Javascript 可用于测试页面输入的 XSS 示例?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/7232405/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Examples of XSS that I can use to test my page input?
提问by KRB
I have had issues with XSS. Specifically I had an individual inject JS alert showing that the my input had vulnerabilities. I have done research on XSS and found examples but for some reason I can't get them to work.
我遇到了 XSS 问题。具体来说,我有一个单独的注入 JS 警报,显示我的输入存在漏洞。我已经对 XSS 进行了研究并找到了示例,但由于某种原因我无法让它们工作。
Can I get example(s) of XSS that I can throw into my input and when I output it back to the user see some sort of change like an alert to know it's vulnerable?
我是否可以获得 XSS 的示例,我可以将其放入我的输入中,并且当我将其输出给用户时,是否会看到某种更改,例如知道它易受攻击的警报?
I'm using PHP and I am going to implement htmlspecialchars() but I first am trying to reproduce these vulnerabilities.
我正在使用 PHP 并且我将实现 htmlspecialchars() 但我首先尝试重现这些漏洞。
Thanks!
谢谢!
采纳答案by Sarfraz
You can use this firefox addon:
您可以使用此 Firefox 插件:
XSS-Me is the Exploit-Me tool used to test for reflected Cross-Site Scripting (XSS). It does NOT currently test for stored XSS.
The tool works by submitting your HTML forms and substituting the form value with strings that are representative of an XSS attack. If the resulting HTML page sets a specific JavaScript value (document.vulnerable=true) then the tool marks the page as vulnerable to the given XSS string. The tool does not attempting to compromise the security of the given system. It looks for possible entry points for an attack against the system. There is no port scanning, packet sniffing, password hacking or firewall attacks done by the tool.
You can think of the work done by the tool as the same as the QA testers for the site manually entering all of these strings into the form fields.
XSS-Me 是 Exploit-Me 工具,用于测试反射跨站脚本(XSS)。它目前不测试存储的 XSS。
该工具通过提交您的 HTML 表单并用代表 XSS 攻击的字符串替换表单值来工作。如果生成的 HTML 页面设置了特定的 JavaScript 值 (document.vulnerable=true),则该工具会将页面标记为容易受到给定 XSS 字符串的攻击。该工具不会试图破坏给定系统的安全性。它寻找对系统进行攻击的可能入口点。该工具不会进行端口扫描、数据包嗅探、密码黑客攻击或防火墙攻击。
您可以认为该工具完成的工作与站点的 QA 测试人员将所有这些字符串手动输入表单字段相同。
回答by ComFreek
For example:
例如:
<script>alert("XSS")</script>
"><b>Bold</b>
'><u>Underlined</u>
回答by cyber-guard
It is very good to use some of the automated tools, however you won't gain any insight or experience from those.
使用一些自动化工具非常好,但是您不会从中获得任何见解或经验。
The point of XSS attack is to execute javascript in a browser window, which is not supplied by the site. So first you must have a look in what context the user supplied data is printed on the website; it might be within <script></script>code block, it might be within <style></style>block, it might be used as an attribute of an element <input type="text" value="USER DATA" />or for instance in a <textarea>. Depending on that you will see what syntax you will use to escape the context (or use it); for instance if you are within <script>tags, it might be sufficient to close parethesis of a function and end the line with semicolon, so the final injection will look like ); alert(555);. If the data supplied is used as an html attribute, the injection might look like " onclick="alert(1)"which will cause js execution if you click on the element (this area is rich to play with especially with html5).
The point is, the context of the xss is as much important as any filtering/sanatizing functions that might be in place, and often there might be small nuances which the automated tool will not catch. As you can see above even without quotes and html tags, in a limited number of circumstance you might be able to bypass the filters and execute js.
XSS 攻击的重点是在浏览器窗口中执行 javascript,这不是由站点提供的。所以首先你必须看看用户提供的数据是在什么情况下打印在网站上的;它可能在<script></script>代码块内,可能在<style></style>块内,可能用作元素的属性<input type="text" value="USER DATA" />或例如在<textarea>. 根据这一点,您将看到将使用什么语法来转义上下文(或使用它);例如,如果您在<script>标签内,关闭函数的括号并以分号结束该行可能就足够了,因此最终注入看起来像); alert(555);. 如果提供的数据用作 html 属性,则注入可能看起来像" onclick="alert(1)"如果您单击元素,这将导致 js 执行(该区域非常适合玩,尤其是 html5)。关键是,xss 的上下文与任何可能存在的过滤/清理功能一样重要,并且通常可能存在自动化工具无法捕捉到的细微差别。正如您在上面看到的,即使没有引号和 html 标签,在有限数量的情况下,您可能能够绕过过滤器并执行 js。
There also needs to be considered the browser encoding, for instance you might be able to bypass filters if the target browser has utf7 encoding (and you encode your injection that way). Filter evasion is a whole another story, however the current PHP functions are pretty bulletproof, if used correctly.
还需要考虑浏览器编码,例如,如果目标浏览器具有 utf7 编码(并且您以这种方式对注入进行编码),则您可能能够绕过过滤器。过滤器规避完全是另一回事,但是如果使用得当,当前的 PHP 函数是非常可靠的。
Also here is a long enough list of XSS vectors
这里还有一个足够长的XSS 向量列表
As a last thing, here is an actual example of a XSS string that was found on a site, and I guarantee you that not a single scanner would've found that (there were various filters and word blacklists, the page allowed to insert basic html formatting to customize your profile page):
最后,这是一个在站点上发现的 XSS 字符串的实际示例,我向您保证,没有一个扫描仪会发现它(有各种过滤器和单词黑名单,页面允许插入基本的html 格式以自定义您的个人资料页面):
<a href="Boom"><font color=a"onmouseover=alert(document.cookie);"> XSS-Try ME</span></font>
<a href="Boom"><font color=a"onmouseover=alert(document.cookie);"> XSS-Try ME</span></font>
回答by JJ.
Ad-hoc testing is OK, however I also recommend trying a web application vulnerability scanning tool to ensure you haven't missed anything.
临时测试是可以的,但是我还建议您尝试使用 Web 应用程序漏洞扫描工具以确保您没有遗漏任何内容。
acunetix is pretty good and has a free trial of their application:
acunetix 非常好,并且可以免费试用他们的应用程序:
http://www.acunetix.com/websitesecurity/xss.htm
http://www.acunetix.com/websitesecurity/xss.htm
(Note I have no affiliation with this company, however I have used the product to test my own applications).
(注意我与这家公司没有任何关系,但是我已经使用该产品来测试我自己的应用程序)。
