- Preface:
- 2. Project configuration
- 3. Writing the XSS-vulnerable back-end code
- 3.1. Reflected XSS
- 3.2. Stored XSS
- 3.3. Fixed, safe code
- 4. Writing the XSS-vulnerable front-end code
- 4.1. Reflected XSS
- 4.2. Stored XSS
- 5. Running the tests
- 5.1. Testing the reflected XSS vulnerability
- 5.2. Testing the stored XSS vulnerability
- 5.3. Testing after the fix
Preface:
Following on from the previous post, this post records how the XSS vulnerability practice range was actually set up.
2. Project configuration
The front end is built with the Vue framework and the back end with the Spring Boot framework.
pom.xml
<dependency>
    <groupId>org.apache.tomcat.embed</groupId>
    <artifactId>tomcat-embed-jasper</artifactId>
    <scope>provided</scope>
</dependency>
<dependency>
    <groupId>javax.servlet</groupId>
    <artifactId>jstl</artifactId>
</dependency>
<dependency>
    <groupId>org.mybatis.spring.boot</groupId>
    <artifactId>mybatis-spring-boot-starter</artifactId>
    <version>2.2.2</version>
</dependency>
<dependency>
    <groupId>mysql</groupId>
    <artifactId>mysql-connector-java</artifactId>
    <scope>runtime</scope>
</dependency>
<dependency>
    <groupId>org.projectlombok</groupId>
    <artifactId>lombok</artifactId>
    <optional>true</optional>
</dependency>
<dependency>
    <groupId>com.baomidou</groupId>
    <artifactId>mybatis-plus-boot-starter</artifactId>
    <version>3.5.1</version>
</dependency>
<dependency>
    <groupId>cn.hutool</groupId>
    <artifactId>hutool-all</artifactId>
    <version>5.7.20</version>
</dependency>
<dependency>
    <groupId>com.auth0</groupId>
    <artifactId>java-jwt</artifactId>
    <version>3.10.3</version>
</dependency>
Vue: vue.config.js
// Cross-origin configuration (dev-server proxy to the Spring Boot back end)
module.exports = {
  devServer: { // note: the key is devServer, don't misspell it
    port: 8080, // local default port (optional)
    proxy: { // proxy settings (required)
      '/api': { // interceptor prefix: a slash plus a name of your choosing
        target: 'http://localhost:9090', // target address the proxy forwards to
        changeOrigin: true, // rewrite the Origin header to the target (set to true)
        pathRewrite: { // path rewriting
          '^/api': '' // strip the interceptor prefix before forwarding
        }
      }
    }
  }
}
3. Writing the XSS-vulnerable back-end code
After group discussion, we decided to implement a range with two basic vulnerabilities: reflected XSS and stored XSS. Reflected XSS is straightforward to implement: the payload the user submits from the front end is returned to the front end and rendered without any filtering, which is enough to build the range. For stored XSS, the user's payload is stored in a database and read back when other users visit, at which point the XSS is triggered; comment features are a typical place where this type of vulnerability appears. We implement stored XSS by storing the payload in a cookie instead, which works on the same basic principle as storing it in a database.
3.1. Reflected XSS
package com.sducsrp.csrp.controller.BUGcontroller;
import com.sducsrp.csrp.common.Constants;
import com.sducsrp.csrp.common.Result;
import org.springframework.stereotype.Controller;
import org.springframework.util.StringUtils;
import org.springframework.web.bind.annotation.*;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
/**
 * @author lhw 2022.04.07
 */
@RestController
@RequestMapping("/xss")
public class XssController {
    /**
     * Vulnerable code.
     * Reflected XSS
     * http://localhost:8080/xss/reflect?xss=
     *
     * @param xss unescaped string
     */
    @PostMapping("/reflect")
    public @ResponseBody Result reflect(@RequestBody String xss) {
        System.out.println(xss + ":ok1");
        // The user-supplied string is echoed back in the response body without any encoding
        Result res = new Result(Constants.CODE_200, null, xss);
        return res;
    }
    // The remaining handlers of this controller follow in sections 3.2 and 3.3
3.2. Stored XSS
Vulnerable code:
    /**
     * Vulnerable code.
     * Stored XSS, step 1
     * http://localhost:8080/xss/stored/store?xss=
     *
     * @param xss unescaped string
     */
    @RequestMapping("/stored/store")
    public @ResponseBody Result store(@RequestBody String xss, HttpServletResponse response) {
        // The raw user input is persisted in a cookie; this stands in for storing it in a database
        Cookie cookie = new Cookie("xss", xss);
        response.addCookie(cookie);
        Result res = new Result(Constants.CODE_200, null, "Set param into cookie,访问/stored/show验证一下");
        return res;
    }
Verification code:
    /**
     * Vulnerable code.
     * Stored XSS, step 2
     * http://localhost:8080/xss/stored/show
     *
     * @param xss unescaped string read back from the cookie
     */
    @RequestMapping("/stored/show")
    public @ResponseBody Result show(@CookieValue("xss") String xss) {
        System.out.println(xss);
        // The stored value is returned to the front end unchanged, so it is rendered on every visit
        Result res = new Result(Constants.CODE_200, null, xss);
        return res;
    }
3.3. Fixed, safe code
    /**
     * Safe code.
     * http://localhost:8080/xss/safe
     */
    @RequestMapping("/safe")
    @ResponseBody
    public static String safe(String xss) {
        return encode(xss);
    }
    // HTML entity encoding of the characters that can open a tag or break out of an attribute.
    // '&' must be replaced first, otherwise the entities produced by the later replacements
    // would themselves be re-encoded.
    private static String encode(String origin) {
        origin = StringUtils.replace(origin, "&", "&amp;");
        origin = StringUtils.replace(origin, "<", "&lt;");
        origin = StringUtils.replace(origin, ">", "&gt;");
        origin = StringUtils.replace(origin, "\"", "&quot;");
        origin = StringUtils.replace(origin, "'", "&#x27;");
        origin = StringUtils.replace(origin, "/", "&#x2F;");
        return origin;
    }
} // end of XssController
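The same output encoding as the fix above, written as a single pass so that the replacement order cannot go wrong, together with a self-check that the encoded text can no longer open a tag; this is an added example, not code from the original post or the project, and the class and method names (HtmlEncodeDemo, encodeForHtml, isInert) and the sample input are my own.

```java
// Added example (not from the original post): single-pass HTML entity encoder
// equivalent to the post's encode() chain, with a small self-check.
public final class HtmlEncodeDemo {

    // Encodes the six characters the post's encode() handles. Because every
    // character is inspected once, '&' is never re-encoded by a later step.
    static String encodeForHtml(String input) {
        if (input == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // True when the text can no longer open a tag or close an attribute value.
    static boolean isInert(String encoded) {
        return encoded.indexOf('<') < 0 && encoded.indexOf('>') < 0
            && encoded.indexOf('"') < 0 && encoded.indexOf('\'') < 0;
    }

    public static void main(String[] args) {
        // Constructed sample input of the kind the reflect endpoint echoes back.
        String sample = "<b onmouseover=\"alert('x')\">hi</b> & bye";
        String encoded = encodeForHtml(sample);
        System.out.println(encoded);
        if (!isInert(encoded)) {
            throw new AssertionError("encoder left markup characters in place");
        }
        // Encoding is applied exactly once: a second pass would double-encode '&'.
        String twice = encodeForHtml(encoded);
        if (twice.equals(encoded)) {
            throw new AssertionError("expected double-encoding on a second pass");
        }
    }
}
```

Run it with `javac HtmlEncodeDemo.java && java HtmlEncodeDemo`; the `/safe` handler should call the encoder once, on output, not again on the front end.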
4. Writing the XSS-vulnerable front-end code
The front end uses the Vue framework.
4.1. Reflected XSS
Reflected XSS
This page has a reflected XSS vulnerability. Can you construct a payload that makes the page show a pop-up?
submit
Comment list (0 comments)