XSS攻击和样式属性 [英] XSS attacks and style attributes

问题描述

已知的风格属性XSS攻击类似：

 < DIV STYLE =width：expression '））;> 
  

或

 < DIV STYLE =background-image：url（javascript：alert（'XSS'））> 
  

所有示例我看过使用表达式或url功能 - 基本上是需要（和）的函数。

下面的过滤样式标签的方法，我将使用以下（大约）语法检查它们：

  identifier：[a- Z _] [a-zA-Z0-9 \-] * 
 number：[0-9] + 
 string：'[a-zA-Z_0-9] *'
 value ：identifier |数字| string | number +（em | px）| number +％
 entry：identifier：value（\ s value）* 
 style：（entry;）* 
  

所以基本上，我允许ASCII属性与数值或非常有限的字符串值（基本上为字体名称）不允许使用任何看起来像调用。

问题是这够好吗？是否有任何攻击可能会做这样的事情：

 < DIV STYLE =this-is-js-property：alert 'XSS';> 
  

并成功？

这种测试的XSS漏洞？

清楚

风格属性，因为许多工具，如TinyMCE使用它们，过滤无害的
风格属性会显着损害功能。

所以我更喜欢通常的情况下，可以使用@import，url，expression等。还要确保基本的css语法正确。

答案
$ b

由于点击提示漏洞，它不安全。

解决方案

示例：

 < a href =http://example.com/attack.htmlstyle =display：block; z-index：100000; opacity：0.5; position：fixed; top： 0; width：1000000px; height：100000px; background-color：red;> < / a> 
  

找到：http://www.bioinformatics.org/phplabware/forum/viewtopic.php?id=164

所以 - 经验法则使用非常严格的白名单或不允许样式属性。

There are known Style Attribute XSS attacks like:

<DIV STYLE="width: expression(alert('XSS'));">

Or

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

All the examples I've seen use either expression or url functionality - basically something function like that require "(" and ")".

I'm thinking of following method of filtering style tags, I would check them using following (approximately) grammar:

identifier: [a-zA-Z_][a-zA-Z0-9\-]*
number: [0-9]+
string: '[a-zA-Z_0-9 ]*'
value : identifier | number | string | number + "(em|px)" | number +"%"
entry: identifier ":" value (\s value )*
style: (entry ;)*

So basically I allow ASCII properties with numeric values or very limited string values (basically for font names) not allowing using anything that looks like call.

The question is this good enough? Are there any attacks that may do something like that:

<DIV STYLE="this-is-js-property: alert 'XSS';">

And succeed?

Can anybody think of XSS vulnerability of such test?

To Make it clear

I need style attributes as many tools like TinyMCE use them and filtering harmless style attributes off would significantly hurt the functionality.

So I prefer pass common cases removing all things that may use @import, url, expression etc. And also make sure that basic css syntax is ok.

Answer

No it is not safe due to click-jacking vulnerability.

解决方案

This does not work due to click-jacking vulnerability.

Example:

<a href="http://example.com/attack.html" style="display: block; z-index: 100000; opacity: 0.5; position: fixed; top: 0px; left: 0; width: 1000000px; height: 100000px; background-color: red;"> </a> 

Found at: http://www.bioinformatics.org/phplabware/forum/viewtopic.php?id=164

The code would be perfectly validated but it may cause serious damage.

So - rule of thumb use very strict white list or do not allow style attributes.

这篇关于XSS攻击和样式属性的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！