XSS-是否只能使用JavaScript?
[英]XSS - is it only possible by using JavaScript?
问题描述
I understand there are lots of questions concerning Cross-Site Scripting on the SO and tried to read the most voted ones. 
我了解SO上有很多有关跨站点脚本的问题,并试图阅读投票最多的问题。 Having read some webpages too I'm still unsure about all possibilities that this attack type can use. 也已经阅读了一些网页,我仍然不确定这种攻击类型可以使用的所有可能性。 I don't ask how to sanitianize input, rather what one can expect. 我不问如何使输入饱和,而是可以期望什么。
In most examples given on SO and other pages there are two methods, where the simplest (eg. this one on PHPMaster ) seams to be inserting some <script> code used for stealing cookies etc. 在SO和其他页面上给出的大多数示例中,有两种方法,其中最简单的方法(例如,PHPMaster上的该方法 )是插入一些用于窃取cookie的<script>代码。
The other presented here by user Baba is to insert full <form> code structure, however it seems it should not work until user submits a form, however some JavaScript event like ... onmouseover='form.submit()'... might be used. Baba用户在此处提出的另一个方法是插入完整的<form>代码结构,但是,似乎在用户提交表单之前它不起作用,但是某些JavaScript事件,例如... onmouseover='form.submit()'...可能会被使用。
All network examples I've been able to check are only methods based on using some JavaScript code. 我已经检查过的所有网络示例仅是基于使用某些JavaScript代码的方法。
Is it possible to use other methods, say -- somehow -- changing the HTML, or even the server-side script? 是否可以使用其他方法(例如-以某种方式)更改HTML甚至服务器端脚本?
I know one can obtaining this by SQL injection or just hacking on the server, but I mean only by manipulating (wrong handled) GET, POST requests -- or perhaps some other? 我知道可以通过SQL注入或仅通过对服务器进行黑客攻击来获取此信息,但是我的意思是仅通过操纵(处理不当)GET,POST请求-或其他一些方法?
3 个解决方案
解决方案1
1 2013-05-17 14:49:04
XSS is about javascript. XSS与javascript有关。
However to inject your malicious javascript code you have to use a vulnerability of the pages code which might be on the server or client side. 但是,要注入您的恶意javascript代码,您必须使用页面代码的漏洞,该漏洞可能在服务器或客户端。
You can use CSP (content security policy) to prevent XSS in modern browses. 您可以使用CSP(内容安全策略)来阻止现代浏览器中的XSS。
There is also a list of XSS tricks in the XSS Cheat Sheet . XSS备忘单中还列出了XSS技巧。 However most of those tricks won't work for modern browsers. 但是,这些技巧大多数都不适用于现代浏览器。
Webkit won't execute javascript if it is also part of the request. 如果Webkit也是请求的一部分,则不会执行javascript。 For example demo.php?x=<script>alert("xss")</script> won't display an alert box even if it the script tag gets injected into the dom. 例如demo.php?x=<script>alert("xss")</script>即使将script标签注入dom也不会显示警报框。 Instead the following error is thrown: "Refused to execute a JavaScript script. Source code of script found within request." 而是引发以下错误:“拒绝执行JavaScript脚本。在请求中找到脚本的源代码。”
解决方案2
1 已采纳 2013-05-17 15:19:23
I know one can obtaining this by SQL injection or just hacking on the server, but I mean only by manipulating (wrong handled) GET, POST requests -- or perhaps some other?
GET parameters and POST bodies are the primary vector for attacking a web application via HTTP requests, but there are others. GET参数和POST正文是通过HTTP请求攻击Web应用程序的主要媒介,但还有其他一些媒介。 If you aren't careful about file uploads, then I might be able to upload a Trojan . 如果您不小心上传文件,那么我也许可以上传Trojan 。 If you naively host uploaded files in the same domain as your website, then I can upload JS or HTML and have it run with same-origin privileges . 如果您天真地将上传的文件托管在与您的网站相同的域中,那么我可以上传JS或HTML并使其具有相同的起源特权 。 Request headers are also inputs that an attacker might manipulate, but I don't know of successful attacks that abuse them. 请求标头也是攻击者可能操纵的输入,但我不知道滥用它们的成功攻击。
Code-injection is a class of attacks that includes XSS, SQL Injection, Shell injection, etc. 代码注入是一类攻击,包括XSS,SQL注入,Shell注入等。
Any time a GET or POST parameter that is controlled by an attacker is turned into code or a programming language symbol, you risk a code-injection vulnerability. 每当将由攻击者控制的GET或POST参数转换为代码或编程语言符号时,您都将面临代码注入漏洞的风险。
If a GET or POST parameter is naively interpolated into a string of SQL, then you risk SQL injection. 如果将GET或POST参数天真地插入到SQL字符串中,则可能会冒用SQL注入的风险。
If a GET or POST parameter (or header like the filename in a file upload) is passed to a shell, then you risk shell injection and file inclusion . 如果将GET或POST参数(或标头(如文件上传中的文件名))传递给Shell,则可能会面临注入Shell和包含文件的风险。
If your application uses your server-side language's equivalent of eval with an untrusted parameter, then you risk server-side script injection. 如果您的应用程序使用与服务器端语言等效的eval和不受信任的参数,那么您可能会面临服务器端脚本注入的风险。
You need to be suspicious of all your inputs, treat them as plain text strings, and when composing a string in another language, convert the plain text string into a substring in that target language by escaping . 您需要对所有输入都保持怀疑,将其视为纯文本字符串,然后在用另一种语言编写字符串时,请通过转义将纯文本字符串转换为该目标语言的子字符串。 Filtering can provide defense in depth here. 过滤可以在这里提供深入的防御。
XSS - is it only possible by using JavaScript?
No. VBScript can be injected in IE. 不可以。VBScript可以注入IE中。 Javascript can be injected indirectly via URLs and via CSS. 可以通过URL和CSS间接注入Javascript。 Injected images can leak secrets hidden in the referrer URL. 注入的图像可能会泄漏隐藏在引荐来源网址中的机密。 Injected meta tags or iframes can redirect to a phishing version of your site. 注入的元标记或iframe可以重定向到您网站的网络钓鱼版本。
Systems that are vulnerable to HTTP response header splitting can be subverted by HTML & scripts injected into response headers like redirect URLs or Set-Cookie directives. 易受HTTP响应标头拆分影响的系统可以通过注入响应标头(例如重定向URL或Set-Cookie指令)中的HTML和脚本来破坏。
HTML embeds so many languages that you need to be very careful about including snippets of HTML from untrusted sources. HTML嵌入了许多种语言,因此在包含不可信来源的HTML片段时需要非常小心。 Use a white-listing sanitizer if you must include foreign HTML in your site. 如果必须在网站中包含外部HTML,请使用白名单消毒剂 。
解决方案3
1 2013-05-17 18:08:56
Cross-Site Scripting is not just about inserting JavaScript code into a web page. 跨站点脚本编写不仅是将JavaScript代码插入网页中。 It is rather a general term for any injection of code that gets interpreted by the browser in the context of the vulnerable web page, see CWE-79 : 对于易受攻击的网页上下文中浏览器解释的任何代码注入,它都是一个通用术语,请参阅CWE-79 :
During page generation, the application does not prevent the data from containing content that is executable by a web browser, such as JavaScript, HTML tags, HTML attributes, mouse events, Flash, ActiveX, etc.
An attacker could, for example, inject his own login form into an existing login page that redirects the credentials to his site. 例如,攻击者可以将自己的登录表单注入到现有登录页面中,该登录页面将凭据重定向到他的站点。 This would also be called XSS. 这也称为XSS。
However, it is often easier and more promising to inject JavaScript as it can do both control the document and the victims browser. 但是,注入JavaScript通常更容易,也更有希望,因为它可以控制文档和受害浏览器。 With JavaScript an attacker can read cookies and thus steal a victim's session cookie to hijack the victim's session. 使用JavaScript,攻击者可以读取cookie,从而窃取受害者的会话cookie来劫持受害者的会话。 In certain cases, an attacker would even be able to execute arbitrary commands on the victim's machine. 在某些情况下,攻击者甚至可以在受害者的计算机上执行任意命令。
The attack vector for XSS are diverse but they all have in common that they are possible due to some improperly handled input. XSS的攻击媒介是多种多样的,但它们的共同点是,由于某些处理不当的输入,它们是可能的。 This can be either by parameters provided via GET or POST but also by any other information contained in the HTTP request, eg cookies or any other HTTP header fields. 这既可以通过GET或POST提供的参数,也可以通过HTTP请求中包含的任何其他信息(例如cookie或任何其他HTTP标头字段)来实现。 Some use a single injection point, others are split up to multiple injection points; 有些使用单个注入点,另一些则分成多个注入点。 some are direct, some are indirect; 有些是直接的,有些是间接的; some are triggered automatically, some require certain events; 有些是自动触发的,有些则需要某些事件; etc. 等等
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.