Recently i was studying about the XSS attacks and how devastating they can be on a website.
What surprised me was that, web (even SO) is full about how to prevent xss attack but there is no relevant resource on how to recover a website, after it has been attacked through xss.
There are some things which i came across like :
- upload the backup website code back on server
- download the entire site and manually look for any malicious script
but these doesn't sound good enough....i mean, isn't there any other professionaly active method to recover the sites once hacked???
With XSS the code is not actually modified. Instead what usually happens are one of two scenarios: reflected and stored XSS.
In reflected XSS, there is some parameter in the request (usually a query string parameter) that gets echoed onto the page without being sanitized. This could lead to an attacker providing a malicious link to a user, and them clicking and having their session hijacked.
In stored XSS, the attacker finds some way to persist a malicious string (usually stored in a database, in the form of a forum post or website comment) that other users will come across when viewing this site. That script is then executed in the context of the user that viewed the page, and the attacker could again hijack the session.
To "recover" from reflected XSS - you would want to fix the reflected parameter (do something like output encoding) and invalidate all sessions, making users have to log in again.
To "recover" from reflected XSS - you would want to identify where the malicious code was provided, add sanitization of the input and encoding of the output of that data. Then clean the database of these malicious values, then invalidate all sessions, forcing users to log back in again.
@Stefan_H got it right. (+1)
Indeed you only need to recover from stored XSS.
However, what you also need to consider, is that store XSS attack is often just a symptom of the actual illness.
Simply put, to execute such XSS attacks, an attacker must have high-level access to your website/server resources. This means that - besides the malicious XSS code - your site also holds a backdoor shell which allows the attacker that level of access.
And so, in fact, you don't need to recover from XSS but from the backdoor shell. Failing to do so will allow the hacker to re-inject your site, even once the code was sanitized.
Some backdoors exist on a site level, others will affect whole servers. The type of control they provide will vary but - in most cases - they will allow total access to most website resources. This will lead to:
- XSS and other malware injection
- Hijacking the site/server for the purpose of DDoS (joining a Botnet)
- Data theft
- Eventual defacement
To prevent re-occurring attacks you`ll need to:
- Use some very early backup (you don't know how long the backdoor was present in your file system)
- Better yet, use some kind of backdoor detection tool (there are some free ones but few are actually good)
- Understanding how the shell got there in the 1st place (RFI and password hacks are the two prime suspects)
GL
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 相关推荐>> 的文章《How to recover a site after an xss attack?》','https://www.manongdao.com/article-875263.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}