成功盗取用户的cookie信息，详细的XSS内容请移步看CE博客的XSS文章，这里就不做过多讲解

存储型XSS

       和反射性XSS的即时响应相比，存储型XSS则需要先把利用代码保存在比如数据库或文件中，当web程序读取利用代码时再输出在页面上执行利用代码。但存储型XSS不用考虑绕过浏览器的过滤问题，屏蔽性也要好很多。 存储型XSS攻击流程：

 

       存储型XSS的白盒审计同样要寻找未过滤的输入点和未过滤的输出函数，如果提示没有执行权限，请用chmod +x  文件名.php 赋予文件执行权限

代码如下，创建x1.php：

  
  
<span style= "font-size:18px;"><meta http-equiv= "Content-Type" content= "text/html;charset=utf-8"/>
<html>
<head>
<title>XssStorage</title>
</head>
<body>
<h2>Message Board<h2>
<br>
<form action= "x1.php" method= "post">
Message:<textarea id= 'Mid' name= "desc"></textarea>
<br>
<br>
Subuser:<input type= "text" name= "user"/><br>
<br>
<input type= "submit" value= "submit" οnclick= 'loction="x1.php"'/>
</form>
<?php
if( isset($_POST[ 'user'])&& isset($_POST[ 'desc'])){
$log=fopen( "sql.txt", "a");
fwrite($log,$_POST[ 'user']. "\r\n");
fwrite($log,$_POST[ 'desc']. "\r\n");
fclose($log);
}

if(file_exists( "sql.txt"))
{
$read= fopen( "sql.txt", 'r');
while(!feof($read))
{
echo fgets($read). "</br>";
}
fclose($read);
}
?>
</body>
</html></span>
  
  

这个页面采用POST提交数据，生成、读取文本模拟数据库，提交数据之后页面会将数据写入sql.txt，再打开页面时会读取sql.txt中内容并显示在网页上，实现了存储型xss攻击模拟，页面展示效果：

Message中输入<script>alert(1)</script>，成功弹窗

页面源代码，并且我们重启浏览器之后再加载该页面，页面依然会弹窗,这是因为恶意代码已经写入数据库中，每当有人访问该页面时，恶意代码就会被加载执行！

这就是所谓的存储型XSS漏洞，一次提交之后，每当有用户访问这个页面都会受到XSS攻击，危害巨大

 

XXS漏洞防范

反射型xss漏洞防范

php中xss的漏洞防范方法总结：

A.PHP直接输出html的，可以采用以下的方法进行过滤：

  •   1.htmlspecialchars函数
  •   2.htmlentities函数
  •   3.HTMLPurifier.auto.php插件
  •   4.RemoveXss函数

B.PHP输出到JS代码中，或者开发Json API的，则需要前端在JS中进行过滤：

  •   1.尽量使用innerText(IE)和textContent(Firefox),也就是jQuery的text()来输出文本内容
  •   2.必须要用innerHTML等等函数，则需要做类似php的htmlspecialchars的过滤

C.其它的通用的补充性防御手段

  •   1.在输出html时，加上Content Security Policy的Http Header
    （作用：可以防止页面被XSS攻击时，嵌入第三方的脚本文件等）
    （缺陷：IE或低版本的浏览器可能不支持）
  •   2.在设置Cookie时，加上HttpOnly参数
    （作用：可以防止页面被XSS攻击时，Cookie信息被盗取，可兼容至IE6）
    （缺陷：网站本身的JS代码也无法操作Cookie，而且作用有限，只能保证Cookie的安全）
  •   3.在开发API时，检验请求的Referer参数
    （作用：可以在一定程度上防止CSRF攻击）
    （缺陷：IE或低版本的浏览器中，Referer参数可以被伪造）

使用htmlentities()函数 演示：

  •   htmlentities() 函数把字符转换为 HTML 实体

代码如下，创建x2.php：

  
  
<html>
<head>
<meta http-equiv= "Content-Type" content= "text/html; charset=utf-8" />
<title>XSS</title>
</head>
<body>
<form action= "" method= "get">
<input type= "text" name= "input">
<input type= "submit">
</form>
<br>
<?php
$XssReflex = $_GET[ 'input'];
echo 'output:<br>'.htmlentities($XssReflex); #仅在这里对变量 $XssReflex 做了处理.
?>
</body>
</html>
  
  

htmlentities()函数对用户输入的<>做了转义处理,恶意代码当然也就没法执行了。 还有其他过滤函数，有兴趣的可以自己去尝试一番

检查页面源码：

 

 存储型xss漏洞防范

       存储型XSS对用户的输入进行过滤的方式和反射型XSS相同

使用htmlspecialchars() 函数 演示：

      htmlentities() :把预定义的字符 "<" （小于）和 ">" （大于）转换为 HTML 实体

htmlspecialchars和htmlentities的区别：

       htmlspecialchars 只转义 & 、" 、' 、< 、> 这几个html代码，而 htmlentities 却会转化所有的html代码，连同里面的它无法识别的中文字符也会转化，如果没有执行权限，请赋予权限，前面写过，这里就不再复述了，就是用chmod 赋予执行权限

代码如下，创建v3.php：

  
  
<span style= "font-size:18px;"><meta http-equiv= "Content-Type" content= "text/html;charset=utf-8"/>
<html>
<head>
<title>x1</title>
</head>
<body>
<h2>Message Board<h2>
<br>
<form action= "x3.php" method= "post">
Message:<textarea id= 'Mid' name= "desc"></textarea>
<br>
<br>
Subuser:<input type= "text" name= "user"/><br>
<br>
<input type= "submit" value= "submit" οnclick= 'loction="x1.php"'/>
</form>
<?php
if( isset($_POST[ 'user'])&& isset($_POST[ 'desc'])){
$log=fopen( "sqlStorage.txt", "a");
fwrite($log,htmlspecialchars($_POST[ 'user']). "\r\n"); # 在此对用户输入数据$_POST['user']进行过滤
fwrite($log,htmlspecialchars($_POST[ 'desc']). "\r\n"); # 在此对用户输入数据$_POST['desc']进行过滤
fclose($log);
}

if(file_exists( "sqlStorage.txt"))
{
$read= fopen( "sqlStorage.txt", 'r');
while(!feof($read))
{
echo fgets($read). "</br>";
}
fclose($read);
}
?>
</body>
</html></span>
  
  

试试输入<script>alert(1)</script> 发现输入的代码并没有被执行

检测页面源代码

htmlspecialchars()函数对用户输入的<>做了转义处理

 

参考链接：https://www.shiyanlou.com/courses/895

---

我不需要自由，只想背着她的梦

一步步向前走，她给的永远不重

---