javascript - Why is this masked JS code in a GET parameter: '*alert(13)*' executed on my page? - Stack Overflow


We had a WhiteHat scan done of our site, and one of the vulnerabilites they returned was our URL appended with whscheck'*alert(13)*'a/. When we run the full URL (https://oursite./phorders3/index.php/whscheck'*alert(13)*'a/), the site loads and an alert with the value of 13 pops. Can anyone explain how this works? What exactly are the asterisks and the a/ doing?

asked Dec 6, 2013 at 22:56 by EmmyS; edited Dec 6, 2013 at 23:03 by Pekka
  • 3 What exactly does the php script do with the whole value of whscheck'*alert(13)*'a? Somehow, the PHP script is processing this string and the alert(13) part is ending up on the webpage in a <script> tag, cross site scripting. – James T Commented Dec 6, 2013 at 22:58
  • 2 You're including some part of the URL in the page in a JavaScript string constant, and you're not making sure that embedded quotes are escaped. – Pointy Commented Dec 6, 2013 at 23:00
  • 1 To clarify @Pointy's point, suppose you have var foo = '<?= $name_of_page ?>'; Then with a specially-crafted name of page you can make a statement like var foo = 'whscheck' * alert(13) * 'a';. This runs Javascript code on the page since you don't escape the name of the page. – Waleed Khan Commented Dec 6, 2013 at 23:05
  • 1 Also, if you don't post the actual code involved, it's going to be impossible for anyone to tell you exactly what the problem is. – Pointy Commented Dec 6, 2013 at 23:05

2 Answers


The code in your page is using the value from the URL in a string literal in the Javascript, without escaping the value properly. That means that anyone can just put Javascript in the URL and it will execute in the page.

That could for example be used for cross site scripting by linking to your site with such a URL, and when someone uses the link the script will run in their browser, pick up some information that is private to that user and send it somewhere.

The apostrophes and the asterisks are used to break out of a string literal. If you have some code like this in the Javascript in the page:

var s = '<? echo $variable ?>';

where the variable contains the value from the URL, it would end up like this in the rendered page:

var s = 'whscheck'*alert(13)*'a';

The apostrophe makes the string literal end, and makes the following expression a part of the Javascript code instead of content in a string.

The asterisk is just an operator between the expressions. It's easier to put in a URL than the + operator that would otherwise be a natural choice.
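The two renderings this answer describes, as an added example that is not part of the original question or answers: the PHP template is rewritten as JavaScript functions, one with raw interpolation (the bug) and one that encodes the value for a JavaScript string context. The function names and the recording alert() stub are my own.

```javascript
// Added example: the vulnerable template from the answer next to a hardened
// version, evaluated with a stub alert() so the difference is observable.

// The value from the question, as the PHP variable would receive it.
const PAYLOAD = "whscheck'*alert(13)*'a";

// Vulnerable: mirrors   var s = '<? echo $variable ?>';
function renderUnsafe(value) {
  return "var s = '" + value + "';";
}

// Hardened: JSON-encode the value, then escape what JSON leaves alone but
// which still matters inside an inline <script> block: '<' (so "</script>"
// cannot close the tag) and U+2028/U+2029, which older engines treat as line
// terminators even though JSON allows them raw.
function encodeForJsString(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderSafe(value) {
  return 'var s = ' + encodeForJsString(value) + ';';
}

// Run a rendered snippet the way the browser would, with alert() replaced by
// a stub that records its argument, and return what ended up in s.
function evaluate(snippet) {
  const calls = [];
  const fn = new Function('alert', snippet + '\nreturn s;');
  let result, error;
  try {
    result = fn((x) => { calls.push(x); return 0; });
  } catch (e) {
    error = e;
  }
  return { result, calls, error };
}

// renderUnsafe(PAYLOAD) -> "var s = 'whscheck'*alert(13)*'a';"  alert runs
// renderSafe(PAYLOAD)   -> 'var s = "whscheck\'*alert(13)*\'a";' alert does not
```

In PHP the same encoding is `json_encode($variable, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP)` in place of the bare `echo`.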

More than likely this injection is landing somewhere between script tags and the URL is being reflected in some sort of function or variable inside the script. Here is a breakdown of the injection and how/why it works.

' breaks out of the string literal in the variable definition
* causes the javascript to focus on that portion of code first and is often a way of getting around filters that disallow ;
alert(13) is the proof of concept that causes the alert box with 13 inside to show execution of javascript
* again is more than likely to bypass a filter or WAF blocking ;
' to re-open the string literal to make the syntax of the javascript correct
a is just some arbitrary input to go into the string
/ is to close off the path of the URL itself in what appears to be a RESTful URL structure.

There is an option in the Sentinel interface for you to ask the Whitehat engineers these kinds of questions directly, which is a very helpful resource.
