IE 中的 XSS - 绕过方法?
既然 IE 8 有 XSS 过滤器,那么真的没有办法使用该浏览器来利用 XSS 漏洞吗?例如,cookie 窃取者不再对我的网站构成威胁?
(如果您认为这是不正确的并且您的过滤器可能存在缺陷,我想知道)
Since IE 8 has an XSS filter, is there really no way to exploit an XSS exploit using this browser? For example, a cookie stealer isn't a threat to my site anymore?
(If you think this is not correct and you have a possible flaw in the filter, I'd like to know)
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
IE8 中的 XSS-Filter 肯定可以被击败。是否可能取决于页面中的XSS-Vuln。
例如,您可以使用奇怪的编码或双重 XSS 攻击。
编辑:
这是一个可以通过 IE8 过滤器的 XSS 攻击的野外示例:
esrb.org 上的 XSS
The XSS-Filter in IE8 can sure be beaten. It depends on the XSS-Vuln in the page whether it's possible or not.
For example you can use weird encodings or a double XSS attack.
Edit:
This is an in-the-wild example of an XSS-Attack that would pass the IE8-Filter:
XSS on esrb.org
即,基本 XSS 过滤器通过首先检查请求的生成位置来处理传出请求。我的意思是,对于反射型 XSS,请求可能是从攻击者系统生成的,以便放置恶意脚本。所以通过扩展
查看来自同一域的请求是没有意义的,因为这会浪费资源。
然而 IE 做出了一个错误的假设,XSS 可以来自任何地方、任何地方。
由于这种错误的假设,反射型 XSS 漏洞可能会被利用。 IE 已考虑“location:”HTTP 标头重定向以及
元刷新 HTML 标签。然而,还有其他可用于攻击的重定向方法。
现在让我们假设在我们的目标应用程序中发现了一个直接的 XSS 漏洞
xss.php 文件:
假设在 redir.php 文件中发现 OWASP a10 违规。
此类应用程序的概念验证漏洞如下:
上述链接可能来自任何地方,包括 url 收缩服务。 XSS 有效负载是“var”GET 变量。 PoC 的这一部分已经过双重 url 编码。这里有一个尖括号“>”变为“%253E”。这种编码欺骗了服务器上的 htmlspecialchars() 以及 IE 的过滤器。此编码的有效负载不受对 htmlspecialchars() 调用的影响,并且在不存在该负载的情况下也会以相同的方式运行。
Ie basic XSS filter processes the outgoing request by first checking where the request is been generated.I mean for a reflective XSS the request may be generating from attackers system in order do put malicious script. So by extension
there should be no point in looking at requests that originate from the same domain as this would be a waste of resources.
However IE is making an incorrect assumption, XSS can come from anywhere and there for any
reflective XSS vulnerability can become exploitable due to this incorrect assumption. IE has taken “location:” HTTP header redirects into consideration as well as
meta refresh HTML tags. There are however other redirection methods which can be used in an attack.
Now let us assume there is a straight forward XSS vulnerability in our target application found in the
xss.php file:
Assume OWASP a10 violation found in the redir.php file.
The Proof of Concept exploit for an application like this is as follows:
Above link could originate from anywhere, including a url shrinking services . The XSS payload is the “var” GET variable. This part of the PoC has been double url encoded. There for an angled bracket “>” becomes “%253E”. This is encoding fools both the htmlspecialchars() on the server as well as IE's filter. This encoded payload is unaffected by the call to htmlspecialchars() and would behave in the same way with its absence.
XSS 攻击有多种类型; IE XSS 过滤器旨在阻止最常见形式的反射 XSS 攻击。请参阅 http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx 了解过滤器的背景信息 做。
您绝对应该继续遵循预防 XSS 的最佳实践。
There are several types of XSS attack; the IE XSS filter is designed to block the most common form of Reflected XSS attacks. See http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx for background on what the filter does.
You absolutely should continue to follow best-practices for XSS prevention.