HTML 编码会阻止各种 XSS 攻击吗? [英] Will HTML Encoding prevent all kinds of XSS attacks?
问题描述
我不担心其他类型的攻击.只是想知道HTML Encode是否可以防止各种XSS攻击.
I am not concerned about other kinds of attacks. Just want to know whether HTML Encode can prevent all kinds of XSS attacks.
即使使用 HTML 编码,有没有什么方法可以进行 XSS 攻击?
Is there some way to do an XSS attack even if HTML Encode is used?
推荐答案
没有
撇开允许某些标签的主题(并不是问题的重点),HtmlEncode 根本不涵盖所有 XSS 攻击.
Putting aside the subject of allowing some tags (not really the point of the question), HtmlEncode simply does NOT cover all XSS attacks.
例如,考虑服务器生成的客户端 javascript - 服务器动态地将 htmlencoded 值直接输出到客户端 javascript,htmlencode 将不会停止注入的脚本执行.
For instance, consider server-generated client-side javascript - the server dynamically outputs htmlencoded values directly into the client-side javascript, htmlencode will not stop injected script from executing.
接下来,考虑以下伪代码:
Next, consider the following pseudocode:
<input value=<%= HtmlEncode(somevar) %> id=textbox>
现在,如果它不是很明显,如果 somevar(当然由用户发送)设置为例如
Now, in case its not immediately obvious, if somevar (sent by the user, of course) is set for example to
a onclick=alert(document.cookie)
结果输出是
<input value=a onclick=alert(document.cookie) id=textbox>
这显然有效.显然,这可以是(几乎)任何其他脚本......而 HtmlEncode 不会有太大帮助.
which would clearly work. Obviously, this can be (almost) any other script... and HtmlEncode would not help much.
还有一些额外的向量需要考虑......包括第三种 XSS,称为基于 DOM 的 XSS(其中恶意脚本是在客户端动态生成的,例如基于 # 值).
There are a few additional vectors to be considered... including the third flavor of XSS, called DOM-based XSS (wherein the malicious script is generated dynamically on the client, e.g. based on # values).
也不要忘记 UTF-7 类型的攻击 - 攻击看起来像
Also don't forget about UTF-7 type attacks - where the attack looks like
+ADw-script+AD4-alert(document.cookie)+ADw-/script+AD4-
没有什么可编码的...
Nothing much to encode there...
当然(除了适当和限制性的白名单输入验证之外),解决方案是执行上下文敏感编码:如果您输出的上下文是 HTML,则 HtmlEncoding 很棒,或者也许您需要 JavaScriptEncoding,或 VBScriptEncoding,或 AttributeValueEncoding,或...等.
The solution, of course (in addition to proper and restrictive white-list input validation), is to perform context-sensitive encoding: HtmlEncoding is great IF you're output context IS HTML, or maybe you need JavaScriptEncoding, or VBScriptEncoding, or AttributeValueEncoding, or... etc.
如果您使用的是 MS ASP.NET,您可以使用他们的 Anti-XSS 库,它提供了所有必要的上下文编码方法.
If you're using MS ASP.NET, you can use their Anti-XSS Library, which provides all of the necessary context-encoding methods.
请注意,所有编码不应仅限于用户输入,还应存储来自数据库、文本文件等的值.
Note that all encoding should not be restricted to user input, but also stored values from the database, text files, etc.
哦,别忘了在 HTTP 标头和 META 标签中明确设置字符集,否则你仍然会有 UTF-7 漏洞...
Oh, and don't forget to explicitly set the charset, both in the HTTP header AND the META tag, otherwise you'll still have UTF-7 vulnerabilities...
一些更多信息和一个非常明确的列表(不断更新),请查看 RSnake 的备忘单:http://ha.ckers.org/xss.html
Some more information, and a pretty definitive list (constantly updated), check out RSnake's Cheat Sheet: http://ha.ckers.org/xss.html
这篇关于HTML 编码会阻止各种 XSS 攻击吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
