Posts from 13 March 2009

Two articles on XSS from the Taobao QA blog (reportedly with a follow-up to come)

Nothing to add from me; here is the original text.
The two articles are at:
http://rdc.taobao.com/blog/qa/?p=857

http://rdc.taobao.com/blog/qa/?p=882

What is an XSS vulnerability

XSS (also abbreviated CSS in older material) is short for Cross Site Script,
that is, a cross-site scripting attack.
Concretely, a malicious attacker inserts malicious HTML code into a web page; when a user views that page,
the HTML embedded in it is executed, achieving whatever the malicious user intended.

Harm done by XSS vulnerabilities

  • Stealing the user's cookies
  • Modifying page content
  • Browser hijacking
  • Chaining with other vulnerabilities (for example, CSRF)
  • Others

Live demonstration of an XSS vulnerability

  • Omitted (it does not seem appropriate to include one here)

How XSS vulnerabilities arise

The following code is common in Velocity templates (VM files):

  • <span>$!productName</span>
  • <script>var from = '$!rundata.Parameters.getString('from')';</script>

For the first kind of code, we can submit the variable

<iframe src=http://hacker.com></iframe>

and the first kind of code becomes

<span><iframe src=http://hacker.com></iframe></span>

For the second kind of code, we can submit the variable

';hackerFunction(document.cookie);'

and the second kind of code becomes

<script>var from = '';hackerFunction(document.cookie);'';</script>

In both cases a malicious script is injected with no effort at all; that is the much-talked-about XSS vulnerability.

How to prevent XSS vulnerabilities

1. For non-rich-text input, escape the input parameters

Escaping can be done with escapeHtml (and its JavaScript counterpart for values placed inside scripts).

After escaping, the code above becomes

<span>&lt;iframe&nbsp;src&equals;http&colon;&sol;&sol;hacker&period;com&gt;&lt;&sol;iframe&gt;</span>

Once escaped, the malicious script the user entered is no longer executed, which both prevents and fixes the problem.
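As an added example (my own code, not from the Taobao post), the two Velocity cases above rendered in Python with and without escaping. The helper names, the Python format strings standing in for the templates, and the sample payloads are my assumptions. A standard HTML escaper encodes only & < > " ', so its output is shorter than the entity-per-character line above but equally inert; the <script> case is a different context and needs a JavaScript string escaper, not escapeHtml.

```python
import html
import json
import re

# Constructed sample inputs: the two payloads used in the post.
IFRAME_PAYLOAD = "<iframe src=http://hacker.com></iframe>"
JS_PAYLOAD = "';hackerFunction(document.cookie);'"

# The Velocity templates from the post, as Python format strings (assumed stand-ins)
# so that the unsafe and the escaped rendering can be compared side by side.
SPAN_TEMPLATE = "<span>{}</span>"
SCRIPT_TEMPLATE = "<script>var from = '{}';</script>"


def escape_html(value):
    """HTML body/attribute context: encode & < > " ' (what escapeHtml-style
    helpers do); every other character is inert in text or a quoted attribute."""
    return html.escape(value, quote=True)


def escape_js_string(value):
    """JavaScript string-literal context: encode every character that is not a
    letter, digit, space or one of ,._ as \\uXXXX, so the value can never close
    the quote or the surrounding <script> element."""
    return "".join(
        ch if (ch.isalnum() or ch in " ,._") else "\\u{:04x}".format(ord(ch))
        for ch in value
    )


def render_span(product_name, escape=True):
    """<span>$!productName</span>, escaped or not."""
    return SPAN_TEMPLATE.format(escape_html(product_name) if escape else product_name)


def render_script(from_value, escape=True):
    """<script>var from = '$!rundata.Parameters.getString('from')';</script>, escaped or not."""
    return SCRIPT_TEMPLATE.format(escape_js_string(from_value) if escape else from_value)


# The rendered <script> must contain exactly one string literal whose body holds no
# raw quote, backslash or '<' (only \uXXXX escapes are allowed).
_SCRIPT_LITERAL = re.compile(r"<script>var from = '((?:[^'\\<]|\\u[0-9a-fA-F]{4})*)';</script>")


def script_literal_intact(rendered):
    return _SCRIPT_LITERAL.fullmatch(rendered) is not None


def html_has_injected_tag(rendered):
    """True when the untrusted value introduced a tag inside the <span>."""
    inner = rendered[len("<span>"):-len("</span>")]
    return "<" in inner


def js_escape_roundtrip(value):
    """The \\uXXXX escapes are also valid JSON, so decoding must give the value back."""
    return json.loads('"' + escape_js_string(value) + '"') == value


if __name__ == "__main__":
    for escape in (False, True):
        print(render_span(IFRAME_PAYLOAD, escape))
        print(render_script(JS_PAYLOAD, escape))
```

Running the block prints the vulnerable rendering from the post first and the escaped rendering second; the escaped script line still assigns exactly the submitted text to `from`, only encoded, which is what makes the escaping lossless.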

2. For rich-text input, filter the input

Omitted.

Summary

This article briefly explained what an XSS vulnerability is, how XSS vulnerabilities arise in code, and in outline how to prevent and fix them.

Black-box manual testing

  • Testing pages that have input fields

    For a non-rich-text field, type the special characters <"tiehua '> into the field and submit.

    On the page returned after submitting, view the source and search for the keyword tiehua; check whether the <"> and ' around tiehua have been escaped to

    &lt;&quot;&gt;&apos;. If they have not, the field is suspected of having an XSS vulnerability (file a bug).

    For a rich-text field, enter <img onerror="alert(123)" src=http://xxx.com> and submit the page.

    If the page shows layout problems or JavaScript errors, the field is suspected of having an XSS vulnerability (file a bug).

  • Testing page link parameters

    A link with parameters, for example:

    http://mall.taobao.com/?ad_id=&am_id=&cm_id=&pm_id=

    This link carries four parameters. The test method is the same as for input fields, except that each parameter is treated as your input field and submitted, for example:

    http://mall.taobao.com/?ad_id=<"tiehua'>&am_id=&cm_id=&pm_id=

    Note: some may say this alone is not enough to persuade developers to fix the bug. Unfortunately this article is about how to find XSS vulnerabilities, not how to exploit them; those interested can chat offline as the occasion allows, heh.
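The source check described in the two bullets above, written out as an added example (my own Python, not from the post or from Taobao): one function classifies how the tiehua canary came back in a response body, the other builds one probe URL per query parameter exactly as the post describes. The sample response bodies are constructed, not captured from any site, and the verdict names are my own.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

CANARY = "tiehua"
PROBE = '<"' + CANARY + " '>"      # the probe string from the post: <"tiehua '>

# What a correctly escaped reflection looks like immediately around the canary.
_ESCAPED_BEFORE = re.compile(r"&lt;&quot;$")
_ESCAPED_AFTER = re.compile(r"^ (?:&#0*39;|&#x0*27;|&apos;)&gt;")


def classify_reflection(body, canary=CANARY):
    """Inspect every occurrence of the canary in a response body and report the
    worst case: 'raw' (probe characters survive unescaped next to the canary),
    'altered' (partly stripped or encoded; look at it by hand), 'escaped', or
    'absent' (the parameter is not reflected at all)."""
    verdicts = set()
    for m in re.finditer(re.escape(canary), body):
        before, after = body[:m.start()], body[m.end():]
        if before.endswith('<"') or after.startswith(" '>"):
            verdicts.add("raw")
        elif _ESCAPED_BEFORE.search(before) and _ESCAPED_AFTER.match(after):
            verdicts.add("escaped")
        else:
            verdicts.add("altered")
    for verdict in ("raw", "altered", "escaped"):
        if verdict in verdicts:
            return verdict
    return "absent"


def probe_urls(url, probe=PROBE):
    """Treat each query parameter as an input field: return one URL per parameter
    with the probe in that parameter and the other parameters left as they were."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    urls = []
    for i in range(len(params)):
        probed = [(k, probe if j == i else v) for j, (k, v) in enumerate(params)]
        urls.append(urlunsplit(parts._replace(query=urlencode(probed))))
    return urls


# Constructed sample responses (not captured from any real site).
ESCAPED_BODY = "<p>Search: &lt;&quot;tiehua &#039;&gt;</p>"
RAW_BODY = "<p>Search: <\"tiehua '></p>"
STRIPPED_BODY = "<p>Search: tiehua</p>"

if __name__ == "__main__":
    for body in (ESCAPED_BODY, RAW_BODY, STRIPPED_BODY):
        print(classify_reflection(body), body)
    for u in probe_urls("http://mall.taobao.com/?ad_id=&am_id=&cm_id=&pm_id="):
        print(u)
```

The URLs come out percent-encoded (`%3C%22tiehua+%27%3E`), which is what a browser sends for the raw form shown in the post; the response classification treats a partially stripped reflection as a finding to review rather than as a pass, since a filter that removes only some characters is a common source of false negatives.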

Black-box tool testing

  Recommended tools

  • Paros (free)
  • Acunetix Web Vulnerability Scanner (commercial tool)

White-box code scanning

  In the previous article we covered the code-level cause of XSS vulnerabilities and the remedy, for example:

  <span>$!productName</span>

  For non-rich-text code of this kind we can mandate the standard form:

  <span>$!stringEscapeUtil.escapeHtml($!productName)</span>

  For rich text we can mandate that the code standard be to pass the value through the filter layer.

  Given these two rules, we can statically scan the source (white-box) to check whether the code follows the standard, and so prevent and screen out XSS vulnerabilities.
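A minimal version of that static scan, as an added example (my own code, not the Taobao team's scanner): it walks a Velocity template and reports every reference that is neither wrapped in $!stringEscapeUtil.escapeHtml(...) nor on a list of rich-text variables that go through the filter layer. The sample template, the rich-text variable list and the regular expression for a Velocity reference are my assumptions. It also reports whether a reference sits inside a <script> element, because the escapeHtml rule covers only the HTML context; the post's second case needs a JavaScript string escaper.

```python
import re

# Constructed sample template (not a real Taobao template), mixing compliant and
# non-compliant references.
SAMPLE_VM = """\
<span>$!productName</span>
<span>$!stringEscapeUtil.escapeHtml($!productName)</span>
<a title="$!item.title">$!stringEscapeUtil.escapeHtml($!item.title)</a>
<script>var from = '$!rundata.Parameters.getString('from')';</script>
<div>$!richText</div>
"""

# Variables that are rich text and therefore go through the filter layer instead of
# escapeHtml (assumed for this example; a project would maintain such a list).
RICH_TEXT_VARS = {"richText"}

# A Velocity reference: $name, $!name, ${name}, with optional dotted members and
# one method-call argument list. The argument list is consumed by the same match,
# so a reference passed to escapeHtml(...) is never reported on its own.
_REF = re.compile(r"\$!?\{?([A-Za-z_][\w.]*(?:\([^)]*\))?)\}?")


def find_unescaped_refs(template):
    """Return (line number, reference, context) for every reference that is
    neither an escapeHtml call nor a rich-text variable. Context is 'script'
    when the reference is inside a <script> element on that line, else 'html'."""
    findings = []
    for lineno, line in enumerate(template.splitlines(), 1):
        for m in _REF.finditer(line):
            ref = m.group(1)
            if ref.startswith("stringEscapeUtil."):
                continue                       # the escaper call itself (argument consumed)
            if ref.split(".")[0] in RICH_TEXT_VARS:
                continue                       # handled by the rich-text filter layer
            prefix = line[: m.start()]
            context = "script" if "<script" in prefix.lower() else "html"
            findings.append((lineno, ref, context))
    return findings


if __name__ == "__main__":
    for lineno, ref, context in find_unescaped_refs(SAMPLE_VM):
        print("line %d: unescaped %s reference $!%s" % (lineno, context, ref))
```

Line 3 of the sample shows why the scan has to look at every reference on a line and not just the first: the same variable appears escaped in the element body but raw in the title attribute.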

Tags: xss, qa, taobao

Two or three examples of handling Chinese text in PHP

I saw a post online about printing every Chinese character by way of hexadecimal; the example goes like this:

PHP code

    <?php
    $begin = hexdec("4e00"); // convert hexadecimal to decimal
    $end   = hexdec("9fa5");
    $a = '["';
    for ($i = $begin; $i <= $end; $i++) {
        $a .= '\u' . dechex($i);   // one JSON \uXXXX escape per code point
        if ($i % 10 == 0) {
            $a .= "<br>";
        }
    }
    $a .= '"]';
    print_r(json_decode($a));      // json_decode turns the escapes back into characters
    ?>

Looking at this example, I am sure you can see that those two numbers look very much like the ones in the regular expression people use online to match Chinese characters.

When json_encode converts Chinese text it turns every Chinese character into a hexadecimal escape, so the output no longer breaks when the browser's character set does not support it. Correspondingly, decoding turns those hexadecimal escapes back into Chinese characters. It does not actually need to be this complicated: prefix the code with &# (&#x for the hexadecimal form) and append ; and the browser will display the Chinese character.

Seeing this code reminded me of a program I adapted yesterday from a .NET program that reads out the pinyin of Chinese characters.
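As an added example (my own Python, not the code from the post), the same idea carried through end to end: building the JSON text the PHP snippet builds, decoding it, the &#x...; numeric-reference alternative mentioned above, and the [\u4e00-\u9fa5] range test those two numbers correspond to. Function names are my own.

```python
import html
import json
import re

CJK_START, CJK_END = 0x4E00, 0x9FA5        # the two numbers from the PHP snippet


def cjk_json_literal(start=CJK_START, end=CJK_END):
    """Build the same JSON text the PHP loop builds: a one-element array holding
    one \\uXXXX escape per code point, with a <br> after every tenth code point."""
    parts = []
    for cp in range(start, end + 1):
        parts.append("\\u%04x" % cp)
        if cp % 10 == 0:
            parts.append("<br>")
    return '["' + "".join(parts) + '"]'


def decode_cjk_json(text):
    """What json_decode does in the snippet: escapes back to characters."""
    return json.loads(text)[0]


def json_escape(s):
    """What json_encode does to Chinese text: every non-ASCII character becomes \\uXXXX."""
    return json.dumps(s)                       # ensure_ascii=True is the default


def to_numeric_refs(s):
    """The simpler alternative: HTML numeric character references, &#x4e2d; for 中."""
    return "".join("&#x%x;" % ord(ch) if ord(ch) > 127 else ch for ch in s)


_CJK_RE = re.compile("[\u4e00-\u9fa5]")


def is_cjk(ch):
    """The range test the two numbers stand for in the usual regular expression."""
    return _CJK_RE.fullmatch(ch) is not None


if __name__ == "__main__":
    text = decode_cjk_json(cjk_json_literal())
    print(len(text.replace("<br>", "")), "characters decoded")
    print(json_escape("中文"), to_numeric_refs("中文a"), html.unescape(to_numeric_refs("中文a")))
```

Both encodings are lossless round trips through the standard decoders (json.loads and html.unescape), which is the property that lets a page deliver Chinese text regardless of the response's declared character set.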

PHP code

    <?php
    // Pinyin lookup for GB2312-encoded text. Each two-byte character is turned into
    // the key hi*256 + lo - 65536 (a negative number). GB2312 level-1 characters are
    // ordered by pinyin, so $strVal[$k] is the first key of the syllable $strPy[$k];
    // $strVal is sorted in ascending order.
    $strVal = array(
     -20319,-20317,-20304,-20295,-20292,-20283,-20265,-20257,-20242,-20230,-20051,-20036,
     -20032,-20026,-20002,-19990,-19986,-19982,-19976,-19805,-19784,-19775,-19774,-19763,
     -19756,-19751,-19746,-19741,-19739,-19728,-19725,-19715,-19540,-19531,-19525,-19515,
     -19500,-19484,-19479,-19467,-19289,-19288,-19281,-19275,-19270,-19263,-19261,-19249,
     -19243,-19242,-19238,-19235,-19227,-19224,-19218,-19212,-19038,-19023,-19018,-19006,
     -19003,-18996,-18977,-18961,-18952,-18783,-18774,-18773,-18763,-18756,-18741,-18735,
     -18731,-18722,-18710,-18697,-18696,-18526,-18518,-18501,-18490,-18478,-18463,-18448,
     -18447,-18446,-18239,-18237,-18231,-18220,-18211,-18201,-18184,-18183,-18181,-18012,
     -17997,-17988,-17970,-17964,-17961,-17950,-17947,-17931,-17928,-17922,-17759,-17752,
     -17733,-17730,-17721,-17703,-17701,-17697,-17692,-17683,-17676,-17496,-17487,-17482,
     -17468,-17454,-17433,-17427,-17417,-17202,-17185,-16983,-16970,-16942,-16915,-16733,
     -16708,-16706,-16689,-16664,-16657,-16647,-16474,-16470,-16465,-16459,-16452,-16448,
     -16433,-16429,-16427,-16423,-16419,-16412,-16407,-16403,-16401,-16393,-16220,-16216,
     -16212,-16205,-16202,-16187,-16180,-16171,-16169,-16158,-16155,-15959,-15958,-15944,
     -15933,-15920,-15915,-15903,-15889,-15878,-15707,-15701,-15681,-15667,-15661,-15659,
     -15652,-15640,-15631,-15625,-15454,-15448,-15436,-15435,-15419,-15416,-15408,-15394,
     -15385,-15377,-15375,-15369,-15363,-15362,-15183,-15180,-15165,-15158,-15153,-15150,
     -15149,-15144,-15143,-15141,-15140,-15139,-15128,-15121,-15119,-15117,-15110,-15109,
     -14941,-14937,-14933,-14930,-14929,-14928,-14926,-14922,-14921,-14914,-14908,-14902,
     -14894,-14889,-14882,-14873,-14871,-14857,-14678,-14674,-14670,-14668,-14663,-14654,
     -14645,-14630,-14594,-14429,-14407,-14399,-14384,-14379,-14368,-14355,-14353,-14345,
     -14170,-14159,-14151,-14149,-14145,-14140,-14137,-14135,-14125,-14123,-14122,-14112,
     -14109,-14099,-14097,-14094,-14092,-14090,-14087,-14083,-13917,-13914,-13910,-13907,
     -13906,-13905,-13896,-13894,-13878,-13870,-13859,-13847,-13831,-13658,-13611,-13601,
     -13406,-13404,-13400,-13398,-13395,-13391,-13387,-13383,-13367,-13359,-13356,-13343,
     -13340,-13329,-13326,-13318,-13147,-13138,-13120,-13107,-13096,-13095,-13091,-13076,
     -13068,-13063,-13060,-12888,-12875,-12871,-12860,-12858,-12852,-12849,-12838,-12831,
     -12829,-12812,-12802,-12607,-12597,-12594,-12585,-12556,-12359,-12346,-12320,-12300,
     -12120,-12099,-12089,-12074,-12067,-12058,-12039,-11867,-11861,-11847,-11831,-11798,
     -11781,-11604,-11589,-11536,-11358,-11340,-11339,-11324,-11303,-11097,-11077,-11067,
     -11055,-11052,-11045,-11041,-11038,-11024,-11020,-11019,-11018,-11014,-10838,-10832,
     -10815,-10800,-10790,-10780,-10764,-10587,-10544,-10533,-10519,-10331,-10329,-10328,
     -10322,-10315,-10309,-10307,-10296,-10281,-10274,-10270,-10262,-10260,-10256,-10254
    );
    $strPy = array(
     "A","Ai","An","Ang","Ao","Ba","Bai","Ban","Bang","Bao","Bei","Ben",
     "Beng","Bi","Bian","Biao","Bie","Bin","Bing","Bo","Bu","Ca","Cai","Can",  // "Ca" was "Ba" in the copied table
     "Cang","Cao","Ce","Ceng","Cha","Chai","Chan","Chang","Chao","Che","Chen","Cheng",
     "Chi","Chong","Chou","Chu","Chuai","Chuan","Chuang","Chui","Chun","Chuo","Ci","Cong",
     "Cou","Cu","Cuan","Cui","Cun","Cuo","Da","Dai","Dan","Dang","Dao","De",
     "Deng","Di","Dian","Diao","Die","Ding","Diu","Dong","Dou","Du","Duan","Dui",
     "Dun","Duo","E","En","Er","Fa","Fan","Fang","Fei","Fen","Feng","Fo",
     "Fou","Fu","Ga","Gai","Gan","Gang","Gao","Ge","Gei","Gen","Geng","Gong",
     "Gou","Gu","Gua","Guai","Guan","Guang","Gui","Gun","Guo","Ha","Hai","Han",
     "Hang","Hao","He","Hei","Hen","Heng","Hong","Hou","Hu","Hua","Huai","Huan",
     "Huang","Hui","Hun","Huo","Ji","Jia","Jian","Jiang","Jiao","Jie","Jin","Jing",
     "Jiong","Jiu","Ju","Juan","Jue","Jun","Ka","Kai","Kan","Kang","Kao","Ke",
     "Ken","Keng","Kong","Kou","Ku","Kua","Kuai","Kuan","Kuang","Kui","Kun","Kuo",
     "La","Lai","Lan","Lang","Lao","Le","Lei","Leng","Li","Lia","Lian","Liang",
     "Liao","Lie","Lin","Ling","Liu","Long","Lou","Lu","Lv","Luan","Lue","Lun",
     "Luo","Ma","Mai","Man","Mang","Mao","Me","Mei","Men","Meng","Mi","Mian",
     "Miao","Mie","Min","Ming","Miu","Mo","Mou","Mu","Na","Nai","Nan","Nang",
     "Nao","Ne","Nei","Nen","Neng","Ni","Nian","Niang","Niao","Nie","Nin","Ning",
     "Niu","Nong","Nu","Nv","Nuan","Nue","Nuo","O","Ou","Pa","Pai","Pan",
     "Pang","Pao","Pei","Pen","Peng","Pi","Pian","Piao","Pie","Pin","Ping","Po",
     "Pu","Qi","Qia","Qian","Qiang","Qiao","Qie","Qin","Qing","Qiong","Qiu","Qu",
     "Quan","Que","Qun","Ran","Rang","Rao","Re","Ren","Reng","Ri","Rong","Rou",
     "Ru","Ruan","Rui","Run","Ruo","Sa","Sai","San","Sang","Sao","Se","Sen",
     "Seng","Sha","Shai","Shan","Shang","Shao","She","Shen","Sheng","Shi","Shou","Shu",
     "Shua","Shuai","Shuan","Shuang","Shui","Shun","Shuo","Si","Song","Sou","Su","Suan",
     "Sui","Sun","Suo","Ta","Tai","Tan","Tang","Tao","Te","Teng","Ti","Tian",
     "Tiao","Tie","Ting","Tong","Tou","Tu","Tuan","Tui","Tun","Tuo","Wa","Wai",
     "Wan","Wang","Wei","Wen","Weng","Wo","Wu","Xi","Xia","Xian","Xiang","Xiao",
     "Xie","Xin","Xing","Xiong","Xiu","Xu","Xuan","Xue","Xun","Ya","Yan","Yang",
     "Yao","Ye","Yi","Yin","Ying","Yo","Yong","You","Yu","Yuan","Yue","Yun",
     "Za","Zai","Zan","Zang","Zao","Ze","Zei","Zen","Zeng","Zha","Zhai","Zhan",
     "Zhang","Zhao","Zhe","Zhen","Zheng","Zhi","Zhong","Zhou","Zhu","Zhua","Zhuai","Zhuan",
     "Zhuang","Zhui","Zhun","Zhuo","Zi","Zong","Zou","Zu","Zuan","Zui","Zun","Zuo"
    );

    // Convert a GB2312-encoded string to pinyin; single-byte (ASCII) characters are
    // copied through with a space on each side.
    function getPy($string)
    {
        global $strVal, $strPy;
        $py = '';
        $strLen = strlen($string);
        for ($ii = 0; $ii < $strLen; $ii++) {
            $s = ord($string[$ii]);
            if ($s > 160 && $ii + 1 < $strLen) {   // lead byte of a two-byte character
                $ii++;
                $ss = ord($string[$ii]);
                $_ss = $s * 256 + $ss - 65536;
                if ($_ss == -9254) {
                    $py .= "Zhen";
                } else {
                    // Take the last threshold that is <= the key. (The original ternary
                    // could never select index 0, so "A" was skipped, and it found nothing
                    // for keys beyond the last threshold.)
                    $_index = -1;
                    foreach ($strVal as $_k => $_v) {
                        if ($_v > $_ss) {
                            break;
                        }
                        $_index = $_k;
                    }
                    if ($_index >= 0) {
                        $py .= $strPy[$_index];
                    }
                }
            } else {
                $py .= " {$string[$ii]} ";
            }
        }
        return $py;
    }
This was adapted from an example found online. It actually has quite a few bugs: the 作 in 作业 is not recognised, and GBK characters cannot be converted to pinyin either (it seems the pinyin rules for some of the special GBK characters do not agree with the array above).

Still, consider these my backups. Heh; likewise, anyone who does not need very accurate pinyin is welcome to use them.
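The same lookup in Python, as an added example (my own code, not the post's): it computes the key exactly as the PHP does from the two GB2312 bytes and then finds the syllable with a binary search over the sorted thresholds, which is the clean form of the linear scan. The table is a constructed subset of the post's $strVal/$strPy pairs (the A to Can rows and the Zhong to Zhua rows) with sentinels marking the ranges the subset does not cover, so it answers None for characters outside them; the full 396-entry table from the post would drop straight in.

```python
import bisect

# Constructed subset of the post's tables: (first key of the syllable, syllable).
# A None syllable marks the start of a key range this subset does not cover.
TABLE = [
    (-20319, "A"), (-20317, "Ai"), (-20304, "An"), (-20295, "Ang"), (-20292, "Ao"),
    (-20283, "Ba"), (-20265, "Bai"), (-20257, "Ban"), (-20242, "Bang"), (-20230, "Bao"),
    (-20051, "Bei"), (-20036, "Ben"), (-20032, "Beng"), (-20026, "Bi"), (-20002, "Bian"),
    (-19990, "Biao"), (-19986, "Bie"), (-19982, "Bin"), (-19976, "Bing"), (-19805, "Bo"),
    (-19784, "Bu"), (-19775, "Ca"), (-19774, "Cai"), (-19763, "Can"), (-19756, None),
    (-10544, "Zhong"), (-10533, "Zhou"), (-10519, "Zhu"), (-10331, "Zhua"), (-10329, None),
]
KEYS = [key for key, _ in TABLE]


def gb2312_key(hi, lo):
    """The key the PHP computes: hi*256 + lo - 65536 for the two bytes of a character."""
    return hi * 256 + lo - 65536


def syllable_for_key(key):
    """Syllable whose first key is the largest table key <= key, or None when the
    key lies in an uncovered range or before the first entry."""
    i = bisect.bisect_right(KEYS, key) - 1
    return TABLE[i][1] if i >= 0 else None


def to_pinyin(text):
    """Encode text as GB2312 and map every two-byte character to a syllable;
    single-byte characters are copied through, unknown characters become '?'."""
    data = text.encode("gb2312")
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b > 160 and i + 1 < len(data):          # lead byte of a two-byte character
            syllable = syllable_for_key(gb2312_key(b, data[i + 1]))
            out.append(syllable if syllable is not None else "?")
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


if __name__ == "__main__":
    print(to_pinyin("啊安中a"))
```

Because 啊 is the very first GB2312 level-1 character (bytes B0 A1, key -20319), it is the case the post's ternary lookup silently dropped; bisect_right handles it and the other boundary (keys past the last threshold) alike.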

Tags: Chinese text handling