Javascript 注入 URL
我们有一个相对受欢迎的网站,最近我们开始看到日志中弹出一些奇怪的 URL。我们的页面引用了 jQuery,并且我们开始看到这些脚本的片段被插入到 URL 中。所以我们有这样的日志条目:
/js/,data:c,complete:function(a,b,c){c=a.responseText,a.isResolved()&&(a.done(function(a){c=a}),i.html(g?d(
请求的用户代理字符串是 Java/1.6.0_06,所以我认为我们可以安全地假设它是一个可能用 Java 编写的机器人。另外,我可以在 jQuery 文件中找到附加的代码片段。
现在,我的问题是为什么机器人会尝试将引用的 Javascript 插入 URL 中?
We have a relatively popular website, and recently we started seeing some strange URL's popping up in our logs. Our pages reference jQuery and we started seeing pieces of those scripts being inserted into URL's. So we have logging entries like this:
/js/,data:c,complete:function(a,b,c){c=a.responseText,a.isResolved()&&(a.done(function(a){c=a}),i.html(g?d(
The User Agent string of the Request is Java/1.6.0_06, so I think we can safely assume it's a bot that's probably written in Java. Also, I can find back the piece of appended code in the jQuery file.
Now, my question is why would a bot try to insert referenced Javascript into the URL?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
它可能不是专门针对您的网站的——它可能是一次尝试寻找可 XSS 的网站,以便攻击者稍后可以找出可窃取的内容并发起攻击并编写一个网页来针对真实用户部署它。
在这种情况下,攻击者可能会使用机器人从站点收集 HTML,然后将该 HTML 传递给僵尸计算机上运行的 IE 实例,以查看发出的消息。
我在这里没有看到任何活动的有效负载,所以我假设您在这里截断了一些代码,但它看起来像 JSCompiled jQuery 代码,可能使用 jQuery 的
postMessage所以它可能是试图通过 XSS 窃取您的代码用户数据或凭据、安装 JavaScript 键盘记录器等。我会通过 grep 浏览您的 JavaScript,查找执行类似操作
或使用正则表达式或子字符串调用来获取部分内容的 代码。
location并使用eval或new Function来解压它。It may not be specifically targeted at your site -- it may be a shotgun attempt to find XSS-able sites so that an attacker later can figure out what's stealable and craft an attack and write a web-page to deploy it against real users.
In that cases, the attacker may use bots to collect HTML from sites, and then pass that HTML to instances of IE running on zombie machines to see what messages get out.
I don't see any active payload here so I assume you've truncated some code here, but it looks like JSCompiled jQuery code that probably uses jQuery's
postMessageso it's probably an attempt to XSS your code to exfiltrate user data or credentials, install a JavaScript keylogger, etc.I would grep through your JavaScript looking for code that does something like
or anything that uses a regexp or substring call to grab part of the
locationand usesevalornew Functionto unpack it.也许是检查跨站脚本漏洞。
如果机器人检测到成功注入,它可能会注入危险代码(例如窃取用户的密码或将他们重定向到恶意网站)。
Checking for Cross Site Scripting vulnerabilities, maybe.
If the bot detects a successful injection, it might inject dangerous code (e.g. stealing your users' passwords or redirecting them to malicious sites).