当前位置：网站首页>[XSS bypass - protection strategy] understand the protection strategy and better bypass

Now? Web The application layer has many strategies to deal with XSS harm
eg：
Specific tag filtering 、 Event filtering 、 Sensitive keyword filtering ……
Browsers will also be right XSS Limit the exploitation of vulnerabilities （XSS Auditor、CSP etc. ）

Two 、 Specific tag filtering

2.1、 shortcoming ：
Filter out danger labels （ Such as script、iframe etc. ） It will result in the inability to execute the script
2.2、 present situation ：
Any kind of label , Whether legal or not , Can be constructed XSS Code
< label οnclick="alert(/xss/)"> Come on, me </ label >
2.3、 utilize ：
Property value ： The output point is HTML The attribute of the tag or in Javascript In the code , Simply close 、 Splice properties or Javascript The code can execute XSS Code
HTML：<video><source οnerrοr="alert(/xss/)">

3、 ... and 、 Event filtering

3.1、 brief introduction ：
Generally, many will be filtered out HTML Tag's event properties , You need to traverse all available event attributes , Test for omissions （ test ：Burp Or write a script Fuzz）
3.2、 Common event properties ：
onafterprint、oninput、onscroll、onbeforeprint 、oninvalid 、onabort、onbeforeunload 、onreset 、oncanplay、onerror、 onselect 、oncanplaythrough、onhaschange、 onsubmit、 ondurationchange、onload 、onkeydown 、onemptied、onmessage 、onkeypress、 onended、onoffline、 onkeyup、 onerror、ononline 、onclick、 onloadeddata、onpagehide、 ondblclick、 onloadedmetadata、onpageshow 、ondrag、 onloadstart、onpopstate、 ondragend、 onpause、onredo、 ondragenter、 onplay、onresize 、ondragleave 、onplaying、onstorage 、ondragover 、onprogress、onundo、 ondragstart 、onratechange、onunload、 ondrop、 onreadystatechange、onblur 、onmousedown、 onseeked、onchange 、onmousemove 、onseeking、oncontextmenu 、onmouseout、 onstalled、onfocus、 onmouseover 、onsuspend、onformchange 、onmouseup 、ontimeupdate、onforminput、onmousewheel、 onvolumechange
3.3、 Label of non event attribute
effect ： Can be used to execute JavaScript Code
eg：JavaScript Fake protocol
<a href="javascript:alert(/xss/)"> Come on, me </a>

Four 、 Sensitive keywords （ character ） Filter

（1） Filter “.”
（2） Filter “()”
（3） Filter space
……

5、 ... and 、XSS Auditor

5.1、 summary ：
Responsible for scanning the source code of the website , Looking for something like cross site scripting （XSS） Attack mode , This attack may attempt to run malicious code in the user's browser . By checking the input , Determine whether the content appears in the output . If meet XSS Auditor The filter conditions of , Will directly prevent script execution . Make reflective XSS The role of loopholes is gradually weakened .

6、 ... and 、 Content security policy （CSP）

6.1、 summary ：
Content security policy （CSP） It is the most important Web One of the security protection mechanisms , Content security policy (CSP) It's an extra layer of security , Used to detect and weaken certain types of attacks , Including cross site scripts (XSS) And data injection attacks .
To alleviate potential cross site scripting problems , The browser's extender system introduces a content security policy （CSP）, Will make the extender more secure by default , Developers can create and enforce rules , Manage the content that the website allows to load . Developers can use this tool to lock their applications in a variety of ways , Reduce content injection vulnerabilities （ Such as cross site scripting ） The risk of , And reduce the permission of its application execution
The content security policy uses the whitelist mechanism to manage the resources to be loaded or executed by the website . In the web page , Such a strategy is through HTTP Header information or meta Label to define .
Although this strategy can prevent attackers from loading malicious code across domains from external websites , however CSP It does not prevent data leakage . At present, many security researchers have proposed a variety of technologies to bypass content security policies , And use this technology to extract the required data from the target website .