Michael
Cross-Site Scripting, also called a cross-site script attack, is usually abbreviated XSS.
You may want to brush up on the background first here: http://en.wikipedia.org/wiki/Cross-site_scripting
For work I have recently been studying some common attack methods and vulnerabilities, so as to prevent and fix them. If you have not heard of these before, you may want to read the following first to get up to speed.
XSS is mainly divided into three kinds: Reflected, Persistent and DOM. It is usually quite harmful, and web applications contain many potential places where XSS can be used. Below are some descriptions and explanations taken from the web; I hope you read them patiently and think them through, and better still, try them hands-on.
1. Cross-Site Scripting: Reflected
Abstract:
Sending unvalidated data to a web browser can result in the browser executing malicious code.
Explanation:
Cross-site scripting (XSS) vulnerabilities occur when:
1. Data enters a web application through an untrusted source. In the case of Reflected XSS, the untrusted source is typically a web request, while in the case of Persisted (also known as Stored) XSS it is typically a database or other back-end datastore.
2. The data is included in dynamic content that is sent to a web user without being validated for malicious code. The malicious content sent to the web browser often takes the form of a segment of JavaScript, but may also include HTML, Flash or any other type of code that the browser may execute. The variety of attacks based on XSS is almost limitless, but they commonly include transmitting private data like cookies or other session information to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user's machine under the guise of the vulnerable site.
Example code:
<%-- Vulnerable: the "id" request parameter is written into the page without encoding --%>
<% String id = request.getParameter("id"); %>
<%=id %>
How Reflected XSS reaches the victim:
A hacker or malicious attacker can send an email containing a URL link with a malicious script embedded, and use some social engineering to make the victim trust the link and click it. The script then runs in the victim's browser and carries out malicious actions: it may redirect to a site hosting a trojan, steal your important cookie information and silently send it to a server chosen by the attacker, or damage the victim's computer...
2. Cross-Site Scripting: Persistent
Abstract:
Sending unvalidated data to a web browser can result in the browser executing malicious code.
Explanation:
Cross-site scripting (XSS) vulnerabilities occur when:
1. Data enters a web application through an untrusted source. In the case of Persistent (also known as Stored) XSS, the untrusted source is typically a database or other back-end datastore, while in the case of Reflected XSS it is typically a web request.
2. The data is included in dynamic content that is sent to a web user without being validated for malicious code. The malicious content sent to the web browser often takes the form of a segment of JavaScript, but may also include HTML, Flash or any other type of code that the browser may execute. The variety of attacks based on XSS is almost limitless, but they commonly include transmitting private data like cookies or other session information to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user's machine under the guise of the vulnerable site.
Example code:
<%-- Vulnerable: each row's "content" column, read back from the database, is written into the page without encoding --%>
<%
while (rs.next()) {
    String str = rs.getString("content");
%>
<%=str %>
<% } %>
How Persistent XSS reaches the victim:
The malicious script is submitted into the database of the server the victim uses. When the victim accesses the corresponding data in the database and it is displayed in the browser, the content fetched from the database (the malicious script) is parsed by the browser as script and executed on the victim's computer. The script then runs in the victim's browser and carries out malicious actions: it may redirect to a site hosting a trojan, steal your important cookie information and silently send it to a server chosen by the attacker, or damage the victim's computer...
3. Cross-Site Scripting: DOM
Abstract:
Sending unvalidated data to a web browser can result in the browser executing malicious code.
Explanation:
Cross-site scripting (XSS) vulnerabilities occur when:
1. Data enters a web application through an untrusted source. In the case of DOM-based XSS, data is read from a URL parameter or other value within the browser and written back into the page with client-side code. In the case of Reflected XSS, the untrusted source is typically a web request, while in the case of Persisted (also known as Stored) XSS it is typically a database or other back-end datastore.
2. The data is included in dynamic content that is sent to a web user without being validated for malicious code. In the case of DOM Based XSS, malicious code gets executed as part of DOM (Document Object Model) creation, whenever the victim's browser parses the HTML page. The malicious content sent to the web browser often takes the form of a segment of JavaScript, but may also include HTML, Flash or any other type of code that the browser may execute. The variety of attacks based on XSS is almost limitless, but they commonly include transmitting private data like cookies or other session information to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user's machine under the guise of the vulnerable site.
Example code:
<SCRIPT>
// Vulnerable: everything after "eid=" in the URL is written into the document as HTML
var pos = document.URL.indexOf("eid=") + 4;
document.write(document.URL.substring(pos, document.URL.length));
</SCRIPT>
How DOM XSS reaches the victim:
The server-side code uses DOM objects directly to write content obtained from the request dynamically into the page. But if the request parameter is a script maliciously constructed by an attacker, that malicious script will also be parsed by the browser as script and executed. The script then runs in the victim's browser and carries out malicious actions: it may redirect to a site hosting a trojan, steal your important cookie information and silently send it to a server chosen by the attacker, or damage the victim's computer...
Common XSS countermeasures:
1. Contextual output encoding/escaping of string input, safely validating untrusted HTML input:
Validate, escape or re-encode the input and output content. (In addition, the tags of both Struts 1.x and Struts 2 apply encoding and escaping to input and output, so Struts is a good choice.)
2. Disabling scripts: disable JavaScript in the browser (by changing the browser settings; however, disabling JavaScript is not a great approach either)
3. Cookie security: bind the logged-in session's cookie to a specified IP
4. Others
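Countermeasure 1 above, contextual output encoding, as an added example rather than code from the post: one untrusted value (think of the "id" request parameter in the Reflected example or the "content" column in the Persistent one) is encoded differently for the three places it may land in a page. The encoders here are written for this demonstration; in production use a maintained encoding library rather than hand-rolled functions.

```javascript
// Added example, not from the original post: contextual output encoding.
// An untrusted string must be encoded for the context it is written into.
// Plain HTML-escaping is right for element body text. Inside a <script>
// block, however, HTML entities are not decoded, so an HTML-escaped value
// there is corrupted data; the JS-string encoder keeps the data intact while
// neutralising quotes and a literal "</script>".

// HTML body context: the five characters that can start or end markup.
function encodeForHtml(s) {
  return String(s).replace(/[&<>"']/g, function (c) {
    return { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c];
  });
}

// Quoted attribute context: encode every non-alphanumeric character as &#xHH;
// so the value can neither close the quote nor introduce a new attribute.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, function (c) {
    return "&#x" + c.charCodeAt(0).toString(16) + ";";
  });
}

// JavaScript string literal context: \xHH / \uHHHH escapes, so a quote or a
// "</script>" in the data cannot end the string literal or the script block.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, function (c) {
    var code = c.charCodeAt(0);
    return code < 256 ? "\\x" + code.toString(16).padStart(2, "0")
                      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// Check that the JS-string encoding is lossless: evaluating the encoded
// literal must give back exactly the original value.
function decodesBackInJs(s) {
  return new Function('return "' + encodeForJsString(s) + '";')() === s;
}

// The same untrusted value rendered into the three contexts of one page.
function renderPage(untrusted) {
  return [
    "<p>" + encodeForHtml(untrusted) + "</p>",
    '<input value="' + encodeForHtmlAttribute(untrusted) + '">',
    '<script>var id = "' + encodeForJsString(untrusted) + '";</script>'
  ].join("\n");
}
```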
Recommended XSS links:
Knowledge 1: https://www.owasp.org/index.php/XSS
Knowledge 3: http://www.iseclab.org/papers/xss_prevention.pdf
Solution 1: Decode the input or output string (use a TLD, Tag Library Descriptor) or add a filter
http://www.ibm.com/developerworks/tivoli/library/s-csscript/
Solution 2: http://today.java.net/article/2005/09/19/handling-java-web-application-input-part-2
Character entity references in HTML
Struts Tag Explanation 1:
1. Bean tag
http://struts.apache.org/1.x/struts-taglib/tlddoc/bean/tld-summary.html
http://struts.apache.org/1.x/struts-taglib/tlddoc/bean/parameter.html
If no request parameter with the specified name can be located, and no default value is specified, a request time exception will be thrown.
2. Logic tag
http://struts.apache.org/1.x/struts-taglib/tlddoc/logic/tld-summary.html
http://struts.apache.org/1.x/struts-taglib/tlddoc/logic/present.html
But given network limitations, we can also download the TLD files and put them into our project so that the Struts tags can work.
Please forgive any shortcomings; if you have other perspectives or ideas, you are welcome to get in touch ^_^
——-EOF——