Prevent auto clicked link XSS attack using CSP

Question


Whilst using CSP for a slightly different purpose (sandboxing) I realized that a very simple auto clicked link seems to bypass even relatively strict CSP. What I am describing is the following:

Content Security Policy:

default-src 'none'; script-src 'unsafe-inline';

Body:

<a href="http://www.google.com">test</a>
<script>
  document.querySelector("a").click();
</script>


Obviously in a real attack you would include the cookie information into the href field first and probably wrap this in a hidden self-embedding iframe or make the domain redirect you back to where you came from (potentially with additional url parameters thus creating a sort of XMLHttpRequest bypassing connect-src), but this basic example does show the problem.


Is there any way to prevent this with CSP (which still does allow the execution of Javascript)?


The same thing can obviously be done with some other navigation methods as well. The reason why I was asking specifically about this method actually has more to do with my secondary goals than XSS exploits. Either way, open to any and all real solutions.


Because of all the confusion about how this could still be applicable even without script-src: 'unsafe-inline', imagine the following file named api.ext:

print URLParameters.method
[...]


This file could then be called like api.ext?method=<script src='api.ext?method=alert("test")//'></script><!-- (except you would need additional URL encoding and stuff, this is just to get the point across). Finding exploits like this is hard and they are quite rare, but things like connect-src seem to exist to prevent leakage of information even in those cases.

Recommended answer


This is unlikely to be a satisfying approach - and obviously it isn't based on CSP - but it might be your only option if you really have to prevent such attacks. Before using anything like this, make sure that there is really no way to disable inline scripts (which should cover most attacks). Moreover, you should send your feedback to the public-webappsec@w3.org mailing list with a [CSP2] subject.


Here is my (incomplete) idea:

function guardMethods(clazz, methodNames, urlGetter, allowFilter, reportViolation) {
    var prototype = clazz.prototype;
    methodNames.forEach(function (methodName) {
        var originalMethod = prototype[methodName];
        if (originalMethod) {
            // Replace the prototype method with a wrapper that consults allowFilter first
            Object.defineProperty(prototype, methodName, {
                value: function () {
                    var url = urlGetter.apply(this, arguments) || '';
                    if (allowFilter(url)) {
                        return originalMethod.apply(this, arguments);
                    } else {
                        reportViolation(url);
                    }
                }
            });
        }
    });
}

function allowFilter(url) {
    // todo: implement (return true only for URLs the page may navigate to)
}

function reportViolation(url) {
    console.error('Redirection prevented:', url);
}

// Guard the anchor methods that can trigger navigation; urlGetter reads the anchor's href
guardMethods(HTMLAnchorElement, ['click', 'dispatchEvent', 'fireEvent'], function () {return this.href}, allowFilter, reportViolation);


You would have to implement similar guards for location, location.href, window.open and other functions/properties/events which allow redirecting to other pages. If you miss just one, then you are still vulnerable. Forms, XHR and most other resources can be covered with CSP itself. As far as I know, the prototype hack does not work in some older browsers.


Once more, I do not recommend using this. The chance that you make a mistake, or that it does not work in some browsers, or that a new API will be added which can be leveraged for redirects is just too high.
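As an added example (not part of the answer above), here is one way to fill in the `allowFilter` the answer leaves as a todo: resolve the href against the page URL, reject non-http(s) schemes, and allow only a fixed set of origins. `PAGE_URL`, `ALLOWED_ORIGINS` and the `FakeAnchor` stand-in for `HTMLAnchorElement` are assumptions so the guard can be run outside a browser.

```javascript
// Added example, not part of the original answer: a concrete allowFilter for the
// guardMethods idea above, plus a stand-in anchor class so it can run outside a browser.
// PAGE_URL and ALLOWED_ORIGINS are constructed sample values.
const PAGE_URL = 'https://app.example/dashboard';
const ALLOWED_ORIGINS = new Set(['https://app.example']);

// Allow a navigation only if the href resolves to an http(s) URL on an allowed origin.
// Relative and protocol-relative hrefs are resolved against the page URL first, and
// javascript:, data:, blob: etc. are rejected regardless of origin.
function makeAllowFilter(pageUrl, allowedOrigins) {
  return function allowFilter(url) {
    let target;
    try {
      target = new URL(String(url), pageUrl);
    } catch (e) {
      return false; // unparseable href: deny
    }
    if (target.protocol !== 'https:' && target.protocol !== 'http:') return false;
    return allowedOrigins.has(target.origin);
  };
}

// Prototype wrapper as in the answer; a blocked call returns false so callers can tell.
function guardMethods(clazz, methodNames, urlGetter, allowFilter, reportViolation) {
  const proto = clazz.prototype;
  methodNames.forEach(function (name) {
    const original = proto[name];
    if (!original) return;
    Object.defineProperty(proto, name, {
      value: function () {
        const url = urlGetter.apply(this, arguments) || '';
        if (allowFilter(url)) return original.apply(this, arguments);
        reportViolation(url);
        return false;
      }
    });
  });
}

// Constructed stand-in for HTMLAnchorElement (hypothetical; only for running this in Node).
class FakeAnchor {
  constructor(href) { this.href = href; this.clicked = 0; }
  click() { this.clicked += 1; return true; }
}

const blocked = []; // URLs the guard refused, in order
guardMethods(FakeAnchor, ['click'], function () { return this.href; },
  makeAllowFilter(PAGE_URL, ALLOWED_ORIGINS), function (url) { blocked.push(url); });
```

In a browser the same call would be made with `HTMLAnchorElement` in place of `FakeAnchor`; the caveats in the answer about other navigation APIs still apply.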
