2017-10-28 14 views
0

I have exception notification installed in my application, and I received a few of these notifications last night: Rails exception. Is my app vulnerable? `<script>alert("xssvuln")</script>`

An ActionView::Template::Error occurred in courses#online:

    PG::InvalidTextRepresentation: ERROR: invalid input syntax for integer: "<script>alert("xssvuln")</script>"
    LINE 1: ..."."class_type" = 'online' AND (content_areas.id = '<script>a...
                                                                   ^
    : SELECT "courses"."id" AS t0_r0, "courses"."title" AS t0_r1, "courses"."description" AS t0_r2, "courses"."certificate_note" AS t0_r3, "courses"."note" AS t0_r4, "courses"."ceu" AS t0_r5, "courses"."created_at" AS t0_r6, "courses"."updated_at" AS t0_r7, "courses"."slug" AS t0_r8, "courses"."old_id" AS t0_r9, "courses"."active" AS t0_r10, "courses"."sap_qualifying" AS t0_r11, "courses"."sap_renewing" AS t0_r12, "courses"."sae_qualifying" AS t0_r13, "courses"."sae_renewing" AS t0_r14, "content_areas"."id" AS t1_r0, "content_areas"."name" AS t1_r1, "content_areas"."created_at" AS t1_r2, "content_areas"."updated_at" AS t1_r3, "content_areas"."old_id" AS t1_r4 FROM "courses" INNER JOIN "course_classes" ON "course_classes"."course_id" = "courses"."id" LEFT OUTER JOIN "course_content_areas" ON "course_content_areas"."course_id" = "courses"."id" LEFT OUTER JOIN "content_areas" ON "content_areas"."id" = "course_content_areas"."content_area_id" WHERE "courses"."active" = 't' AND "course_classes"."active" = 't' AND "course_classes"."class_type" = 'online' AND (content_areas.id = '<script>alert("xssvuln")</script>') ORDER BY "courses"."title" ASC
        app/views/courses/online.html.erb:17:in `_app_views_courses_online_html_erb___2231748092449029729_69943584017620'


------------------------------- 
Request: 
------------------------------- 

    * URL  : https://www.my_app.org/online-courses?=%3Cscript%3Ealert(%22xssvuln%22)%3C/script%3E&content_area=%3Cscript%3Ealert(%22xssvuln%22)%3C/script%3E&search=%3Cscript%3Ealert(%22xssvuln%22)%3C/script%3E&utf8=%3Cscript%3Ealert(%22xssvuln%22)%3C/script%3E 
    * HTTP Method: GET 
    * IP address : 184.154.139.18 
    * Parameters : {"content_area"=>"<script>alert(\"xssvuln\")</script>", "search"=>"<script>alert(\"xssvuln\")</script>", "utf8"=>"<script>alert(\"xssvuln\")</script>", "controller"=>"courses", "action"=>"online"} 
    * Timestamp : 2017-10-28 05:09:26 UTC 
    * Server : localhost 
    * Rails root : /home/deployer/my_app/releases/20171026113054 
    * Process: 25937 

The query actually failed, but it looks as if SQL was really injected. Is this a real problem? Also, is `<script>alert("xssvuln")</script>` code that lives somewhere in a template or in some HTML?

Answer

1

It looks like someone is checking whether your website is vulnerable to XSS (Cross-Site Scripting). More specifically, someone attempted a 'Reflected XSS': `alert("xssvuln")` was passed in the search parameters, but because an integer is used there it raised an exception instead.
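As an added illustration (not code from the question, the answer, or the asker's app), this plain-Ruby sketch of a hypothetical `courses#online` action shows how strictly casting the `content_area` parameter turns a probe like the one in the notification into a 404 instead of a `PG::InvalidTextRepresentation` 500, plus a small triage helper for reading such reports. The `id_param`, `online_courses` and `params_with_script_tags` names are assumptions; the request hash is constructed from the "Parameters" line above.

```ruby
# Constructed from the "Parameters" line of the exception notification.
PROBE = '<script>alert("xssvuln")</script>'
REQUEST_PARAMS = {
  "content_area" => PROBE,
  "search"       => PROBE,
  "utf8"         => PROBE,
  "controller"   => "courses",
  "action"       => "online",
}.freeze

# Strict cast of an id-like parameter: only a positive base-10 integer string
# is accepted. Integer(str, 10) rejects "", "12abc", "0x1f" and the probe
# string, so free text never reaches the SQL layer as a content_areas.id value.
def id_param(value)
  n = Integer(value.to_s, 10)
  n.positive? ? n : nil
rescue ArgumentError, TypeError
  nil
end

# Hypothetical controller action body (no Rails dependency). Returns the HTTP
# status and the ActiveRecord-style filter the query would use, so the
# behaviour can be checked without a database.
def online_courses(params)
  id = id_param(params["content_area"])
  # A content_area that is present but not a valid id is a client error, not a
  # server error: respond 404 rather than letting the database raise.
  return { status: 404, filter: nil } if params.key?("content_area") && id.nil?

  { status: 200, filter: id ? { content_area_id: id } : {} }
end

# Defender-side triage helper: which request parameters carry a script tag?
# Handy when scanning an exception_notification report like the one above.
def params_with_script_tags(params)
  params.select { |_, v| v.to_s =~ /<\s*script\b/i }.keys.sort
end

if __FILE__ == $0
  p online_courses(REQUEST_PARAMS)          # => {:status=>404, :filter=>nil}
  p online_courses("content_area" => "12")  # => {:status=>200, :filter=>{:content_area_id=>12}}
  p params_with_script_tags(REQUEST_PARAMS) # => ["content_area", "search", "utf8"]
end
```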