XSS without HTML tags


Question

Is it possible to do an XSS attack if my input does not allow < and > characters?

Example: I enter <script>alert('this');</script> text

But if I delete < and > the script is not text:

I enter script alert('this'); script text

Answer

Yes, it is still possible.

e.g. Say your site injects user input into the following location

<img src="http://example.com/img.jpg" alt="USER-INPUT" />

If USER-INPUT is " ONLOAD="alert('xss'), it will render

<img src="http://example.com/img.jpg" alt="" ONLOAD="alert('xss')" />

No angle brackets needed.

Also take a look at the OWASP XSS Experimental Minimal Encoding Rules.

For HTML body:

  • HTML entity encode < &
  • specify charset in meta tag to avoid UTF-7 XSS

For XHTML body:

  • HTML entity encode < & >
  • restrict input to the character set http://www.w3.org/TR/2008/REC-xml-20081126/#charsets

So within the body you can get away with only encoding (or removing) a subset of the characters usually recommended to prevent XSS. However, you cannot do this within attributes - the full XSS (Cross Site Scripting) Prevention Cheat Sheet recommends the following, and they do not have a minimal alternative:

Except for alphanumeric characters, escape all characters with the HTML Entity &#xHH; format, including spaces. (HH = Hex Value)

This is mainly to cover the three ways of specifying the attribute value:

  • unquoted
  • single-quoted
  • double-quoted

Encoding in such a way will prevent XSS in attribute values in all three cases.

Also be wary that UTF-7 attacks do not need angle bracket characters. However, unless the charset is explicitly set to UTF-7, this type of attack isn't possible in modern browsers.

+ADw-script+AD4-alert(document.location)+ADw-/script+AD4-

Also beware of attributes that allow URLs like href and ensure any user input is a valid web URL. Using a reputable library to validate the URL is highly recommended, using an allow-list approach (e.g. if protocol is not HTTPS then reject). Attempting to block sequences like javascript: is not sufficient.
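The three rules from the answer above (minimal body encoding, the &#xHH; attribute rule, and an allow-list check for href values), as an added example that is not part of the original post or of OWASP's own code. Everything here is constructed for the demo: the function names, the choice of urllib.parse.urlsplit as the URL parser, the https-only allow-list and the sample inputs are all assumptions, not something the answer prescribes.

```python
"""Added example (not from the original post): output encoding for the
contexts the answer discusses, plus an allow-list href check.

Assumptions: urllib.parse.urlsplit is an acceptable URL parser for the
demo, and only https links are allowed in href attributes.
"""
from urllib.parse import urlsplit

# Allow-list of schemes we are willing to emit in href attributes (assumption).
ALLOWED_SCHEMES = frozenset({"https"})


def encode_html_body(text: str, xhtml: bool = False) -> str:
    """Minimal body-context encoding from the answer: '<' and '&' always,
    and '>' as well for XHTML. '&' is replaced first so the entities we
    emit are not re-encoded by the later replacements."""
    out = text.replace("&", "&amp;").replace("<", "&lt;")
    if xhtml:
        out = out.replace(">", "&gt;")
    return out


def encode_html_attribute(value: str) -> str:
    """Attribute-context encoding: every character that is not an ASCII
    letter or digit becomes &#xHH; (hex code point), spaces included.
    The characters that close an unquoted, single-quoted or double-quoted
    attribute (whitespace, ' and ") can then never appear literally."""
    return "".join(
        c if (c.isascii() and c.isalnum()) else f"&#x{ord(c):X};"
        for c in value
    )


def render_img(src: str, alt_from_user: str) -> str:
    """Builds the <img> from the answer with the user value encoded for
    the attribute it lands in."""
    return f'<img src="{src}" alt="{encode_html_attribute(alt_from_user)}" />'


def is_allowed_link(url: str) -> bool:
    """Allow-list check for href values: accept only absolute URLs whose
    scheme is in ALLOWED_SCHEMES and that have a host. Anything else,
    including javascript: and data: URLs, protocol-relative //host and
    scheme-less strings, is rejected by default."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # e.g. malformed IPv6 bracket syntax
        return False
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def render_link(url_from_user: str, label: str) -> str:
    """Validate first, then encode: a URL that passes the allow-list still
    goes through attribute encoding, so a quote or space inside its query
    string cannot break out of the href attribute."""
    if not is_allowed_link(url_from_user):
        raise ValueError("href rejected by allow-list")
    return (f'<a href="{encode_html_attribute(url_from_user)}">'
            f'{encode_html_body(label)}</a>')


if __name__ == "__main__":
    # Constructed sample: the attribute-breakout value quoted in the answer.
    payload = '" ONLOAD="alert(\'xss\')'
    print(render_img("http://example.com/img.jpg", payload))
    for candidate in ("https://example.com/a?b=1", "javascript:alert(1)",
                      "//example.com", "http://example.com"):
        print(candidate, "->", is_allowed_link(candidate))
```

With the attribute encoder in place, the answer's USER-INPUT value renders as alt="&#x22;&#x20;ONLOAD&#x3D;..." and stays a plain string: the closing quote and the space that would have started a new attribute are entities now. Note that validating a URL and encoding it are two separate steps; passing the allow-list does not make a value safe to concatenate into markup, so render_link still encodes it.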
