Protect from cross-site scripting attacks?


Problem description


We recently set up a website (http://www.doverjewelry.com/) with hikashop; the domain has godaddy website protection, so it scans the website and warns against vulnerabilities. The scan is currently reporting that the website is vulnerable to cross-site scripting attacks. This is the scan output:

Using the GET HTTP method, Site Scanner found that :
+ The following resources may be vulnerable to XSS (on parameters names) :
/bands-and-settings/category/371-all-ring-settings/limit_hikashop_catego
ry_information_module_223_371-0/limitstart_hikashop_category_information
_module_223_371-0/filter_order_hikashop_category_information_module_223_
371-a.ordering/filter_order_Dir_hikashop_category_information_module_223
_371-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-atom?<<<<<<<<<<foo"bar'
314>>>>>=1
-------- request --------
GET /bands-and-settings/category/371-all-ring-settings/limit_hikashop_category_information_module_223_371-0/limitstart_hikashop_category_information_module_223_371-0/filter_order_hikashop_category_information_module_223_371-a.ordering/filter_order_Dir_hikashop_category_information_module_223_371-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-atom?<<<<<<<<<<foo"bar'314>>>>>=1 HTTP/1.1\r
Host: www.doverjewelry.com\r
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1\r
Accept-Language: en\r
Connection: Close\r
Cookie: 7eedc822c6dd39ecf3c8ab00003d56f9=764a229107bda6b48c2863965f50ca03\r
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; MSIE 6.0; Site Scanner Bot; +http://www.websiteprotection.com) Firefox/2.0.0.3\r
Pragma: no-cache\r
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
------------------------
-------- output --------

[...] bd44a6ec-1/type-atom?<<<<<<<<<<foo"bar'314>>>>>=1" method="post" name="ad [...]
<div class="hikashop_products_pagination hikashop_products_paginat [...]
------------------------
/engagement-rings/category/366-antique-engagement-rings/limit_hikashop_c
ategory_information_module_222_366-25/limitstart_hikashop_category_infor
mation_module_222_366-0/filter_order_hikashop_category_information_modul
e_222_366-a.ordering/filter_order_Dir_hikashop_category_information_modu
le_222_366-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-atom?<<<<<<<<<<fo
o"bar'314>>>>>=1
-------- request --------
GET /engagement-rings/category/366-antique-engagement-rings/limit_hikashop_category_information_module_222_366-25/limitstart_hikashop_category_information_module_222_366-0/filter_order_hikashop_category_information_module_222_366-a.ordering/filter_order_Dir_hikashop_category_information_module_222_366-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-atom?<<<<<<<<<<foo"bar'314>>>>>=1 HTTP/1.1\r
Host: www.doverjewelry.com\r
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1\r
Accept-Language: en\r
Connection: Close\r
Cookie: 7eedc822c6dd39ecf3c8ab00003d56f9=764a229107bda6b48c2863965f50ca03\r
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; MSIE 6.0; Site Scanner Bot; +http://www.websiteprotection.com) Firefox/2.0.0.3\r
Pragma: no-cache\r
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
------------------------
-------- output --------

[...] bd44a6ec-1/type-atom?<<<<<<<<<<foo"bar'314>>>>>=1" method="post" name="ad [...]
<div class="hikashop_products_pagination hikashop_products_paginat [...]
------------------------
/engagement-rings/category/366-antique-engagement-rings/limit_hikashop_c
ategory_information_module_222_366-25/limitstart_hikashop_category_infor
mation_module_222_366-0/filter_order_hikashop_category_information_modul
e_222_366-a.ordering/filter_order_Dir_hikashop_category_information_modu
le_222_366-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-rss?<<<<<<<<<<foo
"bar'314>>>>>=1
-------- request --------
GET /engagement-rings/category/366-antique-engagement-rings/limit_hikashop_category_information_module_222_366-25/limitstart_hikashop_category_information_module_222_366-0/filter_order_hikashop_category_information_module_222_366-a.ordering/filter_order_Dir_hikashop_category_information_module_222_366-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-rss?<<<<<<<<<<foo"bar'314>>>>>=1 HTTP/1.1\r
Host: www.doverjewelry.com\r
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1\r
Accept-Language: en\r
Connection: Close\r
Cookie: 7eedc822c6dd39ecf3c8ab00003d56f9=764a229107bda6b48c2863965f50ca03\r
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; MSIE 6.0; Site Scanner Bot; +http://www.websiteprotection.com) Firefox/2.0.0.3\r
Pragma: no-cache\r
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
------------------------
-------- output --------

[...] abd44a6ec-1/type-rss?<<<<<<<<<<foo"bar'314>>>>>=1" method="post" name="ad [...]
<div class="hikashop_products_pagination hikashop_products_paginat [...]
------------------------
/engagement-rings/category/50-estate-engagement-rings/limit_hikashop_cat
egory_information_module_222_50-0/limitstart_hikashop_category_informati
on_module_222_50-0/filter_order_hikashop_category_information_module_222
_50-a.ordering/filter_order_Dir_hikashop_category_information_module_222
_50-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-atom?<<<<<<<<<<foo"bar'3
14>>>>>=1

We think it is referring to the pagination form at the bottom of the product pages. Here is the form code for one of the product pages:

<form action="http://www.doverjewelry.com/engagement-rings/category/50-estate-engagement-rings?filter_order_hikashop_category_information_module_222_50=%3C%3C%3C%3C%3C%3C%3C%3C%3C%3Cfoo%22bar'204%3E%3E%3E%3E%3E" method="post" name="adminForm_hikashop_category_information_module_222_50_bottom">

        <div class="hikashop_products_pagination hikashop_products_pagination_bottom">

        <div class="list-footer">

<div class="limit">Display #<select id="limit_hikashop_category_information_module_222_50" name="limit_hikashop_category_information_module_222_50" class="inputbox" size="1" onchange="this.form.submit()">
    <option value="20" selected="selected">20</option>
    <option value="5">5</option>
    <option value="10">10</option>
    <option value="15">15</option>
    <option value="20" selected="selected">20</option>
    <option value="25">25</option>
    <option value="30">30</option>
    <option value="50">50</option>
    <option value="100">100</option>
    <option value="0">all</option>
</select>
</div><span class="pagenav_start_chevron">&lt;&lt; </span><span class="pagenav pagenav_text">Start</span><span class="pagenav_previous_chevron"> &lt; </span><span class="pagenav pagenav_text">Prev</span> <span class="pagenav">1</span> <a class="pagenav" title="2" onclick="javascript: document.adminForm_hikashop_category_information_module_222_50_bottom.limitstart_hikashop_category_information_module_222_50.value=20; document.adminForm_hikashop_category_information_module_222_50_bottom.submit();return false;">2</a> <a class="pagenav" title="3" onclick="javascript: document.adminForm_hikashop_category_information_module_222_50_bottom.limitstart_hikashop_category_information_module_222_50.value=40; document.adminForm_hikashop_category_information_module_222_50_bottom.submit();return false;">3</a> <a class="pagenav" title="Next" onclick="javascript: document.adminForm_hikashop_category_information_module_222_50_bottom.limitstart_hikashop_category_information_module_222_50.value=20; document.adminForm_hikashop_category_information_module_222_50_bottom.submit();return false;">Next</a><span class="pagenav_next_chevron"> &gt;</span> <a class="pagenav" title="End" onclick="javascript: document.adminForm_hikashop_category_information_module_222_50_bottom.limitstart_hikashop_category_information_module_222_50.value=40; document.adminForm_hikashop_category_information_module_222_50_bottom.submit();return false;">End</a><span class="pagenav_end_chevron"> &gt;&gt;</span>
<div class="counter">Page 1 of 3</div>
<input type="hidden" name="limitstart_hikashop_category_information_module_222_50" value="0">
</div>
        <span class="hikashop_results_counter">
Results 1 - 20 of 48</span>

        </div>

        <input type="hidden" name="filter_order_hikashop_category_information_module_222_50" value="a.ordering">

        <input type="hidden" name="filter_order_Dir_hikashop_category_information_module_222_50" value="ASC">

        <input type="hidden" name="18aa959f74c6262cdb2863f0ffaff82e" value="1">
    </form>

We have talked to the hikashop people about this and they say we need to update to their most recent version (our version is just one below the latest one), but we have made some major mods to the code to include some of the client's requests, so we do not want to lose those changes (maybe in the future we will update to the latest version, but for now we just want to know if there is a quick fix for this).

Is the form really vulnerable to cross-site scripting attacks? What can we do to protect it or make the godaddy site scanner stop showing this warning message?

Solution

From the output of the scanner, he thinks that when he issued a request with an additional parameter:

<<<<<<<<<<foo"bar'314>>>>>=1

and this param got printed, which we can see in the output:

type-atom?<<<<<<<<<<foo"bar'314>>>>>=1

that could mean that your page is prone to XSS, but many of those scanners forget encodings... the same issue occurs, for example, when scanning LifeRay with w3af. But your HTML code prints:

%3C%3C%3C%3C%3C%3C%3C%3C%3C%3Cfoo%22bar'204%3E%3E%3E%3E%3E

So it seems that the param, although appended, is escaped... so it is not strictly prone to XSS. If you want to know more, visit XSS - Cheat Sheet, and you can use some other vuln scanners/proxies to confirm this issue: ZAP, WebScarab, w3af.
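The answer's point is that the scanner's "output" listing shows the probe raw while the page's actual HTML shows it percent-encoded, and only the latter is what the browser parses. The script below is an added example (not code from the question, the answer, HikaShop or the GoDaddy scanner) that makes that check mechanical: given the HTML a page returned, it locates every reflection of the scanner's marker (foo"bar, taken from the probe in the question) and records whether the '<' and '"' around it came back raw, percent-encoded (%3C / %22, as in the form action above) or entity-encoded (&lt; / &quot;). Only a raw reflection can terminate a double-quoted attribute or open a tag. The SAFE_HTML sample is the form action from the question; UNSAFE_HTML and ENTITY_HTML are constructed counterexamples, and safe_form_action() is an assumed generic helper (not HikaShop's routine) showing the encoding order that yields the harmless form: percent-encode the query string, then HTML-escape the URL for the attribute. One caveat the page's own output illustrates: the apostrophe in bar'204 survives unencoded, which is harmless inside a double-quoted attribute but would matter if the attribute were single-quoted.

```python
"""Tell a real reflected-XSS sink from a scanner false positive.

Added example, not code from the question, the answer, HikaShop or the
GoDaddy scanner.  classify_reflections() finds each reflection of the
scanner's marker foo"bar and records how '<' and '"' came back; verdict()
turns that into a yes/no; safe_form_action() shows the safe encoding order.
"""
import html
import re
from urllib.parse import urlencode

# Encoded forms of the two characters that matter inside a double-quoted
# attribute.  Keys are lower-case; prefixes are lower-cased before matching.
LT_FORMS = {"<": "raw", "%3c": "percent", "&lt;": "entity"}
QUOTE_FORMS = {'"': "raw", "%22": "percent", "&quot;": "entity"}

# The scanner's marker is foo<quote>bar; the quote may come back in any form.
REFLECTION_RE = re.compile(r'foo(?P<quote>"|%22|&quot;)bar', re.IGNORECASE)

# Sample 1: the form action from the question (percent-encoded probe).
SAFE_HTML = (
    '<form action="http://www.doverjewelry.com/engagement-rings/category/'
    "50-estate-engagement-rings?filter_order_hikashop_category_information_"
    "module_222_50=%3C%3C%3C%3C%3C%3C%3C%3C%3C%3Cfoo%22bar'204%3E%3E%3E%3E%3E\""
    ' method="post" name="adminForm_hikashop_category_information_module_222_50_bottom">'
)

# Sample 2: constructed counterexample in which the same probe is echoed
# verbatim, the way the scanner's "output" listing displays it.  This is what
# a genuinely vulnerable page would return.
UNSAFE_HTML = (
    '<form action="http://www.doverjewelry.com/engagement-rings/category/'
    "50-estate-engagement-rings/type-atom?<<<<<<<<<<foo\"bar'314>>>>>=1\""
    ' method="post" name="adminForm">'
)

# Sample 3: constructed, entity-encoded reflection (also harmless).
ENTITY_HTML = '<p>You searched for &lt;&lt;foo&quot;bar&#x27;314&gt;&gt;</p>'


def classify_reflections(body):
    """Return one record per reflection of the marker, with the encoding
    observed for the '<' just before 'foo' and for the '"' between foo and bar."""
    records = []
    for m in REFLECTION_RE.finditer(body):
        quote_form = QUOTE_FORMS[m.group("quote").lower()]
        # Six characters before 'foo' is enough to hold an '&lt;'-sized token.
        prefix = body[max(0, m.start() - 6):m.start()].lower()
        lt_form = "absent"
        for token, form in LT_FORMS.items():
            if prefix.endswith(token):
                lt_form = form
                break
        records.append({"offset": m.start(), "lt": lt_form, "quote": quote_form})
    return records


def verdict(body):
    """'raw-reflection' if any '<' or '"' came back unencoded (a real sink),
    'encoded-only' if every reflection is percent- or entity-encoded (a false
    positive for this context), 'not-reflected' if the marker is absent."""
    records = classify_reflections(body)
    if not records:
        return "not-reflected"
    if any(r["lt"] == "raw" or r["quote"] == "raw" for r in records):
        return "raw-reflection"
    return "encoded-only"


def safe_form_action(base_url, params):
    """Build a form action attribute value in the safe order: percent-encode
    the query string first (urlencode turns <, >, " and ' into %3C, %3E, %22,
    %27), then HTML-escape the whole URL for the attribute context (& becomes
    &amp;).  Assumed generic helper, not HikaShop's own routine."""
    url = base_url + "?" + urlencode(params)
    return html.escape(url, quote=True)


if __name__ == "__main__":
    for name, body in (("question's form", SAFE_HTML),
                       ("constructed raw echo", UNSAFE_HTML),
                       ("constructed entity echo", ENTITY_HTML)):
        print(f"{name}: {verdict(body)}  {classify_reflections(body)}")
    probe_name = '<<<<<<<<<<foo"bar\'314>>>>>'
    print(safe_form_action("http://example.invalid/category",
                           {probe_name: "1", "limit": "20"}))
```

Run it against the body of a real response (for example, the HTML saved from the request the scanner logged) rather than against the scanner's report: the verdict for the question's form is "encoded-only", which matches the answer's conclusion, while a page that echoed the marker raw would come back "raw-reflection" and would need the encoding that safe_form_action() applies.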
