XSS (跨站脚本攻击) 的原理分析,测试 && 应对措施

1

1

1

XSS (跨站脚本攻击) 的原理分析,测试

 

 

1

demo:

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

<!DOCTYPE html> <html lang="en"> <head>     <meta charset="UTF-8">     <title>Document</title> </head> <body>     <div>         <h1>XSS test using PHP!</h1>         <form action="XSS.php" method="GET">             <label for="">XSS input test!</label>             <input type="text" name="xss_input" placeholder="">             <!--  -->             <input type="submit" value="Submit">         </form>         <!--         <script>alert("XSS alert test!");</script>         <script>console.log("XSS console.log test!");</script>         <script>console.log("XSS console.log test!");<⁄script>          -->     </div> </body> </html> <?php $xss = $_GET['xss_input'];     // echo "你输入的字符为:<br><mark>".$xss."</mark>";     echo "你输入的字符为: <mark>{$xss}</mark>";  ?>

 

1 XSS test using PHP!

1 <script>console.log("XSS console.log test!");</script>

1 <script>alert("XSS alert test!");</script>

1 实体字符: &lt;script&gt;console.log("XSS console.log test!");&lt;&frasl;script&gt;

1 Chrome 测试：  version 52

1

1

 

1

1

1

1

1

1

1

1

1

1

1

1

XSS 应对措施:

1. CORS

https://fetch.spec.whatwg.org/#http-cors-protocol

https://www.w3.org/TR/cors/

Cross-Origin Resource Sharing

W3C Recommendation 16 January 2014

 

2. CSP

https://www.w3.org/TR/CSP/

Content Security Policy Level 2

W3C Candidate Recommendation, 21 July 2015

https://www.w3.org/TR/2012/CR-CSP-20121115/

Content Security Policy 1.0

W3C Candidate Recommendation 15 November 2012

 

 

 

 

 

1

1

1

1

reference links:

http://www.freebuf.com/articles/web/40520.html

https://segmentfault.com/a/1190000003852910

https://blog.wilddog.com/?p=210

 

 

 

 

 

1

1