How to find out the XSS loopholes in the website through code audit

2025-03-28 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

How do you find XSS vulnerabilities in a website through code audit? This article introduces the corresponding analysis and solution in detail, hoping to help readers who want to solve this problem find simpler and easier methods.

I. Background

The author has previously recorded a set of video tutorials on XSS; the vulnerability case section covers manual mining, tool mining and code audit. He is now rewriting the contents as articles. The first two articles have already been written and their contents are related; the manual XSS mining article is "Practice of quickly finding possible XSS vulnerabilities in websites".

This article mainly records XSS vulnerability mining by means of code audit, divided into three parts: finding the key positions, forward audit and reverse audit. The audited system is the permeate penetration test system; for how to set up the test system, please refer to the author's first article.

II. Operational summary

1. Find the key positions

2. Forward audit

3. Reverse audit

III. Find the key positions

Working at the key positions makes the job more efficient, and code audit finds vulnerabilities the same way, so the author first needs to locate the key positions for XSS. For most current web applications the MVC pattern is the mainstream structure, so the author will look for the corresponding controllers and templates. This section mainly explains the idea behind locating them.

3.1 Find the controller.

The controller is usually found by analysing the main entry file together with the URL address. The author opens the home page and finds that its URL is:

http://permeate.songboy.net/home/index.php

When you click on a board, the URL changes to the following address:

http://permeate.songboy.net/home/index.php?m=tiezi&a=index&bk=6

From these URLs you can see that both the home page and the board page go through home/index.php, so the author can find the location of the controller by opening the home/index.php file. After opening it, the code is as follows:

Now go to the browser, right-click the current page and choose View Source, as shown below:

In the source, search for the string 11111; sure enough, the string is found, as shown in the following figure:

IV. Forward audit

After finding the key positions, the author can carry out the code audit. An XSS code audit mainly has two directions: forward audit and reverse audit. Forward audit means checking from the point where a parameter is received to the point where it is finally used, while reverse audit means working back from the position where a variable is used to the point where the parameter was received.

4.1 Receiving parameter position

First, code audit is performed in the forward direction, which means starting from where parameters are received. Using the editor's search function, the author searches the controller files for the keyword $_GET and finds the index method in the tiezi.php controller. The code is as follows:

public function index()
{
    $id = $_GET['bk'];
    $bk = &$id;
    // Starting page size
    $page_size = 15;
    // Get the current page number
    $page_num = empty($_GET['page']) ? 1 : $_GET['page'];
    // Middle code ... omitted
    $data['bk'] = $bk;
    $data['count'] = $count;
    $data['page_size'] = $page_size;
    $data['page_count'] = $page_count;
    $data['page_num'] = $page_num;
    displayTpl('tiezi/index', $data);
}

4.2 Template position filter

From the code above, we can see that the parameter bk is not filtered and is passed straight into the template, which leaves a security risk: if the template does not apply any security filtering either, there is a reflected XSS vulnerability. Open the template file and search for the keyword bk. The code is as follows:
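The key-position step (section 3.1) and the forward audit (sections 4.1 and 4.2) can be mechanised for straight-line MVC code of this shape. The Python script below is an added example written for this article, not code from the permeate project. The controller and template sources embedded in it are constructed samples modelled on the index() method shown above, and the names locate_key_position, tainted_variables, template_variables, audit_template and forward_audit are chosen here. It maps the URL parameters m and a to the controller file and method, follows $_GET input through plain assignments and reference aliases into the $data array, and then reports every template echo of a tainted value as unescaped unless the expression is wrapped in htmlspecialchars() or htmlentities(). A hardened copy of the template is included so the same audit shows the fix.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample controller, modelled on the tiezi.php index() in the article.
# It is NOT the real permeate source.
CONTROLLER_SRC = r"""<?php
class TieziController
{
    public function index()
    {
        $id = $_GET['bk'];
        $bk = &$id;
        $page_size = 15;
        $page_num = empty($_GET['page']) ? 1 : $_GET['page'];
        $data['bk'] = $bk;
        $data['page_size'] = $page_size;
        $data['page_num'] = $page_num;
        displayTpl('tiezi/index', $data);
    }
}
"""

# Constructed template fragments: the vulnerable one echoes $bk and $page_num raw,
# the hardened one escapes every user-derived value before it reaches the HTML.
VULNERABLE_TPL = r"""<a href="index.php?m=tiezi&a=index&bk=<?php echo $bk; ?>&page=<?php echo $page_num + 1; ?>">next</a>
<p>page size: <?php echo htmlspecialchars($page_size); ?></p>
"""
HARDENED_TPL = r"""<a href="index.php?m=tiezi&a=index&bk=<?php echo htmlspecialchars($bk, ENT_QUOTES, 'UTF-8'); ?>&page=<?php echo htmlspecialchars($page_num + 1, ENT_QUOTES, 'UTF-8'); ?>">next</a>
<p>page size: <?php echo htmlspecialchars($page_size); ?></p>
"""

SAMPLE_URL = "http://permeate.songboy.net/home/index.php?m=tiezi&a=index&bk=6"

SUPERGLOBAL = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\[['\"](\w+)['\"]\]")
ASSIGN = re.compile(r"\$(\w+)\s*=\s*&?\s*(.+?);")            # $var = [&]expr;
DATA_ASSIGN = re.compile(r"\$data\[['\"](\w+)['\"]\]\s*=\s*\$(\w+)\s*;")
ECHO = re.compile(r"<\?(?:php)?\s*echo\s+(.+?)\s*;?\s*\?>", re.S)
ESCAPER = re.compile(r"^\s*(?:htmlspecialchars|htmlentities)\s*\(")


def locate_key_position(url):
    """Step 1: in this URL scheme m= names the controller file and a= the method."""
    qs = parse_qs(urlparse(url).query)
    module = qs.get("m", ["index"])[0]
    action = qs.get("a", ["index"])[0]
    return f"{module}.php", action


def extract_method(src, name):
    """Return the body of `function <name>(...) { ... }` by brace counting."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]


def tainted_variables(body):
    """Forward step (a): variables that receive superglobal input, propagated
    through later assignments and reference aliases such as `$bk = &$id;`."""
    tainted = {}  # variable name -> originating request parameter
    for var, rhs in ASSIGN.findall(body):
        sg = SUPERGLOBAL.search(rhs)
        if sg:
            tainted[var] = sg.group(1)
            continue
        for other, param in list(tainted.items()):
            if re.search(r"\$" + re.escape(other) + r"\b", rhs):
                tainted[var] = param
    return tainted


def template_variables(body, tainted):
    """Forward step (b): which $data keys (template variables) carry taint."""
    return {key: tainted[var] for key, var in DATA_ASSIGN.findall(body) if var in tainted}


def audit_template(template_src, tainted_keys):
    """Forward step (c): each echo of a tainted template variable is 'unescaped'
    unless the whole expression is wrapped in htmlspecialchars()/htmlentities()."""
    findings = []
    for expr in ECHO.findall(template_src):
        for key, param in tainted_keys.items():
            if re.search(r"\$" + re.escape(key) + r"\b", expr):
                status = "escaped" if ESCAPER.match(expr) else "unescaped"
                findings.append((key, param, status))
    return findings


def forward_audit(url, controller_src, template_src):
    """Whole forward audit: URL -> controller method -> tainted vars -> template echoes."""
    controller_file, method = locate_key_position(url)
    body = extract_method(controller_src, method)
    keys = template_variables(body, tainted_variables(body))
    return controller_file, audit_template(template_src, keys)


if __name__ == "__main__":
    for label, tpl in (("vulnerable", VULNERABLE_TPL), ("hardened", HARDENED_TPL)):
        controller_file, findings = forward_audit(SAMPLE_URL, CONTROLLER_SRC, tpl)
        print(label, controller_file, findings)
```

The script only understands the straight-line shape shown in the article (one assignment per statement, values handed to the template through $data), so in a real audit the omitted middle code still has to be read by hand, and anything that passes through a function call or a loop needs manual tracing. The hardened template also shows a detail that "is it filtered?" alone misses: a value placed inside an attribute must sit in a quoted attribute and be escaped with ENT_QUOTES, because before PHP 8.1 the default flags of htmlspecialchars() did not escape single quotes.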
