Analysis of a reflected XSS example
When we visit a web page, parameters are appended to the URL, and the server builds different HTML depending on the parameter values in the request, for example http://localhost:8080/prjWebSec/xss/reflectedXSS.jsp?param=value. In this example, value may end up in the returned HTML (inside JS, inside the content of some HTML element, or inside an attribute).
Let's look at a simple example:
utilits.js:

function writeToDom(str){
    document.writeln(str);
}
function writelnToDom(str){
    document.writeln(str + "<br>");
}

reflectedXSS.jsp:

<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<%@ page import="org.apache.commons.lang.StringEscapeUtils"%>
<%@ page import="java.net.URLDecoder,java.net.URLEncoder"%>
<%@ page import="org.owasp.esapi.ESAPI"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>test XSS</title>
<script type="text/javascript" src="../js/utilits.js"></script>
</head>
<%
String param = request.getParameter("param");
System.out.println("original " + param);
%>
<script>
var scriptVar='<%=param%>';
writelnToDom("original: " + scriptVar);
</script>
<body>
</body>
</html>

When the user visits the URL http://localhost:8080/prjWebSec/xss/reflectedXSS.jsp?param=value,
<%
String param = request.getParameter("param");
System.out.println("original " + param);
String secparam = StringEscapeUtils.escapeJavaScript(request.getParameter("param"));
System.out.println("StringEscapeUtils " + secparam);
String owaspparam = ESAPI.encoder().encodeForJavaScript(request.getParameter("param"));
System.out.println("OWASP " + owaspparam);
out.write("server side output ------------------------------------------------------- ");
out.write("<br>original: " + param);
out.write("<br>StringEscapeUtils: " + secparam);
out.write("<br>OWASP: " + owaspparam);
%>
<script>
writelnToDom("<br> client side output---------------------------------------------");
var scriptVar='<%=param%>';
writelnToDom("original: " + scriptVar);
var secVar='<%=secparam%>';
writelnToDom('StringEscapeUtils:' + secVar);
var owaspparam='<%=owaspparam%>';
writelnToDom("OWASP: " + owaspparam);
</script>

Test with this URL:
The System.out output is:

original value中文';alert('x')//<>
StringEscapeUtils value\u4E2D\u6587\';alert(\'x\')//<>
OWASP value\u4E2D\u6587\x27\x3Balert\x28\x27x\x27\x29\x2F\x2F\x3C\x3E

The browser alerts once and at the same time outputs the following:

server side output -------------------------------------------------------
original: value中文';alert('x')//<>
StringEscapeUtils: value\u4E2D\u6587\';alert(\'x\')//<>
OWASP: value\u4E2D\u6587\x27\x3Balert\x28\x27x\x27\x29\x2F\x2F\x3C\x3E
client side output---------------------------------------------
original: value中文
StringEscapeUtils:value中文';alert('x')//<>
OWASP: value中文';alert('x')//<>

StringEscapeUtils.escapeJavaScript puts an escape character (\) in front of single quotes (') and double quotes ("); for wide-byte characters
<%
String doubleSecparam = StringEscapeUtils.escapeJavaScript(
        StringEscapeUtils.escapeHtml(request.getParameter("param")));
String doubleOwasp = ESAPI.encoder().encodeForJavaScript(
        ESAPI.encoder().encodeForHTML(request.getParameter("param")));
%>
<script>
var doubleScriptVar='<%=doubleSecparam%>';
writelnToDom("doubleSecparam StringEscapeUtils: " + doubleScriptVar);
var doubleOwasp='<%=doubleOwasp%>';
writelnToDom("Double OWASP: " + doubleOwasp);
</script>
Looking at the page source in the browser, we find that the HTML elements have been encoded as HTML entities:
var doubleScriptVar='1中文\';alert(\'x\')//<img src=@ onError="javascript:alert(\'error\')">';
var doubleOwasp='1\x26\x23x4e2d\x3B\x26\x23x6587\x3B\x26\x23x27\x3B\x26\x23x3b\x3Balert\x26\x23x28\x3B\x26\x23x27\x3Bx\x26\x23x27\x3B\x26\x23x29\x3B\x26\x23x2f\x3B\x26\x23x2f\x3B\x26lt\x3Bimg\x20src\x26\x23x3d\x3B\x26\x23x40\x3B\x20onError\x26\x23x3d\x3B\x26quot\x3Bjavascript\x26\x23x3a\x3Balert\x26\x23x28\x3B\x26\x23x27\x3Berror\x26\x23x27\x3B\x26\x23x29\x3B\x26quot\x3B\x26gt\x3B';

Of course, in practice very few sites have such an obvious XSS vulnerability. This only demonstrates the principle of reflected XSS; real-world vulnerabilities come in all shapes, but the essence stays the same.
pentesterlab XSS vulnerability analysis
Introduction to pentesterlab. pentesterlab officially describes itself as a simple yet very effective practice platform for learning penetration testing. Setting up the pentesterlab environment: an image based on Debian 6 is provided; download it from the official site, create a virtual machine with VMware, and start it. PS: the official documentation recommends adding a hosts binding to make later use more convenient.