Recently, there was a news report that four employees of the Alibaba network security department exploited web vulnerabilities and wrote a JavaScript script to grab mooncakes. Inspired by this, I want to understand how such a JavaScript script is written, and how the various order-brushing, item-farming and flash-sale-grabbing scripts are implemented.
What is a JavaScript injection attack?
1. Every time a website accepts user input and displays that content again, it is vulnerable to JavaScript injection attacks. Let's study a specific application that is vulnerable to JavaScript injection. Suppose a customer feedback website has been created. Customers can visit the website and enter feedback about a product. When the customer submits the feedback, it is displayed again on the feedback page.
The customer feedback website is a simple website. Unfortunately, this website is vulnerable to JavaScript injection attacks.
Suppose the following text is entered into the customer feedback form:
<script>alert("Attack!")</script>
This text represents a JavaScript script that displays a warning message box. If someone submits this script to a customer feedback form, the message Attack! will be displayed when anyone accesses the customer feedback website in the future.
2. There is also a way to enter a piece of JavaScript code in the browser address bar to change the content of JavaScript variables and page tags on the current page.
Using JavaScript injection, users can change the content of the webpage without closing or saving the webpage, which is done in the browser's address bar. The syntax of the command is as follows:
javascript:alert(#command#)
For example, if you want an alert box to appear on the www.example.com site, first enter the URL in the address bar and wait for the page to load, then delete the URL and enter:
javascript:alert("Hello World")
as the new URL. This will pop up a "Hello World" alert box. With this technique you can change almost any content on a webpage, such as an image. Suppose the website has a logo image, and by viewing the page source we find this piece of HTML:
<IMG Name="hi" SRC="hello.gif">
The image is named "hi" and its source file is "hello.gif". We want to change it to the "bye.jpeg" file stored on our own site (http://www.mysite.com), so the complete URL of the image is http://www.mysite.com/bye.jpeg. Using JavaScript injection, we only need to enter this in the address bar:
javascript:alert(document.hi.src="http://www.mysite.com/bye.jpeg")
You will see an alert box showing "http://www.mysite.com/bye.jpeg", and then the image is changed. Note that these changes are temporary! If you refresh the page or re-enter the URL, your changes disappear, because you only made them on your own PC, not on the web server.
Using the same method, we can view or change the value of variables, for example, we find a piece of code like this on a web page:
<SCRIPT LANGUAGE="JavaScript"> var a="test" </SCRIPT>
This means the value of variable a is "test", now we enter:
javascript:alert(a)
Then we change its value to "hello":
javascript:alert(a="hello")
JavaScript injection is usually used to change form properties, assuming there is a piece of code like this:
<form name="format" action="send.php" method="post"> <input type="hidden" name="mail" value="[email protected]"> <input type="text" name="name"> <input type="submit" value="submit"></form>
We want the form to be sent to our email address, not [email protected]. We can use the following command:
javascript:alert(document.format.mail.value="[email protected]")
Maybe you have noticed the hierarchical relationship of these commands. Reading them from left to right:
1) The leftmost part is document.
2) Next comes the object we want to change (such as hi in document.hi.src) or the object that contains it (such as format.mail in document.format.mail.value).
3) Last comes the property we want to change (such as the source path in document.hi.src, or the variable value in document.format.mail.value).
4) The parts are separated with the "." sign.
5) When we want to change the property value, we use the "=" sign followed by the new property value.
Note: when the new property value is a string (for example document.format.mail.value="[email protected]"), it needs to be enclosed in double quotes. If we want to use the value of another variable, we do not need double quotes. For example, to assign the value of variable b to variable a, we can enter javascript:alert(a=b).
However, most of the tags on a page do not have names, such as:
<form action="send.php" method="post"> <input type="hidden" name="mail" value="[email protected]"> <input type="text" name="name"> <input type="submit" value="submit"></form>
In this code the form has no name, so the command built from the rules above cannot refer to it by name; the form part of the command is left blank:
javascript:alert(document. .mail.value="[email protected]")
In this case we must count the forms on the page to find the form's number. Here is an example:
<form action="send.php" method="post"> <input type="text" name="name"> <input type="submit" value="submit"> </form>
<form action="send.php" method="post"> <input type="hidden" name="mail" value="[email protected]"> <input type="text" name="name"> <input type="submit" value="submit"> </form>
<form action="send.php" method="post"> <input type="text" name="name"> <input type="submit" value="submit"> </form>
In the above code we see 3 forms, but we are interested in the second one, so the form number we want is 2. Do not forget that we start counting from 1 (1, 2, 3, 4...), while JavaScript starts counting from 0 (0, 1, 2, 3...), so the actual form index is 1, not 2. In general we subtract one from the form number we counted. We use this index to complete our command:
javascript:alert(document.forms[1].mail.value="[email protected]")
This way you can change images or links that have no name; replace "forms" with whatever tag type you want. For images, it is:
javascript:alert(document.images[3].src="#the url of the picture you want#")
For links, it is:
javascript:alert(document.links[0].href="#the url you want#")
Finally, we can use this trick to edit cookies. The following command was written by Dr_aMado from triviasecurity.net; I only made a few changes so that it displays the cookie before the user edits it. Copy it into the address bar as a single line (it is split across lines here, with comments, only for readability):
javascript:alert(window.c=function a(n,v,nv){
  c=document.cookie;                                                 /* all cookies, as "name=value; name2=value2" */
  c=c.substring(c.indexOf(n)+n.length,c.length);                     /* drop everything up to the end of the cookie name n */
  c=c.substring(1,((c.indexOf(";")>-1)?c.indexOf(";"):c.length));    /* skip the "=" and stop at the next ";" (or the end) */
  nc=unescape(c).replace(v,nv);                                      /* replace the old value v with the new value nv */
  document.cookie=n+"="+escape(nc);                                  /* write the cookie back */
  return unescape(document.cookie);
});
alert('The cookie is: "'+document.cookie+'"');
alert(c(prompt("The name of the cookie:",""),prompt("Change this value:",""),prompt("with this:","")))
If you want to change your cookie manually, you can use the following command:
javascript:alert(document.cookie)
This will display your current cookie; suppose it is "userid=1". If you want to change it to "userid=2", you can use the following command:
javascript:alert(document.cookie="userid=2")
Finally, I must emphasize that all these changes are only on the client side! It is like saving the web page on your PC and modifying it there. Nevertheless, with this trick you can still deceive the page (through cookies, for example) or bypass security checks. For example, some pages check where the submitted data comes from: if http://www.test.com/form.php sends data to http://www.test.com/check.php, check.php may verify that the data came from the form on http://www.test.com/form.php. In addition, if you manage to get your own JavaScript code stored on the page, then using some of these tricks you can change the image and keep it changed!
Since JavaScript injection is so dangerous, what can we do to prevent it on our own websites?
Method one:
A simple method to prevent JavaScript injection attacks is to HTML-encode any data entered by website users when displaying it in the view, for example:
<%=Html.Encode(feedback.Message)%>
What does it mean to HTML-encode a string? When a string is HTML-encoded, dangerous characters such as < and > are replaced with HTML entities such as &lt; and &gt;. Therefore, when HTML-encoded, the string <script>alert("Boo!")</script> is converted to &lt;script&gt;alert("Boo!")&lt;/script&gt;. The browser no longer executes the JavaScript when it parses the encoded string; instead it displays the text harmlessly.
Method Two:
In addition to HTML-encoding data when displaying it in the view, you can also HTML-encode the data before saving it to the database:
StringEscapeUtils.escapeHtml("Front-end submitted data");
Generally, people prefer the first method discussed in this tutorial over the second. The problem with the second method is that the HTML-encoded data ends up stored in the database. In other words, the data in the database contains strange characters. Why is that harmful? If you need to display the database data somewhere other than a web page, you will run into problems; for example, it is not easy to display such data correctly in a Windows Forms application.
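As an added example that is not part of the original article, the following JavaScript models the customer feedback page from the start of the article and the two defences just compared. htmlEncode is a stand-in for Html.Encode / StringEscapeUtils.escapeHtml, the sample message is the article's own payload, and the function names are my own. It shows that encoding at output keeps the stored text intact, while encoding before storage leaves entity-encoded text in the database that any non-HTML consumer must decode first.

```javascript
// Added example, not code from the original article. Models the customer
// feedback page and compares "encode on output" with "encode before storing".

// Constructed sample input: the payload quoted in the article.
const FEEDBACK = '<script>alert("Boo!")</script>';

// Entities for the characters that change meaning in HTML text and attribute
// values; a stand-in for Html.Encode / StringEscapeUtils.escapeHtml.
const ENCODE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const DECODE = Object.fromEntries(Object.entries(ENCODE).map(([c, e]) => [e, c]));

function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, (ch) => ENCODE[ch]);
}

function htmlDecode(s) {
  return String(s).replace(/&(?:amp|lt|gt|quot|#39);/g, (ent) => DECODE[ent]);
}

// Vulnerable view: the stored message is pasted straight into the markup,
// so a stored <script> tag runs for every later visitor of the feedback page.
function renderUnsafe(storedMessage) {
  return `<div class="feedback">${storedMessage}</div>`;
}

// Method one: store the raw text, encode when rendering the view.
function renderEncodedOnOutput(storedMessage) {
  return `<div class="feedback">${htmlEncode(storedMessage)}</div>`;
}

// Method two: encode before storing; the view then inserts the value as-is.
function storeEncoded(rawMessage) {
  return htmlEncode(rawMessage);
}

// Crude check: does the rendered HTML still contain a live <script> tag?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// The cost of method two: a non-HTML consumer (a desktop app, a report) sees
// entities such as &lt; unless it knows the column is HTML-encoded and decodes it.
function plainTextView(storedMessage, encodedInDatabase) {
  return encodedInDatabase ? htmlDecode(storedMessage) : storedMessage;
}
```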
Thank you for the sharing by netizens: http://zxf-noimp.iteye.com/blog/1130771