XSS研究4-来自外部的XSS攻击的防范

简介:

引入:

这篇文章我们来专门探讨如何防范来自外部的XSS攻击。


实践:

其实从http://supercharles888.blog.51cto.com/609344/1339921 文章中可以看出,主要的攻击手段无让攻击者机器上运行一段JS,这段js中包含一段对于document.cookie的处理,如果这个能拿到正确的值,那么就可以用获取的信息发送到攻击者的某个指定机器上,从而盗用。所以从这个思路上想解决方法就很容易了,就是通过一段机制,让植入到攻击者机器上的恶意的js代码中拿document.cookie拿不到内容。


能实现这一点么,简单查阅了下文档,发现了原来有Cookie 有个HttpOnly这么个标记,如果把它设置为true的时候,那么这个cookie只能通过http协议访问,而无法通过javascript 脚本,或者applet进行访问。我们在想,既然信息的盗用都是一段js脚本去拿到document.cookie的内容,那么如果设置Cookie为HttpOnly后,是否解决问题了呢?


为此,我们做个实验,我们让Cookie用java代码生成而不是和上文连接中的用某段js生成(这样做的目的是万一HttpOnly真起作用了,那么我们设置Cookie的这段js代码就生效了)

代码很简单,我们做了一个Servlet,然后让用户访问这个Servlet的时候,它会创建一个Cookie(现在hard-coded):为了比较,我们先做一个不设置HttpOnly的例子:

代码如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
package  com.charles.study;
import  java.io.IOException;
import  java.io.PrintWriter;
import  javax.servlet.ServletException;
import  javax.servlet.http.Cookie;
import  javax.servlet.http.HttpServlet;
import  javax.servlet.http.HttpServletRequest;
import  javax.servlet.http.HttpServletResponse;
/**
  * 这个Servlet用于产生一个Cookie
  * @author charles.wang
  *
  */
public  class  CookieServlet  extends  HttpServlet{
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              
     public  void  doGet(HttpServletRequest request, HttpServletResponse response)
             throws  ServletException, IOException {
         buildResponseWithCookie(response);
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   
     }
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            
     /**
      * hard-code一个Cookie信息,并且写到客户端
      * @param response
      * @throws IOException
      */
     private  void  buildResponseWithCookie(HttpServletResponse response)  throws  IOException {
         response.setContentType( "text/html;charset=utf-8" );
         PrintWriter out = response.getWriter();
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    
         Cookie cookie =  new  Cookie( "charles" , "1234567890" );
         cookie.setMaxAge( 24 * 3600 );
         cookie.setPath( "/" );
         response.addCookie(cookie);
         out.println( "Already Written Cookie to Client" );
     }
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            
     public  void  doPost(HttpServletRequest request, HttpServletResponse response)
             throws  ServletException, IOException {
         doGet(request, response);
     }
}


然后在 web.xml中定义好 servlet-mapping(略去)

然后当我们访问页面时候,打开Firebug,切换到Cookie标签:

123446332.png

可以看到,默认情况下,这个CookieHttpOnly属性是没有设置值的(下方表格第七栏)

现在,我们切换到Console标签页,然后输入document.cookie:

123640124.png

红色部分显示,这时候我们是拿得到cookie的值的,也就是说js完全可以获取cookie的内容。


现在我们把我们的代码变下,在创建cookie的地方,加一行 cookie.setHttpOnly(true);


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
/**
      * hard-code一个Cookie信息,并且写到客户端
      * @param response
      * @throws IOException
      */
     private  void  buildResponseWithCookie(HttpServletResponse response)  throws  IOException {
         response.setContentType( "text/html;charset=utf-8" );
         PrintWriter out = response.getWriter();
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            
         Cookie cookie =  new  Cookie( "charles" , "1234567890" );
         cookie.setMaxAge( 24 * 3600 );
         cookie.setPath( "/" );
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          
         //以下这行专门用于解决来自外部的XSS攻击问题
         cookie.setHttpOnly( true );
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          
         response.addCookie(cookie);
         out.println( "Already Written Cookie to Client" );
     }

其他不变,然后我们重复上面实验,我们打开这个servlet页面,打开Firebug,切换到Cookie标签

124119518.png

这时候可以发现第7列HttpOnly属性被设置了。

现在,我们切换到Console标签页,然后输入document.cookie:

124412888.png

这次我们发现,这个Cookie不再显示“charles=1234567890"了,取而代之的是,它只显示""空,这就表明,我们的HttpOnly属性起作用了。我们的恶意js无法通过document.cookie拿到任何有价值信息。


结论的延伸:

于是,从上面2个实验对比,我们发现了HttpOnly属性是解决来自外部XSS攻击的关键属性,我们不满足上面实验,我们还可以进行扩展,因为上述实验中,我们是让response直接添加了一个cookie, 然现实中的例子多数是通过会话HttpSession,然后它的scope上添加了一些机密信息,并且维护在服务器端的。然后客户端也会有一个id去引用这个对应的session,那么这个Session是否可以使用HttpOnly属性呢?答案是肯定的。

如果你使用的是servlet 3.0+的版本,那么在对应的web.xml中,可以天然的通过下面一段代码来配置HttpOnly属性:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
<?xml version= "1.0"  encoding= "UTF-8" ?>
<web-app version= "3.0"  xmlns= "http://java.sun.com/xml/ns/javaee"
     xmlns:xsi= "http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation= "http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" >
     <display-name>XSSDemo</display-name>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         
     <session-config>
         <cookie-config>
             <http-only> true </http-only>
         </cookie-config>
     </session-config>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        
..

这里,注意我们的xsd是servlet 3.0的xsd,所以我们可以在<session-config>中使用 <cookie-config>子元素,然后用<http-only>true来启用这个HttpOnly特征。

我们来做个实验证明,我们修改下CookieServlet,从而当我们访问这个Servlet时候他会创建一个Session:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
public  class  CookieServlet  extends  HttpServlet{
                                                                                                                                                                                                                                                                                                                                                                                                         
     public  void  doGet(HttpServletRequest request, HttpServletResponse response)
             throws  ServletException, IOException {
         HttpSession session= request.getSession();
         session.setAttribute( "charles_session" , "9876543210" );
                                                                                                                                                                                                                                                                                                                                                                                                             
         response.setContentType( "text/html;charset=utf-8" );
         PrintWriter out = response.getWriter();
         out.println( "Session Created" );
                                                                                                                                                                                                                                                                                                                                                                                                              
     }
                                                                                                                                                                                                                                                                                                                                                                                                       
                                                                                                                                                                                                                                                                                                                                                                                                       
                                                                                                                                                                                                                                                                                                                                                                                                       
     public  void  doPost(HttpServletRequest request, HttpServletResponse response)
             throws  ServletException, IOException {
         doGet(request, response);
     }
}

然后我们访问页面:

125850183.png

显然,从第七列看出来,这个刚创建的Session Cookie ,它的HttpOnly被正确的设置了。


总结:

我们做了几个实验,大体上解决了外部XSS攻击的问题,主要是通过设置HttpOnly属性,这个属性可防止js或者applet去操作cookie,而且它不仅适用于一般的Cookie,也适用于Session Cookie. 其实它的思想很简单,既然外部XSS攻击是你把情报带出去,那么我海关就严格一条,任何纸条只要通过海关就”烧“掉(我只是打个比方) ,这样你不管如何,你都不能通过恶意代码从这个灰烬的纸条中拿到信息了。


实践上看,对于一般的Cookie,只要在它创建的时候,设置cookie.setHttpOnly(true).

对于Session Cookie,如果你的app容器支持servlet 3.0规范,那么只要配置 <cookie-config>让其启用<http-only>就可以了,如果你的app容器比较老,那么你必须通过覆写SET-COOKIE的 Http响应头来显式添加HttpOnly标志。

1
2
3
//通过覆写SET-COOKIE的 Http响应头来显式的添加HttpOnly
  String sessionid = request.getSession().getId();
  response.setHeader( "SET-COOKIE" "JSESSIONID="  + sessionid +  "; HttpOnly" );


其实,现在主流的浏览器都能很好的支持HttpOnly了,黑客们要入侵难度又加大了。





本文转自 charles_wang888 51CTO博客,原文链接:http://blog.51cto.com/supercharles888/1341060,如需转载请自行联系原作者
目录
相关文章
|
27天前
|
JavaScript 安全 前端开发
js开发:请解释什么是XSS攻击和CSRF攻击,并说明如何防范这些攻击。
XSS和CSRF是两种常见的Web安全威胁。XSS攻击通过注入恶意脚本盗取用户信息或控制账户,防范措施包括输入验证、内容编码、HTTPOnly Cookie和CSP。CSRF攻击则诱使用户执行未经授权操作,防范手段有CSRF Tokens、双重验证、Referer检查和SameSite Cookie属性。开发者应采取这些防御措施并定期进行安全审计以增强应用安全性。
19 0
|
3月前
|
存储 JSON 前端开发
【面试题】XSS攻击是什么?
【面试题】XSS攻击是什么?
|
3月前
|
存储 开发框架 安全
如何处理预防XSS漏洞攻击问题
防止XSS攻击需要从多个方面入手,包括输入验证和过滤、输出编码、设置正确的HTTP头部、使用最新的安全框架和库、定期进行安全审计和漏洞扫描以及培训和意识提升等。只有综合运用这些措施,才能有效地防止XSS攻击,保护网站和用户的安全。
|
4天前
|
安全 JavaScript Go
跨站脚本攻击(XSS)防护在Django中的应用
【4月更文挑战第15天】本文介绍了Django如何防范XSS攻击。Django模板引擎自动转义HTML以防止恶意脚本,提供`mark_safe`函数和CSRF防护。此外,建议开发者验证清理用户输入、使用内容安全策略、更新库以及遵循安全编码实践来增强防护。通过这些措施,开发者能构建更安全的Web应用。
|
1月前
|
安全 JavaScript 前端开发
Low 级别反射型 XSS 演示(附链接)
Low 级别反射型 XSS 演示(附链接)
17 0
|
1月前
|
存储 JavaScript 前端开发
DOM 型 XSS 演示(附链接)
DOM 型 XSS 演示(附链接)
63 0
|
1月前
|
存储 前端开发 JavaScript
存储型 XSS 攻击演示(附链接)
存储型 XSS 攻击演示(附链接)
64 0
|
1月前
|
存储 前端开发 JavaScript
反射型 XSS 攻击演示(附链接)
反射型 XSS 攻击演示(附链接)
101 0
|
2月前
|
存储 安全 JavaScript
HW常见攻击方式 --XSS跨站脚本攻击
HW常见攻击方式 --XSS跨站脚本攻击
26 0
|
3月前
|
安全 JavaScript 前端开发
Python 的安全性和测试:解释什么是 XSS 和 CSRF 攻击?在 Python 中如何防范这些攻击?
Python 的安全性和测试:解释什么是 XSS 和 CSRF 攻击?在 Python 中如何防范这些攻击?