Security Codeigniter xss漏洞和其他安全问题
当我用“Acunetix Web漏洞扫描器”扫描我的网站时,我非常惊讶。当我在xss过滤中使用get参数时,程序在页面上显示了很多xss漏洞。 例如:Security Codeigniter xss漏洞和其他安全问题,security,codeigniter,xss,Security,Codeigniter,Xss,当我用“Acunetix Web漏洞扫描器”扫描我的网站时,我非常惊讶。当我在xss过滤中使用get参数时,程序在页面上显示了很多xss漏洞。 例如: URL encoded GET input state was set to " onmouseover=prompt(967567) bad=" The input is reflected inside a tag parameter between double quotes. 我想这是因为当结果为空(应该为空)时,我没有显示404错误。
URL encoded GET input state was set to " onmouseover=prompt(967567) bad="
The input is reflected inside a tag parameter between double quotes.
我想这是因为当结果为空(应该为空)时,我没有显示404错误。我显示类似“请求为空”的消息
我的控制器:
$this->pagination->initialize($config);
$this->load->model('aircraft_model');
$data['type'] = $this->input->get('type', TRUE);
$data['year'] = $this->input->get('year', TRUE);
$data['state'] = $this->input->get('state', TRUE);
$type_param = array (
'type' => $this->input->get('type', TRUE),
);
$parameters = array(
'year' => $this->input->get('year', TRUE),
'state_id' => $this->input->get('state', TRUE),
);
foreach ($parameters as $key=>$val)
{
if(!$parameters[$key])
{
unset($parameters[$key]);
}
}
$data['aircraft'] = $this->aircraft_model->get_aircraft($config['per_page'], $this->uri->segment(3, 1),$parameters, $type_param);
$data['title'] = 'Самолеты | ';
$data['error'] = '';
if (empty($data['aircraft']))
{
$data['error'] = '<br /><div class="alert alert-info"><b>По таким критериям не найдено ниодного самолета</b></div>';
}
$name = 'aircraft';
$this->template->index_view($data, $name);
$this->load->model('cyclopedia_model');
$this->load->library('pagination');
$config['use_page_numbers'] = TRUE;
[pagination config]
$config['suffix'] = '/?'.http_build_query(array('type' => $this->input->get('type', TRUE)), '', "&");
$config['base_url'] = base_url().'cyclopedia/page/';
$count_all = $this->cyclopedia_model->count_all($this->input->get('type', TRUE));
if (!empty($count_all)){
$config['total_rows'] = $count_all;
}
else
{
$config['total_rows'] = $this->db->count_all('cyclopedia');
}
$config['per_page'] = 10;
$config['first_url'] = base_url().'cyclopedia/page/1'.'/?'.http_build_query(array('type' => $this->input->get('type', TRUE)), '', "&");
$this->pagination->initialize($config);
$parameters = array(
'cyclopedia_cat_id' => $this->input->get('type', TRUE),
);
foreach ($parameters as $key=>$val)
{
if(!$parameters[$key])
{
unset($parameters[$key]);
}
}
$data['type'] = $this->input->get('type', TRUE);
$data['cyclopedia'] = $this->cyclopedia_model->get_cyclopedia($config['per_page'], $this->uri->segment(3, 1),$parameters);
$data['title'] = 'Энциклопедия | ';
if (empty($data['cyclopedia']))
{
show_404();
}
$name = 'cyclopedia';
$this->template->index_view($data, $name);
SQL错误:
Error Number: 1064
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-10, 10' at line 3
SELECT * FROM (`db_cyclopedia`) LIMIT -10, 10
控制器:
$this->pagination->initialize($config);
$this->load->model('aircraft_model');
$data['type'] = $this->input->get('type', TRUE);
$data['year'] = $this->input->get('year', TRUE);
$data['state'] = $this->input->get('state', TRUE);
$type_param = array (
'type' => $this->input->get('type', TRUE),
);
$parameters = array(
'year' => $this->input->get('year', TRUE),
'state_id' => $this->input->get('state', TRUE),
);
foreach ($parameters as $key=>$val)
{
if(!$parameters[$key])
{
unset($parameters[$key]);
}
}
$data['aircraft'] = $this->aircraft_model->get_aircraft($config['per_page'], $this->uri->segment(3, 1),$parameters, $type_param);
$data['title'] = 'Самолеты | ';
$data['error'] = '';
if (empty($data['aircraft']))
{
$data['error'] = '<br /><div class="alert alert-info"><b>По таким критериям не найдено ниодного самолета</b></div>';
}
$name = 'aircraft';
$this->template->index_view($data, $name);
$this->load->model('cyclopedia_model');
$this->load->library('pagination');
$config['use_page_numbers'] = TRUE;
[pagination config]
$config['suffix'] = '/?'.http_build_query(array('type' => $this->input->get('type', TRUE)), '', "&");
$config['base_url'] = base_url().'cyclopedia/page/';
$count_all = $this->cyclopedia_model->count_all($this->input->get('type', TRUE));
if (!empty($count_all)){
$config['total_rows'] = $count_all;
}
else
{
$config['total_rows'] = $this->db->count_all('cyclopedia');
}
$config['per_page'] = 10;
$config['first_url'] = base_url().'cyclopedia/page/1'.'/?'.http_build_query(array('type' => $this->input->get('type', TRUE)), '', "&");
$this->pagination->initialize($config);
$parameters = array(
'cyclopedia_cat_id' => $this->input->get('type', TRUE),
);
foreach ($parameters as $key=>$val)
{
if(!$parameters[$key])
{
unset($parameters[$key]);
}
}
$data['type'] = $this->input->get('type', TRUE);
$data['cyclopedia'] = $this->cyclopedia_model->get_cyclopedia($config['per_page'], $this->uri->segment(3, 1),$parameters);
$data['title'] = 'Энциклопедия | ';
if (empty($data['cyclopedia']))
{
show_404();
}
$name = 'cyclopedia';
$this->template->index_view($data, $name);
还有一个问题是HTTP参数污染(get参数)
很抱歉有很多代码,但这是我第一次体验codeigniter/framework和安全第一
更新:
当站点url如site.com/1 codeigniter显示:
An Error Was Encountered
Unable to load your default controller. Please make sure the controller specified in your Routes.php file is valid.
如何制作show 404而不是此消息?这需要用户的输入:
$config['first_url'] = base_url().'cyclopedia/page/1'.'/?'.http_build_query(array('type' => $this->input->get('type', TRUE)), '', "&");
然后,Pagination.php库中的这一行将其插入输出页面,而不进行适当的HTML转义:
$output .= $this->first_tag_open.'<a '.$this->anchor_class.'href="'.$first_url.'">'.$this->first_link.'</a>'.$this->first_tag_close;
$output.=$this->first\u tag\u open.''.$this->first\u tag\u close;
虽然自动扫描工具通常会产生大量误报,但这是一个真正的HTML注入漏洞,导致跨站点脚本攻击的真正风险
要修复此问题,请使用htmlspecialchars()
将所有注入HTML上下文(例如$first\uURL
)的输出包装起来。不幸的是,由于这是库代码,您必须启动自己的分页分支。使用其他库可能更好
不要依赖于xss_clean
,因为它不能可靠地保护您。它试图在输入层处理输出问题,这永远不会正常工作——它将错过攻击,并破坏完全有效的输入。整个想法暴露了一个基本的、新手对XSS问题的误解
分页中有更多的地方需要相同的修复,但我不想花更多的时间来阅读CodeIgniter质量极差的代码
我不明白CodeIgniter是如何达到如此受欢迎的程度的。总体而言,CI安全性很弱。关于XSS过滤,他们采取了一种有点可疑的方法。XSS是一个输出问题,他们将其视为一个输入问题。您可以(应该)做的是用正则表达式或类似的东西检查每个输入参数。忘记“全局XSS检查”,它不是那样工作的。白名单模式的每个可接受值。还要确保您避开了注入SQL或其他语言的所有内容。@patrick savalle您编写的代码点火器有可能做到吗?(如果是,你能在我的示例中演示如何)我不知道如何使用正则表达式进行测试。