逃避<和>是否足以阻止XSS攻击？

Question

I'm sure that the answer to this question is No, but I can't seem to find a way that simply transforming < and > to < and > doesn't completely block reflected and persistent XSS.

I'm not talking about CSRF.

If this doesn't block XSS, can you provide an example of how to bypass this defence?

Answer 1

Not all XSS attacks include < or > at all, depending on where the data is being inserted.

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#Why_Can.27t_I_Just_HTML_Entity_Encode_Untrusted_Data.3F

Answer 2

When using an untrusted string in an attribute (quoted with " ) you need to escape " as &quot .

Otherwise you could easily inject javascript. For example, <a href="{{str}}"> with str being, for example, " onmouseover='something-evil'" .

Answer 3

No. Here are a couple of examples where escaping < , > , ' , " and & is not enough:

Example 1:

<a href="{{myUrl}}">

XSS Attack:

myUrl = "javascript:alert(1)"

Example 2:

<script>var page = {{myVar}};</script>

XSS Attack:

myVar = "1;alert(1)"

See https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet for ways of preventing these attacks.

Answer 4

No, it's not sufficient. Remember that XSS isn't just about untrusted data in HTML, you'll also find it in JavaScript and CSS. Think about a situation such as "var myVar = [input];" There are all sorts of malicious things you can do with that [input] value without going anywhere near angle brackets. There's many more examples over in the XSS cheat sheet: http://ha.ckers.org/xss.html

You've mentioned ASP.NET in the tag; what you want to be looking at is the [AntiXSS library][1] . Grab this and use the appropriate output encoding:

Encoder.CssEncode()
Encoder.HtmlEncode()
Encoder.HtmlAttributeEncode()
Encoder.JavaScriptEncode()

etc. etc. There's absolutely no reason to try and do your own character substitution in .NET.