XSS - Which HTML Tags and Attributes can trigger Javascript Events?

Question


I'm trying to code a secure and lightweight white-list based HTML purifier which will use DOMDocument. In order to avoid unnecessary complexity I am willing to make the following compromises:

  • HTML comments are removed
  • script and style tags are stripped altogether
  • only the child nodes of the body tag will be returned
  • all HTML attributes that can trigger Javascript events will either be validated or removed

I've been reading a lot about XSS attacks and prevention and I hope I'm not being too naive (if I am, please let me know!) in assuming that if I follow all the rules I mentioned above, I will be safe from XSS.

The problem is I am not sure what other tags and attributes (in any [X]HTML version and/or browser versions/implementations) can trigger Javascript events, besides the default Javascript event attributes:

  • onAbort
  • onBlur
  • onChange
  • onClick
  • onDblClick
  • onDragDrop
  • onError
  • onFocus
  • onKeyDown
  • onKeyPress
  • onKeyUp
  • onLoad
  • onMouseDown
  • onMouseMove
  • onMouseOut
  • onMouseOver
  • onMouseUp
  • onMove
  • onReset
  • onResize
  • onSelect
  • onSubmit
  • onUnload

Are there any other non-default or proprietary event attributes that can trigger Javascript (or VBScript, etc...) events or code execution? I can think of href, style and action, for instance:

<a href="javascript:alert(document.location);">XSS</a> // or
<b style="width: expression(alert(document.location));">XSS</b> // or
<form action="javascript:alert(document.location);"><input type="submit" /></form>

I will probably just remove any style attributes in the HTML tags; the action and href attributes pose a bigger challenge, but I think the following code is enough to make sure their value is either a relative or absolute URL and not some nasty Javascript code:

// $node is the DOMElement being inspected and $attribute is one of its DOMAttr nodes
$value = $attribute->value;

// A value containing ':' is treated as carrying a scheme; keep it only if the scheme
// is http(s), ftp(s), sftp(s) or mailto, otherwise drop the whole attribute.
if ((strpos($value, ':') !== false) && (preg_match('~^(?:(?:s?f|ht)tps?|mailto):~i', $value) == 0))
{
    $node->removeAttributeNode($attribute);
}

So, my two obvious questions are:

  1. Am I missing any tags or attributes that can trigger events?
  2. Is there any attack vector that is not covered by these rules?


After a lot of testing, pondering and researching I've come up with the following (rather simple) implementation, which appears to be immune to any XSS attack vector I could throw at it.

I highly appreciate all your valuable answers, thanks.

Solution

You mention href and action as places javascript: URLs can appear, but you're missing the src attribute among a bunch of other URL loading attributes.

Line 399 of the OWASP Java HTMLPolicyBuilder is the definition of URL attributes in a white-listing HTML sanitizer.

private static final Set<String> URL_ATTRIBUTE_NAMES = ImmutableSet.of(
  "action", "archive", "background", "cite", "classid", "codebase", "data",
  "dsync", "formaction", "href", "icon", "longdesc", "manifest", "poster",
  "profile", "src", "usemap");

The HTML5 Index contains a summary of attribute types. It doesn't mention some conditional things like <input type=URL value=...> but if you scan that list for valid URL and friends, you should get a decent idea of what HTML5 adds. The set of HTML 4 attributes with type %URI is also informative.

Your protocol whitelist looks very similar to the OWASP sanitizer one. The addition of ftp and sftp looks innocuous enough.

A good source of security-related schema info for HTML elements and attributes is the Caja JSON whitelists, which are used by the Caja JS HTML sanitizer.

How are you planning on rendering the resulting DOM? If you're not careful, then even if you strip out all the <script> elements, an attacker might get a buggy renderer to produce content that a browser interprets as containing a <script> element. Consider the following valid HTML, which does not contain a script element:

<textarea><&#47;textarea><script>alert(1337)</script></textarea>

A buggy renderer might output the contents of this as:

<textarea></textarea><script>alert(1337)</script></textarea>

which does contain a script element.

(Full disclosure: I wrote chunks of both HTML sanitizers mentioned above.)
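The asker's four rules and the answer's URL-attribute list, combined into one runnable whitelist sanitizer. This is an added example written in Python on the standard-library html.parser; it is not the asker's PHP/DOMDocument code and not code from either sanitizer the answer mentions. Assumptions: ALLOWED_ELEMENTS is a demo element whitelist (the asker's list is not on the page); URL_ATTRIBUTE_NAMES is the OWASP list quoted in the answer; url_is_safe applies the asker's scheme regex after stripping leading whitespace and ASCII control characters, a hardening step that is not in the original check. Every text node is re-escaped on output, which is what keeps the answer's textarea sample from being re-serialised into an end tag; BuggyRenderer is the verbatim-output variant, included for contrast.

```python
import html
import re
from html.parser import HTMLParser

# URL-bearing attributes: the OWASP Java HTML sanitizer set quoted in the answer.
URL_ATTRIBUTE_NAMES = {
    "action", "archive", "background", "cite", "classid", "codebase", "data",
    "dsync", "formaction", "href", "icon", "longdesc", "manifest", "poster",
    "profile", "src", "usemap",
}
# Same scheme whitelist as the asker's regex: http(s), ftp(s), sftp(s), mailto.
SAFE_SCHEME_RE = re.compile(r"^(?:(?:s?f|ht)tps?|mailto):", re.IGNORECASE)
# Whole subtree dropped (the asker's rule for script and style).
DROP_SUBTREE = {"script", "style"}
# Element whitelist for this demo only (an assumption; the asker's list is not on the page).
ALLOWED_ELEMENTS = {"a", "b", "i", "p", "br", "img", "form", "input", "textarea", "ul", "li"}
VOID_ELEMENTS = {"br", "img", "input"}


def url_is_safe(value):
    """The asker's check: a value containing ':' must start with a whitelisted scheme.
    ASCII control characters and leading whitespace are removed first because browsers
    ignore them when parsing the scheme (hardening added here, not in the original regex)."""
    cleaned = "".join(ch for ch in value if ord(ch) > 0x1F).lstrip()
    if ":" not in cleaned:
        return True  # relative URL, nothing to validate
    return SAFE_SCHEME_RE.match(cleaned) is not None


class WhitelistSanitizer(HTMLParser):
    """Re-serialises only whitelisted elements and attributes; text is escaped on output."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities in text/attributes are decoded
        self.out = []
        self.skip_depth = 0  # > 0 while inside a script/style subtree

    def handle_starttag(self, tag, attrs):
        if tag in DROP_SUBTREE:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_ELEMENTS:
            return  # unknown element: drop the tag, keep (unwrap) its text content
        kept = []
        for name, value in attrs:
            name = name.lower()
            value = value if value is not None else ""
            if name.startswith("on") or name == "style":
                continue  # every event-handler attribute, listed or proprietary, and style
            if name in URL_ATTRIBUTE_NAMES and not url_is_safe(value):
                continue  # decoded value carries a non-whitelisted scheme
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in DROP_SUBTREE:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if not self.skip_depth and tag in ALLOWED_ELEMENTS and tag not in VOID_ELEMENTS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(self.render_text(data))

    def handle_comment(self, data):
        pass  # HTML comments are removed

    @staticmethod
    def render_text(data):
        # Escaping here is what stops a decoded "</textarea>" text node from becoming a tag.
        return html.escape(data, quote=False)


class BuggyRenderer(WhitelistSanitizer):
    """The answer's buggy renderer: same parse, but text nodes are written back verbatim."""

    @staticmethod
    def render_text(data):
        return data


def sanitize(fragment, renderer=WhitelistSanitizer):
    """Parse an HTML fragment and return the whitelisted, re-serialised version."""
    parser = renderer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample: the answer's textarea fragment, through both renderers.
    sample = '<textarea><&#47;textarea><script>alert(1337)</script></textarea>'
    print(sanitize(sample))                 # escaped: <textarea>&lt;/textarea&gt;</textarea>
    print(sanitize(sample, BuggyRenderer))  # the text node comes back as a real end tag
```

One caveat the example makes visible: html.parser does not treat textarea content as raw text the way a browser does, so the `<script>` in the sample is parsed as an element and stripped rather than kept as text. The parser a sanitizer uses should agree with the browser's parsing model, otherwise the output can be interpreted differently from what was checked.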
