
Is it a false positive for DOM XSS?

I used IBM AppScan to scan my website. One of the vulnerabilities it found is called "DOM XSS". After investigation, I suspect that it may be a false positive. Does anyone know whether it is possible to inject into it, based on my following code?


It just seems like a subdomain parsing routine that sets document.domain to this value for inter-origin communication.

e.g. if the current URL is http://www.example.com/ then document.domain is set to example.com.

This appears to be a false positive because even though untrusted input is being used to set the domain in order to loosen Same Origin Policy restrictions, setting document.domain is only valid for a subdomain of the current domain, therefore it would be very hard to manipulate this into something malicious.

That is, if example.edu set their document.domain to example.com then the browser would not accept this because the domain itself does not match, and the browser will not allow anything to be set to a top level domain, as is attempted in the case of com.

Parsing the href isn't the best way to do this - there are other properties available in the location object such as .hostname. If there was a flaw in the parsing routine, it may be possible to trick the code by submitting a hostname somewhere else in the URL:

http://www.example.com?injectedHostname=http://www.example.org

Having said that, I can't see how your current function implementation could be abused.

This isn't a traditional HTML/script injection into the DOM, so it's not what people typically call "DOM XSS", but AppScan has detected it because data is going from an untrusted source (the document URL) to a dangerous sink (the security-sensitive document.domain property), and that is in general a risky thing to do.

If an attacker can influence document.domain there is indeed the possibility of allowing cross-origin scripting, though it would have to be from a neighbour domain (because document.domain can't be set to e.g. a TLD), so that would limit the damage a bit.

If you must set document.domain automatically from the browser address, then in order to do it securely you should (a) read location.hostname directly instead of trying to split apart location.href, and (b) ensure that the application is deployed such that it only responds to its real hostname. If an attacker points their own DNS to your server's IP address, the application should not come up. Once you've done that, you'll still have to ignore the warning.

It would be a much better approach, if possible, to set document.domain to a specific static value that doesn't come from input (e.g. take it from configuration).
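The following JavaScript is an added example and is not code from the question or from either answer. It models the three points made above: a hypothetical href-splitting routine of the kind the first answer warns about (and how the `injectedHostname` URL fools it), a simplified model of the browser rule that document.domain may only be set to the current host or a parent domain and never to a bare TLD, and the second answer's recommendation to read `location.hostname` and take the value from configuration. All function names, the `CONFIG` object, the `loc` stand-in for `window.location` and the sample URLs are constructed for illustration; real browsers decide "is this a TLD" with the Public Suffix List, which the two-label check here only approximates.

```javascript
// Added example; none of these functions are from the original question or answers.

// (1) Hypothetical flawed parser: takes the text after the LAST "//" as the host,
//     so a URL smuggled into the query string wins over the real host.
function hostFromHrefNaive(href) {
  const parts = href.split('//');
  return parts[parts.length - 1].split(/[/?#]/)[0];
}

// (2) What the first answer recommends instead: use a real URL parser (or, in a
//     browser, location.hostname) rather than splitting the href by hand.
function hostFromHrefParsed(href) {
  return new URL(href).hostname;
}

// (3) The "www.example.com -> example.com" step described in the first answer.
//     Simplified: drops the leftmost label when there are more than two labels.
function parentDomain(hostname) {
  const labels = hostname.split('.');
  return labels.length > 2 ? labels.slice(1).join('.') : hostname;
}

// (4) Simplified model of the browser rule both answers rely on: document.domain
//     may only be set to the current host or one of its parent domains, and never
//     to a bare TLD. Browsers use the Public Suffix List, so "co.uk" would also be
//     rejected in practice; the two-label test below is only an approximation.
function canSetDocumentDomain(currentHost, candidate) {
  if (candidate.split('.').length < 2) return false; // bare TLD such as "com"
  return candidate === currentHost || currentHost.endsWith('.' + candidate);
}

// (5) The second answer's approach: read the hostname from the location object,
//     refuse to loosen the origin unless the host is one the deployment expects,
//     and return a static configured value instead of anything derived from input.
//     `loc` stands in for window.location; `config` is constructed for this example.
function documentDomainFor(loc, config) {
  if (!config.allowedHosts.includes(loc.hostname)) {
    return null; // unexpected Host (e.g. attacker DNS pointing at this IP): do nothing
  }
  return config.sharedDomain;
}

const CONFIG = {
  allowedHosts: ['www.example.com', 'app.example.com'],
  sharedDomain: 'example.com',
};

// Constructed sample URLs: a normal page and the injected-hostname variant
// from the first answer.
const NORMAL_HREF = 'http://www.example.com/page';
const INJECTED_HREF = 'http://www.example.com/?injectedHostname=http://www.example.org';

// Walk the injected URL through the naive routine, then apply the browser rule:
// the naive parser is fooled, but the browser still refuses the resulting domain
// because example.org is not a parent of www.example.com.
function naiveFlowIsRejected(href, currentHost) {
  const derived = parentDomain(hostFromHrefNaive(href));
  return !canSetDocumentDomain(currentHost, derived);
}

console.log('naive parse of injected href :', hostFromHrefNaive(INJECTED_HREF));
console.log('URL-parsed host of same href :', hostFromHrefParsed(INJECTED_HREF));
console.log('browser rejects naive result :', naiveFlowIsRejected(INJECTED_HREF, 'www.example.com'));
console.log('config-driven value          :', documentDomainFor({ hostname: 'www.example.com' }, CONFIG));
console.log('unexpected host              :', documentDomainFor({ hostname: 'evil.example.org' }, CONFIG));
```

The naive routine returns `www.example.org` for the injected URL, which is the flaw the first answer describes; the same URL parsed properly yields `www.example.com`. Even with the flawed parser, `canSetDocumentDomain` shows why the browser would refuse the derived value, which is the reason both answers give for treating the finding as a false positive. The configuration-driven function never touches the URL at all, so the AppScan source-to-sink path disappears along with the warning.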
