简体   繁体   English

反射XSS保护-澄清吗?

[英]Reflective XSS Protection - clarification?

After reading this article by Eric Lawrence ,I saw this test page http://www.enhanceie.com/test/xss/ which simulates the usage of Reflective XSS Protection . 阅读了Eric Lawrence的这篇文章之后,我看到了这个测试页面http://www.enhanceie.com/test/xss/ ,该页面模拟了Reflective XSS Protection的用法。

Now , According to google chromium : 现在,根据谷歌铬

XSS filter checks whether a script that's about to run on a web page is also present in the request that fetched that web page . XSS筛选器检查获取该网页的请求中是否还存在要在该网页上运行的脚本 If the script is present in the request, that's a strong indication that the web server might have been tricked into reflecting the script. 如果请求中包含该脚本,则表明该Web服务器可能被欺骗以反映该脚本。

So , If I post to the server : 所以,如果我发布到服务器:

<script>alert("bang! script injection\n"+document.cookie);</script>

And the browser also sees it at the request via url: 浏览器还会通过url在请求中看到它:

http://webdbg.com/test/xss/Hello.asp?txtName=%3Cscript%3Ealert%28%22bang%21+script+injection%5Cn%22%2Bdocument.cookie%29%3B%3C%2Fscript%3E

then it shows this error ( console): 然后显示此错误(控制台):

The XSS Auditor refused to execute a script in ' http://webdbg.com/test/xss/Hello.asp?txtName=%3Cscript%3Ealert%28%22bang%21+script+injection%5Cn%22%2Bdocument.cookie%29%3B%3C%2Fscript%3E ' because its source code was found within the request. XSS审核程序拒绝在' http://webdbg.com/test/xss/Hello.asp?txtName=%3Cscript%3Ealert%28%22bang%21+script+injection%5Cn%22%2Bdocument.cookie中执行脚本%29%3B%3C%2Fscript%3E ',因为在请求中找到了其源代码。 The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header. 服务器未发送“ X-XSS-Protection”或“ Content-Security-Policy”标头,因此启用了审核器。

But fiddler does show me that the page did get the script to run : 但是提琴手确实向我展示了该页面确实可以运行脚本

在此处输入图片说明

Question : 题 :

As the solution to deal with xss is html Encode/decode , 由于处理xss的解决方案是html Encode / decode,

How/when should I combine between those 2 solutions ? 这两种解决方案之间应该如何/何时结合?

I mean I could use html encode and scripts would never run in my page , or , I could use this header... ? 我的意思是我可以使用html编码,并且脚本永远不会在我的页面中运行,或者,我可以使用此标头...?

Im confused. 我糊涂了。

But fiddler does show me that the page did get the script to run 但是提琴手确实向我展示了该页面确实可以运行脚本

No, it doesn't. 不,不是。 Fiddler shows you that the server sent the script back to the browser. Fiddler向您显示服务器已将脚本发送回浏览器。 It tells you absolutely nothing about what the browser did with the script. 它绝对不会告诉您浏览器对脚本的处理方式。

As the solution to deal with xss is html Encode/decode 作为处理xss的解决方案是html编码/解码

That is one solution (also the simplest and best if you don't need to allow users to submit any kind of HTML). 那是一种解决方案(如果您不需要允许用户提交任何类型的HTML,也是最简单,最好的解决方案)。

How/when should I combine between those 2 solutions? 这两种解决方案之间应该如何/何时结合?

You should encode any user input you get as HTML by encoding entities, and ignore anti-XSS filters that appear in some browsers because not all browsers have them so you cannot depend upon them. 您应该通过对实体进行编码来将获取的任何用户输入编码为HTML,并忽略某些浏览器中出现的反XSS过滤器,因为并非所有浏览器都具有它们,因此您不能依赖它们。

I mean I could use html encode and scripts would never run in my page 我的意思是我可以使用html编码,并且脚本永远不会在我的页面中运行

Only encode user input (because it is untrusted). 仅对用户输入进行编码(因为它是不受信任的)。 Don't encode scripts you write yourself and therefore can trust. 不要对自己编写的脚本进行编码,因此可以信任。

Encoding and Decoding is the most reliable solution for XSS vulnerabilities. 编码和解码是针对XSS漏洞的最可靠的解决方案。 Make sure you encode for the right context. 确保为正确的上下文编码。 ie if the tainted data is being inserted in to javascript then call a javascript encoder not a html encoder. 即,如果将污染数据插入到javascript中,则调用javascript编码器而不是html编码器。 ESAPI have a good library of all the encoders you need. ESAPI拥有您需要的所有编码器的良好库。

In addition some browsers are now supporting Content Security Policy settings with headers that also help in the battle against XSS. 此外,某些浏览器现在支持带有标题的内容安全策略设置,这些标题也有助于与XSS进行斗争。 Here is an article on it http://www.html5rocks.com/en/tutorials/security/content-security-policy/ 这是一篇关于此的文章http://www.html5rocks.com/en/tutorials/security/content-security-policy/

Do not rely on browser filters because you cannot be sure your users will have that feature in their browser. 不要依赖浏览器过滤器,因为您不能确定用户的浏览器将具有该功能。 Always sanitize your data. 始终清理您的数据。

Simply HTML encoding is enough to prevent XSS. 简单的HTML编码足以防止XSS。 If the user enters xss characters they will be encoded but alphanumeric characters will remain as such. 如果用户输入xss字符,则将对其进行编码,但字母数字字符将保持不变。

Other than this, you can use tag of the core jstl library in the jsp pages. 除此之外,您可以在jsp页面中使用核心jstl库的标签。

Better to give examples instead writing. 最好给出例子而不是写作。

Reflective XSS POC 反射XSS POC

<?php
/**
 * @Author Vaibs
 *
 */
$cookie_name = "user";
$cookie_value = "John Doe";
setcookie($cookie_name, $cookie_value, time() + (86400 * 30), "/"); // 86400 = 1 day
if (isset($_REQUEST['Submit'])) { //check if form was submitted
    $input = isset($_REQUEST['appid']) ? $_REQUEST['appid'] : "";//get input text
    echo "Input from client is reflected back as ->  : " . $input;
}
?>

<html>
<body>
<form>
    <input type="text" name="appid"/>
    <input type="submit" name="Submit"/>
</form>
</body>
</html>

How to avoid ? 如何避免? Answer: Simplest is to use PHP function urlencode. 答:最简单的就是使用PHP函数urlencode。

<?php
/**
 * @Author Vaibs
 *
 */
$cookie_name = "user";
$cookie_value = "John Doe";
setcookie($cookie_name, $cookie_value, time() + (86400 * 30), "/"); // 86400 = 1 day
if (isset($_REQUEST['Submit'])) { //check if form was submitted
    $input = isset($_REQUEST['appid']) ? $_REQUEST['appid'] : "";//get input text
    echo "Input from client is reflected back as ->  : " . urlencode($input);
}
?>

<html>
<body>
<form>
    <input type="text" name="appid"/>
    <input type="submit" name="Submit"/>
</form>
</body>
</html>

Difference is the use of urlencode function that is been used in the second code. 区别在于第二代码中使用的urlencode函数的使用。

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM