Friday, June 15, 2018

[Research] OWASP WebGoat 8.0 - 05. Cross Site Scripting

2018-06-15

Cross-Site Scripting (XSS) attacks fall into three main types:

  • Reflected XSS injection (the payload arrives in the request and is echoed back in the response)
  • Stored XSS injection (the payload is saved server-side and served later to other users)
  • DOM-based XSS injection (client-side script writes attacker-controlled data into the DOM; the server response itself may be clean)

The lesson (attack5a) reflects field1 into the purchase receipt. The request with the payload in field1, and the JSON response WebGoat returned:
http://localhost:8080/WebGoat/CrossSiteScripting/attack5a?QTY1=1&QTY2=1&QTY3=1&QTY4=1&field1=%3Cscript%3Ealert(%27myjavascripthere%27)%3C/script%3E4128+3214+0002+1999&field2=111

{
  "lessonCompleted" : true,
  "feedback" : "Try again. We do want to see this specific javascript (in case you are trying to do something more fancy)",
  "output" : "Thank you for shopping at WebGoat. <br \\/>You're support is appreciated<hr \\/><p>We have charged credit card:<script>alert('myjavascripthere')<\\/script>4128 3214 0002 1999<br \\/>                             ------------------- <br \\/>                               $1997.96"
}

Java OWASP Encoder
https://www.owasp.org/index.php/OWASP_Java_Encoder_Project

General XSS prevention Cheat Sheet
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

DOM XSS Prevention Cheat Sheet
https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet

XSS Filter Evasion
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

Javascript Framework Specifics
https://github.com/WebGoat/WebGoat

jQuery
Watch whether you are using the following pattern:
$selector.html(userInputHere)
If so, you are at risk: .html() hands its argument to the HTML parser. If you must use it, HTML-encode the input first:
$selector.html(someEncodeHtmlMethod(userInputHere))

or set it as text instead, which never parses markup and needs no encoding (encoding here would make the entities show up literally):
$selector.text(userInputHere)

http://stackoverflow.com/questions/9735045/is-jquery-text-method-xss-safe#9735118

Backbone.js
(One character makes the difference: in Underscore templates, <%= ... %> inserts the value as raw HTML, while <%- ... %> HTML-escapes it first.)
http://underscorejs.org/#template
https://nvisium.com/blog/2015/05/21/dont-break-your-backbone-xss-mitigation/

Angular
AngularJS (1.x) escapes interpolated values by default, but its expression language has had repeated 'sandbox' escapes, and the sandbox was removed outright in 1.6 because it was never a security boundary. Check the details of the version you are using, starting here: https://docs.angularjs.org/guide/security

(To be continued)
