Why/How is `value="javascript:alert(1)"` considered an XSS vulnerability in OWASP's ZAP tool?

The results from OWASP's ZAP have been very useful for eliminating vulnerable parts of my website.

However, I've found a lot of results that I simply cannot fix. For example, in one of the GET parameters it has put javascript:alert(1); into the variable. This variable is then output by PHP in a hidden element's value attribute. So the final HTML looks like:

<input type="hidden" name="someName" id="someID" value="javascript:alert(1);"/>

This value is normally used to populate a drop-down with JavaScript. If it's 1 it shows optional search filters; if 0 it shows nothing. So it's only used in a string comparison that fails.

I see no way for this to be exploited; the alert does not run like other attacks ZAP has shown me. The output is encoded, so they cannot inject HTML by ending the quotes or element early with "/> like previously found attacks, as these characters become their HTML entity counterparts.

Is this just a false positive from ZAP matching the input string in the page source, as encoding javascript:alert(1); still gives exactly the same string, javascript:alert(1);?

The vulnerability means that ZAP managed to insert arbitrary code into that input field. This means that you're most likely not validating user input somewhere in the app.

You should be more careful about generating that input field, and ensure that the GET parameter(s) used to generate it are validated accordingly.

Remember, it's better to be safe than sorry (i.e. have your app compromised).

Yes, OWASP's ZAP tries to find vulnerabilities on your website, and it works automatically.

If it's successful in adding ANY PART of code into your website, the website is considered vulnerable automatically.

If your website only accepts "0" or "1" as the value of the hidden input, and doesn't save or output the value anywhere else (not even to cookies), this is not a security vulnerability, and you're safe.

Your HTML looks safe to me. However, consider a similar case:

<a href="javascript:alert(1);">test</a>

This will produce a link that will execute JavaScript. It could be that ZAP is being extra careful so that cases like this get picked up.

For this specific case, you should whitelist what URL schemes are allowed in user-provided links. For example, only allow http, https, mailto, etc.
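The two situations discussed on this page, the encoded hidden-input value from the question and the `href` scheme allowlist from the last answer, side by side in code. This is an added example, not code from the question author, the answerers or the ZAP project; the function names, the `https://example.invalid/` base origin and the sample inputs are all constructed for the illustration. It goes slightly beyond the answer's wording by showing why scheme matching should run on a parsed URL rather than a raw string prefix: mixed-case and whitespace-padded variants of the same scheme normalise to one value.

```javascript
// Context-appropriate output encoding for an HTML attribute value. This does
// the same thing for these five characters as PHP's htmlspecialchars() with
// ENT_QUOTES, which is the encoding the question describes.
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// The hidden input from the question, rendered with an encoded value.
function renderHiddenInput(value) {
  return `<input type="hidden" name="someName" id="someID" value="${escapeHtmlAttr(value)}"/>`;
}

// What the page's own script does with the value: a plain string comparison.
// Any value other than "1" just means the optional filters stay hidden.
function showsSearchFilters(value) {
  return value === '1';
}

// Scheme allowlist for user-supplied link targets, as the last answer recommends.
// Parsing with the WHATWG URL parser (built into Node.js and browsers) means
// case differences, leading/trailing whitespace and embedded tab or newline
// characters are normalised before the scheme is compared, so the check is not
// fooled by variants a naive startsWith('javascript:') test would miss.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

function isAllowedHref(href, base = 'https://example.invalid/') {
  let url;
  try {
    // Relative links resolve against the page's own origin (constructed here).
    url = new URL(href, base);
  } catch (e) {
    return false; // unparseable input is rejected rather than passed through
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Constructed sample inputs: the value ZAP injected and a break-out attempt.
const zapPayload = 'javascript:alert(1);';
const breakout = '"/><script>alert(1)</script>';

console.log(renderHiddenInput(zapPayload));   // payload survives encoding unchanged
console.log(renderHiddenInput(breakout));     // quotes and angle brackets become entities
console.log(showsSearchFilters(zapPayload));  // false: the comparison simply fails
console.log(isAllowedHref('  JavaScript:alert(1);')); // false after normalisation
console.log(isAllowedHref('/search?filters=1'));      // true: relative, same origin
```

The first output line is the whole story behind the ZAP finding: attribute encoding leaves `javascript:alert(1);` byte-for-byte intact because none of its characters are special in that context, so a scanner that looks for its probe string in the response sees a reflection. Whether that reflection is exploitable depends on the sink; in a quoted attribute value that only feeds a string comparison it is inert, in an `href` it is a script URL, which is why the scheme check belongs wherever user data reaches a link.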
