XSS之xssprotect(转)
2016-03-28 16:19
483 查看
参考资料
1 跨网站脚本 http://zh.wikipedia.org/wiki/XSS
2 http://code.google.com/p/xssprotect/
一 跨网站脚本介绍
跨网站脚本(Cross-site
scripting,通常简称为XSS或跨站脚本或跨站脚本攻击)是一种网站应用程序的安全漏洞攻击,是代码注入的一种。它允许恶意用户将代码注入到网页
上,其他用户在观看网页时就会受到影响。这类攻击通常包含了HTML以及用户端脚本语言。
XSS攻击通常指的是通过利用网页开发时留下的漏洞,通过巧妙的方法注入恶意指令代码到网页,使用户加载并执行攻击者恶意制造的网页程序。这些恶
意网页程序通常是JavaScript,但实际上也可以包括Java, VBScript, ActiveX, Flash
或者甚至是普通的HTML。攻击成功后,攻击者可能得到包括但不限于更高的权限(如执行一些操作)、私密网页内容、会话和cookie等各种内容。
二 常用的XSS攻击手段和目的
盗用 cookie ,获取敏感信息。
利用植入 Flash ,通过 crossdomain 权限设置进一步获取更高权限;或者利用Java等得到类似的操作。
利用 iframe、frame、XMLHttpRequest或上述Flash等方式,以(被攻击)用户的身份执行一些管理动作,或执行一些一般的如发微博、加好友、发私信等操作。
利用可被攻击的域受到其他域信任的特点,以受信任来源的身份请求一些平时不允许的操作,如进行不当的投票活动。
在访问量极大的一些页面上的XSS可以攻击一些小型网站,实现DDoS攻击的效果。
三 漏洞的防御和利用
避免XSS的方法之一主要是将用户所提供的内容进行过滤,许多语言都有提供对HTML的过滤:
PHP的htmlentities()或是htmlspecialchars()。
Python的cgi.escape()。
ASP的Server.HTMLEncode()。
ASP.NET的Server.HtmlEncode()或功能更强的Microsoft Anti-Cross Site Scripting Library
Java的xssprotect(Open Source Library)。
Node.js的node-validator。
四 xssprotect
在Eclipse中通过svn检出项目源地址:http://xssprotect.googlecode.com/svn/trunk/如下图
通用使用方式:http://code.google.com/p/xssprotect/wiki/HowTouse
Java代码
package com.xss.example;
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import com.blogspot.radialmind.html.HTMLParser;
import com.blogspot.radialmind.html.HandlingException;
import com.blogspot.radialmind.xss.XSSFilter;
public class XSSTest {
public static void main(String[] args) {
String html = "<html><head> <title> New Document </title> " +
"<script type='text/javascript'> alert('dddd'); </script> " +
"</head> <body>" +
"222 <iframe src='www.google.com'/> 1111" +
"<embed ></embed>" +
"<link>ddd</link>" +
"</body></html>";
String v = protectAgainstXSS(html);
System.out.println(v);
}
public static String protectAgainstXSS( String html ) {
StringReader reader = new StringReader( html );
StringWriter writer = new StringWriter();
String text = null;
try {
// Parse incoming string from the "html" variable
HTMLParser.process( reader, writer, new XSSFilter(), true );
// Return the parsed and cleaned up string
text = writer.toString();
} catch (HandlingException e) {
// Handle the error here in accordance with your coding policies...
}finally{
try {
writer.close();
reader.close();
} catch (IOException e) {
e.printStackTrace();
}
}
return text;
}
}
在它的源代码中有二个类需要关注下:
BaseTestCase.java
Java代码
public abstract class BaseTestCase extends TestCase {
protected void testExecute( String html, String result ) {
StringReader reader = new StringReader( html );
StringWriter writer = new StringWriter();
try {
HTMLParser.process( reader, writer, new XSSFilter(), true );
String buffer = new String( writer.toString() );
System.out.println( buffer );
assertEquals( result, buffer );
} catch (HandlingException e) {
e.printStackTrace();
fail( e.getMessage() );
}
}
}
XSSFilter.java
Java代码
/**
* Copyright 2008 Gerard Toonstra
*
* As an exception, this particular file
* in the project is public domain to allow totally
* free derivations of this code.
*
*/
package com.blogspot.radialmind.xss;
import java.util.HashSet;
import java.util.Set;
import com.blogspot.radialmind.html.IHTMLFilter;
/**
* Implementation of a relatively simple XSS filter. This implementation removes
* dangerous tags and attributes from tags. It does not verify the validity of
* URL's (that may contain links to JavaScript for example). It does not remove all
* event handlers that may still contain XSS vulnerabilities.
*
* Embedded objects are removed because those may contain XSS vulnerabilities in
* their own scripting language (ActionScript for Flash for example).
*
* Feel free to derive your own implementation from this file.
*
* @author gt
*
*/
public class XSSFilter implements IHTMLFilter {
private static final Set<String> FORBIDDEN_TAGS = new HashSet<String>();
// The tags to be removed. Case insensitive of course.
static {
FORBIDDEN_TAGS.add( "script" );
FORBIDDEN_TAGS.add( "embed" );
FORBIDDEN_TAGS.add( "object" );
FORBIDDEN_TAGS.add( "layer" );
FORBIDDEN_TAGS.add( "style" );
FORBIDDEN_TAGS.add( "meta" );
FORBIDDEN_TAGS.add( "iframe" );
FORBIDDEN_TAGS.add( "frame" );
FORBIDDEN_TAGS.add( "link" );
FORBIDDEN_TAGS.add( "import" );
FORBIDDEN_TAGS.add( "xml" );
}
/**
* This function is called to determine if an attribute should be filtered or not.
*
* @param tagName The name of the tag the attribute belongs to
* @param attrName The name of the attribute to be filtered
* @param attrValue The value of the attribute
*/
public boolean filterAttribute(String tagName, String attrName, String attrValue) {
if ( attrName.toLowerCase().startsWith( "on" )) {
return true;
}
return isScriptedAttributeValue( attrValue );
}
/**
* This method is called to determine if a tag should be filtered
*
* @param tagName The name of the tag that was parsed
*/
public boolean filterTag(String tagName) {
if ( FORBIDDEN_TAGS.contains( tagName )) {
return true;
}
return false;
}
/**
* This method is called to modify attribute values, if required
*
* @param tagName The name of the tag the attribute belongs to
* @param attrName The name of the attribute within the tag
* @param attrValue The value of the attribute
*/
public String modifyAttributeValue(String tagName, String attrName, String attrValue) {
return attrValue;
}
/**
* This method is called to be able to modify the text of a node.
*
* @param tagName The name of the tag where the text is part of.
* @param text The value of the text within the tagnode (within <tag>...</tag>)
*/
public String modifyNodeText(String tagName, String text) {
return text;
}
/**
* Private method that determines if an attribute value is scripted
* (potentially loaded with an XSS attack vector).
*
* @param attrValue The value of the attribute
* @return "true" if the attribute is scripted. "false" if not.
*/
private boolean isScriptedAttributeValue( String attrValue ) {
attrValue = decode( attrValue );
attrValue = attrValue.trim().toLowerCase();
if ( attrValue.contains( "javascript:" )) {
return true;
}
if ( attrValue.contains( "mocha:" )) {
return true;
}
if ( attrValue.contains( "eval" )) {
return true;
}
if ( attrValue.contains( "vbscript:" )) {
return true;
}
if ( attrValue.contains( "livescript:" )) {
return true;
}
if ( attrValue.contains( "expression(" )) {
return true;
}
if ( attrValue.contains( "url(" )) {
return true;
}
if ( attrValue.contains( "&{" )) {
return true;
}
if ( attrValue.contains( "&#" )) {
return true;
}
return false;
}
/**
* Private method to remove control characters from the value
*
* @param value The value being modified
* @return The value free from control characters
*/
private String decode( String value ) {
value = value.replace("\u0000", "" );
value = value.replace("\u0001", "" );
value = value.replace("\u0002", "" );
value = value.replace("\u0003", "" );
value = value.replace("\u0004", "" );
value = value.replace("\u0005", "" );
value = value.replace("\u0006", "" );
value = value.replace("\u0007", "" );
value = value.replace("\u0008", "" );
value = value.replace("\u0009", "" );
value = value.replace("\n", "" );
value = value.replace("\u000B", "" );
value = value.replace("\u000C", "" );
value = value.replace("\r", "" );
value = value.replace("\u000E", "" );
value = value.replace("\u000F", "" );
value = value.replace("\u0010", "" );
value = value.replace("\u0011", "" );
value = value.replace("\u0012", "" );
value = value.replace("\u0013", "" );
value = value.replace("\u0014", "" );
value = value.replace("\u0015", "" );
value = value.replace("\u0016", "" );
value = value.replace("\u0017", "" );
value = value.replace("\u0018", "" );
value = value.replace("\u0019", "" );
value = value.replace("\u001A", "" );
value = value.replace("\u001B", "" );
value = value.replace("\u001C", "" );
value = value.replace("\u001D", "" );
value = value.replace("\u001E", "" );
value = value.replace("\u001F", "" );
return value;
}
}
通过这个过滤就知道它要做什么了
上传包吧,方便
大小: 79.9 KB
xssProtect-0.1.jar (39.8 KB)
下载次数: 1113
antlr-3.0.jar (533.7 KB)
下载次数: 745
转自:链接
1 跨网站脚本 http://zh.wikipedia.org/wiki/XSS
2 http://code.google.com/p/xssprotect/
一 跨网站脚本介绍
跨网站脚本(Cross-site
scripting,通常简称为XSS或跨站脚本或跨站脚本攻击)是一种网站应用程序的安全漏洞攻击,是代码注入的一种。它允许恶意用户将代码注入到网页
上,其他用户在观看网页时就会受到影响。这类攻击通常包含了HTML以及用户端脚本语言。
XSS攻击通常指的是通过利用网页开发时留下的漏洞,通过巧妙的方法注入恶意指令代码到网页,使用户加载并执行攻击者恶意制造的网页程序。这些恶
意网页程序通常是JavaScript,但实际上也可以包括Java, VBScript, ActiveX, Flash
或者甚至是普通的HTML。攻击成功后,攻击者可能得到包括但不限于更高的权限(如执行一些操作)、私密网页内容、会话和cookie等各种内容。
二 常用的XSS攻击手段和目的
盗用 cookie ,获取敏感信息。
利用植入 Flash ,通过 crossdomain 权限设置进一步获取更高权限;或者利用Java等得到类似的操作。
利用 iframe、frame、XMLHttpRequest或上述Flash等方式,以(被攻击)用户的身份执行一些管理动作,或执行一些一般的如发微博、加好友、发私信等操作。
利用可被攻击的域受到其他域信任的特点,以受信任来源的身份请求一些平时不允许的操作,如进行不当的投票活动。
在访问量极大的一些页面上的XSS可以攻击一些小型网站,实现DDoS攻击的效果。
三 漏洞的防御和利用
避免XSS的方法之一主要是将用户所提供的内容进行过滤,许多语言都有提供对HTML的过滤:
PHP的htmlentities()或是htmlspecialchars()。
Python的cgi.escape()。
ASP的Server.HTMLEncode()。
ASP.NET的Server.HtmlEncode()或功能更强的Microsoft Anti-Cross Site Scripting Library
Java的xssprotect(Open Source Library)。
Node.js的node-validator。
四 xssprotect
在Eclipse中通过svn检出项目源地址:http://xssprotect.googlecode.com/svn/trunk/如下图
通用使用方式:http://code.google.com/p/xssprotect/wiki/HowTouse
Java代码
package com.xss.example;
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import com.blogspot.radialmind.html.HTMLParser;
import com.blogspot.radialmind.html.HandlingException;
import com.blogspot.radialmind.xss.XSSFilter;
public class XSSTest {
public static void main(String[] args) {
String html = "<html><head> <title> New Document </title> " +
"<script type='text/javascript'> alert('dddd'); </script> " +
"</head> <body>" +
"222 <iframe src='www.google.com'/> 1111" +
"<embed ></embed>" +
"<link>ddd</link>" +
"</body></html>";
String v = protectAgainstXSS(html);
System.out.println(v);
}
public static String protectAgainstXSS( String html ) {
StringReader reader = new StringReader( html );
StringWriter writer = new StringWriter();
String text = null;
try {
// Parse incoming string from the "html" variable
HTMLParser.process( reader, writer, new XSSFilter(), true );
// Return the parsed and cleaned up string
text = writer.toString();
} catch (HandlingException e) {
// Handle the error here in accordance with your coding policies...
}finally{
try {
writer.close();
reader.close();
} catch (IOException e) {
e.printStackTrace();
}
}
return text;
}
}
在它的源代码中有二个类需要关注下:
BaseTestCase.java
Java代码
public abstract class BaseTestCase extends TestCase {
protected void testExecute( String html, String result ) {
StringReader reader = new StringReader( html );
StringWriter writer = new StringWriter();
try {
HTMLParser.process( reader, writer, new XSSFilter(), true );
String buffer = new String( writer.toString() );
System.out.println( buffer );
assertEquals( result, buffer );
} catch (HandlingException e) {
e.printStackTrace();
fail( e.getMessage() );
}
}
}
XSSFilter.java
Java代码
/**
* Copyright 2008 Gerard Toonstra
*
* As an exception, this particular file
* in the project is public domain to allow totally
* free derivations of this code.
*
*/
package com.blogspot.radialmind.xss;
import java.util.HashSet;
import java.util.Set;
import com.blogspot.radialmind.html.IHTMLFilter;
/**
* Implementation of a relatively simple XSS filter. This implementation removes
* dangerous tags and attributes from tags. It does not verify the validity of
* URL's (that may contain links to JavaScript for example). It does not remove all
* event handlers that may still contain XSS vulnerabilities.
*
* Embedded objects are removed because those may contain XSS vulnerabilities in
* their own scripting language (ActionScript for Flash for example).
*
* Feel free to derive your own implementation from this file.
*
* @author gt
*
*/
public class XSSFilter implements IHTMLFilter {
private static final Set<String> FORBIDDEN_TAGS = new HashSet<String>();
// The tags to be removed. Case insensitive of course.
static {
FORBIDDEN_TAGS.add( "script" );
FORBIDDEN_TAGS.add( "embed" );
FORBIDDEN_TAGS.add( "object" );
FORBIDDEN_TAGS.add( "layer" );
FORBIDDEN_TAGS.add( "style" );
FORBIDDEN_TAGS.add( "meta" );
FORBIDDEN_TAGS.add( "iframe" );
FORBIDDEN_TAGS.add( "frame" );
FORBIDDEN_TAGS.add( "link" );
FORBIDDEN_TAGS.add( "import" );
FORBIDDEN_TAGS.add( "xml" );
}
/**
* This function is called to determine if an attribute should be filtered or not.
*
* @param tagName The name of the tag the attribute belongs to
* @param attrName The name of the attribute to be filtered
* @param attrValue The value of the attribute
*/
public boolean filterAttribute(String tagName, String attrName, String attrValue) {
if ( attrName.toLowerCase().startsWith( "on" )) {
return true;
}
return isScriptedAttributeValue( attrValue );
}
/**
* This method is called to determine if a tag should be filtered
*
* @param tagName The name of the tag that was parsed
*/
public boolean filterTag(String tagName) {
if ( FORBIDDEN_TAGS.contains( tagName )) {
return true;
}
return false;
}
/**
* This method is called to modify attribute values, if required
*
* @param tagName The name of the tag the attribute belongs to
* @param attrName The name of the attribute within the tag
* @param attrValue The value of the attribute
*/
public String modifyAttributeValue(String tagName, String attrName, String attrValue) {
return attrValue;
}
/**
* This method is called to be able to modify the text of a node.
*
* @param tagName The name of the tag where the text is part of.
* @param text The value of the text within the tagnode (within <tag>...</tag>)
*/
public String modifyNodeText(String tagName, String text) {
return text;
}
/**
* Private method that determines if an attribute value is scripted
* (potentially loaded with an XSS attack vector).
*
* @param attrValue The value of the attribute
* @return "true" if the attribute is scripted. "false" if not.
*/
private boolean isScriptedAttributeValue( String attrValue ) {
attrValue = decode( attrValue );
attrValue = attrValue.trim().toLowerCase();
if ( attrValue.contains( "javascript:" )) {
return true;
}
if ( attrValue.contains( "mocha:" )) {
return true;
}
if ( attrValue.contains( "eval" )) {
return true;
}
if ( attrValue.contains( "vbscript:" )) {
return true;
}
if ( attrValue.contains( "livescript:" )) {
return true;
}
if ( attrValue.contains( "expression(" )) {
return true;
}
if ( attrValue.contains( "url(" )) {
return true;
}
if ( attrValue.contains( "&{" )) {
return true;
}
if ( attrValue.contains( "&#" )) {
return true;
}
return false;
}
/**
* Private method to remove control characters from the value
*
* @param value The value being modified
* @return The value free from control characters
*/
private String decode( String value ) {
value = value.replace("\u0000", "" );
value = value.replace("\u0001", "" );
value = value.replace("\u0002", "" );
value = value.replace("\u0003", "" );
value = value.replace("\u0004", "" );
value = value.replace("\u0005", "" );
value = value.replace("\u0006", "" );
value = value.replace("\u0007", "" );
value = value.replace("\u0008", "" );
value = value.replace("\u0009", "" );
value = value.replace("\n", "" );
value = value.replace("\u000B", "" );
value = value.replace("\u000C", "" );
value = value.replace("\r", "" );
value = value.replace("\u000E", "" );
value = value.replace("\u000F", "" );
value = value.replace("\u0010", "" );
value = value.replace("\u0011", "" );
value = value.replace("\u0012", "" );
value = value.replace("\u0013", "" );
value = value.replace("\u0014", "" );
value = value.replace("\u0015", "" );
value = value.replace("\u0016", "" );
value = value.replace("\u0017", "" );
value = value.replace("\u0018", "" );
value = value.replace("\u0019", "" );
value = value.replace("\u001A", "" );
value = value.replace("\u001B", "" );
value = value.replace("\u001C", "" );
value = value.replace("\u001D", "" );
value = value.replace("\u001E", "" );
value = value.replace("\u001F", "" );
return value;
}
}
通过这个过滤就知道它要做什么了
上传包吧,方便
大小: 79.9 KB
xssProtect-0.1.jar (39.8 KB)
下载次数: 1113
antlr-3.0.jar (533.7 KB)
下载次数: 745
转自:链接
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- java中对象的转型
- android native ndk崩溃定位
- 滚动的标题栏_JS特效源码
- 大括弧之战 代码风格
- mxnet代码剖析之--mshadow篇
- opencv直方图
- LeetCode 36 Valid Sudoku My Submissions Question
- matlab基于遗传算法的最大熵值法的双阈值图像分割
- Java多线程中Sleep与Wait的区别
- 数据加载后刷新UI界面
- mac端如何快速搭建一个web服务器
- 标题栏打字效果_JS特效源码
- Silktest试用笔记
- linux常用命令
- git-am 和 format-patch 的使用
- Cocos骨骼动画
- Cocos动画
- sql约束
- android Retrifit2.0+OKHttp文件上传
- iOS json解析的几种方法 NSJSONSerialization,JSONKit,SBJson ,TouchJson