当前位置: 文江博客话题详情

尝试通过 pci 合规性,但存在跨站点脚本问题

发布于 2024-10-11 08:29:37 字数 1374 浏览 4 评论 0原文

我目前正在尝试通过我的一个客户站点的 PCI 合规性,但测试公司正在标记一个我不明白的漏洞!

测试公司(网站已删除)详细信息如下:

这里的问题是跨站点 脚本漏洞是 通常与电子商务相关 应用程序。其中一项测试 在 GET 中附加了一个无害的脚本 请求在您网站的末尾 网址。它被标记为跨站点 脚本漏洞,因为这个 与输入的脚本相同 用户(我们的扫描仪)被返回 服务器的标头未经过消毒。在 在这种情况下,脚本被返回 标题,因此我们的扫描仪标记了 漏洞。

这是我从我的 终端复制此内容:

获取 /?osCsid=%22%3E%3Ciframe%20src=foo%3E%3C/iframe%3E HTTP/1.0 主机:(已删除)

HTTP/1.1 302 Found
Connection: close
Date: Tue, 11 Jan 2011 23:33:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://www.(removed).co.uk/index.aspx?osCsid="><iframe src=foo></iframe>
Set-Cookie: ASP.NET_SessionId=bc3wq445qgovuk45ox5qdh55; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 203

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.(removed).co.uk/index.aspx?osCsid=&quot;>&lt;iframe src=foo>&lt;/iframe>">here</a>.</h2>
</body></html>

这个问题的解决办法是 清理这些类型的用户输入 请求,确保字符 可以触发可执行脚本的是 未在标题或页面上返回。

首先,我无法得到测试器所做的结果,它只返回一个 200 标头,其中不包含位置,也不会返回对象移动的页面。其次,我不确定如何(在 iis 6 上)阻止它返回带有查询字符串的标头!最后,为什么标头中的代码很重要,浏览器肯定不会实际执行 http 标头中的代码?

原文

I'm currently trying to pass PCI compliance for one of my client's sites but the testing company are flagging up a vulnerability that I don't understand!

The (site removed) details from the testing company are as follows:

The issue here is a cross-site
scripting vulnerability that is
commonly associated with e-commerce
applications. One of the tests
appended a harmless script in a GET
request on the end of the your site
url. It flagged as a cross-site
scripting vulnerability because this
same script that was entered by the
user (our scanner) was returned by the
server unsanitized in the header. In
this case, the script was returned in
the header so our scanner flagged the
vulnerability.

Here is the test I ran from my
terminal to duplicate this:

GET
/?osCsid=%22%3E%3Ciframe%20src=foo%3E%3C/iframe%3E
HTTP/1.0 Host:(removed)

HTTP/1.1 302 Found
Connection: close
Date: Tue, 11 Jan 2011 23:33:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://www.(removed).co.uk/index.aspx?osCsid="><iframe src=foo></iframe>
Set-Cookie: ASP.NET_SessionId=bc3wq445qgovuk45ox5qdh55; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 203

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.(removed).co.uk/index.aspx?osCsid="><iframe src=foo></iframe>">here</a>.</h2>
</body></html>

The solution to this issue is to
sanitize user input on these types of
requests, making sure characters that
could trigger executable scripts are
not returned on the header or page.

Firstly, I can't get the result that the tester did, it only ever returns a 200 header which doesn't include the location, nor will it return the object moved page. Secondly, i'm not sure how (on iis 6) to stop it returning a header with the query string in it! Lastly, why does code in the header matter, surely browsers wouldn't actually execute code from the http header?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

二货你真萌 2024-10-18 08:29:37

请求:GET /?osCsid=%22%3E%3Ciframe%20src=foo%3E%3C/iframe%3E HTTP/1.0 Host:(已删除)

是这里的问题。

响应文本:

 <html><head><title>Object moved</title></head><body>
 <h2>Object moved to <a href="http://www.(removed).co.uk/index.aspx?osCsid="><iframe src=foo></iframe>">here</a>.</h2>
 </body></html>

响应链接为:

  http://www.(removed).co.uk/index.aspx?osCsid="><iframe src=foo></iframe>

其中包含请求字符串的内容。

基本上,某人可以向其他人发送一个链接,其中您的 osCsid 包含允许以不同方式呈现页面的文本。您需要确保 osCsid 清理输入或过滤器以防止出现类似情况。例如,我可以提供一个字符串,让我加载我想要的任何 JavaScript,或者使页面呈现完全不同。

附带说明一下,它会尝试将您的浏览器转发到该不存在的页面。

Request: GET /?osCsid=%22%3E%3Ciframe%20src=foo%3E%3C/iframe%3E HTTP/1.0 Host:(removed)

The <iframe src=foo></iframe> is the issue here.

Response text:

 <html><head><title>Object moved</title></head><body>
 <h2>Object moved to <a href="http://www.(removed).co.uk/index.aspx?osCsid="><iframe src=foo></iframe>">here</a>.</h2>
 </body></html>

The response link is:

  http://www.(removed).co.uk/index.aspx?osCsid="><iframe src=foo></iframe>

Which contains the contents from the request string.

Basically, someone can send someone else a link where your osCsid contains text that allows the page to be rendered in a different way. You need to make sure that osCsid sanitizes input or filters against things that could be like this. For example, I could provide a string that lets me load in whatever javascript I want, or make the page render entirely different.

As a side note, it tries to forward your browser to that non-existent page.

回复 原文
云之铃。 2024-10-18 08:29:37

事实证明,我有一个 Response.redirect 用于通过 https 访问的任何页面,这些页面不需要安全,并且这将返回位置作为重定向的一部分。将此更改为:

Response.Status = "301 Moved Permanently";
Response.AddHeader("Location", Request.Url.AbsoluteUri.Replace("https:", "http:"));
Response.End();

解决了问题

It turned out that I have a Response.redirect for any pages which are accessed by https which don't need to be secure and this was returning the location as part of the redirect. Changing this to:

Response.Status = "301 Moved Permanently";
Response.AddHeader("Location", Request.Url.AbsoluteUri.Replace("https:", "http:"));
Response.End();

Fixed the issue

回复 原文
~没有更多了~

关于作者

番薯

暂无简介

0 文章
0 评论
24 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

留蓝

文章 0 评论 0

18790681156

文章 0 评论 0

zach7772

文章 0 评论 0

Wini

文章 0 评论 0

ayeshaaroy

文章 0 评论 0

初雪

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文