XSS Me Warnings - real XSS issues?

Views: 153

Question


I've been using the free Firefox extension XSS Me from Security Compass to test for XSS problems. However, using what I understand to be safe filtering, XSS Me still reports warnings. Are these accurate warnings or spurious?

Using the code below as a testcase:

<form method="post" action="">
<input type="text" name="param" value="<?php echo htmlentities($_POST['param'])?>">
<input type="submit">
</form>
<?php echo htmlentities($_POST['param'])?>

I run some nasties by hand but none of them are executed in the browser, and using Charles debugging proxy I can see that the response is encoded as expected.

However, XSS Me reports a number of warnings, as if it can see the unencoded string in the HTML source (screenshot of the XSS Me warnings: http://img696.imageshack.us/img696/8850/xss.png).

Looking in Charles at the same time, I can see the strings are encoded and should be safe, e.g. &lt;IMG SRC=&quot;jav ascript:document.vulnerable=true;&quot;&gt;

• Is there a vulnerability I haven't fixed?
• Are these rogue warning messages?
• And if so, is another Firefox extension (Firebug?) conflicting with XSS Me?

Solution

I work at Security Compass and am the lead developer for the Exploit Me tools.

You're right that XSS Me is reporting a warning because these attack strings seem (to XSS Me) to have come back from the server completely unencoded. Another parser/JavaScript engine (like IE 6/7/8, Safari, or Chrome) might execute this code even though Firefox's parser and JavaScript engine don't.

XSS Me submits two requests:

• One request where we detect exploitation using Firefox's JavaScript engine, which we call "errors"
• A second request where we detect exploitation by simply grepping for the attack string in the HTML response page

The warning you're getting is caused by this second request.

I can help you get to the root cause of this issue if you can do the following:

1. Use packet sniffing software (i.e. Wireshark http://www.wireshark.org/) to detect the attack string rather than Charles. Sometimes proxies have a way of modifying or otherwise altering requests.

2. In Firefox, can you go to Tools -> Add-ons and disable all the extensions except XSS Me? That way you can be sure no other extension is changing the response (or request) before it gets to XSS Me.

3. View the source of the response page in Firefox to see if the unencoded string appears.

If you'd like to send me an email (tom@securitycompass.com) with those results I'd be happy to help figure this out. If it's a bug in XSS Me (which I certainly hope not) then I can patch it and get a new build out.

Thanks,

Tom
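As an added example (not part of either post, and not XSS Me's own code), the following Python models the PHP test case from the question and the "grep for the attack string" check the answer describes, and shows the one situation in which that check would fire on a correctly encoded page: something between the server and the extension decoding the entities. The `render_page` reflection, the `proxy_decodes_entities` intermediary and the attack string are constructed for illustration.

```python
import html

# Constructed attack string of the kind quoted in the question.
ATTACK = '<IMG SRC="jav ascript:document.vulnerable=true;">'


def render_page(param: str, encode: bool = True) -> str:
    """Model the PHP test case: the parameter is reflected once into a
    double-quoted attribute and once into the body. With encode=True the
    value is escaped like htmlentities() with ENT_QUOTES (< > & " and ')."""
    value = html.escape(param, quote=True) if encode else param
    return (
        '<form method="post" action="">\n'
        f'<input type="text" name="param" value="{value}">\n'
        '<input type="submit">\n'
        '</form>\n'
        f'{value}\n'
    )


def grep_warning(response: str, attack: str) -> bool:
    """The second XSS Me check as the answer describes it: warn if the raw
    attack string appears anywhere in the HTML response."""
    return attack in response


def proxy_decodes_entities(response: str) -> str:
    """Hypothetical intermediary (a proxy or another extension) that decodes
    HTML entities before the response reaches the scanner."""
    return html.unescape(response)


def run_cases() -> dict:
    """Return the grep result for the three situations discussed above."""
    encoded = render_page(ATTACK)
    return {
        # Properly encoded reflection: the raw string is absent, no warning.
        "encoded": grep_warning(encoded, ATTACK),
        # Unencoded reflection: the check correctly fires.
        "unencoded": grep_warning(render_page(ATTACK, encode=False), ATTACK),
        # Encoded by the server but decoded in transit: a false positive
        # that looks, to the scanner, exactly like an unencoded reflection.
        "decoded_in_transit": grep_warning(proxy_decodes_entities(encoded), ATTACK),
    }


if __name__ == "__main__":
    for case, warned in run_cases().items():
        print(f"{case:20s} warning={warned}")
```

If the Wireshark capture shows the encoded form while the extension still warns, the third case is the one to chase.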

