2012-12-17 71 views
1

Prevent cross-site scripting attacks?

We recently built a website with hikashop (http://www.doverjewelry.com/). The domain has GoDaddy website protection, which scans the site and warns about vulnerabilities. The scan is currently reporting that the site is vulnerable to cross-site scripting. This is the scan output:

Using the GET HTTP method, Site Scanner found that : 
+ The following resources may be vulnerable to XSS (on parameters names) : 
/bands-and-settings/category/371-all-ring-settings/limit_hikashop_catego 
ry_information_module_223_371-0/limitstart_hikashop_category_information 
_module_223_371-0/filter_order_hikashop_category_information_module_223_ 
371-a.ordering/filter_order_Dir_hikashop_category_information_module_223 
_371-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-atom?<<<<<<<<<<foo"bar' 
314>>>>>=1 
-------- request -------- 
GET /bands-and-settings/category/371-all-ring-settings/limit_hikashop_category_information_module_223_371-0/limitstart_hikashop_category_information_module_223_371-0/filter_order_hikashop_category_information_module_223_371-a.ordering/filter_order_Dir_hikashop_category_information_module_223_371-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-atom?<<<<<<<<<<foo"bar'314>>>>>=1 HTTP/1.1\r 
Host: www.doverjewelry.com\r 
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1\r 
Accept-Language: en\r 
Connection: Close\r 
Cookie: 7eedc822c6dd39ecf3c8ab00003d56f9=764a229107bda6b48c2863965f50ca03\r 
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; MSIE 6.0; Site Scanner Bot; +http://www.websiteprotection.com) Firefox/2.0.0.3\r 
Pragma: no-cache\r 
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */* 
------------------------ 
-------- output -------- 

[...] bd44a6ec-1/type-atom?<<<<<<<<<<foo"bar'314>>>>>=1" method="post" name="ad [...] 
<div class="hikashop_products_pagination hikashop_products_paginat [...] 
------------------------ 
/engagement-rings/category/366-antique-engagement-rings/limit_hikashop_c 
ategory_information_module_222_366-25/limitstart_hikashop_category_infor 
mation_module_222_366-0/filter_order_hikashop_category_information_modul 
e_222_366-a.ordering/filter_order_Dir_hikashop_category_information_modu 
le_222_366-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-atom?<<<<<<<<<<fo 
o"bar'314>>>>>=1 
-------- request -------- 
GET /engagement-rings/category/366-antique-engagement-rings/limit_hikashop_category_information_module_222_366-25/limitstart_hikashop_category_information_module_222_366-0/filter_order_hikashop_category_information_module_222_366-a.ordering/filter_order_Dir_hikashop_category_information_module_222_366-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-atom?<<<<<<<<<<foo"bar'314>>>>>=1 HTTP/1.1\r 
Host: www.doverjewelry.com\r 
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1\r 
Accept-Language: en\r 
Connection: Close\r 
Cookie: 7eedc822c6dd39ecf3c8ab00003d56f9=764a229107bda6b48c2863965f50ca03\r 
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; MSIE 6.0; Site Scanner Bot; +http://www.websiteprotection.com) Firefox/2.0.0.3\r 
Pragma: no-cache\r 
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */* 
------------------------ 
-------- output -------- 

[...] bd44a6ec-1/type-atom?<<<<<<<<<<foo"bar'314>>>>>=1" method="post" name="ad [...] 
<div class="hikashop_products_pagination hikashop_products_paginat [...] 
------------------------ 
/engagement-rings/category/366-antique-engagement-rings/limit_hikashop_c 
ategory_information_module_222_366-25/limitstart_hikashop_category_infor 
mation_module_222_366-0/filter_order_hikashop_category_information_modul 
e_222_366-a.ordering/filter_order_Dir_hikashop_category_information_modu 
le_222_366-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-rss?<<<<<<<<<<foo 
"bar'314>>>>>=1 
-------- request -------- 
GET /engagement-rings/category/366-antique-engagement-rings/limit_hikashop_category_information_module_222_366-25/limitstart_hikashop_category_information_module_222_366-0/filter_order_hikashop_category_information_module_222_366-a.ordering/filter_order_Dir_hikashop_category_information_module_222_366-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-rss?<<<<<<<<<<foo"bar'314>>>>>=1 HTTP/1.1\r 
Host: www.doverjewelry.com\r 
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1\r 
Accept-Language: en\r 
Connection: Close\r 
Cookie: 7eedc822c6dd39ecf3c8ab00003d56f9=764a229107bda6b48c2863965f50ca03\r 
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; MSIE 6.0; Site Scanner Bot; +http://www.websiteprotection.com) Firefox/2.0.0.3\r 
Pragma: no-cache\r 
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */* 
------------------------ 
-------- output -------- 

[...] abd44a6ec-1/type-rss?<<<<<<<<<<foo"bar'314>>>>>=1" method="post" name="ad [...] 
<div class="hikashop_products_pagination hikashop_products_paginat [...] 
------------------------ 
/engagement-rings/category/50-estate-engagement-rings/limit_hikashop_cat 
egory_information_module_222_50-0/limitstart_hikashop_category_informati 
on_module_222_50-0/filter_order_hikashop_category_information_module_222 
_50-a.ordering/filter_order_Dir_hikashop_category_information_module_222 
_50-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-atom?<<<<<<<<<<foo"bar'3 
14>>>>>=1 

We think it refers to the pagination form at the bottom of the product pages. Here is the form code from one of the product pages:

<form action="http://www.doverjewelry.com/engagement-rings/category/50-estate-engagement-rings?filter_order_hikashop_category_information_module_222_50=%3C%3C%3C%3C%3C%3C%3C%3C%3C%3Cfoo%22bar'204%3E%3E%3E%3E%3E" method="post" name="adminForm_hikashop_category_information_module_222_50_bottom"> 

     <div class="hikashop_products_pagination hikashop_products_pagination_bottom"> 

     <div class="list-footer"> 

<div class="limit">Display #<select id="limit_hikashop_category_information_module_222_50" name="limit_hikashop_category_information_module_222_50" class="inputbox" size="1" onchange="this.form.submit()"> 
    <option value="20" selected="selected">20</option> 
    <option value="5">5</option> 
    <option value="10">10</option> 
    <option value="15">15</option> 
    <option value="20" selected="selected">20</option> 
    <option value="25">25</option> 
    <option value="30">30</option> 
    <option value="50">50</option> 
    <option value="100">100</option> 
    <option value="0">all</option> 
</select> 
</div><span class="pagenav_start_chevron">&lt;&lt; </span><span class="pagenav pagenav_text">Start</span><span class="pagenav_previous_chevron"> &lt; </span><span class="pagenav pagenav_text">Prev</span> <span class="pagenav">1</span> <a class="pagenav" title="2" onclick="javascript: document.adminForm_hikashop_category_information_module_222_50_bottom.limitstart_hikashop_category_information_module_222_50.value=20; document.adminForm_hikashop_category_information_module_222_50_bottom.submit();return false;">2</a> <a class="pagenav" title="3" onclick="javascript: document.adminForm_hikashop_category_information_module_222_50_bottom.limitstart_hikashop_category_information_module_222_50.value=40; document.adminForm_hikashop_category_information_module_222_50_bottom.submit();return false;">3</a> <a class="pagenav" title="Next" onclick="javascript: document.adminForm_hikashop_category_information_module_222_50_bottom.limitstart_hikashop_category_information_module_222_50.value=20; document.adminForm_hikashop_category_information_module_222_50_bottom.submit();return false;">Next</a><span class="pagenav_next_chevron"> &gt;</span> <a class="pagenav" title="End" onclick="javascript: document.adminForm_hikashop_category_information_module_222_50_bottom.limitstart_hikashop_category_information_module_222_50.value=40; document.adminForm_hikashop_category_information_module_222_50_bottom.submit();return false;">End</a><span class="pagenav_end_chevron"> &gt;&gt;</span> 
<div class="counter">Page 1 of 3</div> 
<input type="hidden" name="limitstart_hikashop_category_information_module_222_50" value="0"> 
</div> 
     <span class="hikashop_results_counter"> 
Results 1 - 20 of 48</span> 

     </div> 

     <input type="hidden" name="filter_order_hikashop_category_information_module_222_50" value="a.ordering"> 

     <input type="hidden" name="filter_order_Dir_hikashop_category_information_module_222_50" value="ASC"> 

     <input type="hidden" name="18aa959f74c6262cdb2863f0ffaff82e" value="1"> 
    </form> 

We have talked to the hikashop people about this, and they said we need to update to their latest version (our version is just one below the latest), but we have made some major modifications to the code to include some client requests, so we don't want to lose those changes (maybe in the future we will update to the latest version, but for now we just want to know whether there is a quick fix for this).

Is the form really vulnerable to cross-site scripting? What can we do to protect it, or to make the GoDaddy site scanner stop showing this warning message?

+0

In the future you should avoid modifying library code and instead override the functions where possible. – Woot4Moo

Answer

0

From the scanner's output, it thinks that when it makes a request with the extra parameter:

<<<<<<<<<<foo"bar'314>>>>>=1 

this param gets printed in the content, as we can see in the output:

type-atom?<<<<<<<<<<foo"bar'314>>>>>=1 

, which could mean that your page is prone to XSS, but many of these scanners forget about encoding... I had the same issue scanning Liferay with w3af. However, your HTML code prints:

%3C%3C%3C%3C%3C%3C%3C%3C%3C%3Cfoo%22bar'204%3E%3E%3E%3E%3E 

so it seems that, although the param is appended, it gets escaped... so it is not strictly prone to XSS. If you want more information, visit the XSS Cheat Sheet, and you could use some other vuln scanners/proxies to confirm this issue: ZAP, WebScarab, w3af.
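The check the answer describes, as an added example that is not part of the question, the answer or hikashop's own code: it mirrors the two templates in play (one pasting the query string raw into the form's action attribute, as the scanner's decoded snippet suggests; one percent-encoding and HTML-escaping it, as the served page does) and tests each for the scanner's probe the way a browser would delimit the attribute. The probe, the site URL and the served action value are copied from the page; the tag layout and the function names are assumptions.

```python
import html
import re
from urllib.parse import quote, unquote

# Probe the scanner appended as a parameter name, copied from the scan output above.
PROBE = '<<<<<<<<<<foo"bar\'314>>>>>=1'
BASE = "http://www.doverjewelry.com/engagement-rings/category/50-estate-engagement-rings"

# Constructed sample: the action attribute as the page source above actually serves it
# (that request carried probe number 204 rather than 314).
SERVED_TAG = ('<form action="' + BASE + '?filter_order_hikashop_category_information_module_222_50='
              '%3C%3C%3C%3C%3C%3C%3C%3C%3C%3Cfoo%22bar\'204%3E%3E%3E%3E%3E" method="post">')

def render_action_unsafe(base, query):
    """Template that pastes the request's query string into the action attribute verbatim;
    this is what the scanner's decoded 'output' snippet looks like."""
    return f'<form action="{base}?{query}" method="post">'

def render_action_safe(base, query):
    """Percent-encode the reflected query, then HTML-escape the whole attribute value so
    neither URL nor HTML metacharacters survive into the markup."""
    url = f"{base}?{quote(query, safe='/=')}"
    return f'<form action="{html.escape(url, quote=True)}" method="post">'

def action_attribute(tag):
    """The action value as a browser delimits it: everything up to the first raw double quote."""
    m = re.search(r'action="([^"]*)"', tag)
    return m.group(1) if m else None

def text_after_attribute(tag):
    """What lands in tag context once the attribute closes early (empty when nothing leaks)."""
    m = re.search(r'action="[^"]*"(.*?) method=', tag)
    return m.group(1) if m else ""

def reflection_is_escaped(tag, probe):
    """True when the probe reaches the attribute only in encoded form: no '<', '>' or '"'
    appear raw, yet decoding the attribute recovers the probe, so the reflection is real."""
    value = action_attribute(tag)
    if value is None or any(c in value for c in '<>"'):
        return False
    return probe in unquote(html.unescape(value))

if __name__ == "__main__":
    unsafe, safe = render_action_unsafe(BASE, PROBE), render_action_safe(BASE, PROBE)
    print("leaks into tag context:", repr(text_after_attribute(unsafe)))
    print("unsafe escaped:", reflection_is_escaped(unsafe, PROBE))
    print("safe escaped:", reflection_is_escaped(safe, PROBE))
    print("page's form escaped:", reflection_is_escaped(SERVED_TAG, '<<<<<<<<<<foo"bar\'204>>>>>'))
```

The lone `'` that the served page leaves raw is harmless inside a double-quoted attribute, which is why the check only treats `<`, `>` and `"` as breakout characters; in a single-quoted attribute it would have to be treated the same way.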