KRB*_*KRB 22 javascript php security xss
我遇到过XSS问题.具体来说,我有个人注入JS警报,显示我的输入有漏洞.我已经对XSS进行了研究并找到了例子,但由于某些原因我无法让它们起作用.
我可以获得XSS的示例,我可以将其输入到我的输入中,当我将其输出回用户时,会看到某种变化,例如警报,知道它易受攻击吗?
我正在使用PHP,我将实现htmlspecialchars(),但我首先尝试重现这些漏洞.
谢谢!
Sar*_*raz 14
你可以使用这个firefox插件:
XSS-Me是Exploit-Me工具,用于测试反射的跨站点脚本(XSS).它目前不测试存储的XSS.
该工具通过提交HTML表单并使用代表XSS攻击的字符串替换表单值来工作.如果生成的HTML页面设置了特定的JavaScript值(document.vulnerable = true),则该工具会将该页面标记为对给定的XSS字符串易受攻击.该工具不会试图破坏给定系统的安全性.它寻找攻击系统的可能入口点.该工具没有端口扫描,数据包嗅探,密码破解或防火墙攻击.
您可以将该工具所做的工作与该站点的QA测试人员一样,将所有这些字符串手动输入到表单字段中.
例如:
<script>alert("XSS")</script>
"><b>Bold</b>
'><u>Underlined</u>
It is very good to use some of the automated tools, however you won't gain any insight or experience from those.
The point of XSS attack is to execute javascript in a browser window, which is not supplied by the site. So first you must have a look in what context the user supplied data is printed on the website; it might be within <script></script> code block, it might be within <style></style> block, it might be used as an attribute of an element <input type="text" value="USER DATA" /> or for instance in a <textarea>. Depending on that you will see what syntax you will use to escape the context (or use it); for instance if you are within <script> tags, it might be sufficient to close parethesis of a function and end the line with semicolon, so the final injection will look like ); alert(555);. If the data supplied is used as an html attribute, the injection might look like " onclick="alert(1)" which will cause js execution if you click on the element (this area is rich to play with especially with html5).
The point is, the context of the xss is as much important as any filtering/sanatizing functions that might be in place, and often there might be small nuances which the automated tool will not catch. As you can see above even without quotes and html tags, in a limited number of circumstance you might be able to bypass the filters and execute js.
There also needs to be considered the browser encoding, for instance you might be able to bypass filters if the target browser has utf7 encoding (and you encode your injection that way). Filter evasion is a whole another story, however the current PHP functions are pretty bulletproof, if used correctly.
Also here is a long enough list of XSS vectors
最后,这是一个在站点上发现的 XSS 字符串的实际示例,我向您保证,没有一个扫描仪会发现它(有各种过滤器和单词黑名单,页面允许插入基本的html 格式以自定义您的个人资料页面):
<a href="Boom"><font color=a"onmouseover=alert(document.cookie);"> XSS-Try ME</span></font>
| 归档时间: |
|
| 查看次数: |
53906 次 |
| 最近记录: |