Preventing XSS in ajax rsargs[]

Time: 2014-03-26 06:53:26

Tags: php ajax xss

I have a PHP ajax website and found a possible XSS in the ajax library. Please find the request and response below. The rsargs[] parameter accepts any script or value, so it is vulnerable. Tried so far: HTML encoding - did not work, because it trimmed my content.

In the example below, the application serves a file from the Windows directory.

Request:

POST /Weblogin.php HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: https://xxx.xx.xx.xx/Code/weblogin.php
Accept: application/json, text/javascript, */*
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0;                     SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: 172.25.152.91
Content-Length: 144
Connection: Keep-Alive
Cache-Control: no-cache
        rs=GetWaitTime&rst=&rsrnd=1395815006191&rsobj=&rsargs[]=37091&rsargs[]=42lqd7b000&rsargs[]=../../../../../../../../../../windows/setupact.log%00

Response:

HTTP/1.0 200 OK
Date: Wed, 26 Mar 2014 06:39:30 GMT
Server: Apache/2.2.12 (Win32) DAV/2 mod_ssl/2.2.12 OpenSSL/0.9.8k mod_autoindex_color PHP/5.3.0
X-Powered-By: PHP/5.3.0
Connection: close
Content-Type: text/html

dispci.dll:  ============BEGIN DisplayClassInstaller============
dispci.dll:  ============BEGIN OnSelectBestCompatDrv============
dispci.dll:  ============END OnSelectBestCompatDrv==============
dispci.dll:  DisplayClassInstaller: Returning 0xe000020e for DIF 0x17 and device PCI\VEN_1002&DEV_515E&SUBSYS_01E61028&REV_02\4&1FC3087&0&28F0
dispci.dll:  ============END DisplayClassInstaller==============
dispci.dll:  ============BEGIN DisplayClassInstaller============
dispci.dll:  ============BEGIN OnDestroyPrivateData============
dispci.dll:  ============END OnDestroyPrivateData==============
<br />
<b>Fatal error</b>:  Call to undefined function get_wait_time() in <b>C:\xampp\htdocs\Code\functions\Parent Functions\GetWaitTime.php</b> on line <b>11</b><br />

1 answer:

Answer 0 (score: 1)

This is not an XSS vulnerability but Path Traversal. You seem to be using one of the parameters to construct a file path and then read that file. You should validate the user input used in constructing the file path, rather than HTML-encoding it. You can consult the OWASP Guide to protect your application.
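The answer says to validate the path input instead of HTML-encoding it; the following is an added example of what that validation looks like in PHP. It is not the asker's code and not part of the answer: the base directory name LOG_BASE_DIR, the function safe_log_path(), and the assumption that the third rsargs[] element carries the file name are all made up for the example, and it is written for PHP 7 or later rather than the PHP 5.3 shown in the response headers. It handles the two things the captured request actually relies on: directory climbing via "../" and the "%00" suffix, which PHP decodes to a NUL byte that older filesystem functions treat as the end of the path.

```php
<?php
// Added example (not the question's code): resolve a user-supplied file name
// safely inside a fixed base directory before reading it.
// Assumptions: LOG_BASE_DIR is the only directory the handler may serve from,
// and the file name arrives as rsargs[2], as in the captured request.

declare(strict_types=1);

const LOG_BASE_DIR = __DIR__ . '/logs'; // assumed location, adjust to the app

/**
 * Return the canonical path of $userFile inside LOG_BASE_DIR, or null when
 * the request must be rejected. Callers treat null as "forbidden".
 */
function safe_log_path(string $userFile): ?string
{
    // 1. Reject NUL bytes outright. "%00" in the request body becomes "\0"
    //    after form decoding, and PHP 5.x file functions truncate at it.
    if (strpos($userFile, "\0") !== false) {
        return null;
    }

    // 2. Allowlist the shape of a log name: a short token of safe characters
    //    plus an optional ".log". Any "/", "\" or ".." fails this test, so the
    //    traversal payload from the question never reaches the filesystem.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}(\.log)?\z/', $userFile)) {
        return null;
    }

    // 3. Canonicalise both sides and confirm containment. realpath() follows
    //    symlinks and returns false for missing files, so a symlink planted in
    //    the log directory cannot point the read outside the base either.
    $base = realpath(LOG_BASE_DIR);
    $full = realpath(LOG_BASE_DIR . DIRECTORY_SEPARATOR . $userFile);
    if ($base === false || $full === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside LOG_BASE_DIR
    }
    return $full;
}

// Minimal handler in the shape of the question's rsargs[] call. The first two
// elements are left to the application; only the file name is checked here.
$args = isset($_POST['rsargs']) && is_array($_POST['rsargs']) ? $_POST['rsargs'] : [];
$path = safe_log_path((string)($args[2] ?? ''));

header('Content-Type: text/plain; charset=utf-8');
if ($path === null) {
    // Generic message on purpose: do not echo the rejected input or the
    // absolute server path, which the fatal error in the response leaked.
    http_response_code(400);
    echo "invalid file name\n";
    exit;
}
readfile($path);
```

The order matters: the allowlist check runs before any filesystem call, so the handler never touches the disk with attacker-shaped input, and the realpath() containment check is a second line of defence against symlinks or a future loosening of the pattern. Logging rejected requests (without echoing them back) gives the operations side a cheap detection signal for traversal attempts against this endpoint.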