Javascript 是什么让输入容易受到 XSS 攻击?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/2905886/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
What makes an input vulnerable to XSS?
提问by vtortola
I've been reading about XSS and I made a simple form with a text and submit input, but when I execute <script>alert();</script>on it, nothing happens, the server gets that string and that's all.
我一直在阅读有关 XSS 的内容,我制作了一个带有文本的简单表单并提交了输入,但是当我对其执行<script>alert();</script>时,什么也没有发生,服务器获取该字符串,仅此而已。
What do I have to do for make it vulnerable?? (then I'll learn what I shouldn't do hehe)
我该怎么做才能让它变得脆弱?(然后我会学习我不应该做的事情嘿嘿)
Cheers.
干杯。
回答by Quentin
Have the server output the input back to the client.
让服务器将输入输出回客户端。
回答by BalusC
Indeed just let the server output it so that the input string effectively get embedded in HTML source which get returned to the client.
实际上只是让服务器输出它,以便输入字符串有效地嵌入到返回给客户端的 HTML 源中。
PHP example:
PHP示例:
<!doctype html>
<html lang="en">
<head><title>XSS test</title></head>
<body>
<form><input type="text" name="xss"><input type="submit"></form>
<p>Result: <?= $_GET['xss'] ?></p>
</body>
</html>
JSP example:
JSP 示例:
<!doctype html>
<html lang="en">
<head><title>XSS test</title></head>
<body>
<form><input type="text" name="xss"><input type="submit"></form>
<p>Result: ${param.xss}</p>
</body>
</html>
Alternatively you can redisplay the value in the input elements, that's also often seen:
或者,您可以在输入元素中重新显示值,这也经常看到:
<input type="text" name="xss" value="<?= $_GET['xss'] ?>">
resp.
分别
<input type="text" name="xss" value="${param.xss}">
This way "weird" attack strings like "/><script>alert('xss')</script><br class="will work because the server will render it after all as
这样“奇怪的”攻击字符串"/><script>alert('xss')</script><br class="会起作用,因为服务器毕竟会将它呈现为
<input type="text" name="xss" value=""/><script>alert('xss')</script><br class="">
XSS-prevention solutions are among others htmlspecialchars()and fn:escapeXml()for PHP and JSP respectively. Those will replace among others <, >and "by <, >and "so that enduser input doesn't end up to be literally embedded in HTML source but instead just got displayed as it was entered.
XSS预防解决方案等htmlspecialchars(),并fn:escapeXml()分别对PHP和JSP。这些将取代等等<,>并"通过<,>并"让终端用户输入不落得字面嵌入在HTML源代码,而是刚刚显示有人进来。
回答by Henri
You should "inject" the script. So if you have a text-input, you should put in the form:
您应该“注入”脚本。因此,如果您有文本输入,则应输入以下形式:
" /> <script>alert();</script>
This way you first close the attribute of the existing HTML and then inject your own code. The idea is to escape out the quotes.
这样你首先关闭现有 HTML 的属性,然后注入你自己的代码。这个想法是逃避引号。
回答by Annie
回答by Troy Hunt
Three simple things:
简单的三件事:
- If you're not outputting untrusted data to the page at some point there is no opportunity for XSS
- All your untusted data (forms, querystrings, headers, etc) should be validated against a whitelist to ensure it's within an acceptable range
- All your output to the screen should be endcoded with an appropriate library (ie Anti-XSS for .NET) onto the appropriate language (HTML, CSS, JS, etc).
- 如果您在某些时候没有将不受信任的数据输出到页面,则 XSS 没有机会
- 所有未经验证的数据(表单、查询字符串、标题等)都应根据白名单进行验证,以确保其在可接受的范围内
- 您在屏幕上的所有输出都应该使用适当的库(即 .NET 的 Anti-XSS)以适当的语言(HTML、CSS、JS 等)进行编码。
More info with examples in OWASP Top 10 for .NET developers part 2: Cross-Site Scripting (XSS).
