堆栈内存溢出
  简体   繁体   English

如何防范编码 URL XSS 攻击

[英]How to protect against Encoded URL XSS Attack

 原文  2020-03-08 11:05:16       javascript/ php/ html/ security/ xss

问题描述

I got following 2 questions as:我有以下两个问题:

1) How to protect from this kind of XSS Attacks? 1) 如何防范此类 XSS 攻击?

https://www.example.com/index.php?&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041 https://www.example.com/index.php?&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&# 0000039&#0000088&#0000083&#0000083&#0000039&#0000041

If suppose for some reason, the query parameter is embedded in an image load event then it would be like this如果假设出于某种原因,查询参数嵌入在图像加载事件中,那么它会是这样的

<img src=x onload="&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041">

//And browser treats as
<img src=x onload="javascript:alert('XSS')">

I am already using PHP's htmlspecialchars() and Filtar_var() with URL Sanitization, but this kind of encoded XSS will easily get pass through these functions我已经在使用 PHP 的htmlspecialchars()Filtar_var()和 URL Filtar_var() ,但是这种编码的 XSS 很容易通过这些函数

How can we defend such Encoded XSS or neutralize any such attack?我们如何防御此类编码型 XSS 或中和任何此类攻击?

2) Is it necessary for an XSS attack to get embedded in HTML Page, Javascript or CSS etc in order to get triggered? 2) XSS 攻击是否需要嵌入 HTML 页面、Javascript 或 CSS 等中才能触发? or there can be a way where XSS does not need to be embedded?或者可以有一种不需要嵌入 XSS 的方法?

1 个解决方案

解决方案1
 1  2020-03-08 15:40:25

htmlspecialchars is a perfectly good defence against XSS when you are inserting user input into an HTML document.当您将用户输入插入 HTML 文档时, htmlspecialchars是对 XSS 的完美防御。

It stops any HTML syntax in the user input from breaking out of where you intend for it to go and being treated as JavaScript.它阻止用户输入中的任何 HTML 语法超出您的预期目标并被视为 JavaScript。

Your problem has nothing to do with the fact the attack is encoded.您的问题与攻击已编码的事实无关。 The problem is that are are putting user input somewhere that JavaScript is expected (and onload attribute) so it is already being treated as JavaScript .问题是将用户输入放在预期 JavaScript(和onload属性)的地方,因此它已经被视为 JavaScript

json_encode is the usual solution here (and then htmlspecialchars because the JavaScript is inside an HTML attribute). json_encode是这里的常用解决方案(然后是htmlspecialchars因为 JavaScript 在 HTML 属性中)。

However, that only works when you are taking user input and putting it into a script to be used as data.但是,这仅在您获取用户输入并将其放入脚本以用作数据时才有效。 Here it seems that you are taking user input and just treating the whole thing as a JavaScript function.在这里,您似乎正在接受用户输入并将整个内容视为 JavaScript 函数。

If you do that then you are going to be vulnerable to XSS.如果你这样做,那么你将容易受到 XSS 的攻击。 You can mitigate it to some degree by implementing defenses against CSRF, but you almost certainly shouldn't be doing this in the first place.您可以通过实施针对 CSRF 的防御在一定程度上缓解它,但您几乎肯定不应该首先这样做。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何防范此类攻击? - How to protect against this type of attack? 用猫鼬防御XSS攻击 - Defending against XSS attack with mongoose XSS攻击以修改URL - XSS Attack for Modifying the URL 如何在脚本标签内使用 html 编码的 xss 攻击向量触发 xss? - How to trigger xss with html encoded xss attack vector inside script tags? 这种XSS攻击如何起作用? - How is this XSS attack working? Addslashes安全,以防止数组中的xss? - Addslashes safe to protect against xss in array? 允许使用Javascript-防范XSS吗? (独特的情况) - Allow Javascript - protect against XSS? (unique scenario) 数据不使用 .text() jQuery 显示以防止 XSS - Data not displaying with .text() jQuery to protect against XSS 防止javascript中的xss攻击造成url - prevent url from xss attack in javascript 来自网址的XSS攻击获取变量 - XSS attack from url get variable
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM