Javascript XSS 攻击和样式属性
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/4546591/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
XSS attacks and style attributes
提问by Artyom
There are known Style Attribute XSS attacks like:
有已知的样式属性 XSS 攻击,例如:
<DIV STYLE="width: expression(alert('XSS'));">
Or
或者
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
All the examples I've seenuse either expression or url functionality - basically something function like that require "(" and ")".
我见过的所有示例都使用表达式或 url 功能 - 基本上类似的功能需要“(”和“)”。
I'm thinking of following method of filtering style tags, I would check them using following (approximately) grammar:
我正在考虑以下过滤样式标签的方法,我会使用以下(大约)语法检查它们:
identifier: [a-zA-Z_][a-zA-Z0-9\-]*
number: [0-9]+
string: '[a-zA-Z_0-9 ]*'
value : identifier | number | string | number + "(em|px)" | number +"%"
entry: identifier ":" value (\s value )*
style: (entry ;)*
So basically I allow ASCII properties with numeric values or very limited string values (basically for font names) not allowing using anything that looks like call.
所以基本上我允许带有数值或非常有限的字符串值(基本上用于字体名称)的 ASCII 属性不允许使用任何看起来像 call.
The question is this good enough? Are there any attacks that may do something like that:
问题是这样够好吗?是否有任何攻击可能会做这样的事情:
<DIV STYLE="this-is-js-property: alert 'XSS';">
And succeed?
并成功?
Can anybody think of XSS vulnerability of such test?
有人能想到这种测试的 XSS 漏洞吗?
To Make it clear
说清楚
I need style attributes as many tools like TinyMCE use them and filtering harmless style attributes off would significantly hurt the functionality.
我需要样式属性,因为像 TinyMCE 这样的许多工具都使用它们,过滤掉无害的样式属性会严重损害功能。
So I prefer pass common cases removing all things that may use @import, url, expression etc. And also make sure that basic css syntax is ok.
所以我更喜欢通过常见的情况删除所有可能使用@import、url、表达式等的东西。还要确保基本的 css 语法没问题。
Answer
回答
No it is not safe due to click-Hymaning vulnerability.
不,由于点击劫持漏洞,它不安全。
采纳答案by Artyom
This does not work due to click-Hymaningvulnerability.
由于点击劫持漏洞,这不起作用。
Example:
例子:
<a href="http://example.com/attack.html" style="display: block; z-index: 100000; opacity: 0.5; position: fixed; top: 0px; left: 0; width: 1000000px; height: 100000px; background-color: red;"> </a>
Found at: http://www.bioinformatics.org/phplabware/forum/viewtopic.php?id=164
位于:http: //www.bioinformatics.org/phplabware/forum/viewtopic.php?id=164
The code would be perfectly validated but it may cause serious damage.
该代码将被完美验证,但可能会造成严重损坏。
So - rule of thumb use very strict white list or do not allow style attributes.
所以 - 经验法则使用非常严格的白名单或不允许样式属性。
回答by Shervin Asgari
There is an open foundation out there called OWASPthat helps you with this.
有一个名为OWASP的开放基金会可以帮助您解决这个问题。
To answer your question Are there any attacks....; Yes!
回答你的问题Are there any attacks....;是的!
There are tons of documentation there, and there are libraries you can use to correctly escape all XSS code.
那里有大量的文档,并且可以使用一些库来正确转义所有 XSS 代码。
Read the XSS prevention sheet.
阅读XSS 预防表。
回答by aaaaaaaaaaaa
Security rule #1: If you are the least in doubt, presume there is a hole.
安全规则#1:如果你最不怀疑,假设有一个漏洞。
What are you trying to achieve? What functionality would cause CSS from an untrusted source?
你想达到什么目的?哪些功能会导致来自不受信任来源的 CSS?
回答by James Drinkard
Yes, you can use XSS attacks with Style attributes .
是的,您可以使用带有样式属性的 XSS 攻击。
These styles were injected as we didn't have them declared in our tags in a particular jsp page but got through when audited by our security group:
这些样式被注入,因为我们没有在特定 jsp 页面的标签中声明它们,但在我们的安全组审核时通过了:
<img src="<path here>" style=x:ex/**/pression
(alert(54163)) ".gif"
I'm thinking of using an HTTP filter to stop it here, but I'm still looking into it.
我正在考虑使用 HTTP 过滤器来阻止它,但我仍在研究它。
We also didn't have our hidden input fields proteccted either and this got through as well:
我们也没有保护我们的隐藏输入字段,这也通过了:
<input type="hidden" name="<variable name here>" value="<value here>" style=x:ex/**/pression(alert
(54163)) "">
With a tool like Burpsuite, you can modify requests on the fly to inject XSS into tags like this. However, with the ESAPI API's from OWASP, you can add protection. We weren't using JSTL tags as it was old legacy code, so that was the best short term solution.
使用 Burpsuite 之类的工具,您可以动态修改请求以将 XSS 注入到这样的标签中。但是,使用来自 OWASP 的 ESAPI API,您可以添加保护。我们没有使用 JSTL 标签,因为它是旧的遗留代码,所以这是最好的短期解决方案。
For the hidden input I used;
对于我使用的隐藏输入;
<input type="hidden" name="id" value="<%=ESAPI.encoder().encodeForHTMLAttribute(id)%>"
You can also use XSS with the js onload event in an img tag:
您还可以在 img 标签中使用XSS 和 js onload 事件:
