PHP_SELF 和 XSS
我发现一篇文章声称 $_SERVER['PHP_SELF'] 容易受到 XSS 攻击。
我不确定我是否理解正确,但我几乎可以肯定这是错误的。
这怎么可能容易受到 XSS 攻击!?
<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<!-- form contents -->
</form>
I've found an article claiming that $_SERVER['PHP_SELF'] is vulnerable to XSS.
I'm not sure if I have understood it correctly, but I'm almost sure that it's wrong.
How can this be vulnerable to XSS attacks!?
<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<!-- form contents -->
</form>
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(7)
为了使其安全使用,您需要使用
htmlspecialchars()。请参阅 我写过的几乎所有 PHP 表单中都存在 XSS 漏洞,了解如何攻击
$_SERVER["PHP_SELF"]。To make it safe to use you need to use
htmlspecialchars().See A XSS Vulnerability in Almost Every PHP Form I’ve Ever Written for how
$_SERVER["PHP_SELF"]can be attacked.这确实是一个XSS漏洞。我确实理解您认为它可能不会损害您的网站,但这并不意味着它不是真实的。
如果您不相信,请尝试以下操作:
我们假设您有一个页面,例如“registration.php”。
我们假设你有一个表单,其中的操作是:
正如你确实写下的那样:
现在只需在下面附加字符串
实际上并不难理解,因为 PHP_SELF 是 URL 的反映,你的应用程序将读取你在 URL 中输入的任何内容并回应它。就这么简单。
htmlspecialchars 应该处理好这件事,没有理由对证据提出异议。
然而,即使这是窃取 cookie 的第一步,也不是自动发生的。即使攻击很容易(因为攻击者会在您的网站上注册并查看 cookie 的外观等),但要达到窃取 cookie 的目的,还必须满足一系列其他因素情况。例如,cookie 不能过期。这取决于 cookie 的复杂程度。也许您在服务器上采取了其他预防措施,但不一定所有身份验证都基于 cookie 的存在!
虽然我确实相信要满足所有条件,这是相当困难且非常糟糕的编程(即使 yahoo.mail 例如有这样的漏洞,如果你在互联网上查找,你甚至会发现漏洞利用和 cookie 解码器),XSS 是真实的,谁知道如果您的网站遭受攻击,狡猾的攻击者会做什么。治疗方法很简单...
It is indeed a XSS vulnerability. I do understand that you believe it may not harm your website, but this doesn't mean it is not real.
If you do not believe it, try the following:
We assume you have a page such as "registration.php".
We assume you have a form where action is:
as you put it down indeed:
Now simply append the string below
It is not actually hard to understand, because PHP_SELF is a reflection of the URL, your application will read whatever you put in the URL and echo it. It is simple as that.
htmlspecialchars should take care of the matter, no reason to dispute the evidence.
However, even this is a first step in stealing a cookie, it's not that it take place automatically. Even if it's quite easy to craft the attack (as the attacker will register on your site and will see how the cookie looks...etc.), a series of other factors must be true to get to the point of having a cookie stealing situation. For instance, the cookie must not be expired. Than it depends of how complex the cookie is. Than maybe you have other precautions in placed on server, it doesn't have to be all authentication based on the presence of cookie!
While I do believe it is rather difficult and really bad programming for all conditions to met (even if yahoo.mail for example had such a vulnerability and if you look on internet you will find even the exploit and the cookie decoder), the XSS is real and who knows what a crafty attacker may do if your site suffer of it. The cure is simple...
您链接的那篇文章给了您:
什么不清楚?
编辑:这是一个 XSS 攻击,因为我可以隐藏从我的网站到你的网站的链接,并在 URL 中添加一些 JS,这些 JS 会向我发送你的 cookie,所以当你点击该链接时,你就被 pwnd 了。
The very article you linked gives you:
what's not clear?
Edit: this is an XSS attack because I can hide a link from my site to yours with some JS added to the URL which sends me your cookies so the moment you click that link, you are pwnd.
您应该使用 filter_input() 来访问 PHP 中的超全局变量。如果您将过滤器设置为 FILTER_SANITIZE_FULL_SPECIAL_CHARS ,它将去除通常使用的不安全字符在 XSS 中。鉴于你的例子:
You should be using filter_input() to access superglobals in PHP. If you set the filter to FILTER_SANITIZE_FULL_SPECIAL_CHARS it will strip the unsafe characters typically used in XSS. Given your example:
该漏洞是用户可以在表单中输入恶意 JavaScript 代码。为了防止这种情况,使用了 htmlspecialchars 函数。
预定义字符(如 >、<、"、')被转换为实体(> < 等)
htmlspecialchars($_SERVER["PHP_SELF"]) 确保所有提交的表单变量都被转换 要了解有关
此漏洞的更多信息,请访问:https://www.w3schools.com/php/php_form_validation.asp
另一个可以帮助您的链接:https://www.w3schools.com/php/php_form_validation.asp bit Degree.org/learn/php-form-validation/amp" rel="nofollow noreferrer">https://www.google.com/amp/s/www.bit Degree.org/learn/php-form-validation/amp
The vulnerability is that a user can enter malicious JavaScript codes in the form. To prevent this,
htmlspecialcharsfunction is used.Predefined characters (like >, <, ", ') are converted into entities(> < etc)
htmlspecialchars($_SERVER["PHP_SELF"]) ensures that all submitted form variables are converted into entities.
To read more about this vulnerability, visit: https://www.w3schools.com/php/php_form_validation.asp
Another link that can help you: https://www.google.com/amp/s/www.bitdegree.org/learn/php-form-validation/amp
我正在研究有关 PHP_SELF 变量和 XSS 攻击的问题。有一些我仍然无法理解的事情: PHP_SELF 变量应该引用脚本文件(正在运行的脚本)的名称。那么,为什么它要从 URL 中获取值呢? (允许XSS问题)。
I am studying this issue about the PHP_SELF variable and the XSS attack. There is something that I still can't understand: PHP_SELF variable is suposed to reference the name of the script file (the script that is running). Then, why does it take its value from the URL? (allowing the XSS problem).
我意识到为什么我不清楚之前的答案:
基本上,我认为 example.php/some/extra/things 只会导致“404 页面未找到”。然而,服务器实际上还是执行了
/example.php。(相比之下,它不适用于
/example.html/some/extra/things或/example.php"some/extra/things因为两者都会导致 404 。由于
$_SERVER['PHP_SELF']包含.php/之后的部分(与$_SERVER['SCRIPT_NAME']不同) 像这样的代码这:如果有人点击链接
/example.php/%22%3E%3Cscript%3Econsole.log('XSS')%3C/script%3E%3C!--浏览器向服务器发送请求并接收:结果在浏览器中看起来与
/example.php/相同,但它运行 JS 代码。有评论询问
htmlspecialchars如何防止它。如果使用 htmlspecialchars:
则得到:
所以它不会运行该脚本。
I realized why something about the previous answers was unclear to me:
Basically, I thought
example.php/some/extra/thingswould simply lead to "404 page not found". However, the server actually executes the/example.phpanyway.(In contrast, it doesn’t work for
/example.html/some/extra/thingsor/example.php"some/extra/thingsas both result in 404).Since
$_SERVER['PHP_SELF']includes the part after.php/(unlike$_SERVER['SCRIPT_NAME']), given a code like this:If someone clicks on a link to
/example.php/%22%3E%3Cscript%3Econsole.log('XSS')%3C/script%3E%3C!--the browser sends a request to the server and receives:The result looks the same as
/example.php/in a browser but it runs the JS code.A comment asked how
htmlspecialcharscan prevent it.If one uses htmlspecialchars:
One gets:
So it won't run the script.