
Details make the difference: Chrome's XSS filtering feature

A chance discovery!

Below is a very simple JSP page:

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Hello World!</title>
</head>
<body>
    <%! private int accessCount = 0; %>
    <H2>
        Accesses to page since server reboot:
        <%= ++accessCount %>
    </H2>
    <%
        out.println("<a href=\"http://www.cnblogs.com/magialmoon/\">Click to Download</a> <br />");
        // The "name" parameter is written straight back into the page without escaping:
        // this is the reflected XSS sink the rest of the post exercises.
        String name = request.getParameter("name");
        if (name != null) {
            out.println("Welcome " + name);
        }
        out.println("<script>alert(\"attacked 1\")</script>");
    %>
</body>
</html>

Entering http://localhost:8080/security-web/xss.jsp?name=zjd in the browser outputs the following page:


Now let's simulate the simplest possible XSS attack. Type into the browser: http://localhost:8080/security-web/xss.jsp?name=<script>alert("attacked!")</script>. First, try IE (IE10):

bingo!!!

Now let's see how Chrome behaves:

The page renders normally and the attack does not fire. Why? A look at the page source makes it clear immediately:

Chrome has already filtered the parameter to prevent the XSS attack. It is also fairly smart: if the page further down contains a statement identical to the attack, that gets blocked as well, for example if you replace "attacked!" in the link above with "ok":

Even more considerate: when you copy a link carrying a potential XSS payload from Chrome's address bar, it is escaped automatically, for example the link above becomes:

http://localhost:8080/security-web/xss.jsp?name=%3Cscript%3Ealert(%22attacked!%22)%3C/script%3E

In addition, a typical XSS attack applies simple ASCII (percent) encoding to the link. For example, entering the address below in the browser tampers with the page's download link:

http://localhost:8080/security-web/xss.jsp?name=<script>window.onload = function() {var link=document.getElementsByTagName("a");link[0].href="http://attacker-site.com/";}</script>

After the same simple encoding it might look like this:

http://localhost:8080/security-web/xss.jsp?name=%3c%73%63%72%69%70%74%3e%77%69%6e%64%6f%77%2e%6f%6e%6c%6f%61%64%20%3d%20%66%75%6e%63%74%69%6f%6e%28%29%20%7b%76%61%72%20%6c%69%6e%6b%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%22%61%22%29%3b%6c%69%6e%6b%5b%30%5d%2e%68%72%65%66%3d%22%68%74%74%70%3a%2f%2f%61%74%74%61%63%6b%65%72%2d%73%69%74%65%2e%63%6f%6d%2f%22%3b%7d%3c%2f%73%63%72%69%70%74%3e

This little trick does not fool Chrome either; test the same thing in IE and the difference is obvious.
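The browser filter is a safety net, not a fix; the real fix is on the server. As an added example (not code from the post), the snippet below builds the reflected "Welcome" line once the way xss.jsp does and once with an HTML escape, and first decodes the percent-encoded payload shown above to demonstrate that the servlet container hands request.getParameter() the same string either way, so output escaping covers both forms. escapeHtml, vulnerableWelcome and safeWelcome are hypothetical names chosen for this example.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

public class ReflectedXssDemo {

    // Escape the five characters that matter in an HTML text context.
    // Hand-rolled here for illustration; a real project should use a vetted
    // encoder library rather than its own implementation.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // What xss.jsp does today: the raw parameter is concatenated into markup.
    static String vulnerableWelcome(String name) {
        return "Welcome " + name;
    }

    // The hardened form: same sentence, parameter escaped for an HTML text node.
    static String safeWelcome(String name) {
        return "Welcome " + escapeHtml(name);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: the plain payload from the post and its
        // percent-encoded twin. The container URL-decodes the query string
        // before getParameter() returns it, so both arrive identical.
        String plain   = "<script>alert(\"attacked!\")</script>";
        String encoded = "%3c%73%63%72%69%70%74%3ealert(%22attacked!%22)%3c%2f%73%63%72%69%70%74%3e";
        String decoded = URLDecoder.decode(encoded, StandardCharsets.UTF_8.name());

        System.out.println("decoded equals plain: " + decoded.equals(plain));
        System.out.println("vulnerable: " + vulnerableWelcome(decoded));
        System.out.println("hardened:   " + safeWelcome(decoded));
    }
}
```

The hardened line contains no "<" or ">" characters, so the browser renders the payload as text whether or not an XSS filter is present.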


A quick search shows this is a WebKit feature: http://www.zhihu.com/question/20941818.

PS: There is another good Zhihu thread on Chrome at http://www.zhihu.com/question/20564451. I have always used Chrome; what I like most is its simple interface, paired with Google:
