哪些Xss注入(可能被xss注入的标签)

今日笑话 2022年05月29日
本文导读目录:

xss注入漏洞产生的原因?xss注入过程步骤是什么?防范xss注入的方法有哪些

对于的用户输入中出现XSS漏洞的问题,主要是由于开发人员对XSS了解不足,安全的意识不够造成的。现在让我们来普及一下XSS的一些常识,以后在开发的时候,每当有用户输入的内容时,都要加倍小心。请记住两条原则:过滤输入和转义输出。

一、什么是XSS

XSS又叫CSS (Cross Site Script) ,跨站脚本攻击。它指的是恶意攻击者往Web页面里插入恶意html代码,当用户浏览该页之时,嵌入其中Web里面的html代码会被执行,从而达到恶意的特殊目的。XSS属于被动式的攻击,因为其被动且不好利用,所以许多人常呼略其危害性。

在WEB2.0时代,强调的是互动,使得用户输入信息的机会大增,在这个情况下,我们作为开发者,在开发的时候,要提高警惕。

二、XSS攻击的主要途径

XSS攻击方法只是利用HTML的属性,作各种的尝试,找出注入的方法。现在对三种主要方式进行分析。

第一种:对普通的用户输入,页面原样内容输出。

打开http://go.ent.163.com/goproducttest/test.jsp(限公司IP),输 入:scriptalert(‘xss’)/script, JS脚本顺利执行。当攻击者找到这种方法后,就可以传播这种链接格式的链接 (http://go.ent.163.com/goproducttest/test.jsp?key=JSCODE)如:http: //go.ent.163.com/goproducttest/test.jsp?key=scriptalert(‘xss’) lt;/script,并对JSCODE做适当伪装,如:

http://go.ent.163.com/goproducttest/test.jsp?key=%3c%73%63%72%69%70 %74%3e%61%6c%65%72%74%28%27%78%73%73%27%29%3c%2f%73%63%72%69%70%74%3e,当其 它用户当点此链接的时候,JS就运行了,造成的后果会很严重,如跳去一个有木马的页面、取得登陆用户的COOKIE等。

第二种:在代码区里有用户输入的内容

原则就是,代码区中,绝对不应含有用户输入的东西。

第三种:允许用户输入HTML标签的页面。

用户可以提交一些自定义的HTML代码,这种情况是最危险的。因为,IE浏览器默认采用的是UNICODE编码,HTML编码可以用ASCII方式来写,又可以使用”/”连接16进制字符串来写,使得过滤变得异常复杂,如下面的四个例子,都可以在IE中运行。

1,直接使用JS脚本。

img src=”javascript:alert(‘xss’)” /

2,对JS脚本进行转码。

img src=”javascript:alert(‘xss’)” /

3,利用标签的触发条件插入代码并进行转码。

img onerror=”alert(‘xss’)” /

4,使用16进制来写(可以在傲游中运行)

img STYLE=”background-image: /75/72/6c/28/6a/61/76/61/73/63/72/69/70/74/3a/61/6c/65/72/74/28/27/58/53/53/27/29/29″

以上写法等于img STYLE=”background-image: url(javascript:alert(‘XSS’))”

三、XSS攻击解决办法

请记住两条原则:过滤输入和转义输出。

具体执行的方式有以下几点:

第一、在输入方面对所有用户提交内容进行可靠的输入验证,提交内容包括URL、查询关键字、http头、post数据等

第二、在输出方面,在用户输内容中使用XMP标签。标签内的内容不会解释,直接显示。

第三、严格执行字符输入字数控制。

四、在脚本执行区中,应绝无用户输入。

xss攻击类型包括那些?

从攻击代码的工作方式可以分为三个类型:

(1)持久型跨站:最直接的危害类型,跨站代码存储在服务器(数据库)。

(2)非持久型跨站:反射型跨站脚本漏洞,最普遍的类型。用户访问服务器-跨站链接-返回跨站代码。

(3)DOM跨站(DOM XSS):DOM(document object model文档对象模型),客户端脚本处理逻辑导致的安全问题。

基于DOM的XSS漏洞是指受害者端的网页脚本在修改本地页面DOM环境时未进行合理的处置,而使得攻击脚本被执行。在整个攻击过程中,服务器响应的页面并没有发生变化,引起客户端脚本执行结果差异的原因是对本地DOM的恶意篡改利用。

常用的XSS攻击手段和目的有:

1、盗用cookie,获取敏感信息。

2、利用植入Flash,通过crossdomain权限设置进一步获取更高权限;或者利用Java等得到类似的操作。

3、利用iframe、frame、XMLHttpRequest或上述Flash等方式,以用户的身份执行一些管理动作,或执行一些一般的如发微博、加好友、发私信等操作。

4、利用可被攻击的域受到其他域信任的特点,以受信任来源的身份请求一些平时不允许的操作,如进行不当的投票活动。

5、在访问量极大的一些页面上的XSS可以攻击一些小型网站,实现DDos攻击的效果。

解释什么是sql注入,xss漏洞

所谓SQL注入,就是通过把SQL命令插入到Web表单提交或输入域名或页面请求的查询字符串,最终达到欺骗服务器执行恶意的SQL命令。

而XSS漏洞,就是跨站脚本攻击,是一种在web应用中的计算机安全漏洞,它允许恶意web用户将代码植入到提供给其它用户使用的页面中。

解释什么是xss,csrf,sql注入以及如何防范

权限控制

以及SQL注入、CSRF跨站脚本攻击、XSS漏洞分别在URL参数、表单中的攻击,Session超时等,这主要是web系统的安全测试

几种极其隐蔽的XSS注入的防护

XSS注入的本质

就是: 某网页中根据用户的输入, 不期待地生成了可执行的js代码, 并且js得到了浏览器的执行. 意思是说, 发给浏览器的字符串中, 包含了一段非法的js代码, 而这段代码跟用户的输入有关.

常见的XSS注入防护, 可以通过简单的 htmlspecialchars(转义HTML特殊字符), strip_tags(清除HTML标签) 来解决, 但是, 还有一些隐蔽的XSS注入不能通过这两个方法来解决, 而且, 有时业务需要不允许清除HTML标签和特殊字符. 下面列举几种隐蔽的XSS注入方法:

IE6/7 UTF7 XSS 漏洞攻击

隐蔽指数: 5

伤害指数: 5

这个漏洞非常隐蔽, 因为它让出现漏洞的网页看起来只有英文字母(ASCII字符), 并没有非法字符, htmlspecialchars 和 strip_tags 函数对这种攻击没有作用. 不过, 这个攻击只对 IE6/IE7 起作用, 从 IE8 起微软已经修复了. 你可以把下面这段代码保存到一个文本文件中(前面不要有空格和换行), 然后用 IE6 打开试试(没有恶意代码, 只是一个演示):

+/v8 +ADw-script+AD4-alert(document.location)+ADw-/script+AD4-

最容易中招的就是 JSONP 的应用了, 解决方法是把非字母和数字下划线的字符全部过滤掉. 还有一种方法是在网页开始输出空格或者换行, 这样, UTF7-XSS 就不能起作用了.

因为只对非常老版本的 IE6/IE7 造成伤害, 对 Firefox/Chrome 没有伤害, 所以伤害指数只能给 4 颗星.

参考资料:UTF7-XSS不正确地拼接 JavaScript/JSON 代码段

隐蔽指数: 5

伤害指数: 5

Web 前端程序员经常在 PHP 代码或者某些模板语言中, 动态地生成一些 JavaScript 代码片段, 例如最常见的:

var a = '?php echo htmlspecialchars($name); ?';

不想, $name 是通过用户输入的, 当用户输入a’; alert(1); 时, 就形成了非法的JavaScript 代码, 也就是XSS 注入了.

只需要把上面的代码改成:

var a = ?php echo json_encode($name); ?;

去掉单引号, 利用 PHP 的 json_encode() 函数来生成表示字符串的字符串. 这样做是因为,

最好用 json_encode() 函数来生成所有的 JSON 串, 而不要试图自己去拼接

. 程序员总是犯这样的错误: 自己去解析 HTTP 报文, 而不是用现成的成熟的库来解析. 用 json_encode() 的好处还在于, 即使业务要求我要保留单引号时, XSS注入也可以避免.

隐蔽指数最高级, 伤害所有的通用浏览器

. 这种 XSS 注入方式具有非常重要的参考意义.

最后, 根据工作中的经验, 以及我自己和别人犯过的错, 我总结出一个定理: 没有一劳永逸的单一方法可以解决所有 XSS 注入问题.

有用的经验:输出 HTML 代码时 htmlspecialchars输出JavaScript 代码时 json_encode

输入过滤应该用于解决业务限制, 而不是用于解决 XSS 注入(与严进宽出的原则相悖, 所以本条值得讨论)讨论:上文提到的经验第3条, 是一种宽进严出的原则, 和严进宽出原则是相悖的. 其实, 我认为不应该把严进宽出作为一条伪真理, 好像除了它其它的说法都不对了似的. 宽进严出和严进宽出应该具有完全相等的地位, 根据实现的成本进行取舍.

例如, 用户的名字可以采用严进宽出原则, 不允许用户填写单引号, 大于号小于号等. 但是用户的签名呢? 难道就不能填单引号?

在xss中各种过滤的情况,在什么地方可能存在注入点

XSS注入的本质就是:某网页中根据用户的输入,不期待地生成了可执行的js代码,并且js得到了浏览器的执行.意思是说,发给浏览器的字符串中,包含了一段非法的js代码,而这段代码跟用户的输入有关.常见的XSS注入防护,可以通过简单的htmlspecialchars(转义HTML特殊字符),strip_tags(清除HTML标签)来解决,但是,还有一些隐蔽的XSS注入不能通过这两个方法来解决,而且,有时业务需要不允许清除HTML标签和特殊字符.下面列举几种隐蔽的XSS注入方法:IE6/7UTF7XSS漏洞攻击隐蔽指数:5伤害指数:5这个漏洞非常隐蔽,因为它让出现漏洞的网页看起来只有英文字母(ASCII字符),并没有非法字符,htmlspecialchars和strip_tags函数对这种攻击没有作用.不过,这个攻击只对IE6/IE7起作用,从IE8起微软已经修复了.你可以把下面这段代码保存到一个文本文件中(前面不要有空格和换行),然后用IE6打开试试(没有恶意代码,只是一个演示):+/v8+ADw-script+AD4-alert(document.location)+ADw-/script+AD4-最容易中招的就是JSONP的应用了,解决方法是把非字母和数字下划线的字符全部过滤掉.还有一种方法是在网页开始输出空格或者换行,这样,UTF7-XSS就不能起作用了.因为只对非常老版本的IE6/IE7造成伤害,对Firefox/Chrome没有伤害,所以伤害指数只能给4颗星.参考资料:UTF7-XSS不正确地拼接JavaScript/JSON代码段隐蔽指数:5伤害指数:5Web前端程序员经常在PHP代码或者某些模板语言中,动态地生成一些JavaScript代码片段,例如最常见的:vara='!--?phpechohtmlspecialchars($name);?';不想,$name是通过用户输入的,当用户输入a’;alert(1);时,就形成了非法的JavaScript代码,也就是XSS注入了.只需要把上面的代码改成:vara=

什么是sql注入 什么是xss注入

推荐你去百度一下OWASP,你基本上可以看到有关网络安全的全貌了 - SQL注入和xss注入是最常见的两种注入攻击

关键词: 哪些Xss注入
我来说两句
黑客技术 3年前 (2022-05-29) | 回复
;或者利用Java等得到类似的操作。3、利用iframe、frame、XMLHttpRequest或上述Flash等方式,以用户的身份执行一些管理动作,或执行一些一般的如发微博、加好友、发私信等操作。4、利用可被攻击的域受到其他域信任的特点,以受信任来源的身份请求一些平时不允许的操作,
黑客技术 3年前 (2022-05-29) | 回复
你可以把下面这段代码保存到一个文本文件中(前面不要有空格和换行),然后用IE6打开试试(没有恶意代码,只是一个演示):+/v8+ADw-script+AD4-alert(document.location)+ADw-/script+AD4-最容易中招的就是JSONP的应用了,解
黑客技术 3年前 (2022-05-29) | 回复
st或上述Flash等方式,以用户的身份执行一些管理动作,或执行一些一般的如发微博、加好友、发私信等操作。4、利用可被攻击的域受到其他域信任的特点,以受信任来源的身份请求一些平时不允许的操作,如进行不当的投票活动。5、在访问量极大的一些页面上的XSS可以攻击一些小型网站,实
kyrieirving 1年前 (2023-11-22) | 回复
I truly wanted to post a quick message so as to appreciate you for the splendid secrets you are giving at this website. My long internet look up has now been recognized with professional content to go over with my close friends. I would admit that most of us readers are really endowed to be in a fabulous community with very many awesome professionals with helpful strategies. I feel pretty privileged to have come across the website page and look forward to really more brilliant moments reading here. Thanks again for all the details.
jordanofficial 1年前 (2023-12-07) | 回复
I must convey my admiration for your generosity supporting all those that require assistance with this important matter. Your personal commitment to passing the message throughout turned out to be quite invaluable and has surely encouraged people much like me to realize their desired goals. Your personal helpful report can mean so much a person like me and somewhat more to my colleagues. Thanks a ton; from everyone of us.
airjordan 1年前 (2023-12-28) | 回复
I enjoy you because of your own effort on this web page. My mother delights in doing research and it's really easy to understand why. My spouse and i hear all regarding the powerful manner you offer both useful and interesting guides on the website and strongly encourage response from others on the subject matter and our own child is always learning a lot. Have fun with the remaining portion of the year. You're the one doing a very good job.
hermesbag 1年前 (2023-12-29) | 回复
Thanks so much for providing individuals with an exceptionally terrific opportunity to read critical reviews from this web site. It's usually very lovely and as well , stuffed with a great time for me and my office fellow workers to visit the blog the equivalent of 3 times in one week to read through the new items you have got. Of course, I'm just at all times pleased for the eye-popping hints you give. Some 3 facts in this article are essentially the simplest I have ever had.
offwhite 1年前 (2023-12-30) | 回复
My wife and i got quite satisfied that Jordan managed to complete his analysis via the ideas he came across from your very own web site. It is now and again perplexing just to find yourself offering concepts which often other people have been making money from. Therefore we remember we've got the blog owner to be grateful to for that. The explanations you've made, the straightforward website navigation, the friendships you can aid to engender - it's most astounding, and it is assisting our son in addition to us know that that subject is excellent, which is extremely indispensable. Many thanks for everything!
kdshoes 12个月前 (01-01) | 回复
I intended to put you the little bit of remark just to say thank you once again for your fantastic knowledge you have shared in this article. It was quite wonderfully open-handed of people like you to allow freely precisely what a number of us could have offered as an e-book to help with making some money for their own end, notably seeing that you could have tried it if you wanted. The inspiring ideas in addition worked to provide a good way to fully grasp someone else have similar eagerness like my personal own to realize a lot more pertaining to this issue. I think there are a lot more fun instances in the future for folks who scan through your blog post.
paulgeorge 12个月前 (01-03) | 回复
A lot of thanks for all your valuable efforts on this web site. My mother really loves getting into research and it is simple to grasp why. We all learn all relating to the powerful method you deliver great tips on this web site and in addition increase participation from others on the subject while our girl is always learning a whole lot. Take advantage of the rest of the new year. Your carrying out a tremendous job.
bapesta 12个月前 (01-04) | 回复
My spouse and i ended up being quite ecstatic when Edward managed to complete his web research from your ideas he was given through your weblog. It is now and again perplexing just to possibly be giving for free concepts that many others have been selling. We really discover we now have the writer to thank for this. The illustrations you have made, the easy web site navigation, the relationships your site give support to engender - it's most terrific, and it's aiding our son in addition to us do think that matter is interesting, which is pretty serious. Many thanks for the whole lot!
jordan1offwhite 12个月前 (01-05) | 回复
I enjoy you because of all your valuable efforts on this site. Debby take interest in setting aside time for investigations and it is easy to see why. Most of us notice all about the dynamic way you convey very useful information on the web blog and in addition welcome participation from people on that concern and our princess is without question starting to learn a great deal. Take pleasure in the remaining portion of the new year. You have been carrying out a powerful job.
kyrie8shoes 12个月前 (01-06) | 回复
Thank you a lot for giving everyone an extremely memorable chance to read articles and blog posts from this blog. It's always very brilliant and as well , jam-packed with a good time for me and my office peers to visit your blog not less than thrice a week to study the newest guidance you have got. And indeed, I am always satisfied with your awesome suggestions you give. Selected two areas in this post are surely the most effective we have had.
goldengooseshoessale 12个月前 (01-07) | 回复
Would you be fascinated about exchanging links?
bapeshoes 12个月前 (01-07) | 回复
I enjoy you because of your own efforts on this web site. Gloria really loves managing investigation and it's obvious why. Most of us hear all of the lively ways you convey powerful strategies on this blog and as well as recommend participation from people on this subject matter and our girl is now studying a whole lot. Have fun with the rest of the year. Your carrying out a tremendous job.
offwhitejordan 12个月前 (01-09) | 回复
I simply wished to thank you so much once more. I do not know the things I would've gone through in the absence of the opinions discussed by you relating to such theme. It actually was a terrifying circumstance in my position, however , being able to view your well-written strategy you dealt with it took me to leap for gladness. I'm happier for the work and pray you realize what a great job that you're doing educating the others via your webblog. More than likely you have never got to know all of us.
offwhitejordan1 12个月前 (01-10) | 回复
I simply wanted to compose a simple word so as to say thanks to you for all of the lovely hints you are giving out on this website. My considerable internet research has now been honored with reputable tips to talk about with my two friends. I would point out that many of us site visitors actually are rather lucky to live in a superb network with very many awesome individuals with good tactics. I feel rather happy to have discovered your entire web pages and look forward to really more enjoyable minutes reading here. Thank you again for everything.
goldengoose 12个月前 (01-13) | 回复
I'm also writing to let you be aware of what a awesome encounter my friend's princess had studying your site. She picked up such a lot of things, with the inclusion of what it's like to have a great helping mood to get many more with ease learn some specialized issues. You undoubtedly surpassed visitors' expected results. I appreciate you for churning out these powerful, healthy, revealing and easy guidance on the topic to Mary.
offwhitehoodie 12个月前 (01-14) | 回复
I am just commenting to make you understand of the wonderful encounter our daughter had studying your web site. She came to find many issues, including what it's like to possess an ideal giving style to let men and women without hassle have an understanding of various advanced subject matter. You actually exceeded her expectations. Many thanks for giving these insightful, healthy, educational and cool tips about that topic to Jane.
fearofgodessentials 11个月前 (01-15) | 回复
I precisely wished to say thanks once again. I'm not certain the things that I might have achieved without the type of opinions documented by you on such question. It previously was a frightening case in my position, however , viewing the specialised fashion you handled it took me to weep over contentment. I'm just happier for your work and then trust you are aware of a great job you're carrying out training men and women through the use of your webpage. Probably you've never met any of us.
kevindurantshoes 11个月前 (01-16) | 回复
I am also commenting to make you be aware of of the extraordinary discovery my princess had reading through your site. She came to find so many details, most notably what it's like to have an amazing giving character to have others without problems learn about specified problematic subject matter. You undoubtedly surpassed readers' desires. Thank you for showing these warm and helpful, trusted, edifying and also unique guidance on that topic to Kate.
goyard 11个月前 (01-17) | 回复
I wanted to send a brief remark to be able to thank you for those fantastic tips you are showing at this website. My time-consuming internet investigation has at the end of the day been recognized with beneficial knowledge to exchange with my contacts. I 'd tell you that many of us site visitors actually are definitely fortunate to live in a perfect site with many outstanding professionals with very helpful hints. I feel rather happy to have used the web pages and look forward to many more awesome moments reading here. Thanks a lot again for a lot of things.
goldengooserunningsneakers 11个月前 (01-18) | 回复
After examine a few of the blog posts in your web site now, and I actually like your method of blogging. I bookmarked it to my bookmark web site listing and might be checking back soon. Pls check out my website online as effectively and let me know what you think.
bapehoodies 11个月前 (01-18) | 回复
I in addition to my pals were actually checking the nice techniques found on your website and so all of the sudden I had a terrible suspicion I never expressed respect to you for those techniques. All the men became glad to read through all of them and now have seriously been taking advantage of these things. Appreciation for simply being considerably kind and for pick out this form of wonderful resources most people are really wanting to discover. My very own sincere regret for not saying thanks to you earlier.
palmangelsoutlet 11个月前 (01-19) | 回复
Thanks so much for providing individuals with an exceptionally brilliant chance to read critical reviews from here. It is usually very good and also packed with a good time for me and my office fellow workers to search your blog at minimum thrice weekly to read the fresh things you have. And indeed, I'm just usually satisfied with all the staggering strategies you give. Certain 2 areas in this article are truly the simplest I've had.
kobebyrantshoes 11个月前 (01-20) | 回复
I want to get across my passion for your kindness for folks who should have help with this one topic. Your personal commitment to getting the message throughout had become exceedingly beneficial and has continuously encouraged women just like me to reach their dreams. Your personal insightful instruction can mean much to me and still more to my office colleagues. With thanks; from each one of us.
bape 11个月前 (01-22) | 回复
I must voice my passion for your kindness supporting those individuals that really want guidance on this important issue. Your personal commitment to passing the message around came to be extremely powerful and has surely allowed women just like me to get to their targets. This warm and friendly guide indicates so much to me and extremely more to my mates. Warm regards; from everyone of us.
kyrie7 11个月前 (01-22) | 回复
I together with my guys were found to be going through the excellent tricks found on the blog and instantly developed a terrible feeling I had not expressed respect to the website owner for those tips. My boys had been absolutely warmed to learn them and already have seriously been making the most of these things. I appreciate you for really being simply helpful and for deciding upon such important guides most people are really desperate to know about. My personal sincere regret for not saying thanks to you sooner.
supreme 11个月前 (01-24) | 回复
I wish to show thanks to this writer for rescuing me from this matter. As a result of exploring throughout the the net and coming across methods which were not powerful, I believed my life was well over. Living minus the strategies to the difficulties you have fixed by way of this review is a critical case, and those which might have in a wrong way damaged my career if I had not noticed your blog. That competence and kindness in handling all the things was useful. I don't know what I would've done if I had not come upon such a point like this. I can at this moment relish my future. Thanks a lot very much for this skilled and results-oriented help. I won't hesitate to suggest your blog post to anybody who desires assistance on this issue.