
Is DOM-based XSS possible in this example?

I've been reading a bundle of documents about DOM-based XSS but I still can't figure it out. Let's take a look at my example.

var html = `
    <a class="url" href="${untrustedURL}">
        <img src="${untrustedSource}">
    </a>
    <span class="name" data-value="${untrustedValue}">${untrustedText}</span>
`;
document.querySelector('#user').innerHTML = html;

How can an attacker exploit the vulnerabilities of this code? And what are the solutions?

Through the URL and through the image's source, an untrusted value would be, for instance:

javascript:evilStuff()

In the case of the link, the code will run when the user clicks it, and in the case of the image's source, it'll run when the browser attempts to load the image. Note that the image src technique only applies to older browsers; modern ones will ignore it. Another issue I see with the link is that, for instance, you could get a link that directs you to a phishing site!

The data-value attribute is made vulnerable only if you use that value somewhere else in your code, and in a way that could be harmful; otherwise, I don't see the danger in there.

And as for the contents of the span, pretty much anything can be inserted in there if you don't escape HTML characters: script tags, iframes, images, etc. Note that this is true for all unsafe values you insert anywhere.

A malicious person can insert any HTML anywhere you don't escape HTML entities.

The solutions, I think, are always to escape/strip tags and certain values. For instance, to prevent a user from inserting a dangerous URL in a dynamic href, you can apply a regex that removes the word javascript: from the start of a string, or check for non-valid URLs (different domain, unusual characters, malformed URL, etc.).

While I agree with the vulnerabilities raised in @Alfonso's answer, the situation is actually worse: all of your untrusted variables are vulnerable to an XSS attack here.

For example, say untrustedURL contained the following text:

"><img src="http://example.com" onerror=alert(/xss/) data-x="

this would cause the following to be rendered:

<a class="url" href=""><img src="http://example.com" onerror="alert(/xss/)" data-x="">

which will cause the JavaScript alert to show instantly.

As your code is all in a JavaScript context already, you need to follow Rule #1 of the OWASP XSS cheat sheet and HTML encode the data. A simple conversion of the following characters is sufficient:

 & --> &amp;
 < --> &lt;
 > --> &gt;
 " --> &quot;
 ' --> &#x27;     &apos; is not recommended because it's not in the HTML spec (see section 24.4.1); &apos; is in the XML and XHTML specs.
 / --> &#x2F;     the forward slash is included as it helps end an HTML entity

Note that OWASP recommends Rule #2 for HTML attribute values; however, if you are quoting all attributes then the above will be enough. Rule #2 works everywhere, including unquoted attributes, so if you have a mixture, Rule #2 will be simpler.

I've read your comment where you say you should encode JavaScript after escaping HTML entities.

Yes, this applies to where the value initially comes from (say, from the server side), but you should do this encoding in the language that your server-side code uses, not JavaScript. Also, do the JavaScript escaping first to get the server-side variable into JavaScript, then later use HTML escaping in JavaScript ready for insertion into the DOM.

e.g. JavaScript escaping in ASP.NET C#:

<script>
var untrustedURL = "<%=HttpUtility.JavaScriptEncodeString(usersUrl)%>";
</script>

See my answer here for greater detail on this.

Then you need to HTML encode using a function:

// Encode the six characters listed above so the value is inert in an HTML context
function escapeHTML(unsafe_str) {
    return unsafe_str
      .replace(/&/g, '&amp;')
      .replace(/</g, '&lt;')
      .replace(/>/g, '&gt;')
      .replace(/"/g, '&quot;')
      .replace(/'/g, '&#39;')
      .replace(/\//g, '&#x2F;');
}

So your code could just be

<script>
var untrustedURL = escapeHTML("<%=HttpUtility.JavaScriptEncodeString(usersUrl)%>");
</script>

untrustedURL and untrustedSource

Note that these are special cases where validation should take place as well. You should do this on the server side and make sure that they either start with http://, https:// or // (protocol-relative URL). A whitelisting approach ensures that the user cannot enter a javascript: scheme URL and will also protect against different schemes being entered that may be unique to the user's browser, operating system, device, configuration, etc. Only allowing HTTP is much safer.
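As an added example (not code from either answer above), here is the question's template rendered with the HTML-encoding function and the http/https/protocol-relative allow-list that the two answers describe; the names safeURL, renderUser and countChar are chosen here, and the constructed sample input reuses the payloads quoted in the answers.

```javascript
// Rule #1 encoding: makes a value inert inside element content or a quoted attribute.
function escapeHTML(unsafeStr) {
  return String(unsafeStr)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;')
    .replace(/\//g, '&#x2F;');
}

// Scheme allow-list (hypothetical helper). The value is parsed with the URL API rather
// than prefix-matched, so "JAVASCRIPT:", leading whitespace and embedded tab/newline
// variants are all normalised before the protocol check. Anything else is replaced by
// an inert fallback instead of being rendered.
function safeURL(untrusted) {
  const s = String(untrusted).trim();
  const candidate = s.startsWith('//') ? 'https:' + s : s; // protocol-relative is allowed
  try {
    const u = new URL(candidate); // throws on relative or malformed input
    if (u.protocol === 'http:' || u.protocol === 'https:') return u.href;
  } catch (e) { /* malformed or relative: fall through */ }
  return 'about:blank';
}

// The question's template with every interpolation encoded; returns the string so it
// can be checked before being assigned to innerHTML.
function renderUser({ untrustedURL, untrustedSource, untrustedValue, untrustedText }) {
  return `
    <a class="url" href="${escapeHTML(safeURL(untrustedURL))}">
        <img src="${escapeHTML(safeURL(untrustedSource))}">
    </a>
    <span class="name" data-value="${escapeHTML(untrustedValue)}">${escapeHTML(untrustedText)}</span>
`;
}

// Constructed sample input: the payloads quoted in the answers on this page.
const BREAKOUT = '"><img src="http://example.com" onerror=alert(/xss/) data-x="';
const SAMPLE = {
  untrustedURL: BREAKOUT,
  untrustedSource: 'javascript:evilStuff()',
  untrustedValue: BREAKOUT,
  untrustedText: '<div style="position:fixed;left:0;right:0;top:0;bottom:0;" onmousemove="alert(\'XSS\')"></div>',
};

// Structural check: the template itself contributes exactly 5 '<', 5 '>' and 10 '"',
// so any extra one would mean an interpolated value broke out of its context.
function countChar(str, ch) { return str.split(ch).length - 1; }
```

Running renderUser(SAMPLE) yields markup whose only tags and quotes are the template's own, while the javascript: source is replaced by about:blank.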

Assuming that ${untrustedText} is not HTML-escaped, try setting it to, say:

<div style="position:fixed;left:0;right:0;top:0;bottom:0;"
  onmousemove="this.style.display='none';alert('XSS');"></div>
