2025-04-10 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
Today I will talk about how to analyze reflective XSS. Many people may not know much about it, so to help you understand it better, the editor has summarized the following. I hope you get something from this article.
1. Reflective XSS
Reflective XSS occurs when an application takes untrusted data from a web request and returns it to web users without checking it for malicious code. An attacker typically constructs a URL whose parameters carry the malicious code; when that URL is opened, the parameter value is rendered as HTML and executed by the browser. It is non-persistent and requires the victim to click a link that carries the specific parameters. The editor takes Java source code as the example and analyzes CWE ID 80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS).
2. The harm of reflective XSS.
When a user visits a URL that carries XSS code, the server receives the data, processes it, and sends it, XSS code included, back to the browser. Once the browser parses it, the XSS vulnerability is triggered, which may let an attacker steal the target site's Cookie to the attacker's server, read the user's undisclosed information, or carry out clickjacking and phishing attacks. From January to November 2018, CVE recorded a total of 126 vulnerability entries related to it. Some of them are as follows:
Overview of CVE vulnerabilities

CVE-2018-19091: tianti is a free, lightweight CMS written in Java that provides an overall solution from background management to front-end presentation. Tianti 2.3 has a reflective XSS vulnerability in the user management module via the userName parameter of tianti-module-admin/user/list.

CVE-2018-14929: Matera Banco 1.0.0 is vulnerable to multiple reflective XSS issues, as shown by the url parameter of /contingency/web/index.jsp (aka the home page).

CVE-2018-12996: Zoho ManageEngine Applications Manager provides a solution for monitoring and managing J2EE infrastructure and J2EE applications. A reflective cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager 13 (Build 13800) allows remote attackers to inject arbitrary web script or HTML into GraphicalView.do through the 'method' parameter.

CVE-2018-12090: LAMS is a new-generation Java-based learning platform jointly developed by Macquarie University in Australia, LAMS International Co., Ltd. and the LAMS Foundation. Before LAMS 3.1, an unauthenticated reflective cross-site scripting (XSS) vulnerability allowed remote attackers to introduce arbitrary JavaScript during a password change by manipulating an unsanitized GET parameter (Key) of forgetPasswordChange.jsp.

3. Sample code
The example is from the SAMATE Juliet Test Suite for Java v1.3 (https://samate.nist.gov/SARD/testsuite.php), source file: CWE80_XSS__CWE182_Servlet_URLConnection_03.java.
3.1 defect code
The sample code above obtains the user's age: it creates a connection object on line 40, opens an input stream on line 44 to read the urlConnection response, reads one line from the buffered stream on line 52, strips tags from the data it received, and writes the processed data to the page on line 100. Even though those tags are filtered, other HTML tags still get through, so a malicious URL can be constructed. When the site has no protection, the page reads the content of [xss_clean] and writes it into the page, which results in reflective XSS.
Scanning the sample code above with 360 Code Guardian detects the "reflective XSS" defect with a displayed severity of High. The taint source and the data flow can be analyzed from the tracking path, and the defect is reported on line 100, as shown in Figure 1:
Figure 1: reflective XSS detection example
3.2 fix the code
In the fixed code above, because what the page outputs is the user's age, line 96 converts the response content into a number, which filters out any other HTML characters. If such characters are present, the code throws an exception instead of producing reflective XSS.
Scanning the repaired code with 360 Code Guardian shows that the "reflective XSS" defect is gone, as shown in Figure 2:
Figure 2: test results after repair
4. How to avoid reflective XSS
To avoid reflective XSS, you need to pay attention to the following:
(1) Validate the user's input sensibly (for example, age may only be numeric), and filter special characters (such as ' and ") as well as keywords such as javascript.
(2) Properly encode the output of all untrusted data according to where it lands in the HTML context (HTML tags, HTML attributes, JavaScript scripts, CSS, URLs).
(3) Set the HttpOnly attribute so that attackers cannot exploit XSS vulnerabilities to hijack Cookies. In Java EE, the code to add HttpOnly to a Cookie is as follows:
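The following is an added example written for this page; it is not the Juliet test case, nor code from 360 Code Guardian or the article. It puts the weak single-tag filter described in section 3.1 beside the three defenses of section 4: parsing the age as a number (the line-96 fix of section 3.2), HTML-encoding any free text that must be echoed, and flagging the session cookie HttpOnly. Only the cookie helper and the `respond` sketch need the Servlet API (javax.servlet, Servlet 3.0 or later) on the classpath; the class name, method names and the sample input string are the example's own.

```java
// Added example, not from the article or the Juliet suite. Contrasts a
// single-tag filter with type validation, HTML encoding, and an HttpOnly cookie.
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

public class ReflectedXssDemo {

    // WEAK: the pattern the defect code relies on (CWE-182, collapse of data
    // into an unsafe value). Removing one tag spelling leaves every other tag,
    // attribute event handler and case variant untouched.
    static String weakFilter(String data) {
        return data.replaceAll("<script>", "");
    }

    // FIX 1: validate by type. The page only needs a number, so parse it;
    // anything that is not an integer throws and is never written to the page.
    static int parseAge(String data) {
        int age = Integer.parseInt(data.trim()); // NumberFormatException on junk
        if (age < 0 || age > 150) {
            throw new IllegalArgumentException("age out of range: " + age);
        }
        return age;
    }

    // FIX 2: encode untrusted text for the HTML-body context when free text
    // must be echoed. Covers the characters that can change HTML structure.
    static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // FIX 3: an HttpOnly cookie (Servlet 3.0+) is invisible to document.cookie,
    // so script that does run in the page cannot read the session id.
    // Secure keeps it off plaintext HTTP.
    static Cookie httpOnlySessionCookie(String name, String value) {
        Cookie c = new Cookie(name, value);
        c.setHttpOnly(true);
        c.setSecure(true);
        c.setPath("/");
        return c;
    }

    // How the helpers sit in a servlet's doGet (sketch; needs a container).
    static void respond(HttpServletResponse resp, String ageParam) throws java.io.IOException {
        resp.setContentType("text/html; charset=UTF-8");
        resp.addCookie(httpOnlySessionCookie("DEMO_SESSION", "opaque-session-id"));
        resp.getWriter().println("<p>Age: " + parseAge(ageParam) + "</p>");
    }

    public static void main(String[] args) {
        // Constructed sample input: an "age" parameter carrying markup instead of a number.
        String hostile = "<img src=x onerror=alert(1)>";

        // The weak filter passes it through unchanged.
        System.out.println("weak filter : " + weakFilter(hostile));

        // Type validation rejects it outright.
        try {
            parseAge(hostile);
        } catch (NumberFormatException e) {
            System.out.println("parseAge    : rejected (" + e.getMessage() + ")");
        }
        System.out.println("parseAge 42 : " + parseAge("42"));

        // Encoding neutralises it when text must be echoed.
        System.out.println("htmlEncode  : " + htmlEncode(hostile));
    }
}
```

The order of the fixes matters in practice: validation by type is the cheapest and, for a field like age, the complete answer; encoding is the general rule for every other echo point, chosen per context (the table in item (2) above); HttpOnly does not stop the script from running, it only limits what a successful injection can read, so it is a damage-reduction layer rather than a substitute for the first two.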
After reading the above, do you have a better understanding of how to analyze reflective XSS? If you want to know more, please follow the industry information channel. Thank you for your support.
© 2024 shulou.com SLNews company. All rights reserved.