XSS attacks fall into two categories:
1. Reflected (non-persistent), typically found in search boxes
Take the ok3w news publishing system as an example.
Searching for <script>alert("xss")</script> or xss("xss") in the site-wide search box does not pop the alert; the page renders:
<div class=tit><SPAN class=tt><a href="./">网站首页</a> >> 搜索“xss<"xss">”</SPAN></div>
which shows the input was filtered (in the book's version it was not filtered).
Looking at search.asp:
<%
Set Page = New TurnPage
ClassID=""
Keyword = Left(Trim(Request.QueryString("q")),50)
q = OutStr(CmdSafeLikeSqlStr(Keyword))
%>
Here Keyword is the entered search term, which is passed through the CmdSafeLikeSqlStr function. Looking at function.asp:
Function CmdSafeLikeSqlStr(Str)
Str = Replace(Str,"'","''")
Str = Replace(Str,"[","[[]")
Str = Replace(Str,"%","[%]")
Str = Replace(Str,"_","[_]")
CmdSafeLikeSqlStr = Str
End Function
This function does not touch the < and > characters at all; the part that escapes < and > is OutStr:
Function OutStr(Str)
    strer=Str
    if strer="" or isnull(strer) then
        OutStr="":exit function
    end if
    strer=replace(strer,"<","&lt;") 'encode < and > so the input can no longer open a tag
    strer=replace(strer,">","&gt;")
    strer=replace(strer,CHR(13) & Chr(10),"<br>") 'line break
    strer=replace(strer,CHR(32),"&nbsp;") 'space
    strer=replace(strer,CHR(9),"&nbsp;") 'tab
    strer=replace(strer,CHR(39),"&#39;") 'single quote
    strer=replace(strer,CHR(34),"&quot;") 'double quote
    OutStr = strer
End Function
The reason the example in the book is vulnerable to XSS (the input is not filtered) is that its call to CmdSafeLikeSqlStr is not wrapped in OutStr: CmdSafeLikeSqlStr only escapes characters that matter inside a SQL LIKE pattern, so the search term reaches the HTML page with < and > intact.
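The following is an added example, not code from ok3w or the book: a Python port of the two filters above, plus the Left(Trim(...),50) step from search.asp, used to show side by side that SQL LIKE escaping alone leaves the search term live in HTML while OutStr neutralises it. The tab replacement is assumed to be a single &nbsp; (the visible code shows one character), and `has_live_script_tag` is a deliberately simple demo check, not a real detector.

```python
import re


def cmd_safe_like_sql_str(s: str) -> str:
    """Port of CmdSafeLikeSqlStr: escapes only what matters in a SQL LIKE pattern."""
    s = s.replace("'", "''")
    s = s.replace("[", "[[]")
    s = s.replace("%", "[%]")
    s = s.replace("_", "[_]")
    return s


def out_str(s: str) -> str:
    """Port of OutStr: HTML-encodes the characters that matter in markup."""
    if not s:
        return ""
    s = s.replace("<", "&lt;").replace(">", "&gt;")
    s = s.replace("\r\n", "<br>")
    s = s.replace(" ", "&nbsp;")
    s = s.replace("\t", "&nbsp;")  # assumed: one &nbsp; per tab
    s = s.replace("'", "&#39;")
    s = s.replace('"', "&quot;")
    return s


def keyword_from_query(q: str) -> str:
    """Left(Trim(Request.QueryString("q")), 50)"""
    return q.strip()[:50]


def render_search_title(q: str, apply_outstr: bool) -> str:
    """Builds the fragment search.asp echoes back. apply_outstr=False reproduces
    the book's vulnerable version (CmdSafeLikeSqlStr only); True is the fixed one."""
    keyword = cmd_safe_like_sql_str(keyword_from_query(q))
    if apply_outstr:
        keyword = out_str(keyword)
    return '<span class=tt>搜索“' + keyword + '”</span>'


_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def has_live_script_tag(fragment: str) -> bool:
    """Demo check: does the rendered HTML still contain an unencoded <script> opener?"""
    return _SCRIPT_TAG.search(fragment) is not None


if __name__ == "__main__":
    probe = '<script>alert("xss")</script>'  # the page's own test input
    for fixed in (False, True):
        html = render_search_title(probe, apply_outstr=fixed)
        print("OutStr applied:", fixed, "| live tag:", has_live_script_tag(html))
```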
2. Stored
Enter <script>alert("xss")</script> as the content of a post on the site's message board.