1. 首頁
  2. 問答
  3. Rails異常;我的應用程序易受攻擊<script>警報(「xssvuln」)</script>

Rails異常;我的應用程序易受攻擊<script>警報(「xssvuln」)</script>

2017-10-28 110 views
0

我安裝我的應用程序exception notification,和我有幾個這樣的通知,昨晚:Rails異常;我的應用程序易受攻擊<script>警報(「xssvuln」)</script>

的::的ActionView ::模板發生在課程#在線錯誤:

PG::InvalidTextRepresentation: ERROR: invalid input syntax for integer: "<script>alert("xssvuln")</script>" 
LINE 1: ..."."class_type" = 'online' AND (content_areas.id = '<script>a... 
                  ^
: SELECT "courses"."id" AS t0_r0, "courses"."title" AS t0_r1, "courses"."description" AS t0_r2, "courses"."certificate_note" AS t0_r3, "courses"."note" AS t0_r4, "courses"."ceu" AS t0_r5, "courses"."created_at" AS t0_r6, "courses"."updated_at" AS t0_r7, "courses"."slug" AS t0_r8, "courses"."old_id" AS t0_r9, "courses"."active" AS t0_r10, "courses"."sap_qualifying" AS t0_r11, "courses"."sap_renewing" AS t0_r12, "courses"."sae_qualifying" AS t0_r13, "courses"."sae_renewing" AS t0_r14, "content_areas"."id" AS t1_r0, "content_areas"."name" AS t1_r1, "content_areas"."created_at" AS t1_r2, "content_areas"."updated_at" AS t1_r3, "content_areas"."old_id" AS t1_r4 FROM "courses" INNER JOIN "course_classes" ON "course_classes"."course_id" = "courses"."id" LEFT OUTER JOIN "course_content_areas" ON "course_content_areas"."course_id" = "courses"."id" LEFT OUTER JOIN "content_areas" ON "content_areas"."id" = "course_content_areas"."content_area_id" WHERE "courses"."active" = 't' AND "cours 
e_classes"."active" = 't' AND "course_classes"."class_type" = 'online' AND (content_areas.id = '<script>alert("xssvuln")</script>') ORDER BY "courses"."title" ASC 
    app/views/courses/online.html.erb:17:in `_app_views_courses_online_html_erb___2231748092449029729_69943584017620' 


------------------------------- 
Request: 
------------------------------- 

    * URL  : https://www.my_app.org/online-courses?=%3Cscript%3Ealert(%22xssvuln%22)%3C/script%3E&content_area=%3Cscript%3Ealert(%22xssvuln%22)%3C/script%3E&search=%3Cscript%3Ealert(%22xssvuln%22)%3C/script%3E&utf8=%3Cscript%3Ealert(%22xssvuln%22)%3C/script%3E 
    * HTTP Method: GET 
    * IP address : 184.154.139.18 
    * Parameters : {"content_area"=>"<script>alert(\"xssvuln\")</script>", "search"=>"<script>alert(\"xssvuln\")</script>", "utf8"=>"<script>alert(\"xssvuln\")</script>", "controller"=>"courses", "action"=>"online"} 
    * Timestamp : 2017-10-28 05:09:26 UTC 
    * Server : localhost 
    * Rails root : /home/deployer/my_app/releases/20171026113054 
    * Process: 25937

它看起來像我的SQL確實注入,雖然查詢實際失敗。這是個問題吧?另外,那麼<script>alert("xssvuln")</script>是那些存在於模板或我的一些html中的代碼?

來源

2017-10-28 Lumbee

回答

1

它看起來像有人正在檢查您的網站是否跨站腳本(XSS)易受攻擊。 更具體地說,有人已經嘗試過「反射XSS」,警報(\「xssvuln \」)作爲搜索參數傳遞,但幸運的是,您使用的參數是導致異常的整數。

來源

2017-10-28 14:42:07

相關問題

 相關問題