Protect from cross-site scripting attacks?

匆匆过客 submitted on 2019-12-13 00:38:18

Question


We recently set up a website (http://www.doverjewelry.com/) with HikaShop. The domain has GoDaddy Website Protection, so it scans the website and warns against vulnerabilities. The scan is currently reporting that the website is vulnerable to cross-site scripting attacks. This is the scan output:

Using the GET HTTP method, Site Scanner found that :
+ The following resources may be vulnerable to XSS (on parameters names) :
/bands-and-settings/category/371-all-ring-settings/limit_hikashop_catego
ry_information_module_223_371-0/limitstart_hikashop_category_information
_module_223_371-0/filter_order_hikashop_category_information_module_223_
371-a.ordering/filter_order_Dir_hikashop_category_information_module_223
_371-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-atom?<<<<<<<<<<foo"bar'
314>>>>>=1
-------- request --------
GET /bands-and-settings/category/371-all-ring-settings/limit_hikashop_category_information_module_223_371-0/limitstart_hikashop_category_information_module_223_371-0/filter_order_hikashop_category_information_module_223_371-a.ordering/filter_order_Dir_hikashop_category_information_module_223_371-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-atom?<<<<<<<<<<foo"bar'314>>>>>=1 HTTP/1.1\r
Host: www.doverjewelry.com\r
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1\r
Accept-Language: en\r
Connection: Close\r
Cookie: 7eedc822c6dd39ecf3c8ab00003d56f9=764a229107bda6b48c2863965f50ca03\r
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; MSIE 6.0; Site Scanner Bot; +http://www.websiteprotection.com) Firefox/2.0.0.3\r
Pragma: no-cache\r
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
------------------------
-------- output --------

[...] bd44a6ec-1/type-atom?<<<<<<<<<<foo"bar'314>>>>>=1" method="post" name="ad [...]
<div class="hikashop_products_pagination hikashop_products_paginat [...]
------------------------
/engagement-rings/category/366-antique-engagement-rings/limit_hikashop_c
ategory_information_module_222_366-25/limitstart_hikashop_category_infor
mation_module_222_366-0/filter_order_hikashop_category_information_modul
e_222_366-a.ordering/filter_order_Dir_hikashop_category_information_modu
le_222_366-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-atom?<<<<<<<<<<fo
o"bar'314>>>>>=1
-------- request --------
GET /engagement-rings/category/366-antique-engagement-rings/limit_hikashop_category_information_module_222_366-25/limitstart_hikashop_category_information_module_222_366-0/filter_order_hikashop_category_information_module_222_366-a.ordering/filter_order_Dir_hikashop_category_information_module_222_366-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-atom?<<<<<<<<<<foo"bar'314>>>>>=1 HTTP/1.1\r
Host: www.doverjewelry.com\r
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1\r
Accept-Language: en\r
Connection: Close\r
Cookie: 7eedc822c6dd39ecf3c8ab00003d56f9=764a229107bda6b48c2863965f50ca03\r
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; MSIE 6.0; Site Scanner Bot; +http://www.websiteprotection.com) Firefox/2.0.0.3\r
Pragma: no-cache\r
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
------------------------
-------- output --------

[...] bd44a6ec-1/type-atom?<<<<<<<<<<foo"bar'314>>>>>=1" method="post" name="ad [...]
<div class="hikashop_products_pagination hikashop_products_paginat [...]
------------------------
/engagement-rings/category/366-antique-engagement-rings/limit_hikashop_c
ategory_information_module_222_366-25/limitstart_hikashop_category_infor
mation_module_222_366-0/filter_order_hikashop_category_information_modul
e_222_366-a.ordering/filter_order_Dir_hikashop_category_information_modu
le_222_366-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-rss?<<<<<<<<<<foo
"bar'314>>>>>=1
-------- request --------
GET /engagement-rings/category/366-antique-engagement-rings/limit_hikashop_category_information_module_222_366-25/limitstart_hikashop_category_information_module_222_366-0/filter_order_hikashop_category_information_module_222_366-a.ordering/filter_order_Dir_hikashop_category_information_module_222_366-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-rss?<<<<<<<<<<foo"bar'314>>>>>=1 HTTP/1.1\r
Host: www.doverjewelry.com\r
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1\r
Accept-Language: en\r
Connection: Close\r
Cookie: 7eedc822c6dd39ecf3c8ab00003d56f9=764a229107bda6b48c2863965f50ca03\r
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; MSIE 6.0; Site Scanner Bot; +http://www.websiteprotection.com) Firefox/2.0.0.3\r
Pragma: no-cache\r
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
------------------------
-------- output --------

[...] abd44a6ec-1/type-rss?<<<<<<<<<<foo"bar'314>>>>>=1" method="post" name="ad [...]
<div class="hikashop_products_pagination hikashop_products_paginat [...]
------------------------
/engagement-rings/category/50-estate-engagement-rings/limit_hikashop_cat
egory_information_module_222_50-0/limitstart_hikashop_category_informati
on_module_222_50-0/filter_order_hikashop_category_information_module_222
_50-a.ordering/filter_order_Dir_hikashop_category_information_module_222
_50-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-atom?<<<<<<<<<<foo"bar'3
14>>>>>=1

We think it is referring to the pagination form at the bottom of the product pages. Here is the form code for one of the product pages:

<form action="http://www.doverjewelry.com/engagement-rings/category/50-estate-engagement-rings?filter_order_hikashop_category_information_module_222_50=%3C%3C%3C%3C%3C%3C%3C%3C%3C%3Cfoo%22bar'204%3E%3E%3E%3E%3E" method="post" name="adminForm_hikashop_category_information_module_222_50_bottom">

        <div class="hikashop_products_pagination hikashop_products_pagination_bottom">

        <div class="list-footer">

<div class="limit">Display #<select id="limit_hikashop_category_information_module_222_50" name="limit_hikashop_category_information_module_222_50" class="inputbox" size="1" onchange="this.form.submit()">
    <option value="20" selected="selected">20</option>
    <option value="5">5</option>
    <option value="10">10</option>
    <option value="15">15</option>
    <option value="20" selected="selected">20</option>
    <option value="25">25</option>
    <option value="30">30</option>
    <option value="50">50</option>
    <option value="100">100</option>
    <option value="0">all</option>
</select>
</div><span class="pagenav_start_chevron">&lt;&lt; </span><span class="pagenav pagenav_text">Start</span><span class="pagenav_previous_chevron"> &lt; </span><span class="pagenav pagenav_text">Prev</span> <span class="pagenav">1</span> <a class="pagenav" title="2" onclick="javascript: document.adminForm_hikashop_category_information_module_222_50_bottom.limitstart_hikashop_category_information_module_222_50.value=20; document.adminForm_hikashop_category_information_module_222_50_bottom.submit();return false;">2</a> <a class="pagenav" title="3" onclick="javascript: document.adminForm_hikashop_category_information_module_222_50_bottom.limitstart_hikashop_category_information_module_222_50.value=40; document.adminForm_hikashop_category_information_module_222_50_bottom.submit();return false;">3</a> <a class="pagenav" title="Next" onclick="javascript: document.adminForm_hikashop_category_information_module_222_50_bottom.limitstart_hikashop_category_information_module_222_50.value=20; document.adminForm_hikashop_category_information_module_222_50_bottom.submit();return false;">Next</a><span class="pagenav_next_chevron"> &gt;</span> <a class="pagenav" title="End" onclick="javascript: document.adminForm_hikashop_category_information_module_222_50_bottom.limitstart_hikashop_category_information_module_222_50.value=40; document.adminForm_hikashop_category_information_module_222_50_bottom.submit();return false;">End</a><span class="pagenav_end_chevron"> &gt;&gt;</span>
<div class="counter">Page 1 of 3</div>
<input type="hidden" name="limitstart_hikashop_category_information_module_222_50" value="0">
</div>
        <span class="hikashop_results_counter">
Results 1 - 20 of 48</span>

        </div>

        <input type="hidden" name="filter_order_hikashop_category_information_module_222_50" value="a.ordering">

        <input type="hidden" name="filter_order_Dir_hikashop_category_information_module_222_50" value="ASC">

        <input type="hidden" name="18aa959f74c6262cdb2863f0ffaff82e" value="1">
    </form>

We have talked to the HikaShop people about this and they say we need to update to their most recent version (our version is just one below the latest one), but we have made some major modifications to the code to include some of the client's requests, so we do not want to lose those changes (maybe in the future we will update to the latest version, but for now we just want to know if there is a quick fix for this).

Is the form really vulnerable to cross-site scripting attacks? What can we do to protect it, or to make the GoDaddy site scanner stop showing this warning message?


Answer 1:


From the output of the scanner, he thinks that when he issued a request with the additional parameter:

<<<<<<<<<<foo"bar'314>>>>>=1

and this param got printed, which we can see in the output:

type-atom?<<<<<<<<<<foo"bar'314>>>>>=1

that could mean that your page is prone to XSS, but many of those scanners forget encodings... the same issue occurs, for example, when scanning Liferay with w3af. But your HTML code prints:

%3C%3C%3C%3C%3C%3C%3C%3C%3C%3Cfoo%22bar'204%3E%3E%3E%3E%3E

So it seems that the param, although appended, is escaped... so it is not strictly prone to XSS. If you want to know more, visit the XSS Cheat Sheet, and you can use some other vulnerability scanners/proxies to confirm this issue: ZAP, WebScarab, w3af.
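A way to settle the "is it really vulnerable?" question without trusting either the scanner's verdict or the answer's reading of it, as an added example (my own code, not from the question, the answer, GoDaddy Site Scanner or HikaShop): replay the scanner's exact GET, save the response body, and check which of the probe's characters `<`, `>`, `"` and `'` come back raw, and in what HTML context they land. One caveat worth checking first: the two snippets in the question are not obviously the same request. The scanner's "output" lines show the probe raw inside `action="..."`, sent as a query-parameter name, while the pasted form shows it percent-encoded as the value of `filter_order_...`. The response bodies below are constructed for this example to look like each of those two snippets, plus a hypothetical entity-encoded text-node reflection; the hostname and path are taken from the question, the form name is shortened.

```python
"""
Added example, not code from the original question, the answer, GoDaddy Site
Scanner or HikaShop: classify a reflected scanner probe as exploitable or merely
echoed back in an encoded form, by checking which probe characters survive raw
and in which HTML context they land.
"""
import html
import re
from urllib.parse import quote

# Site Scanner's probe, copied from the report quoted in the question
# (ten '<', then foo"bar'314, then five '>', then =1).
PROBE = "<" * 10 + "foo\"bar'314" + ">" * 5 + "=1"
DANGEROUS = "<>\"'"


def _alternatives(ch: str) -> str:
    """Regex alternatives for one probe character: raw, %-encoded or entity-encoded."""
    alts = [re.escape(ch), re.escape(quote(ch, safe=""))]
    named = html.escape(ch, quote=True)
    if named != ch:
        alts.append(re.escape(named))         # &lt; &gt; &quot; &#x27;
    alts.append(r"&#0*%d;" % ord(ch))         # decimal entity, e.g. &#39;
    alts.append(r"&#[xX]0*%x;" % ord(ch))     # hex entity, e.g. &#x27;
    return "(?:%s)" % "|".join(alts)


def probe_pattern(probe: str) -> "re.Pattern":
    """Match the probe however each of its characters was encoded on the way out."""
    return re.compile("".join(_alternatives(c) for c in probe), re.IGNORECASE)


def _context(before: str) -> tuple:
    """Return (context, quote) for text reflected right after `before`:
    ("text", None), ("attribute", '"' or "'"), or ("attribute", None) if unquoted."""
    lt, gt = before.rfind("<"), before.rfind(">")
    if lt < 0 or lt < gt or not before[lt + 1:lt + 2].isalpha():
        return "text", None
    attr = re.search(r"""=\s*(["'])[^"']*$""", before[lt:])
    return "attribute", (attr.group(1) if attr else None)


def classify(body: str, probe: str = PROBE) -> list:
    """One finding per reflection of `probe` in `body`, with the verdict a scanner should give."""
    findings = []
    for m in probe_pattern(probe).finditer(body):
        reflected = m.group(0)
        context, quote_ch = _context(body[: m.start()])
        raw_chars = sorted({c for c in reflected if c in DANGEROUS})
        if context == "text":
            exploitable = "<" in reflected            # a raw '<' opens a tag in a text node
        elif quote_ch is not None:
            exploitable = quote_ch in reflected       # only the matching quote breaks out
        else:
            exploitable = any(c in reflected for c in "> \t\n")  # unquoted attribute value
        findings.append({"context": context, "quote": quote_ch, "raw_chars": raw_chars,
                         "exploitable": exploitable, "reflected": reflected})
    return findings


def verdict(body: str, probe: str = PROBE) -> str:
    """Collapse the findings into one answer."""
    findings = classify(body, probe)
    if not findings:
        return "not reflected"
    if any(f["exploitable"] for f in findings):
        return "exploitable"
    return "reflected but encoded"


# Constructed response bodies (not captured from doverjewelry.com), modelled on
# the two snippets in the question.
# 1. The probe echoed into the form action %-encoded, as in the pasted pagination
#    form; the apostrophe is left raw there, exactly as in the pasted action URL.
ENCODED_BODY = (
    '<form action="http://www.doverjewelry.com/engagement-rings/category/50-estate-engagement-rings'
    "?filter_order_hikashop_category_information_module_222_50="
    + "%3C" * 10 + "foo%22bar'314" + "%3E" * 5 + "%3D1"
    + '" method="post" name="adminForm_bottom">\n<div class="hikashop_products_pagination"></div></form>'
)
# 2. The probe echoed raw, as the scanner's "output" lines show it.
RAW_BODY = (
    '<form action="http://www.doverjewelry.com/engagement-rings/category/50-estate-engagement-rings'
    "/type-atom?" + PROBE
    + '" method="post" name="adminForm_bottom">\n<div class="hikashop_products_pagination"></div></form>'
)
# 3. Hypothetical: the probe entity-encoded inside a text node.
TEXT_BODY = "<p>No results for " + html.escape(PROBE, quote=True) + "</p>"

if __name__ == "__main__":
    for name, body in (("encoded", ENCODED_BODY), ("raw", RAW_BODY), ("text", TEXT_BODY)):
        for f in classify(body):
            print(name, f["context"], f["quote"], f["raw_chars"], f["exploitable"])
        print(name, "->", verdict(body))
```

Against a real capture, call `verdict(open("response.html").read())` on the body returned for the scanner's exact request line. The percent-encoded body is reported as "reflected but encoded" even though the apostrophe comes through raw: inside a double-quoted attribute only a raw `"` breaks out, which is precisely what the raw body contains, so that one is reported as "exploitable". If the live response looks like the raw body, the fix that does not depend on the HikaShop upgrade is to HTML-escape the URL before emitting it into the `action` attribute (in PHP, `htmlspecialchars()` with `ENT_QUOTES`); URL-encoding alone is only enough when it actually encodes `<`, `>` and the attribute's quote character, as the pasted form happens to.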



Source: https://stackoverflow.com/questions/13918207/protect-from-cross-site-scripting-attacks
