当前位置:编程学习 > php >>

利用PHP编程防范XSS跨站脚本攻击

国内不少论坛都存在跨站脚本漏洞,国外(也很)多这样(的)例子,甚至Google(也)出现过,不过在12月初时修正了。(编者注:关于跨站脚本漏洞攻击,读者可参阅《详解XSS跨站脚本攻击》)。跨站攻击(很)容易(就)可以构造,而且非常隐蔽,不易被查觉(通常盗取信息后马上跳转回原页面)。

  如何攻击,在此不作说明((也)不要问我),主要谈谈如何防范。首先,跨站脚本攻击都(是)由于对用户(的)输入没有进行严格(的)过滤造成(的),所以我们必须在所有数据进入我们(的)网站和数据库之前把可能(的)危险拦截。针对非法(的)HTML代码包括单双引号等,可以使用htmlentities() 。

<?php
$str = "A quote is <b>bold</b>";
// Outputs: A quote is <b>bold</b>
echo htmlentities($str);
// Outputs: A 'quote' is <b>bold</b>
echo htmlentities($str, ENT_QUOTES);
?>

 

  这样可以使非法(的)脚本失效。

  但(是)要注意一点,htmlentities()默认编码为 ISO-8859-1,如果你(的)非法脚本编码为其它,那么可能无法过滤掉,同时浏览器却可以识别和执行。这个问题我先找几个站点测试后再说。

  这里提供一个过滤非法脚本(的)函数:

function RemoveXSS($val) {
 // remove all non-printable characters. CR(0a) and LF(0b) and TAB(9) are allowed
 // this prevents some character re-spacing such as <javascript>
 // note that you have to handle splits with
,
, and    later since they *are* allowed in some inputs
 $val = preg_replace(/([x00-x08][x0b-x0c][x0e-x20])/, , $val);
 // straight replacements, the user should never need these since theyre normal characters
 // this prevents like <IMG SRC=@avascript:a&
_#X6Cert('XSS')>
 $search = abcdefghijklmnopqrstuvwxyz;
 $search .= ABCDEFGHIJKLMNOPQRSTUVWXYZ;
 $search .= 1234567890!@#$%^&*();
 $search .= ~`";:?+/={}[]-_|;
 for ($i = 0; $i < strlen($search); $i++) {
// ;? matches the ;, which is optional
// 0{0,7} matches any padded zeros, which are optional and go up to 8 chars
// @ @ search for the hex values
$val = preg_replace(/(&#[x|X]0{0,8}.dechex(ord($search[$i])).;?)/i, $search[$i], $val); // with a ;
// @ @ 0{0,7} matches 0 zero to seven times
$val = preg_replace(/(�{0,8}.ord($search[$i]).;?)/, $search[$i], $val); // with a ;
 }
 // now the only remaining whitespace attacks are   ,
, and
 $ra1 = Array(javascript, vbscript, expression, applet, meta, xml, blink, link, style, script, embed, object, iframe, frame, frameset, ilayer, layer, bgsound, title, base);
$ra2 = Array(onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload);
 $ra = array_merge($ra1, $ra2);
 $found = true; // keep replacing as long as the previous round replaced something
 while ($found == true) {
$val_before = $val;
for ($i = 0; $i < sizeof($ra); $i++) {
 $pattern = /;
 for ($j = 0; $j < strlen($ra[$i]); $j++) {
if ($j > 0) {
 $pattern .= (;
 $pattern .= (&#[x|X]0{0,8}([9][a][b]);?)?;
 $pattern .= |(�{0,8}([9][10][13]);?)?;
 $pattern .= )?;
}
 $pattern .= $ra[$i][$j];
}
$pattern .= /i;
$replacement = substr($ra[$i], 0, 2).<x>.substr($ra[$i], 2); // add in <> to nerf the tag
$val = preg_replace($pattern, $replacement, $val); // filter out the hex tags
if ($val_before == $val) {
 // no replacements were made, so exit the loop
 $found = false;
}
 }
}
}
 

补充:Web开发 , php ,
CopyRight © 2022 站长资源库 编程知识问答 zzzyk.com All Rights Reserved
部分文章来自网络,