(system vulnerability) Trying to simulate JavaScript injection into HTML templates

Question
I'd like to REPRODUCE a scenario where a 3rd party testing team injected a `<script>` tag into an HTML template on our front end. Then I want to add code to prevent this (i.e. front end angular sanitize or on the backend).

Normally, this Html template gets filled out dynamically, then sent to the server where it gets converted to a PDF.

In the case of the script inject, they were able to inject `document.write('failed')`, which affected the resulting PDF.


Here is a sample html template, where I attempt to inject a script. However, it has NO effect on the final Pdf.

I noticed in their injection script they're using an onerror routine. Perhaps that's what I need to do...

Using Postman, I will Post to a Url something like this:

    https://myServer.myApp.com/TheReport/api/ireports/ConvertToPDF?sessionID=BLA-BLA&reportID=12868

```json
{
	"htmlString": "<!DOCTYPE html><head> <script> var req = new XMLHttpRequest();req.open(\"GET\", \"https://www.bob22334455.com/ThisIsNotAPage.html\");req.send();req.onerror = function(){document.write(\"FAILED\");}} <meta charset=\"utf-8\"><style>@page{margin:0}html,body{margin:0;color:black;background-color:white}.page{margin:0;overflow:hidden;position:relative;box-sizing:border-box;page-break-after:always}body.A3 .page{width:297mm;height:419mm}body.A3.landscape .page{width:420mm;height:296mm}body.A4 .page{width:210mm;height:260mm}body.A4.landscape .page{width:297mm;height:209mm}body.A5 .page{width:148mm;height:209mm}body.A5.landscape .page{width:210mm;height:147mm}.page.padding-10mm{padding:10mm}.page.padding-15mm{padding:15mm}.page.padding-20mm{padding:20mm}.page.padding-25mm{padding:25mm}img{max-height:100%;max-width:100%;left:50%;position:absolute;top:50%;transform:translate(-50%,-50%)}.print-toolbar{position:absolute;right:100px;top:30px;z-index:99}.form-control,table{background-color:white;color:black;display:inline-block;width:auto}input,textarea{border:1px solid black}@page{size:A4}</style></head><body class='A4'>\n</script> <div>WELCOME HOME #555.</div></body></html>",
	"reportParameters": null
}
```

The final PDF is as follows:

On the backend, that html string is passed to the C# method in .NET:

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;

public Stream ConvertHTMLStringToPDFStream(string htmlString, long uID, ref string ExceptionMsg)
{
    string form = "";
    string subject = "";
    // Pull the report subject out of the first <h4> (or <h5>) heading in the template
    int formPos = htmlString.IndexOf("<h4>");
    if (formPos == -1)
    {
        formPos = htmlString.IndexOf("<h5>");
    }
    if (formPos != -1)
    {
        int formEndPos = htmlString.IndexOf("<", formPos + 4);
        form = htmlString.Substring(formPos, formEndPos - formPos + 4);
        subject = form.Substring(4, form.Length - 8);
    }
    Stream stream = null;
    try
    {
        // Strip <link> tags and inline <style> blocks before conversion
        htmlString = Regex.Replace(htmlString, @"<link[^>]*>", string.Empty);
        htmlString = Regex.Replace(htmlString, @"<style>[^<]*", string.Empty);
        htmlString = Regex.Replace(htmlString, @"</style>[^<]*", string.Empty);
        SelectPdf.HtmlToPdf converter = new SelectPdf.HtmlToPdf();

        // set converter options
        SelectPdf.PdfPageSize pageSize = SelectPdf.PdfPageSize.Letter;
        converter.Options.PdfPageSize = pageSize;
        converter.Options.PdfPageOrientation = SelectPdf.PdfPageOrientation.Portrait;
        converter.Options.PdfDocumentInformation.Title = uID == 0 ? "Report" : $"Report ID: {Convert.ToString(uID)}";
        converter.Options.PdfDocumentInformation.Author = "My Company";
        converter.Options.PdfDocumentInformation.Subject = $"{subject}";
        //converter.Options.WebPageWidth = webPageWidth;
        //converter.Options.WebPageHeight = webPageHeight;

        // create a new pdf document by converting the html string
        SelectPdf.PdfDocument doc = converter.ConvertHtmlString(htmlString);
        stream = new MemoryStream(doc.Save());
    }
    catch (Exception ex)
    {
        ExceptionMsg = $"ConvertHTMLStringToPDFStream form: {form}: {ex.Message} inner: {ex.InnerException}";
    }
    return stream;
}
```

Thanks for any advice...
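The prevention the poster asks for belongs in the .NET backend, because the template is posted straight to the ConvertToPDF endpoint (as the Postman call shows) and a client-side Angular sanitize is bypassed by anyone calling the API directly. The following is an added example, not code from the question: a server-side allow-list sanitiser applied before `ConvertHtmlString`, plus the converter's own JavaScript switch as a second layer. It assumes the HtmlSanitizer NuGet package (namespace `Ganss.Xss`, method `SanitizeDocument`) and SelectPdf's `Options.JavaScriptEnabled`; verify both names against the package versions you use, and `ReportHtmlGuard`/`ConvertSafely` are hypothetical names.

```csharp
using System;
using System.Text.RegularExpressions;
using Ganss.Xss;   // HtmlSanitizer NuGet package (assumed available; older versions use Ganss.XSS)

public static class ReportHtmlGuard
{
    // Heuristic used only to LOG an injection attempt before sanitising; it is not the defence.
    private static readonly Regex ActiveContent = new Regex(
        @"<script\b|\son[a-z]+\s*=|javascript:|<iframe\b|<object\b|<embed\b",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    public static bool ContainsActiveContent(string html) => ActiveContent.IsMatch(html);

    // Allow-list sanitiser: only the markup the report layout needs survives.
    // <script> elements (with their contents), on* handler attributes and javascript:/data:
    // URLs are dropped by the parser-based sanitiser, however they are encoded.
    public static string Sanitize(string html)
    {
        var s = new HtmlSanitizer();
        s.AllowedTags.Clear();
        s.AllowedTags.UnionWith(new[] { "html", "head", "meta", "style", "body", "div", "span", "p",
            "h1", "h2", "h3", "h4", "h5", "table", "tr", "td", "th", "img", "br", "input", "textarea" });
        s.AllowedAttributes.Clear();
        s.AllowedAttributes.UnionWith(new[] { "class", "charset", "src", "alt", "value", "style" });
        s.AllowedSchemes.Clear();
        s.AllowedSchemes.Add("https");        // img src must be https; javascript:/data: URLs are removed
        return s.SanitizeDocument(html);      // whole-document variant keeps <html>/<head>/<body>
    }

    // Where this plugs into ConvertHTMLStringToPDFStream: call it instead of converter.ConvertHtmlString(htmlString)
    public static SelectPdf.PdfDocument ConvertSafely(SelectPdf.HtmlToPdf converter, string html, string requester)
    {
        if (ContainsActiveContent(html))
            Console.Error.WriteLine($"active content in report template submitted by {requester}"); // route to your audit log
        converter.Options.JavaScriptEnabled = false;  // even if something slips through, the converter runs no JS
        return converter.ConvertHtmlString(Sanitize(html));
    }

    public static void Main()
    {
        // Constructed sample modelled on the question's payload (the XHR onerror -> document.write trick)
        string payload = "<!DOCTYPE html><html><head><script>var req=new XMLHttpRequest();"
                       + "req.onerror=function(){document.write(\"FAILED\");};</script></head>"
                       + "<body class='A4'><div>WELCOME HOME #555.</div></body></html>";
        Console.WriteLine(ContainsActiveContent(payload));   // True: worth logging with the sessionID/reportID
        Console.WriteLine(Sanitize(payload));                // the <script> element is gone, the <div> remains
    }
}
```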

Answer 1

Score: 1


In your provided htmlString, there is a part of it written `<script req = new XMLHttpRequest()`, but I think it should be `<script>var req = new XMLHttpRequest()`.

There are other typos in your htmlString:

  • You have two opening tags `<script>`, but only one closing tag `</script>`.
  • You need to change `window.onload=\function(){` to `window.onload=function(){`.

huangapple
  • Posted on June 12, 2023 at 23:28:44
  • Please keep this link when reposting: https://go.coder-hub.com/76458145.html