June 2021
Beginner to intermediate
355 pages
5h 5m
Chinese
Content preview from Web应用程序安全
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
174
|
第
12
章
12.1
直接型
XXE
在直接型
XXE
中,一个
XML
对象被发送到服务器,并带有外部实体标志。
然后服务器对其进行解析,并返回一个包含外部实体的结果(见图
12-1
)。
设想一下,
mega-bank.com
有一个屏幕截图工具,可以将银行门户网站中的内
容直接发送截图给客户支持。
用户1发送XML载荷至服务器端点
XML解析器解析载荷
外部实体标志被处理,解析结果
体现来自服务器的文件内容
服务器本地文件和请求
结果被发回用户1
图
12
-
1
:直接型 XXE
在客户端上,该功能的实现代码看起来像这样:
<!--
一个简单的按钮。点击时调用函数
"screenshot()"
。
-->
<button class="button"
id="screenshot-button" onclick="screenshot()">
Send Screenshot to Support</button>
/*
*
从
`content`
元素中收集
HTML DOM
并调用
XML
*
解析器将
DOM
文本转换为
XML
。
*
*
通过
HTTP
发送
XML
到一个函数中,该函数将从所提供的
XML
中
*
生成屏幕截图。
*
*
将截图发给客户支持人员作进一步分析。
*/
XXE
攻击
|
175
const screenshot = function() { try {
/*
*
尝试将
`content`
元素转换为
XML
。
*
如果这个过程失败了,就捕获(异常)—通常情况下应该会成功。 ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access
More than 5,000 organizations count on O’Reilly
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.Julian F.
I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.Addison B.
I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.Amir M.
I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.