没有HTML标签的XSS [英] XSS without HTML tags
问题描述
如果我的输入不允许<和>字符?
It is possible to do a XSS attack if my input does not allow < and > characters?
Example: I enter <script>alert('this');</script> text
但是如果我删除<并且>脚本不是文本:
But it if I delete < and > the script is not text:
I enter script alert('this'); script text
推荐答案
是的,仍然有可能.
例如假设您的网站将用户输入内容注入以下位置
e.g. Say your site injects user input into the following location
<img src="http://example.com/img.jpg" alt="USER-INPUT" />
如果 USER-INPUT
是"ONLOAD =" alert('xss')
,它将呈现
<img src="http://example.com/img.jpg" alt="" ONLOAD="alert('xss')" />
不需要尖括号.
还请查看 OWASP XSS实验性最小编码规则.
对于HTML正文:
HTML实体编码<&
HTML Entity encode < &
在元标记中指定字符集,以避免使用UTF7 XSS
specify charset in metatag to avoid UTF7 XSS
对于XHTML正文:
HTML实体编码<&>
HTML Entity encode < & >
将输入限制为字符集 http://www.w3.org/TR/2008/REC-xml-20081126/#charsets
因此,在体内,您仅需编码(或删除)通常建议用来防止XSS的一部分字符即可.但是,您不能在属性内执行此操作-完整的 XSS(跨站点脚本))预防速查表建议采取以下措施,但没有其他选择:
So within the body you can get away with only encoding (or removing) a subset of the characters usually recommended to prevent XSS. However, you cannot do this within attributes - the full XSS (Cross Site Scripting) Prevention Cheat Sheet recommends the following, and they do not have a minimal alternative:
除字母数字字符外,请以HTML实体
& #xHH;
格式转义所有字符,包括空格.(HH =十六进制值)
Except for alphanumeric characters, escape all characters with the HTML Entity
&#xHH;
format, including spaces. (HH = Hex Value)
尽管主要涵盖了三种指定属性值的方式:
The is mainly though to cover the three types of ways of specifying the attribute value:
- 未引用
- 单引号
- 双引号
以这种方式进行编码将在所有三种情况下防止XSS在属性值中出现.
Encoding in such a way will prevent XSS in attribute values in all three cases.
还请注意, UTF-7 攻击不需要尖括号字符.但是,除非将字符集明确设置为UTF-7,否则这种类型的攻击在现代浏览器中是不可能的
Also be wary that UTF-7 attacks do not need angle bracket characters. However, unless the charset is explicitly set to UTF-7, this type of attack isn't possible in modern browsers.
+ADw-script+AD4-alert(document.location)+ADw-/script+AD4-
还请注意允许使用 href
之类的URL的属性,并确保任何用户输入都是有效的Web URL.强烈建议使用允许列表方法(例如,如果协议不是HTTPS则拒绝)使用信誉良好的库来验证URL.尝试阻止 javascript:
之类的序列是不够的.
Also beware of attributes that allow URLs like href
and ensure any user input is a valid web URL. Using a reputable library to validate the URL is highly recommended using an allow-list approach (e.g. if protocol not HTTPS then reject). Attempting to block sequences like javascript:
is not sufficient.
这篇关于没有HTML标签的XSS的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!