I have had issues with XSS. Specifically I had an individual inject JS alert showing that the my input had vulnerabilities. I have done research on XSS and found examples but for some reason I can't get them to work.
我遇到过XSS问题。具体来说,我有个人注入JS警报,显示我的输入有漏洞。我已经对XSS进行过研究并找到了例子,但由于某些原因我不能让它们起作用。
Can I get example(s) of XSS that I can throw into my input and when I output it back to the user see some sort of change like an alert to know it's vulnerable?
我可以获得XSS的示例,我可以将其输入到我的输入中,当我将其输出回用户时,会看到某种变化,例如警报,知道它易受攻击吗?
I'm using PHP and I am going to implement htmlspecialchars() but I first am trying to reproduce these vulnerabilities.
我正在使用PHP,我将实现htmlspecialchars(),但我首先尝试重现这些漏洞。
Thanks!
谢谢!
4 个解决方案
#1
14
You can use this firefox addon:
你可以使用这个firefox插件:
- XSS Me
- XSS我
XSS-Me is the Exploit-Me tool used to test for reflected Cross-Site Scripting (XSS). It does NOT currently test for stored XSS.
XSS-Me是Exploit-Me工具,用于测试反射的跨站点脚本(XSS)。它目前不测试存储的XSS。
The tool works by submitting your HTML forms and substituting the form value with strings that are representative of an XSS attack. If the resulting HTML page sets a specific JavaScript value (document.vulnerable=true) then the tool marks the page as vulnerable to the given XSS string. The tool does not attempting to compromise the security of the given system. It looks for possible entry points for an attack against the system. There is no port scanning, packet sniffing, password hacking or firewall attacks done by the tool.
该工具通过提交HTML表单并使用代表XSS攻击的字符串替换表单值来工作。如果生成的HTML页面设置了特定的JavaScript值(document.vulnerable = true),则该工具会将该页面标记为对给定的XSS字符串易受攻击。该工具不会试图破坏给定系统的安全性。它寻找攻击系统的可能入口点。该工具无法进行端口扫描,数据包嗅探,密码破解或防火墙攻击。
You can think of the work done by the tool as the same as the QA testers for the site manually entering all of these strings into the form fields.
您可以将该工具所做的工作与该站点的QA测试人员一样,将所有这些字符串手动输入到表单字段中。
#2
4
For example:
例如:
<script>alert("XSS")</script>
"><b>Bold</b>
'><u>Underlined</u>
#3
4
It is very good to use some of the automated tools, however you won't gain any insight or experience from those.
使用一些自动化工具非常好,但是你不会从中获得任何见解或经验。
The point of XSS attack is to execute javascript in a browser window, which is not supplied by the site. So first you must have a look in what context the user supplied data is printed on the website; it might be within <script></script> code block, it might be within <style></style> block, it might be used as an attribute of an element <input type="text" value="USER DATA" /> or for instance in a <textarea>. Depending on that you will see what syntax you will use to escape the context (or use it); for instance if you are within <script> tags, it might be sufficient to close parethesis of a function and end the line with semicolon, so the final injection will look like ); alert(555);. If the data supplied is used as an html attribute, the injection might look like " onclick="alert(1)" which will cause js execution if you click on the element (this area is rich to play with especially with html5). The point is, the context of the xss is as much important as any filtering/sanatizing functions that might be in place, and often there might be small nuances which the automated tool will not catch. As you can see above even without quotes and html tags, in a limited number of circumstance you might be able to bypass the filters and execute js.
XSS攻击的目的是在浏览器窗口中执行javascript,该窗口不是由站点提供的。首先,您必须了解用户提供的数据在网站上打印的内容;它可能在
There also needs to be considered the browser encoding, for instance you might be able to bypass filters if the target browser has utf7 encoding (and you encode your injection that way). Filter evasion is a whole another story, however the current PHP functions are pretty bulletproof, if used correctly.
还需要考虑浏览器编码,例如,如果目标浏览器具有utf7编码(并且您以这种方式对注入进行编码),则可能会绕过过滤器。过滤器规避是另一个故事,但如果正确使用,当前的PHP功能是非常防弹的。
Also here is a long enough list of XSS vectors
这里还有一个足够长的XSS向量列表
As a last thing, here is an actual example of a XSS string that was found on a site, and I guarantee you that not a single scanner would've found that (there were various filters and word blacklists, the page allowed to insert basic html formatting to customize your profile page):
最后,这是一个在网站上找到的XSS字符串的实际示例,我向您保证,没有一个扫描程序会发现(有各种过滤器和单词黑名单,允许插入基本页面)用于自定义个人资料页面的HTML格式):
<a href="Boom"><font color=a"onmouseover=alert(document.cookie);"> XSS-Try ME</span></font>
#4
1
Ad-hoc testing is OK, however I also recommend trying a web application vulnerability scanning tool to ensure you haven't missed anything.
特别测试是可以的,但我还建议您尝试使用Web应用程序漏洞扫描工具,以确保您没有遗漏任何内容。
acunetix is pretty good and has a free trial of their application:
acunetix非常好,并且可以免费试用他们的应用程序:
http://www.acunetix.com/websitesecurity/xss.htm
http://www.acunetix.com/websitesecurity/xss.htm
(Note I have no affiliation with this company, however I have used the product to test my own applications).
(注意我与该公司没有任何关系,但我已经使用该产品来测试我自己的应用程序)。
#1
14
You can use this firefox addon:
你可以使用这个firefox插件:
- XSS Me
- XSS我
XSS-Me is the Exploit-Me tool used to test for reflected Cross-Site Scripting (XSS). It does NOT currently test for stored XSS.
XSS-Me是Exploit-Me工具,用于测试反射的跨站点脚本(XSS)。它目前不测试存储的XSS。
The tool works by submitting your HTML forms and substituting the form value with strings that are representative of an XSS attack. If the resulting HTML page sets a specific JavaScript value (document.vulnerable=true) then the tool marks the page as vulnerable to the given XSS string. The tool does not attempting to compromise the security of the given system. It looks for possible entry points for an attack against the system. There is no port scanning, packet sniffing, password hacking or firewall attacks done by the tool.
该工具通过提交HTML表单并使用代表XSS攻击的字符串替换表单值来工作。如果生成的HTML页面设置了特定的JavaScript值(document.vulnerable = true),则该工具会将该页面标记为对给定的XSS字符串易受攻击。该工具不会试图破坏给定系统的安全性。它寻找攻击系统的可能入口点。该工具无法进行端口扫描,数据包嗅探,密码破解或防火墙攻击。
You can think of the work done by the tool as the same as the QA testers for the site manually entering all of these strings into the form fields.
您可以将该工具所做的工作与该站点的QA测试人员一样,将所有这些字符串手动输入到表单字段中。
#2
4
For example:
例如:
<script>alert("XSS")</script>
"><b>Bold</b>
'><u>Underlined</u>
#3
4
It is very good to use some of the automated tools, however you won't gain any insight or experience from those.
使用一些自动化工具非常好,但是你不会从中获得任何见解或经验。
The point of XSS attack is to execute javascript in a browser window, which is not supplied by the site. So first you must have a look in what context the user supplied data is printed on the website; it might be within <script></script> code block, it might be within <style></style> block, it might be used as an attribute of an element <input type="text" value="USER DATA" /> or for instance in a <textarea>. Depending on that you will see what syntax you will use to escape the context (or use it); for instance if you are within <script> tags, it might be sufficient to close parethesis of a function and end the line with semicolon, so the final injection will look like ); alert(555);. If the data supplied is used as an html attribute, the injection might look like " onclick="alert(1)" which will cause js execution if you click on the element (this area is rich to play with especially with html5). The point is, the context of the xss is as much important as any filtering/sanatizing functions that might be in place, and often there might be small nuances which the automated tool will not catch. As you can see above even without quotes and html tags, in a limited number of circumstance you might be able to bypass the filters and execute js.
XSS攻击的目的是在浏览器窗口中执行javascript,该窗口不是由站点提供的。首先,您必须了解用户提供的数据在网站上打印的内容;它可能在
There also needs to be considered the browser encoding, for instance you might be able to bypass filters if the target browser has utf7 encoding (and you encode your injection that way). Filter evasion is a whole another story, however the current PHP functions are pretty bulletproof, if used correctly.
还需要考虑浏览器编码,例如,如果目标浏览器具有utf7编码(并且您以这种方式对注入进行编码),则可能会绕过过滤器。过滤器规避是另一个故事,但如果正确使用,当前的PHP功能是非常防弹的。
Also here is a long enough list of XSS vectors
这里还有一个足够长的XSS向量列表
As a last thing, here is an actual example of a XSS string that was found on a site, and I guarantee you that not a single scanner would've found that (there were various filters and word blacklists, the page allowed to insert basic html formatting to customize your profile page):
最后,这是一个在网站上找到的XSS字符串的实际示例,我向您保证,没有一个扫描程序会发现(有各种过滤器和单词黑名单,允许插入基本页面)用于自定义个人资料页面的HTML格式):
<a href="Boom"><font color=a"onmouseover=alert(document.cookie);"> XSS-Try ME</span></font>
#4
1
Ad-hoc testing is OK, however I also recommend trying a web application vulnerability scanning tool to ensure you haven't missed anything.
特别测试是可以的,但我还建议您尝试使用Web应用程序漏洞扫描工具,以确保您没有遗漏任何内容。
acunetix is pretty good and has a free trial of their application:
acunetix非常好,并且可以免费试用他们的应用程序:
http://www.acunetix.com/websitesecurity/xss.htm
http://www.acunetix.com/websitesecurity/xss.htm
(Note I have no affiliation with this company, however I have used the product to test my own applications).
(注意我与该公司没有任何关系,但我已经使用该产品来测试我自己的应用程序)。