
Security: how do I prevent cross-site scripting attacks?


We recently built a website (http://www.doverjewelry.com/) with HikaShop. The domain has GoDaddy Website Protection, which scans the site and warns about vulnerabilities. The scan currently reports that the site is vulnerable to cross-site scripting. This is the scan output:

Using the GET HTTP method, Site Scanner found that :
+ The following resources may be vulnerable to XSS (on parameters names) :
/bands-and-settings/category/371-all-ring-settings/limit_hikashop_catego
ry_information_module_223_371-0/limitstart_hikashop_category_information
_module_223_371-0/filter_order_hikashop_category_information_module_223_
371-a.ordering/filter_order_Dir_hikashop_category_information_module_223
_371-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-atom?<<<<<<<<<<foo"bar'
314>>>>>=1
-------- request --------
GET /bands-and-settings/category/371-all-ring-settings/limit_hikashop_category_information_module_223_371-0/limitstart_hikashop_category_information_module_223_371-0/filter_order_hikashop_category_information_module_223_371-a.ordering/filter_order_Dir_hikashop_category_information_module_223_371-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-atom?<<<<<<<<<<foo"bar'314>>>>>=1 HTTP/1.1\r
Host: www.doverjewelry.com\r
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1\r
Accept-Language: en\r
Connection: Close\r
Cookie: 7eedc822c6dd39ecf3c8ab00003d56f9=764a229107bda6b48c2863965f50ca03\r
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; MSIE 6.0; Site Scanner Bot; +http://www.websiteprotection.com) Firefox/2.0.0.3\r
Pragma: no-cache\r
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
------------------------
-------- output --------

[...] bd44a6ec-1/type-atom?<<<<<<<<<<foo"bar'314>>>>>=1" method="post" name="ad [...]
<div class="hikashop_products_pagination hikashop_products_paginat [...]
------------------------
/engagement-rings/category/366-antique-engagement-rings/limit_hikashop_c
ategory_information_module_222_366-25/limitstart_hikashop_category_infor
mation_module_222_366-0/filter_order_hikashop_category_information_modul
e_222_366-a.ordering/filter_order_Dir_hikashop_category_information_modu
le_222_366-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-atom?<<<<<<<<<<fo
o"bar'314>>>>>=1
-------- request --------
GET /engagement-rings/category/366-antique-engagement-rings/limit_hikashop_category_information_module_222_366-25/limitstart_hikashop_category_information_module_222_366-0/filter_order_hikashop_category_information_module_222_366-a.ordering/filter_order_Dir_hikashop_category_information_module_222_366-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-atom?<<<<<<<<<<foo"bar'314>>>>>=1 HTTP/1.1\r
Host: www.doverjewelry.com\r
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1\r
Accept-Language: en\r
Connection: Close\r
Cookie: 7eedc822c6dd39ecf3c8ab00003d56f9=764a229107bda6b48c2863965f50ca03\r
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; MSIE 6.0; Site Scanner Bot; +http://www.websiteprotection.com) Firefox/2.0.0.3\r
Pragma: no-cache\r
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
------------------------
-------- output --------

[...] bd44a6ec-1/type-atom?<<<<<<<<<<foo"bar'314>>>>>=1" method="post" name="ad [...]
<div class="hikashop_products_pagination hikashop_products_paginat [...]
------------------------
/engagement-rings/category/366-antique-engagement-rings/limit_hikashop_c
ategory_information_module_222_366-25/limitstart_hikashop_category_infor
mation_module_222_366-0/filter_order_hikashop_category_information_modul
e_222_366-a.ordering/filter_order_Dir_hikashop_category_information_modu
le_222_366-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-rss?<<<<<<<<<<foo
"bar'314>>>>>=1
-------- request --------
GET /engagement-rings/category/366-antique-engagement-rings/limit_hikashop_category_information_module_222_366-25/limitstart_hikashop_category_information_module_222_366-0/filter_order_hikashop_category_information_module_222_366-a.ordering/filter_order_Dir_hikashop_category_information_module_222_366-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-rss?<<<<<<<<<<foo"bar'314>>>>>=1 HTTP/1.1\r
Host: www.doverjewelry.com\r
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1\r
Accept-Language: en\r
Connection: Close\r
Cookie: 7eedc822c6dd39ecf3c8ab00003d56f9=764a229107bda6b48c2863965f50ca03\r
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; MSIE 6.0; Site Scanner Bot; +http://www.websiteprotection.com) Firefox/2.0.0.3\r
Pragma: no-cache\r
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
------------------------
-------- output --------

[...] abd44a6ec-1/type-rss?<<<<<<<<<<foo"bar'314>>>>>=1" method="post" name="ad [...]
<div class="hikashop_products_pagination hikashop_products_paginat [...]
------------------------
/engagement-rings/category/50-estate-engagement-rings/limit_hikashop_cat
egory_information_module_222_50-0/limitstart_hikashop_category_informati
on_module_222_50-0/filter_order_hikashop_category_information_module_222
_50-a.ordering/filter_order_Dir_hikashop_category_information_module_222
_50-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-atom?<<<<<<<<<<foo"bar'3
14>>>>>=1

Judging by the scanner's output, it thinks the site is vulnerable because when it sends a request with the extra parameter:

<<<<<<<<<<foo"bar'314>>>>>=1

it seems the appended param shows up, although escaped... so strictly speaking it is not vulnerable to XSS. If you want to learn more, you can use other vuln scanners/proxies to confirm this issue: ZAP, WebScarab, w3af.

In the future, you should avoid modifying library code and instead override the functions that can be overridden.
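The answer turns on whether the probe comes back raw or escaped. As an added example that is not from the question, the answer or HikaShop, this Python helper classifies how a response body reflects the scanner's probe; it runs over constructed form-action fragments modelled on the scan's "output" lines rather than against the live site, and the distinction between entity-escaped, percent-encoded and raw reflection is what separates a scanner false positive from a real attribute break-out.

```python
import html
import urllib.parse

# Probe the Site Scanner appended as a parameter name, copied from the scan
# output quoted in the question (without the trailing "=1").
PROBE = '<<<<<<<<<<foo"bar\'314>>>>>'

def classify_reflection(body: str, probe: str = PROBE) -> str:
    """Report how `probe` comes back in an HTML body.
    'raw'          verbatim: a quote can close the attribute it sits in
    'quotes-raw'   < and > escaped, " and ' not: still breaks an attribute
    'html-escaped' < > " ' all turned into entities
    'url-encoded'  percent-encoded, as a URL echoed into a form action
    'absent'       not reflected at all
    A raw copy anywhere wins, even if another copy is escaped.
    """
    if probe in body:
        return 'raw'
    # PHP htmlspecialchars(ENT_QUOTES) writes &#039;, html.escape writes &#x27;.
    full = html.escape(probe, quote=True)
    if full in body or full.replace('&#x27;', '&#039;') in body:
        return 'html-escaped'
    if html.escape(probe, quote=False) in body:
        return 'quotes-raw'
    # Accept ' left bare (as urllib.parse.quote's default safe set does) or as %27.
    enc = urllib.parse.quote(probe, safe='')
    if enc in body or enc.replace('%27', "'") in body:
        return 'url-encoded'
    return 'absent'

# Constructed form-action fragments modelled on the scanner's "output" lines;
# they are not captures from the site in the question.
_TAIL = '=1" method="post" name="adminForm">'
SAMPLES = {
    'unescaped':  '<form action="/type-atom?' + PROBE + _TAIL,
    'ent_quotes': '<form action="/type-atom?' + '&lt;' * 10
                  + 'foo&quot;bar&#039;314' + '&gt;' * 5 + _TAIL,
    'no_quotes':  '<form action="/type-atom?' + '&lt;' * 10
                  + 'foo"bar\'314' + '&gt;' * 5 + _TAIL,
    'percent':    '<form action="/type-atom?' + '%3C' * 10
                  + "foo%22bar'314" + '%3E' * 5 + _TAIL,
    'dropped':    '<form action="/type-atom?' + _TAIL,
}

def triage(samples=SAMPLES):
    """Classify every sample; 'raw' or 'quotes-raw' means the scanner's finding
    stands and needs a manual look, the other verdicts mean it is encoded or gone."""
    return {name: classify_reflection(body) for name, body in samples.items()}
```

Feed `classify_reflection` the body of the page the scanner flagged (fetched with any HTTP client) to get the same verdict for the real response.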