When we request a web page, we often append parameters to the URL, and the server builds a different HTML response depending on their values. For example:

http://localhost:8080/prjWebSec/xss/reflectedXSS.jsp?param=value

In this example, the value may appear in the returned HTML, as the content or an attribute of a script or HTML element. If the value is changed to something the browser will interpret and execute, the result is reflected XSS. One may ask: why would I change the value into malicious code that runs against myself? Isn't that self-defeating? The realistic case is that someone else modifies the value and sends the malicious URL to you or to another user; when the URL is opened, the crafted parameter is parsed and executed as part of the page. This kind of XSS is non-persistent: the victim must click a link that carries the specific parameter. Here is a simple example:
utilits.js:

function writeToDom(str){
    document.writeln(str);
}
function writelnToDom(str){
    document.writeln(str + "<br>");
}

reflectedXSS.jsp:

<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<%@ page import="org.apache.commons.lang.StringEscapeUtils"%>
<%@ page import="java.net.URLDecoder,java.net.URLEncoder"%>
<%@ page import="org.owasp.esapi.ESAPI"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

When a user opens http://localhost:8080/prjWebSec/xss/reflectedXSS.jsp?param=value, the browser outputs "original: value". If the URL is changed to http://localhost:8080/prjWebSec/xss/reflectedXSS.jsp?param=value';alert('x')// the browser first shows an alert and then outputs "original: value". Viewing the page source in the browser shows:

var scriptVar='value';alert('x')//';

When param is value';alert('x')//, the line var scriptVar='<%=param%>' is returned to the browser as var scriptVar='value';alert('x')//'; so the quote in the parameter closes the string and the rest runs as script. This is a simple instance of reflected XSS. Let's look at how to prevent it. Both commons-lang and OWASP ESAPI provide utility classes for this.
<%
    // Raw request parameter: reflected below without any encoding (the vulnerable case)
    String param = request.getParameter("param");
    System.out.println("original " + param);
    // Same parameter, JavaScript-escaped with commons-lang
    String secparam = StringEscapeUtils.escapeJavaScript(request.getParameter("param"));
    System.out.println("StringEscapeUtils " + secparam);
    // Same parameter, JavaScript-encoded with OWASP ESAPI
    String owaspparam = ESAPI.encoder().encodeForJavaScript(request.getParameter("param"));
    System.out.println("OWASP " + owaspparam);
    // Server-side output: all three values written straight into the HTML body
    out.write("server side output ------------------------------------------------------- ");
    out.write("<br>original: " + param);
    out.write("<br>StringEscapeUtils: " + secparam);
    out.write("<br>OWASP: " + owaspparam);
%>
<script>
    writelnToDom("<br> client side output---------------------------------------------");
    // Vulnerable: the raw parameter is placed inside a JavaScript string literal
    var scriptVar='<%=param%>';
    writelnToDom("original: " + scriptVar);
    // Encoded values stay inside their string literals
    var secVar='<%=secparam%>';
    writelnToDom('StringEscapeUtils:' + secVar);
    var owaspparam='<%=owaspparam%>';
    writelnToDom("OWASP: " + owaspparam);
</script>
Test with this URL http://localhost:8080/prjWebSec/xss/reflectedXSS.jsp?param=value Chinese '; alert ('x') // <> system. output of out is: original value '; alert ('x') // <> StringEscapeUtils value \ u4E2D \ u6587 \'; alert (\ 'x \') // <> OWASP value \ u4E2D \ u6587 \ x27 \ x3Balert \ x28 \ x27x \ x27 \ x29 \ x2F \ x2F \ x3C \ x3E the browser displays alert once, at the same time, the following content is output: server side output ------------------------------------------------------- inal: value '; alert ('x') // <> StringEscapeUtils: value \ u4E2D \ u6587 \'; alert (\ 'x \ ') // <> OWASP: value \ u4E2D \ u6 587 \ x27 \ x3Balert \ x28 \ x27x \ x27 \ x29 \ x2F \ x2F \ x3C \ x3E client side output invalid original: value Chinese StringEscapeUtils: value '; alert ('x') // <> OWASP: value Chinese'; alert ('x') // <> StringEscapeUtils. escapeJavaScript will enclose single quotation marks (') and double quotation marks (') in front of each other and encode wide byte characters in unicode format (\ u + hexadecimal ). ESAPI. encoder (). encodeForJavaScript will encode all non-numeric and non-English characters, unicode encoding for wide byte characters, and \ x + hexadecimal encoding for other characters. When the Browser executes JavaScript, it will interpret and decode it into characters, which is equivalent to automatically calling the JavaScripte unescape method. Through escapeJavaScript and encodeForJavaScript, the content output to JavaScript can be executed as JavaScript. What will happen to this URL? http://localhost:8080/prjWebSec/xss/reflectedXSS.jsp?param=1 Chinese'; alert ('x') // An alert ('x') is displayed ') and three alert ('error'), and three what is the cause? Alert ('x') is still executed because Javascript elements are not encoded. the other three alert ('error') triggers the onerror event because the html content is not encoded in html. Three img elements are inserted in the DOM and the image specified by src cannot be obtained. 
The solution: if the returned data is to be used as the content of an HTML node, make sure it is interpreted as data rather than as HTML elements. StringEscapeUtils.escapeHtml and ESAPI.encoder().encodeForHTML do this. The following code ensures the value is neither executed as JavaScript nor interpreted as an HTML element.
<%
    String doubleSecparam = StringEscapeUtils.escapeJavaScript(
            StringEscapeUtils.escapeHtml(request.getParameter("param")));
    String doubleOwasp = ESAPI.encoder().encodeForJavaScript(
            ESAPI.encoder().encodeForHTML(request.getParameter("param")));
%>
<script>
    var doubleScriptVar='<%=doubleSecparam%>';
    writelnToDom("doubleSecparam StringEscapeUtils: " + doubleScriptVar);
    var doubleOwasp='<%=doubleOwasp%>';
    writelnToDom("Double OWASP: " + doubleOwasp);
</script>
View the page source in the browser: the HTML elements have been encoded as HTML entities.
var doubleScriptVar = '1中文\';alert(\'x\')//';
var doubleOwasp = '1\x26\Alibaba\x3B\x26\Alibaba\x3B\x26\x23x27\x3B\x26\x23x3b\x3Balert\x26\x23x28\x3B\x26\x23x27\x3Bx\x26\x23x27\x3B\x26\x23x29\x3B\x26\Users\x3B\x26\x23x2f\x3B\x26lt\x3Bimg\x20src\x26\x23x3d\x3B\x26\export\x3B\x20onError\x26\x23x3d\x3B\x26quot\x3Bjavascript\x26\x23x3a\x3Balert\x26\Users\x3B\x26\x23x27\x3Berror\x26\drivers\x3B\x26\x23x29\x3B\x26quot\x3B\x26gt\x3B';
Of course, in practice few websites have XSS vulnerabilities as obvious as this one; here I have only demonstrated the principle of reflected XSS. Real vulnerabilities come in many forms, but in essence they are the same. Two useful links:
http://www.bkjia.com/Article/200807/28244.html
http://lcamtuf.coredump.cx/