Beranda  ›  Artikel  ›  Pentest

Tutorial Patching Bug XSS

Ditulis Selasa, 05 Januari 2021 Tulis Komentar Edit
XSS atau cross site scripting adalah metode injection pada web dengan menggunakan script code, hal ini biasanya ditemui dikarenakan programmer tidak membuat validasi terhadapat html spesial karakter. Saya akan memberikan cara bagaimana mengamankan web dari bug xss.
 
Disini saya sudah memiliki contoh source code yang memiliki vulnerability pada bug xss, berikut source code awal yang memiliki celah xss:
<?php
/**
 * Max's Guestbook
 * 
 * This is the Max's Guestbook business logic class. 
 * For more details please read the readme.txt
 */
?>
<?php
class maxGuestbook{
   var $messageDir = 'messages';
   var $dateFormat = 'Y-m-d g:i:s A';
   var $itemsPerPage = 5;
   var $messageList;
   
function processGuestbook(){
   if (isset($_POST['submit'])) {
      $this->insertMessage();
   }
   $page = isset($_GET['page']) ? $_GET['page'] : 1;
   
   $this->displayGuestbook($page);
}
   
function getMessageList(){

   $this->messageList = array();
   
        // Open the actual directory
        if ($handle = @opendir($this->messageDir)) {
                // Read all file from the actual directory
                while ($file = readdir($handle))  {
                    if (!is_dir($file)) {
                       $this->messageList[] = $file;
        }
                }
        }

        rsort($this->messageList);

        return $this->messageList;
}   

function displayGuestbook($page=1){
      $list = $this->getMessageList();
      //echo "<center><a href='add.php'>Leave a message</a></center>";
      echo "<table class='newsList'>";
      
      //Get start point and end point
      $startItem = ($page-1)*$this->itemsPerPage;
      if (($startItem + $this->itemsPerPage) > sizeof($list)) $endItem = sizeof($list);
      else $endItem = $startItem + $this->itemsPerPage; 
      
      for ($i=$startItem;$i<$endItem;$i++){
         //foreach ($list as $value) {
         $value = $list[$i];
        $data = file($this->messageDir.DIRECTORY_SEPARATOR.$value);
        $name  = trim($data[0]);
        $email = trim($data[1]);
         $submitDate = trim($data[2]);
         unset ($data['0']);
         unset ($data['1']);
         unset ($data['2']);
      
         $content = "";
         foreach ($data as $value) {
               $content .= $value;
         }
      
        echo "<tr><th align='left'><a href=\"mailto:$email\">$name</a></th>
                  <th class='right'>$submitDate</th></tr>";
        echo "<tr><td colspan='2'>".nl2br(htmlspecialchars($content))."<br/></td></tr>";
      }
      echo "</table>";
      if (sizeof($list) == 0){
         echo "<center><p>No messages at the moment!</p><p>&nbsp;</p></center>";
      }
      // Create pagination
      if (sizeof($list) > $this->itemsPerPage){
         echo "<div id=\"navigation\">";
         if ($startItem == 0) {
            if ($endItem < sizeof($list)){
               echo "<div id=\"nright\"><a href=\"".$_SERVER['PHP_SELF']."?page=".($page+1)."\" >Next &raquo;</a></div>";
            } else {
               // Nothing to display
            }
         } else {
            if ($endItem < sizeof($list)){
               echo "<div id=\"nleft\"><a href=\"".$_SERVER['PHP_SELF']."?page=".($page-1)."\" >&laquo; Prev</a></div>";
               echo "<div id=\"nright\"><a href=\"".$_SERVER['PHP_SELF']."?page=".($page+1)."\" >Next &raquo;</a></div>";
            } else {
               echo "<div id=\"nleft\"><a href=\"".$_SERVER['PHP_SELF']."?page=".($page-1)."\" >&laquo; Prev</a></div>";
            }
         }
         
         echo "<br/></div><br/>";
      }
      echo "<hr />";
      $this->displayAddForm();
}

function displayAddForm(){
?>  
  <form class="iform" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
    Name:<br/>
    <input type="text" name="name" size="30"/><br/><br/>
    Email:<br/>
    <input type="text" name="email" size="30"/><br/><br/>
    Your message:<br/>
    <textarea name="message" rows="7" cols="49"></textarea><br/>
    <center><input type="submit" name="submit" value="Save" /></center>
  </form> 
   
<?php   
}

function insertMessage(){
   $name   = isset($_POST['name']) ? $_POST['name'] : 'Anonymous';
   $email  = isset($_POST['email']) ? $_POST['email'] : '';
   $submitDate  = date($this->dateFormat);
   $content = isset($_POST['message']) ? $_POST['message'] : '';
   
   if (trim($name) == '') $name = 'Anonymous';
   if (strlen($content)<5) {
      exit();
   }
   
   $filename = date('YmdHis');
   if (!file_exists($this->messageDir)){
      mkdir($this->messageDir);
   }
   $f = fopen($this->messageDir.DIRECTORY_SEPARATOR.$filename.".txt","w+");         
   fwrite($f,$name."\n");
   fwrite($f,$email."\n");
   fwrite($f,$submitDate."\n");
   fwrite($f,$content."\n");
   fclose($f);
   
}
}
?>
Didalam script ini saya sudah blok pada bagian merah, tidak memiliki validasi pada spesial karakter dan memungkinkan dapat dilakukan xss pada form input, seperti dibawah:
Ketika saya memasukan script code pada form input name, email, dan text box message makan akan mentrigger script xss untuk memunculkan alert seperti digambar.

Sekarang kita akan melakukan patching bug xss pada script dan menambahkan html spesial karakter.
<?php
/**
 * Max's Guestbook
 * 
 * This is the Max's Guestbook business logic class. 
 * For more details please read the readme.txt
 */
?>
<?php
class maxGuestbook{
   var $messageDir = 'messages';
   var $dateFormat = 'Y-m-d g:i:s A';
   var $itemsPerPage = 5;
   var $messageList;
   
function processGuestbook(){
   if (isset($_POST['submit'])) {
      $this->insertMessage();
   }
   $page = isset($_GET['page']) ? $_GET['page'] : 1;
   
   $this->displayGuestbook($page);
}
   
function getMessageList(){

   $this->messageList = array();
   
        // Open the actual directory
        if ($handle = @opendir($this->messageDir)) {
                // Read all file from the actual directory
                while ($file = readdir($handle))  {
                    if (!is_dir($file)) {
                       $this->messageList[] = $file;
        }
                }
        }

        rsort($this->messageList);

        return $this->messageList;
}   

function displayGuestbook($page=1){
      $list = $this->getMessageList();
      //echo "<center><a href='add.php'>Leave a message</a></center>";
      echo "<table class='newsList'>";
      
      //Get start point and end point
      $startItem = ($page-1)*$this->itemsPerPage;
      if (($startItem + $this->itemsPerPage) > sizeof($list)) $endItem = sizeof($list);
      else $endItem = $startItem + $this->itemsPerPage; 
      
      for ($i=$startItem;$i<$endItem;$i++){
         //foreach ($list as $value) {
         $value = $list[$i];
        $data = file($this->messageDir.DIRECTORY_SEPARATOR.$value);
        $name  = htmlspecialchars(trim($data[0]));
        $email = htmlspecialchars(trim($data[1]));
         $submitDate = trim($data[2]);
         unset ($data['0']);
         unset ($data['1']);
         unset ($data['2']);
      
         $content = "";
         foreach ($data as $value) {
               $content .= $value;
         }
      
        echo "<tr><th align='left'><a href=\"mailto:$email\">$name</a></th>
                  <th class='right'>$submitDate</th></tr>";
        echo "<tr><td colspan='2'>".nl2br(htmlspecialchars($content))."<br/></td></tr>";
      }
      echo "</table>";
      if (sizeof($list) == 0){
         echo "<center><p>No messages at the moment!</p><p>&nbsp;</p></center>";
      }
      // Create pagination
      if (sizeof($list) > $this->itemsPerPage){
         echo "<div id=\"navigation\">";
         if ($startItem == 0) {
            if ($endItem < sizeof($list)){
               echo "<div id=\"nright\"><a href=\"".$_SERVER['PHP_SELF']."?page=".($page+1)."\" >Next &raquo;</a></div>";
            } else {
               // Nothing to display
            }
         } else {
            if ($endItem < sizeof($list)){
               echo "<div id=\"nleft\"><a href=\"".$_SERVER['PHP_SELF']."?page=".($page-1)."\" >&laquo; Prev</a></div>";
               echo "<div id=\"nright\"><a href=\"".$_SERVER['PHP_SELF']."?page=".($page+1)."\" >Next &raquo;</a></div>";
            } else {
               echo "<div id=\"nleft\"><a href=\"".$_SERVER['PHP_SELF']."?page=".($page-1)."\" >&laquo; Prev</a></div>";
            }
         }
         
         echo "<br/></div><br/>";
      }
      echo "<hr />";
      $this->displayAddForm();
}

function displayAddForm(){
?>  
  <form class="iform" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
    Name:<br/>
    <input type="text" name="name" size="30"/><br/><br/>
    Email:<br/>
    <input type="text" name="email" size="30"/><br/><br/>
    Your message:<br/>
    <textarea name="message" rows="7" cols="49"></textarea><br/>
    <center><input type="submit" name="submit" value="Save" /></center>
  </form> 
   
<?php   
}

function insertMessage(){
   $name   = isset($_POST['name']) ? $_POST['name'] : 'Anonymous';
   $email  = isset($_POST['email']) ? $_POST['email'] : '';
   $submitDate  = date($this->dateFormat);
   $content = isset($_POST['message']) ? $_POST['message'] : '';
   
   if (trim($name) == '') $name = 'Anonymous';
   if (strlen($content)<5) {
      exit();
   }
   
   $filename = date('YmdHis');
   if (!file_exists($this->messageDir)){
      mkdir($this->messageDir);
   }
   $f = fopen($this->messageDir.DIRECTORY_SEPARATOR.$filename.".txt","w+");         
   fwrite($f,$name."\n");
   fwrite($f,$email."\n");
   fwrite($f,$submitDate."\n");
   fwrite($f,$content."\n");
   fclose($f);
   
}
}
?>
Kalian dapat melihat blok merah pada script diatas sudah saya tambahkan validasi htmlspecialchars(), agar jika dimasukan script code pada form input karakter pada script tidak akan mempengaruhi script form dan tidak akan mentrigger alert.

Untuk video demo lebih jelas dalam prakteknya, dapat dilihat dalam video dibawah:
 

Belum ada Komentar untuk "Tutorial Patching Bug XSS"

Posting Komentar

Langganan: Posting Komentar (Atom)

Iklan Atas Artikel

Iklan Tengah Artikel 1

Iklan Tengah Artikel 2

Iklan Bawah Artikel