为什么/如何将`value="javascript:alert(1)"` 视为 OWASP ZAP 工具中的 XSS 漏洞?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/16612521/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Why/How is `value="javascript:alert(1)"` considered as a XSS vulnerability in OWASP's ZAP tool?
提问by MatthewMcGovern
The results for OWASP's ZAP has been very useful for eliminating vulnerable parts of my website.
OWASP 的 ZAP 的结果对于消除我网站的易受攻击部分非常有用。
However, I've found a lot of results that I simply cannot fix. For example, one of the get parameters it has put javascript:alert(1);in to the variable. This variable is then output by PHP in a hidden element's valueattribute. So the final HTML looks like:
但是,我发现了很多我根本无法修复的结果。例如,它已放入javascript:alert(1);变量的 get 参数之一。该变量然后由 PHP 在隐藏元素的value属性中输出。所以最终的 HTML 看起来像:
<input type="hidden" name="someName" id="someID" value="javascript:alert(1);"/>
This value is normally used to populate a drop down with JavaScript. If it's 1 it shows optional search filters, if 0 it shows nothing. So it's only used in a string comparison that fails.
此值通常用于使用 JavaScript 填充下拉列表。如果为 1,则显示可选的搜索过滤器,如果为 0,则不显示任何内容。所以它只用于失败的字符串比较。
I see no way for this to be exploited, the alert does not run like other attacks ZAP has shown me. The output is encoded so they cannot inject HTML by ending the quotes or element early with "/>like previously found attacks, as these characters become their HTML entities counterpart.
我认为没有办法利用它,警报不像 ZAP 向我展示的其他攻击那样运行。输出被编码,因此它们不能通过"/>像以前发现的攻击那样提前结束引号或元素来注入 HTML ,因为这些字符成为它们的 HTML 实体对应物。
Is this just a false positive from ZAP matching the input string in the page source, as encoding javascript:alert(1);still equals exactly the same as javascript:alert(1);?
这是否只是 ZAP 与页面源中的输入字符串匹配的误报,因为编码javascript:alert(1);仍然与javascript:alert(1);?
回答by Eda190
Yes, OWASP's ZAP tries to find vulnerabilities on your website, and it works automatically.
是的,OWASP 的 ZAP 会尝试在您的网站上查找漏洞,并且它会自动工作。
If it's sucesfull in adding ANY PART of code into your website, the website is considered vulnerable automatically.
如果成功将任何部分代码添加到您的网站,该网站将被自动视为易受攻击的。
If your website only accepts "0" or "1" as the value of hidden input, and doesn't save or prompt the value anywhere (not even to cookies), this is not a security vulnerability, and you're safe.
如果您的网站只接受“0”或“1”作为隐藏输入的值,并且没有在任何地方保存或提示该值(甚至不向cookies),这不是安全漏洞,您是安全的。
回答by Andrei Barsan
The vulnerability means that ZAP managed to insert arbitrary codeinto that input field. This means that you're most likely not validating user input somewhere in the app.
该漏洞意味着 ZAP 设法将任意代码插入到该输入字段中。这意味着您很可能没有在应用程序的某处验证用户输入。
You should be more careful about generating that input field, and ensure that the GET parameter(s) used to generate it are validate accordingly.
您应该更加小心地生成该输入字段,并确保相应地验证用于生成它的 GET 参数。
Remember, it's better to be safe, than sorry (i.e. have your app compromised).
请记住,安全总比抱歉(即您的应用程序受到威胁)要好。
回答by priomsrb
Your HTML looks safe to me. However, consider a similar case:
你的 HTML 对我来说看起来很安全。但是,请考虑类似的情况:
<a href="javascript:alert(1);">test</a>
This will produce a link that will execute JavaScript. It could be that ZAP is being extra careful so that cases like this get picked up.
这将生成一个将执行 JavaScript 的链接。可能是 ZAP 格外小心,以便发现此类案件。
For this specific case, you should whitelist what URL schemes are allowed in user provided links. For example only allow http, https, mailto, etc.
对于这种特定情况,您应该将用户提供的链接中允许的 URL 方案列入白名单。例如只允许 http、https、mailto 等。
