Building a Simple XSS Lab Environment

2019-12-19

1. DOM Based XSS

1.1. Concepts

  • XSS

    Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

  • DOM: Document Object Model (DOM)

  • DOM Based XSS

    DOM Based XSS (or as it is called in some texts, “type-0 XSS”) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.

1.2. Implementation

  • Build a web page with a DOM XSS vulnerability

    <!DOCTYPE html>
    <html>
    <body>
    <script>
    function displayTxt() {
        var c = document.getElementById("xss").value;
        // sink: the raw input value is written back into the page as HTML markup
        document.write("你输入的内容是:" + c);
    }
    </script>
    <input type="text" name="txt" id='xss' />
    <input type="button" value="show" onclick="displayTxt();" />
    </body>
    </html>

    <!-- <script>alert(document.URL);</script> -->
    • If document.open has not been called before writing, the browser calls open automatically; calling the function again after each write-and-close causes the page to be rewritten.
  • Open the page, type <script>alert(document.URL);</script> into the form and submit it. The page pops up an alert showing its own URL, which shows the page is vulnerable to XSS.

1.3. Fixing the Vulnerability

  • Because the user input is not filtered, the malicious code gets executed.

  • So it is enough to escape the user input:

    var c = encodeURI(document.getElementById("xss").value);
  • Submit the previous malicious code again; the result now shows the escaped content.
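The fix above relies on encodeURI(), which is URL (percent) encoding rather than HTML encoding. The Python below is an added example, not code from the original post: it reproduces encodeURI's character set with urllib.parse.quote (the ENCODE_URI_SAFE set is this example's assumption about which ASCII characters encodeURI leaves alone) and puts it next to html.escape, so you can check which HTML-significant characters each encoder leaves behind in the post's own payload.

```python
import html
from urllib.parse import quote

# Constructed sample: the payload the post types into the form.
PAYLOAD = "<script>alert(document.URL);</script>"

# Characters the HTML parser treats specially in text and attribute contexts.
HTML_SPECIALS = "<>\"'&"

# Assumption: the ASCII characters JavaScript's encodeURI() never percent-encodes
# (URI reserved characters plus the marks). quote() already leaves letters,
# digits and "_.-~" alone, so this safe-set makes it behave like encodeURI.
ENCODE_URI_SAFE = "!*'();:@&=+$,/?#"


def encode_uri_like(text: str) -> str:
    """Python stand-in for the encodeURI() call used in the post's fix."""
    return quote(text, safe=ENCODE_URI_SAFE)


def html_escape(text: str) -> str:
    """Entity-encode for an HTML text or attribute context (quotes included)."""
    return html.escape(text, quote=True)


def survivors(encoder) -> str:
    """Return the HTML-significant characters that `encoder` passes through unchanged."""
    return "".join(c for c in HTML_SPECIALS if encoder(c) == c)


def compare() -> dict:
    """Report, per encoder, which special characters would reach the HTML parser intact."""
    return {
        "percent": survivors(encode_uri_like),
        "entity": survivors(html_escape),
    }


if __name__ == "__main__":
    print("encodeURI-style:", encode_uri_like(PAYLOAD))
    print("html.escape    :", html_escape(PAYLOAD))
    print("left intact    :", compare())
```

For this page's payload the percent encoding is enough: `<` and `>` become %3C and %3E, so the browser never sees a tag. compare() shows the limit of the trick, though: `'` and `&` pass through untouched, so it is not a general fix for an HTML sink. The context-correct fix is to stop treating the input as markup at all, for example by assigning it to an element's textContent instead of calling document.write, and to keep encodeURI for building URL components.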

2. Stored XSS

2.1. Concepts

  • Stored XSS

    Stored XSS occurs when a web application gathers input from a user which might be malicious, and then stores that input in a data store for later use. The input that is stored is not correctly filtered. As a consequence, the malicious data will appear to be part of the web site and run within the user’s browser under the privileges of the web application. Since this vulnerability typically involves at least two requests to the application, this may also be called second-order XSS.

  • Flask

    • Flask configures Jinja2 to automatically escape all values unless explicitly told otherwise. This should rule out all XSS problems caused in templates, but there are still other places where you have to be careful.
    • There is one class of XSS issues that Jinja’s escaping does not protect against. The <a> tag’s href attribute can contain a javascript: URI, which the browser will execute when clicked if not secured properly.

2.2. Implementation

  • Build a web page with a Stored XSS vulnerability

    • Core part of xss_flask.py

      from flask import Flask, render_template, request

      app = Flask(__name__)


      @app.route('/')
      def index():
          return render_template("xss_idx.html")


      @app.route('/uploadurl', methods=['POST', 'GET'])
      def uploadurl():
          if request.method == 'POST':
              # .get() avoids a NameError when a field is missing from the form
              name = request.form.get('web', '')
              url = request.form.get('url', '')
              # url goes straight into an href attribute in the template;
              # Jinja2's autoescaping does not stop a javascript: URI there
              return render_template("xss_show_url.html", name=name, url=url)
          return render_template("xss_idx.html")
    • Core part of xss_idx.html

      <form method=POST enctype=multipart/form-data action="{{ url_for('uploadurl') }}">
          <label>输入网站名称</label>
          <input type="text" name="web"><br>
          <label>输入网站地址</label>
          <input type="text" name="url"><br>
          <input type=submit onclick="alert('成功')" name="submit" value="提交">
      </form>
    • Core part of xss_show_url.html

      <div class="container" align="center">
          <a href="{{url}}" target="_blank">你喜欢的网页是:{{name}}</a>
      </div>
  • Enter the malicious code in the site-address field of the form and submit it

  • The information just entered is stored on the display page

  • Click the link to trigger the malicious code

  • Remark: Bilibili is only a test case here and says nothing about my own interests.

3. Improvements

  • Validate the input

    • Add to xss_flask.py

      from flask import redirect


      @app.route('/showurl/<string:_url>')
      def showurl(_url):
          if not (_url.startswith('http://') or _url.startswith('https://')):
              _url = "https://" + _url
          '''
          filter & escape special characters here
          '''
          return redirect(_url)
    • Modify xss_show_url

      <a href="{{url_for('showurl',_url=url)}}" target="_blank">你喜欢的网页是:{{name}}</a>
    • In fact, simply forcing the http prefix fixes the problem just shown; and today's browsers already block most reflected XSS of the form http://local.abc.com/?r=abc/index&param=<script>alert(1)</script> automatically
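The prefix trick neutralises javascript: by turning the value into a broken https URL. The usual alternative for a value that ends up in an href or a redirect is an explicit allow-list: parse it, accept only http/https with a host, and reject everything else rather than mangling it. The Python below is an added example and not the post's code: normalize_url_prefix restates the post's check for comparison, while safe_external_url, ALLOWED_SCHEMES and the SAMPLES list are this example's own assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Only these schemes may be linked to or redirected to.
ALLOWED_SCHEMES = {"http", "https"}


def normalize_url_prefix(url: str) -> str:
    """The post's fix, restated: force an http(s) prefix onto whatever was typed."""
    if not (url.startswith("http://") or url.startswith("https://")):
        url = "https://" + url
    return url


def safe_external_url(url: str):
    """Allow-list check for a user-supplied link target.

    Returns a normalised http(s) URL, or None when the value must be rejected
    (unknown scheme, no host, or embedded whitespace/control characters).
    """
    url = url.strip()
    if not url:
        return None
    # Browsers strip tabs and newlines inside a URL, so "java\tscript:" would
    # still run; refuse anything containing them instead of trying to clean up.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        return None
    parts = urlsplit(url)
    if not parts.scheme:
        # A bare host such as www.bilibili.com: add a scheme, then re-parse.
        parts = urlsplit("https://" + url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None  # javascript:, data:, vbscript:, file:, ...
    if not parts.netloc:
        return None  # e.g. "http:alert(1)" has a scheme but no host
    return urlunsplit(parts)


# Constructed sample inputs, including the payload from the post.
SAMPLES = [
    "www.bilibili.com",
    "https://www.bilibili.com/",
    "javascript:alert('notsafe');",
    "JavaScript:alert(1)",
    "java\tscript:alert(1)",
    "data:text/html,<script>alert(1)</script>",
    "http:alert(1)",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "| prefix fix:", normalize_url_prefix(s),
              "| allow-list:", safe_external_url(s))
```

Both approaches stop the post's javascript: payload; the difference is that the allow-list returns None so the view can answer with a 400 and log the rejected value, instead of silently redirecting to a nonsense host. The server-side redirect keeps the user-controlled string out of the template's href entirely, which is the part Jinja2's autoescaping cannot cover.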

3.1. Common Problems

  • If you want to link (href) or redirect to the entered address, you need to supply the full address with an http prefix; otherwise Flask appends it to the current prefix by default (e.g. localhost:5000/www.bilibili.com)

4. Automated Testing

4.1. Environment

  • Chromium Edge + Selenium + WebDriver

4.2. Implementation

  • For the Stored XSS example above

    from selenium import webdriver
    from selenium.webdriver.common.by import By
    from selenium.webdriver.common.keys import Keys

    driver = webdriver.Edge()
    driver.get('http://localhost:5000')  # flask_url; WebDriver needs the scheme
    # find_element_by_name() was removed in Selenium 4; use By.NAME instead
    e1 = driver.find_element(By.NAME, 'web')
    e2 = driver.find_element(By.NAME, 'url')
    e3 = driver.find_element(By.NAME, 'submit')

    e1.send_keys("bilibili")
    e2.send_keys("javascript:alert('notsafe');")  # the payload stored in section 2
    e3.send_keys("", Keys.ARROW_DOWN)
  • Result

    • The page opens, the information is typed in quickly, and it closes. This is equivalent to having stored the malicious code on the server.

5. References

Cross-site Scripting (XSS) - OWASP

Testing for Stored Cross site scripting (OTG-INPVAL-002) - OWASP

Security Considerations — Flask Documentation

Front-end XSS notes (前端XSS相关整理) - 渔人码头 - 博客园 (cnblogs)

Selenium with Python (Chinese translation) — Selenium-Python Chinese documentation

  • sec
  • Security
  • Software Security