What makes an input vulnerable to XSS?

2020-02-01 02:45发布

问题:

I've been reading about XSS and I made a simple form with a text and submit input, but when I execute <script>alert();</script> on it, nothing happens, the server gets that string and that's all.

What do I have to do for make it vulnerable?? (then I'll learn what I shouldn't do hehe)

Cheers.

回答1:

Indeed just let the server output it so that the input string effectively get embedded in HTML source which get returned to the client.

PHP example:

<!doctype html>
<html lang="en">
    <head><title>XSS test</title></head>
    <body>
        <form><input type="text" name="xss"><input type="submit"></form>
        <p>Result: <?= $_GET['xss'] ?></p>
    </body>
</html>

JSP example:

<!doctype html>
<html lang="en">
    <head><title>XSS test</title></head>
    <body>
        <form><input type="text" name="xss"><input type="submit"></form>
        <p>Result: ${param.xss}</p>
    </body>
</html>

Alternatively you can redisplay the value in the input elements, that's also often seen:

<input type="text" name="xss" value="<?= $_GET['xss'] ?>">

resp.

<input type="text" name="xss" value="${param.xss}">

This way "weird" attack strings like "/><script>alert('xss')</script><br class=" will work because the server will render it after all as

<input type="text" name="xss" value=""/><script>alert('xss')</script><br class="">

XSS-prevention solutions are among others htmlspecialchars() and fn:escapeXml() for PHP and JSP respectively. Those will replace among others <, > and " by &lt;, &gt; and &quot; so that enduser input doesn't end up to be literally embedded in HTML source but instead just got displayed as it was entered.



回答2:

Have the server output the input back to the client.



回答3:

You should "inject" the script. So if you have a text-input, you should put in the form:

" /> <script>alert();</script>

This way you first close the attribute of the existing HTML and then inject your own code. The idea is to escape out the quotes.



回答4:

Three simple things:

  1. If you're not outputting untrusted data to the page at some point there is no opportunity for XSS
  2. All your untusted data (forms, querystrings, headers, etc) should be validated against a whitelist to ensure it's within an acceptable range
  3. All your output to the screen should be endcoded with an appropriate library (ie Anti-XSS for .NET) onto the appropriate language (HTML, CSS, JS, etc).

More info with examples in OWASP Top 10 for .NET developers part 2: Cross-Site Scripting (XSS).



回答5:

Google made a really awesome tutorial that covers XSS and other security vulnerabilities here. It can help you understand how these issues are exploited in real applications.