XSS attacks and style attributes

借酒劲吻你 2020-12-03 00:53

There are known Style Attribute XSS attacks like:

Or

4 Answers
  • 2020-12-03 01:37

    Security rule #1: If you are the least bit in doubt, presume there is a hole.

    What are you trying to achieve? What functionality would cause CSS from an untrusted source?

  • 2020-12-03 01:43

    Yes, you can use XSS attacks with style attributes.

    These styles were injected as we didn't have them declared in our tags in a particular jsp page but got through when audited by our security group:

    <img src="<path here>" style=x:ex/**/pression
    (alert(54163)) ".gif"
    

    I'm thinking of using an HTTP filter to stop it here, but I'm still looking into it.

    We also didn't have our hidden input fields protected either and this got through as well:

    <input type="hidden" name="<variable name here>" value="<value here>"  style=x:ex/**/pression(alert
    (54163)) "">
    

    With a tool like Burp Suite, you can modify requests on the fly to inject XSS into tags like this. However, with the ESAPI APIs from OWASP, you can add protection. We weren't using JSTL tags as it was old legacy code, so that was the best short-term solution.

    For the hidden input I used:

    <input type="hidden" name="id" value="<%=ESAPI.encoder().encodeForHTMLAttribute(id)%>" />
    

    You can also use XSS with the js onload event in an img tag:

  • 2020-12-03 01:44

    This does not work due to click-jacking vulnerability.

    Example:

    <a href="http://example.com/attack.html" style="display: block; z-index: 100000; opacity: 0.5; position: fixed; top: 0px; left: 0; width: 1000000px; height: 100000px; background-color: red;"> </a> 
    

    Found at: http://www.bioinformatics.org/phplabware/forum/viewtopic.php?id=164

    The code would be perfectly validated but it may cause serious damage.

    So, rule of thumb: use a very strict white list or do not allow style attributes.

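
A minimal version of the strict white list recommended in the answer above, as an added example (not code from any of the answers): the `ALLOWED` policy, the `sanitize_style` name and the sample inputs are assumptions chosen for illustration. It drops any value containing characters outside a small safe set and rebuilds the attribute from allowlisted declarations only, so both the `expression` value and the full-page overlay quoted in the answers are neutralised.

```python
import re

# Assumed policy for illustration: only these properties, each with a tightly
# constrained value. Positioning, sizing, opacity and z-index are absent on purpose.
_COLOR = r"#[0-9a-f]{3}|#[0-9a-f]{6}|black|white|red|green|blue|gray"
ALLOWED = {
    "color": re.compile(_COLOR),
    "background-color": re.compile(_COLOR),
    "font-weight": re.compile(r"normal|bold"),
    "font-style": re.compile(r"normal|italic"),
    "text-align": re.compile(r"left|right|center|justify"),
    "text-decoration": re.compile(r"none|underline|line-through"),
    "font-size": re.compile(r"(?:[89]|[1-3][0-9])(?:px|pt)"),
}

# Characters a plain declaration can need. Anything else (parentheses, slashes,
# backslashes, quotes, '@', control or non-ASCII characters) signals comments,
# escapes, functions or markup, so the whole value is rejected outright.
_SAFE_CHARS = re.compile(r"[a-z0-9#:;.%\- ]*")


def sanitize_style(raw):
    """Return a rebuilt style value with allowlisted declarations only ("" = omit attribute)."""
    value = raw.strip().lower()
    if not _SAFE_CHARS.fullmatch(value):
        return ""
    kept = []
    for decl in value.split(";"):
        prop, sep, val = decl.partition(":")
        prop, val = prop.strip(), val.strip()
        rule = ALLOWED.get(prop)
        if sep and rule and rule.fullmatch(val):
            kept.append(f"{prop}: {val}")
    return "; ".join(kept)


# Constructed inputs: the two style values quoted in the answers, plus a benign one.
SAMPLES = {
    "expression": "x:ex/**/pression(alert(54163))",
    "overlay": "display: block; z-index: 100000; opacity: 0.5; position: fixed; "
               "top: 0px; left: 0; width: 1000000px; height: 100000px; background-color: red;",
    "benign": "color: #336699; font-weight: bold; text-align: center",
}

if __name__ == "__main__":
    for name, style in SAMPLES.items():
        print(f"{name:10} -> {sanitize_style(style)!r}")
```

The returned string still has to be HTML-attribute-encoded when it is written back into the tag, as with the `encodeForHTMLAttribute` call shown in the earlier answer.
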
  • 2020-12-03 01:57

    There is an open foundation out there called OWASP that helps you with this.

    To answer your question "Are there any attacks...": Yes!

    There is tons of documentation there, and there are libraries you can use to correctly escape all XSS code.

    Read the XSS prevention sheet.
