如何利用HTTP标头XSS漏洞？ [英] How to exploit HTTP header XSS vulnerability?

问题描述

假设一个页面只是打印HTTP'referer'标题的值而没有转义。因此该页面容易受到XSS攻击，即攻击者可以使用包含< script> alert（'xss'）;< / script> 。

Let's say that a page is just printing the value of the HTTP 'referer' header with no escaping. So the page is vulnerable to an XSS attack, i.e. an attacker can craft a GET request with a referer header containing something like <script>alert('xss');</script>.

但你怎么能用它来攻击目标？攻击者如何使目标向该特定标题发出特定请求？

But how can you actually use this to attack a target? How can the attacker make the target issue that specific request with that specific header?

推荐答案

这听起来像标准反映了XSS攻击。

在反映的XSS攻击中，攻击者需要受害者访问一些在某种程度上受攻击者控制的站点。即使这只是一个攻击者可以发布链接的论坛，希望有人会关注它。

In reflected XSS attacks, the attacker needs the victim to visit some site which in some way is under the attacker's control. Even if this is just a forum where an attacker can post a link in the hope somebody will follow it.

在使用<$ c反映XSS攻击的情况下$ c> referer 标题，然后攻击者可以将用户从论坛重定向到攻击者域名上的页面。

In the case of a reflected XSS attack with the referer header, then the attacker could redirect the user from the forum to a page on the attacker's domain.

例如

http://evil.example.com/?<script>alert(123)>

此页面依次以保留的方式重定向到以下目标页面referer 。

http://victim.example.org/vulnerable_xss_page.php

因为它在此页面上显示 referer 标题而没有正确转义， http://evil.example.com/?<script>alert（123）> 在HTML源代码中输出，执行警报。请注意，这仅适用于Internet Explorer。

Because it is showing the referer header on this page without the proper escaping, http://evil.example.com/?<script>alert(123)> gets output within the HTML source, executing the alert. Note this works in Internet Explorer only.

其他浏览器会自动对URL呈现进行编码

Other browsers will automatically encode the URL rendering

%3cscript%3ealert%28123%29%3c/script%3e

是安全的。

这篇关于如何利用HTTP标头XSS漏洞？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！