當我使用「Acunetix Web漏洞掃描器」掃描我的網站時,我非常驚訝。當我使用xss過濾獲取參數時,Programm在頁面上顯示了很多xss漏洞。 例如:Codeigniter xss漏洞和其他安全問題
URL encoded GET input state was set to " onmouseover=prompt(967567) bad="
The input is reflected inside a tag parameter between double quotes.
我認爲它是因爲我不`噸顯示404錯誤時,結果是空的(應該是)。我喜歡展示「的要求是空的」
我的控制器消息:
$this->pagination->initialize($config);
$this->load->model('aircraft_model');
$data['type'] = $this->input->get('type', TRUE);
$data['year'] = $this->input->get('year', TRUE);
$data['state'] = $this->input->get('state', TRUE);
$type_param = array (
'type' => $this->input->get('type', TRUE),
);
$parameters = array(
'year' => $this->input->get('year', TRUE),
'state_id' => $this->input->get('state', TRUE),
);
foreach ($parameters as $key=>$val)
{
if(!$parameters[$key])
{
unset($parameters[$key]);
}
}
$data['aircraft'] = $this->aircraft_model->get_aircraft($config['per_page'], $this->uri->segment(3, 1),$parameters, $type_param);
$data['title'] = 'Самолеты | ';
$data['error'] = '';
if (empty($data['aircraft']))
{
$data['error'] = '<br /><div class="alert alert-info"><b>По таким критериям не найдено ниодного самолета</b></div>';
}
$name = 'aircraft';
$this->template->index_view($data, $name);
即使當我打開全球XSS過濾程序發現XSS漏洞。 也許消息可能xss是錯誤的?
另外我有一個SQL注入。
Attack details:
Path Fragment input/was set to \
Error message found:
You have an error in your SQL syntax
SQL錯誤:
Error Number: 1064
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-10, 10' at line 3
SELECT * FROM (`db_cyclopedia`) LIMIT -10, 10
控制器:
$this->load->model('cyclopedia_model');
$this->load->library('pagination');
$config['use_page_numbers'] = TRUE;
[pagination config]
$config['suffix'] = '/?'.http_build_query(array('type' => $this->input->get('type', TRUE)), '', "&");
$config['base_url'] = base_url().'cyclopedia/page/';
$count_all = $this->cyclopedia_model->count_all($this->input->get('type', TRUE));
if (!empty($count_all)){
$config['total_rows'] = $count_all;
}
else
{
$config['total_rows'] = $this->db->count_all('cyclopedia');
}
$config['per_page'] = 10;
$config['first_url'] = base_url().'cyclopedia/page/1'.'/?'.http_build_query(array('type' => $this->input->get('type', TRUE)), '', "&");
$this->pagination->initialize($config);
$parameters = array(
'cyclopedia_cat_id' => $this->input->get('type', TRUE),
);
foreach ($parameters as $key=>$val)
{
if(!$parameters[$key])
{
unset($parameters[$key]);
}
}
$data['type'] = $this->input->get('type', TRUE);
$data['cyclopedia'] = $this->cyclopedia_model->get_cyclopedia($config['per_page'], $this->uri->segment(3, 1),$parameters);
$data['title'] = 'Энциклопедия | ';
if (empty($data['cyclopedia']))
{
show_404();
}
$name = 'cyclopedia';
$this->template->index_view($data, $name);
而且一個有些問題,HTTP參數污染(GET參數)。
Attack details
URL encoded GET input state was set to &n954725=v953060
Parameter precedence: last occurrence
Affected link: /aircraft/grid/?type=&year=&state=&n954725=v953060
Affected parameter: type=
對不起,很多代碼,但它的codeigniter /框架和安全第一次的經驗。
UPDATE: 當網站的網址是這樣site.com/1笨顯示:
An Error Was Encountered
Unable to load your default controller. Please make sure the controller specified in your Routes.php file is valid.
如何製作節目404,而不是此消息?
總的來說CI安全性很弱。關於XSS過濾,他們採取了一種有點可疑的方法。 XSS是一個輸出問題,他們把它當作輸入問題來對待。你可以(應該)做的是用正則表達式或類似的東西檢查每個輸入參數。忘記'全球XSS檢查',它不會那樣工作。將每個可接受的模式值列入白名單。還要確保你逃脫了你注入SQL或其他語言的一切。 – 2013-03-01 13:41:49
@ patrick-savalle是否可以做你寫的意思CodeIgniter? (如果是的話,你能告訴我如何對我的例子) 我不知道如何用正則表達式進行測試。 – Vitaliy 2013-03-01 14:05:11