1. Background

The author previously recorded a set of XSS video tutorials, whose vulnerability case section covered three parts: manual mining, tool mining and code audit. These are now being written up again as articles. The first two have been finished, and their content is related. For the manual XSS mining article, on how to quickly find XSS holes in a web site (part 1), see https://segmentfault.com/a/1190000016095198

This article mainly records XSS vulnerability mining through code audit, divided into three parts: identifying key positions, forward audit and reverse audit. The audited system is the permeate penetration testing system, which can be set up by referring to the author's first article.

2. Operation summary

  1. Identify key locations
  2. Forward audit
  3. Reverse audit

3. Finding the key position

The author first needs to find the key positions for XSS. For most current Web applications the MVC pattern is mainstream, so the author will look for the corresponding controller and template. This section mainly explains the idea behind locating them.

3.1 Finding the Controller

The way to find the controller is usually to analyze the main entry file and the URL address. The author opens the home page and finds that the URL address is

http://permeate.songboy.net/home/index.php

When you click on a board, the URL changes to the following address

http://permeate.songboy.net/home/index.php?m=tiezi&a=index&bk=6

It can be seen from the URL that both the home page and the board page pass through home/index.php. Therefore, the author can find the location of the controller by opening the home/index.php file, whose code is shown below

<?php
require_once "../core/common.php";
include "./public/header.php";
// $model and $action correspond to the m and a URL parameters
includeAction("$model", "$action");
include "./public/footer.php";

Next open the ../core/common.php file; its code is shown below

function includeAction($model, $action)
{
    // Check whether the controller exists
    $filePath = "./action/$model.php";
    if (is_readable($filePath)) {
        require_once $filePath;
        $class = new $model;
        if (is_callable(array($class, $action))) {
            $class->$action();
            return true;
        }
    }

    // If no controller is found, call the template file directly
    $tplFilePath = "./tpl/$model/$action.php";
    if (is_readable($tplFilePath)) {
        require_once $tplFilePath;
        return true;
    }

    echo 'Controller or template file ' . $filePath . ' does not exist!';
    die;
}

As you can see from the code, the controller files are stored under home/action/. Opening this folder shows several PHP files, as shown below

Recall that the URL seen just now was

http://permeate.songboy.net/home/index.php?m=tiezi&a=index&bk=6

So the controller file should be tiezi.php; open it and take a look

<?php
class tiezi
{
    function __construct()
    {

    }

    public function index()
    {
        // ...
        $data['count'] = $count;
        $data['page_size'] = $page_size;
        $data['page_count'] = $page_count;
        $data['page_num'] = $page_num;
        displayTpl('tiezi/index', $data);
    }
}

Sure enough, the index method is there

3.2 Finding a Template

After locating the controller, the author also needs to find where the templates are stored. Usually the template is closely tied to the controller, so the controller gives the clue. For example, the last line of the code above calls the displayTpl function, which can literally be read as "display template". The author therefore jumped straight to that function using PHPStorm's go-to-definition feature to check what it does, and found the code shown below

/**
 * Load the template file
 * @param $tplPath
 */
function displayTpl($tplPath, $data = [])
{
    $filePath = "./tpl/$tplPath.php";
    if (!is_readable($filePath)) {
        echo 'Template file ' . $filePath . ' does not exist!';
        die;
    }

    // Turn each array key into a local variable of the same name for the template
    foreach ($data as $key => $val) {
        $$key = $val;
    }

    require_once $filePath;
}

From the above code you can see that templates are stored in the home/tpl directory, which can be viewed by opening the folder, as shown in the figure below

3.3 Verifying Location

The positions of the controller and template have basically been determined by the steps above, but to rule out mistakes it is better to verify them exactly: output the string 1111111 in the controller and the string 222222222 in the template. If the author's expectation is right, both strings will be output. The reference code is as follows

Add the following test code to the controller

public function index()
{
    echo '11111111111';
    // ...

Add the following test code to the template file

222222222222222
<?php $get = $_GET; ?>
<section class="section">

Now go to the browser, right-click on the current page and select "View page source", as shown below

In the source code, search for the string 11111; it is found, as shown below

4. Forward audit

After finding the key positions, the author can carry out a targeted code audit. XSS code audit has two main approaches: forward code audit and reverse code audit. A forward audit checks from the point where parameters are received to the point where they are used, whereas a reverse audit works backwards from the use of a variable to the point where the parameter is received.

4.1 Location of Receiving Parameters

First the forward code audit is carried out. A forward audit starts from the received parameters, so the controller is the place to look. Using the editor's search function, the author searched the controller file for the keyword $_GET and found the index method of the tiezi.php controller, whose code is shown below

    public function index()
    {
        $id = $_GET['bk'];
        $bk = &$id;
        // Paging size
        $page_size = 15;
        // Get the current page number
        $page_num = empty($_GET['page']) ? 1 : $_GET['page'];
        // Intermediate code ................. omitted
        $data['bk'] = $bk;
        $data['count'] = $count;
        $data['page_size'] = $page_size;
        $data['page_count'] = $page_count;
        $data['page_num'] = $page_num;
        displayTpl('tiezi/index', $data);
    }

4.2 Whether the Template Position Filters

As can be seen from the above code, the parameter bk is passed straight into the template without any filtering, which leaves a security risk. If no security filtering is done in the template either, there is a reflected XSS vulnerability. Open the template file and search for the keyword bk; the code is shown below

<div class="post-list-controller">
    <div style="float: right">
        <a class="btn btn-primary" href="fatie.php?bk=<?php echo $bk ?>"> Post </a>
    </div>

As you can see, there really is no security filtering in the template

4.3 Vulnerability Verification

Construct the URL address as follows

http://permeate.songboy.net/home/index.php?m=tiezi&a=index&bk=6%22%3E%3Cscript%3Ealert(123)%3C/script%3E

The result is shown in the figure below

5. Reverse audit

The reverse audit starts from the template: find out which variables are used there, then trace the source of each variable and check whether it is securely filtered

5.1 Finding variables in the template

Variables are matched using the regular-expression search feature of the PHPStorm editor, as shown below

echo \$([a-z]*)

This regular expression matches an output variable such as echo $zhangsan. The PHPStorm match results are shown below

Double-click a result to open the corresponding code file, /home/search.php, as shown below

You can see in the code that the variable is placed directly into the template; if the source of the variable is not escaped in the controller either, there is very likely an XSS problem.

5.2 Finding variable sources

Trace the variable $keywords to its source

<?php
include "public/header.php";
include "../core/common.php";

$keywords = $_REQUEST['keywords'];
if (!empty($keywords)) {
    $where = " where title like '%$keywords%' ";

As you can see from the above code, the variable $keywords is not filtered, so it is certain that this XSS vulnerability is also present
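The two reverse-audit steps above (5.1, match raw echo statements in the template; 5.2, check whether the echoed variable comes from user input) can be scripted. The following is an added Python example written for this article, not code from the permeate project; the template and controller snippets are constructed from the fragments quoted in 4.2 and 5.2, the taint rules only follow plain and &-reference assignments, and only htmlspecialchars/htmlentities are recognised as escaping.

```python
import re

# Constructed samples modelled on the permeate snippets quoted in 4.2 and 5.2;
# they are not the project's real files.
TEMPLATES = {
    "tpl/tiezi/index.php": '<a class="btn" href="fatie.php?bk=<?php echo $bk ?>">Post</a>',
    "search.php": "<h3>Results for <?php echo $keywords ?></h3>\n"
                  "<p><?php echo htmlspecialchars($title) ?></p>",
}
SOURCES = {
    "action/tiezi.php": "$id = $_GET['bk'];\n$bk = &$id;\n$data['bk'] = $bk;",
    "search.php": "$keywords = $_REQUEST['keywords'];\n$title = 'static';",
}
# Which controller/script feeds which template
PAIRS = {"tpl/tiezi/index.php": "action/tiezi.php", "search.php": "search.php"}

# 5.1: the page's regex "echo \$([a-z]*)", widened to capture the whole echoed
# expression so an htmlspecialchars()/htmlentities() wrapper can be recognised.
ECHO_RE = re.compile(r"echo\s+(.+?)\s*;?\s*\?>", re.S)
ESCAPED_RE = re.compile(r"^(htmlspecialchars|htmlentities)\s*\(")
VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")
# 5.2: simple "$lhs = [&]rhs;" assignments, optionally "$data['key'] = rhs;"
ASSIGN_RE = re.compile(r"\$(\w+)(?:\['(\w+)'\])?\s*=\s*&?\s*(.+?);")
SUPERGLOBALS = {"_GET", "_POST", "_REQUEST", "_COOKIE"}

def unescaped_echoes(template):
    """Names of variables echoed into the template without an escaping wrapper."""
    found = []
    for m in ECHO_RE.finditer(template):
        expr = m.group(1).strip()
        if not ESCAPED_RE.match(expr):
            found.extend(VAR_RE.findall(expr))
    return found

def tainted_sources(source):
    """Variables that receive user input, following plain and &-reference
    assignments; $data['k'] = ... becomes template variable $k via displayTpl's $$key."""
    tainted = set()
    for var, key, rhs in ASSIGN_RE.findall(source):
        rhs_vars = set(VAR_RE.findall(rhs))
        if rhs_vars & SUPERGLOBALS or rhs_vars & tainted:
            tainted.add(key if var == "data" and key else var)
    return tainted

def audit(templates, sources, pairs):
    """Raw echo (5.1) meets tainted source (5.2): each hit is a reflected XSS candidate."""
    findings = []
    for tpl, src in pairs.items():
        taint = tainted_sources(sources[src])
        findings += [(tpl, v) for v in unescaped_echoes(templates[tpl]) if v in taint]
    return sorted(findings)
```

Running audit(TEMPLATES, SOURCES, PAIRS) reports $bk in the tiezi template and $keywords in search.php, while the htmlspecialchars-wrapped $title is skipped.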

5.3 Vulnerability Verification

Unlike the single entry point seen earlier, this code file is not a class file, so it can be accessed directly; construct the URL address as follows

http://permeate.songboy.net/home/search.php?keywords=%E6%B5%8B%E8%AF%95%3Cscript%3Ealert(123)%3C/script%3E

When this URL is opened in the Firefox browser, the result is as shown below

A dialog box with the text 123 does indeed pop up

6. New book recommendation

If you are interested in the author's Web security articles, you can follow the author for more. The new book "PHP Web Security Development Practice" is now on sale through various outlets; its cover is shown below

Author: Tang Qingsong

WeChat: songboy8888

Date: 2018-10-09