XSS攻击绕过value属性中的htmlspecialchars()函数 [英] XSS attack to bypass htmlspecialchars() function in value attribute
问题描述
假设我们有这种形式,并且用户可能会在下面插入恶意代码
Let's say we have this form, and the possible part for a user to inject malicious code is this below
...
<input type=text name=username value=
<?php echo htmlspecialchars($_POST['username']); ?>>
...
我们不能简单地放置标签或javascript:alert();调用,因为值将被解释为字符串,并且htmlspecialchars过滤出<,>,',,所以我们不能用引号将值括起来.
We can't simply put a tag, or a javascript:alert(); call, because value will be interpreted as a string, and htmlspecialchars filters out the <,>,',", so We can't close off the value with quotations.
我们可以使用String.fromCode(.....)来解决引号,但是我仍然无法弹出一个简单的警告框.
We can use String.fromCode(.....) to get around the quotes, but I still unable to get a simple alert box to pop up.
有什么想法吗?
推荐答案
此外,值得一提的是,允许人们向您的页面(而不是数据源)中注入HTML或JavaScript本身并没有固有的安全风险.已经存在浏览器扩展,可以让您修改网页上的DOM和脚本,但是由于它只是客户端,因此只有它们才知道.
Also, it's important to mention that allowing people to inject HTML or JavaScript into your page (and not your datasource) carries no inherent security risk itself. There already exist browser extensions that allow you to modify the DOM and scripts on web pages, but since it's only client-side, they're the only ones that will know.
XSS成为问题的地方是当人们a)使用它绕过客户端验证或输入过滤,或者b)人们使用它来操纵输入字段(例如,更改ACL中的OPTION标记的值以授予权限)时他们不应该拥有的权限).防止这些攻击的唯一方法是对服务器端的输入进行清理和验证,而不是对客户端验证进行补充或补充.
Where XSS becomes a problem is when people a) use it to bypass client-side validation or input filtering or b) when people use it to manipulate input fields (for example, changing the values of OPTION tags in an ACL to grant them permissions they shouldn't have). The ONLY way to prevent against these attacks is to sanitize and validate input on the server-side instead of, or in addition to, client-side validation.
要清理输入中的HTML,除非希望允许某些标签,否则htmlspecialchars完全足够,在这种情况下,您可以使用HTMLPurifier之类的库.如果要将用户输入放在HREF,ONCLICK或任何允许编写脚本的属性中,那么您只是在自找麻烦.
For sanitizing HTML out of input, htmlspecialchars is perfectly adequate unless you WANT to allow certain tags, in which case you can use a library like HTMLPurifier. If you're placing user input in HREF, ONCLICK, or any attribute that allows scripting, you're just asking for trouble.
查看您的代码,好像您没有引用属性!那真是愚蠢.如果有人将用户名设置为:
Looking at your code, it looks like you aren't quoting your attributes! That's pretty silly. If someone put their username as:
john onclick="alert('hacking your megabits!1')"
然后您的脚本将解析为:
Then your script would parse as:
<input type=text name=username value=john onclick="alert('hacking your megabits!1')">
始终在属性周围使用引号.即使它们不是用户输入的,这也是一个很好的习惯.
ALWAYS use quotes around attributes. Even if they aren't user-inputted, it's a good habit to get into.
<input type="text" name="username" value="<?php echo htmlspecialchars($_POST['username']); ?>">
这篇关于XSS攻击绕过value属性中的htmlspecialchars()函数的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
