如何防止XSS攻击 [英] how to prevent XSS attack

问题描述

渗透测试团队告诉我，以下URL导致XSS攻击-

I was told by penetration test team that the below URL is causing XSS attack -

https://some-site.com/test/jsp/download_msg.jsp?&report_id=0&id=1369413198709cUjxb8IRCtTJcbYBHb0Qiph&id=1369413198709cUj

这是我的download_msg.jsp代码

Here is my code of download_msg.jsp

        <% String download_msg = null;
           if (session == null || session.getAttribute("user") == null) {
               download_msg = "Error message";
           } else {
               download_msg =
              (OLSUser)session.getAttribute("user")).getReportInfo().getDownloadMsg();
           } 
        %>

       <html>
        <head>
         <SCRIPT LANGUAGE='JavaScript' SRC='/Test/test.js'></SCRIPT>
           <SCRIPT LANGUAGE='JavaScript'>init('StmsReps');</SCRIPT>
             <script language="JavaScript">
            function redirect() {
             if (window.focus)
            self.focus();
         this.location = "/test/DownloadReport?<%=request.getQueryString()%>";
    }
        </script>
     <title>XSS</title>
     </head>
      <body marginwidth='0' marginheight='0' onload='javascript:redirect()'>
         <table width='90%' height='100%' align='center' border='0' cellspacing='0'
            cellpadding='0'>               
      <tr>
    <td align='center' class='header2'> <%= download_msg %></td>
   </tr>
   </table>
   </body>
   </html>

我发现jstl可以处理XSS攻击.您能否建议以下内容是否可以，还是我需要做其他事情?

I found that jstl can handle XSS attack. Can you please advice if do the below then will it be fine or do I need to do something else?

         <c:out value="<%= download_msg %>" escapeXml="true"/>

推荐答案

否.这还不够

this.location = "/test/DownloadReport?<%=request.getQueryString()%>";

攻击者可能能够发送带有查询字符串之类的链接

An attacker may be able to send a link with a query string like

?</script><script>alert(1337)//

或

?%22/alert('Pwned')

天真的用户可能会单击链接并执行嵌入的代码.

to naïve users who might click the link and execute the embedded code.

您必须应用适当的转义策略无处不在不受信任的输入被插入到模板中.

You have to apply appropriate escaping policies everywhere untrusted input is interpolated into a template.

我显然无法针对您的设置测试这些字符串，并且如果您对它们进行测试，它们可能无法正常工作，因为浏览器通常会对查询字符串进行某种标准化，但是您不应该依赖于此来保护您免受HTML元数据的攻击，查询字符串中的字符.

I can't test these strings against your setup obviously, and they may not work if you test with them since browsers often do some normalization of query strings, but you shouldn't rely on that to protect you against HTML meta-characters in query strings.

这篇关于如何防止XSS攻击的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！