Rails exception; my application is vulnerable <SCRIPT>alert("xssvuln")</SCRIPT>

Time: 2017-10-28 13:33:43

Tags: ruby-on-rails security xss

I installed exception notification on my app, and last night I received some notifications:

ActionView::Template::Error in courses#online:
  PG::InvalidTextRepresentation: ERROR:  invalid input syntax for integer: "<script>alert("xssvuln")</script>"
LINE 1: ..."."class_type" = 'online' AND (content_areas.id = '<script>a...
                                                             ^
: SELECT "courses"."id" AS t0_r0, "courses"."title" AS t0_r1, "courses"."description" AS t0_r2, "courses"."certificate_note" AS t0_r3, "courses"."note" AS t0_r4, "courses"."ceu" AS t0_r5, "courses"."created_at" AS t0_r6, "courses"."updated_at" AS t0_r7, "courses"."slug" AS t0_r8, "courses"."old_id" AS t0_r9, "courses"."active" AS t0_r10, "courses"."sap_qualifying" AS t0_r11, "courses"."sap_renewing" AS t0_r12, "courses"."sae_qualifying" AS t0_r13, "courses"."sae_renewing" AS t0_r14, "content_areas"."id" AS t1_r0, "content_areas"."name" AS t1_r1, "content_areas"."created_at" AS t1_r2, "content_areas"."updated_at" AS t1_r3, "content_areas"."old_id" AS t1_r4 FROM "courses" INNER JOIN "course_classes" ON "course_classes"."course_id" = "courses"."id" LEFT OUTER JOIN "course_content_areas" ON "course_content_areas"."course_id" = "courses"."id" LEFT OUTER JOIN "content_areas" ON "content_areas"."id" = "course_content_areas"."content_area_id" WHERE "courses"."active" = 't' AND "course_classes"."active" = 't' AND "course_classes"."class_type" = 'online' AND (content_areas.id = '<script>alert("xssvuln")</script>')  ORDER BY "courses"."title" ASC
  app/views/courses/online.html.erb:17:in `_app_views_courses_online_html_erb___2231748092449029729_69943584017620'


-------------------------------
Request:
-------------------------------

  * URL        : https://www.my_app.org/online-courses?=%3Cscript%3Ealert(%22xssvuln%22)%3C/script%3E&content_area=%3Cscript%3Ealert(%22xssvuln%22)%3C/script%3E&search=%3Cscript%3Ealert(%22xssvuln%22)%3C/script%3E&utf8=%3Cscript%3Ealert(%22xssvuln%22)%3C/script%3E
  * HTTP Method: GET
  * IP address : 184.154.139.18
  * Parameters : {"content_area"=>"<script>alert(\"xssvuln\")</script>", "search"=>"<script>alert(\"xssvuln\")</script>", "utf8"=>"<script>alert(\"xssvuln\")</script>", "controller"=>"courses", "action"=>"online"}
  * Timestamp  : 2017-10-28 05:09:26 UTC
  * Server : localhost
  * Rails root : /home/deployer/my_app/releases/20171026113054
  * Process: 25937

It seems to me that, although the query actually failed, SQL was indeed injected. Is this a problem? Also, does the <script>alert("xssvuln")</script> code live in the template or in some HTML?

1 answer:

Answer 0 (score: 2)

It looks like someone is checking whether your site is vulnerable to cross-site scripting (XSS). More specifically, someone tried a 'Reflected XSS' and alert(\"xssvuln\") was passed as the search parameter, but fortunately you are using the parameter as an integer, which caused the exception.
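The two defences the answer relies on can be made explicit in plain Ruby. The block below is an added example, not code from the question's application or from Rails itself: it validates a lookup id before it is handed to the database (so a non-numeric value is rejected in the controller rather than surfacing as a PG::InvalidTextRepresentation exception) and HTML-escapes a reflected search term the way an ERB <%= %> tag does. The parameter hash and the helper names safe_id, reflected_search_html and content_area_filter are constructed for this example.

```ruby
require "erb"

# Constructed sample parameters with the same shape as the notification
# above (hypothetical values, not taken from the question's server).
SAMPLE_PARAMS = {
  "content_area" => "<script>alert(\"xssvuln\")</script>",
  "search"       => "<script>alert(\"xssvuln\")</script>",
}.freeze

# Allow-list coercion: only a plain decimal id string is accepted.
# Anything else (script tags included) is rejected before it reaches
# ActiveRecord, so the database never sees an invalid integer literal.
def safe_id(value)
  return nil unless value.is_a?(String) && value.match?(/\A\d+\z/)
  Integer(value, 10)
end

# Escape a reflected value as Rails' <%= %> does; ERB::Util.html_escape
# is the standard-library helper Rails wraps. Hypothetical view helper.
def reflected_search_html(term)
  "<p>Results for #{ERB::Util.html_escape(term)}</p>"
end

# Build the hash-form condition a controller could hand to `where`, with
# the id already validated; returns nil when the parameter is unusable.
def content_area_filter(params)
  id = safe_id(params["content_area"])
  id.nil? ? nil : { content_areas: { id: id } }
end

if __FILE__ == $PROGRAM_NAME
  p safe_id("42")                               # 42
  p safe_id(SAMPLE_PARAMS["content_area"])      # nil: rejected, no DB call
  p content_area_filter(SAMPLE_PARAMS)          # nil
  puts reflected_search_html(SAMPLE_PARAMS["search"])
end
```

With the id validated up front, a probe like the one in the notification produces a normal "no such content area" response instead of a 500 and an exception e-mail; the escaped search term shows why the reflected payload is rendered as inert text by default rather than executed.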