当我使用“Acunetix Web漏洞扫描程序”扫描我的网站时,我非常惊讶。当我使用带xss过滤的get参数时,Programm在页面上显示了很多xss漏洞。 例如:
URL encoded GET input state was set to " onmouseover=prompt(967567) bad="
The input is reflected inside a tag parameter between double quotes.
我认为这是因为当结果为空时我不会显示404错误(应该是)。我显示“请求为空”的消息
我的控制器:
$this->pagination->initialize($config);
$this->load->model('aircraft_model');
$data['type'] = $this->input->get('type', TRUE);
$data['year'] = $this->input->get('year', TRUE);
$data['state'] = $this->input->get('state', TRUE);
$type_param = array (
'type' => $this->input->get('type', TRUE),
);
$parameters = array(
'year' => $this->input->get('year', TRUE),
'state_id' => $this->input->get('state', TRUE),
);
foreach ($parameters as $key=>$val)
{
if(!$parameters[$key])
{
unset($parameters[$key]);
}
}
$data['aircraft'] = $this->aircraft_model->get_aircraft($config['per_page'], $this->uri->segment(3, 1),$parameters, $type_param);
$data['title'] = 'Самолеты | ';
$data['error'] = '';
if (empty($data['aircraft']))
{
$data['error'] = '<br /><div class="alert alert-info"><b>По таким критериям не найдено ниодного самолета</b></div>';
}
$name = 'aircraft';
$this->template->index_view($data, $name);
即使我打开全局xss过滤程序找到xss漏洞。 也许消息可能的xss是假的?
我也有一个SQL注入。
Attack details:
Path Fragment input / was set to \
Error message found:
You have an error in your SQL syntax
SQL错误:
Error Number: 1064
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-10, 10' at line 3
SELECT * FROM (`db_cyclopedia`) LIMIT -10, 10
控制器:
$this->load->model('cyclopedia_model');
$this->load->library('pagination');
$config['use_page_numbers'] = TRUE;
[pagination config]
$config['suffix'] = '/?'.http_build_query(array('type' => $this->input->get('type', TRUE)), '', "&");
$config['base_url'] = base_url().'cyclopedia/page/';
$count_all = $this->cyclopedia_model->count_all($this->input->get('type', TRUE));
if (!empty($count_all)){
$config['total_rows'] = $count_all;
}
else
{
$config['total_rows'] = $this->db->count_all('cyclopedia');
}
$config['per_page'] = 10;
$config['first_url'] = base_url().'cyclopedia/page/1'.'/?'.http_build_query(array('type' => $this->input->get('type', TRUE)), '', "&");
$this->pagination->initialize($config);
$parameters = array(
'cyclopedia_cat_id' => $this->input->get('type', TRUE),
);
foreach ($parameters as $key=>$val)
{
if(!$parameters[$key])
{
unset($parameters[$key]);
}
}
$data['type'] = $this->input->get('type', TRUE);
$data['cyclopedia'] = $this->cyclopedia_model->get_cyclopedia($config['per_page'], $this->uri->segment(3, 1),$parameters);
$data['title'] = 'Энциклопедия | ';
if (empty($data['cyclopedia']))
{
show_404();
}
$name = 'cyclopedia';
$this->template->index_view($data, $name);
HTTP参数污染的一些问题(获取参数)。
Attack details
URL encoded GET input state was set to &n954725=v953060
Parameter precedence: last occurrence
Affected link: /aircraft/grid/?type=&year=&state=&n954725=v953060
Affected parameter: type=
很抱歉很多代码,但这是我第一次使用codeigniter / framework和安全性。
更新: 当像这个site.com/1 codeigniter的网站网址显示:
An Error Was Encountered
Unable to load your default controller. Please make sure the controller specified in your Routes.php file is valid.
如何制作节目404代替此消息?
答案 0 :(得分:2)
这需要用户输入:
$config['first_url'] = base_url().'cyclopedia/page/1'.'/?'.http_build_query(array('type' => $this->input->get('type', TRUE)), '', "&");
然后Pagination.php库中的这一行将它吐入输出页面而没有正确的HTML转义:
$output .= $this->first_tag_open.'<a '.$this->anchor_class.'href="'.$first_url.'">'.$this->first_link.'</a>'.$this->first_tag_close;
虽然自动扫描工具确实会产生大量误报,但这是一个真正的HTML注入漏洞,导致跨站点脚本攻击的真正风险。
要修复,请将注入到HTML上下文中的所有输出(例如$first_url)与htmlspecialchars()一起包装。不幸的是,这是库代码,你必须开始自己的分页。可能更好地使用其他库。
不要依赖xss_clean,因为它无法可靠地保护您。它试图处理输入层的输出问题,它永远不会正常工作 - 它会错过攻击以及破坏完全有效的输入。整个想法背叛了一个基本的,新手对XSS问题的误解。
Pagination中有更多的地方需要相同的修复,但我不想再花时间阅读CodeIgniter那些令人痛苦的低质量代码。
我不明白CodeIgniter是如何获得这种程度的受欢迎程度的。