Security scanning tool: Acunetix Web Vulnerability Scanner 9
Scanned the login page (actually the entire admin back end)
This vulnerability affects /EVTBT/Admin/login.aspx.
Discovered by: Scripting (XSS.script).
Attack details
URL encoded POST input Window1%24SimpleForm1%24tbxCaptcha was set to e_967781'():;973361
The input is reflected inside <script> tag between single quotes.
Request
POST /EVTBT/Admin/login.aspx HTTP/1.1
Content-Length: 1005
Content-Type: application/x-www-form-urlencoded
Referer: http://10.204.13.114/EVTBT/Admin/login.aspx
Cookie: ASP.NET_SessionId=mukvvhxuqzmdevbr0chtxrsv
Host: 10.204.13.114
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

Window1%24SimpleForm1%24tbxCaptcha=e_967781'():;973361&Window1%24SimpleForm1%24tbxPassword=g00dPa%24%24w0rD&Window1%24SimpleForm1%24tbxUserName=qxpuxxws&Window1_Collapsed=false&Window1_Hidden=false&Window1_SimpleForm1_Collapsed=false&Window1_SimpleForm1_Panel1_Collapsed=false&X_AJAX=false&X_CHANGED=true&X_STATE=eyJXaW5kb3cxX1NpbXBsZUZvcm0xX1BhbmVsMV9pbWdDYXB0Y2hhIjp7IkltYWdlVXJsIjoifi9DYXB0Y2hhL2NhcHRjaGEuYXNoeD93PTE1MCZoPTMwJnQ9NjM1MzU2ODM4NDQwOTc4OTM2In19&__EVENTARGUMENT=&__EVENTTARGET=Window1%24SimpleForm1%24Panel1%24btnRefresh&__VIEWSTATE=HsyfSelzlwQZJsfvE5CwCV6th0hFA0ZPYIFokkZ8TYJtEJu9kNCoyggnVzBZA7aMB7ijGbsfSwy64bJSitpjn8S5f%2bxUcv2hAjhR5UpzmLYvyXminvOyV2sHw%2bMD5AlYHBALUPdetd5Kua7KxF2n79X6E5zMUeVfnCEa5R1vClLbYPmpW/ZA4688l/jDvhwDrUMC9iW2lO4qiyx92ze9sdnAwsJQ6DsFK69RlUARs6%2brQunWHSe5uDHXO6AKIUBkVfeUKk2TmcZcFdqCHt6ZRFqW9c65CFlTpwFg%2bHG1f8gexy0w/Bg/aTLHAVjDD8F80oPemkgmuJSm05v%2b4EiwKsz99rs8JDMqTbAgH9LB782sY0GZEsU9g%2bkoUNSYEAA7m3HgT7H0r74nBEb6v5xHq4Uf7f4%3d&__VIEWSTATEGENERATOR=B7BBC5C2
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 14 May 2014 09:05:22 GMT
Content-Length: 7342
Original-Content-Encoding: gzip
The impact of this vulnerability
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.
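The username, password and captcha input boxes on the login page all report the same security vulnerability in the scan results (as above; the one shown above is the captcha input box).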
@sanshi