1. 首页
  2. 问答
  3. Rails异常;我的应用程序易受攻击<script>警报(“xssvuln”)</script>

Rails异常;我的应用程序易受攻击<script>警报(“xssvuln”)</script>

2017-10-28 182 views
0

我安装我的应用程序exception notification,和我有几个这样的通知,昨晚:Rails异常;我的应用程序易受攻击<script>警报(“xssvuln”)</script>

的::的ActionView ::模板发生在课程#在线错误:

PG::InvalidTextRepresentation: ERROR: invalid input syntax for integer: "<script>alert("xssvuln")</script>" 
LINE 1: ..."."class_type" = 'online' AND (content_areas.id = '<script>a... 
                  ^
: SELECT "courses"."id" AS t0_r0, "courses"."title" AS t0_r1, "courses"."description" AS t0_r2, "courses"."certificate_note" AS t0_r3, "courses"."note" AS t0_r4, "courses"."ceu" AS t0_r5, "courses"."created_at" AS t0_r6, "courses"."updated_at" AS t0_r7, "courses"."slug" AS t0_r8, "courses"."old_id" AS t0_r9, "courses"."active" AS t0_r10, "courses"."sap_qualifying" AS t0_r11, "courses"."sap_renewing" AS t0_r12, "courses"."sae_qualifying" AS t0_r13, "courses"."sae_renewing" AS t0_r14, "content_areas"."id" AS t1_r0, "content_areas"."name" AS t1_r1, "content_areas"."created_at" AS t1_r2, "content_areas"."updated_at" AS t1_r3, "content_areas"."old_id" AS t1_r4 FROM "courses" INNER JOIN "course_classes" ON "course_classes"."course_id" = "courses"."id" LEFT OUTER JOIN "course_content_areas" ON "course_content_areas"."course_id" = "courses"."id" LEFT OUTER JOIN "content_areas" ON "content_areas"."id" = "course_content_areas"."content_area_id" WHERE "courses"."active" = 't' AND "cours 
e_classes"."active" = 't' AND "course_classes"."class_type" = 'online' AND (content_areas.id = '<script>alert("xssvuln")</script>') ORDER BY "courses"."title" ASC 
    app/views/courses/online.html.erb:17:in `_app_views_courses_online_html_erb___2231748092449029729_69943584017620' 


------------------------------- 
Request: 
------------------------------- 

    * URL  : https://www.my_app.org/online-courses?=%3Cscript%3Ealert(%22xssvuln%22)%3C/script%3E&content_area=%3Cscript%3Ealert(%22xssvuln%22)%3C/script%3E&search=%3Cscript%3Ealert(%22xssvuln%22)%3C/script%3E&utf8=%3Cscript%3Ealert(%22xssvuln%22)%3C/script%3E 
    * HTTP Method: GET 
    * IP address : 184.154.139.18 
    * Parameters : {"content_area"=>"<script>alert(\"xssvuln\")</script>", "search"=>"<script>alert(\"xssvuln\")</script>", "utf8"=>"<script>alert(\"xssvuln\")</script>", "controller"=>"courses", "action"=>"online"} 
    * Timestamp : 2017-10-28 05:09:26 UTC 
    * Server : localhost 
    * Rails root : /home/deployer/my_app/releases/20171026113054 
    * Process: 25937

它看起来像我的SQL确实注入,虽然查询实际失败。这是个问题吧?另外,那么<script>alert("xssvuln")</script>是那些存在于模板或我的一些html中的代码?

来源

2017-10-28 Lumbee

回答

1

它看起来像有人正在检查您的网站是否跨站脚本(XSS)易受攻击。 更具体地说,有人已经尝试过“反射XSS”,警报(\“xssvuln \”)作为搜索参数传递,但幸运的是,您使用的参数是导致异常的整数。

来源

2017-10-28 14:42:07

相关问题

 相关问题