我试图在某些网站上测试安全级别的XSS漏洞,但我无法弄清楚为什么在下一页中注入的脚本无法执行。基本上,我在输入表单中插入一些值,服务器回复此响应
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" conent="IE-edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>NECSTFeedback</title>
<link href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-1q8mTJOASx8j1Au+a5WDVnPi2lkFfwwEAa8hDDdjZlpLegxhjVME1fgjWPGmkzs7" crossorigin="anonymous">
<link href="/static/css.css" rel="stylesheet">
</head>
<body>
<div class="container">
<div class="header clearfix">
<h3 class="text-muted">The NECSTFeedback</h3>
</div>
<h1>Report</h1>
<p><b>Subject: </b>sk</p>
<p><b>Sender: </b>as</p>
<div class="rpt-content">
<p><b>Message: </b></p>
<!-- This is my script -->
<script> alert('Hi')</script>
</div>
<p><b>Attachment: </b><a href="/attachment/58224c5bd967459c925a88eb21799384"></a></p>
</div>
</body>
</html>
我怀疑它是因为CSP标题,但我不太确定。顺便说一句,这是一个标题列表。
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 25 May 2016 19:18:31 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Content-Security-Policy: default-src 'self'; style-src 'self' https://maxcdn.bootstrapcdn.com/bootstrap/; font-src 'self' https://maxcdn.bootstrapcdn.com/bootstrap/
答案 0 :(得分:2)
确实是的。我怀疑它是因为CSP标题,但我不太确定。
Content-Security-Policy: default-src 'self'; style-src 'self' https://maxcdn.bootstrapcdn.com/bootstrap/; font-src 'self' https://maxcdn.bootstrapcdn.com/bootstrap/
内容安全政策规范says here:
如果&#39;不安全 - 内联&#39;不在allowed script sources [...]列表中:
只要用户代理从<script>
element [...]执行内联脚本,用户代理就不能执行脚本[...]。
标题中的self
确实禁止内联脚本。