HTML5 localStorageXSS漏洞
<p style="font-weight: bold; color: rgba(255, 255, 255, 1); font-family: 微软雅黑, 宋体, 黑体, Arial; min-height: 25px; line-height: 25px; opacity: 0.8; background: rgba(0, 221, 221, 1); border-radius: 6px; padding: 8px; border: 1px dashed rgba(0, 221, 221, 1); margin: 18px 5px !important">localStorage基础</p><h1>Window <span class="color_h1">localStorage 属性</span></h1>
<p>HTML5 提供了两种新的本地存储方案,sessionStorage和localStorage,统称WebStorage。 <br>顾名思义: <br>sessionStorage 是针对session的数据存储,关闭窗口后删除。 <br>localStorage 是一个本地的没有时间限制的数据存储。</p>
<p>它们同样遵循SOP</p>
<p>语法:</p>
<div class="cnblogs_code">
<pre>window.localStorage</pre>
</div>
<p> </p>
<p>保存数据语法:</p>
<h1>localStorage的局限</h1>
<p>1、浏览器的大小不统一,并且在IE8以上的IE版本才支持localStorage这个属性</p>
<p>2、目前所有的浏览器中都会把localStorage的值类型限定为string类型,这个在对我们日常比较常见的JSON对象类型需要一些转换</p>
<p>3、localStorage在浏览器的隐私模式下面是不可读取的</p>
<p>4、localStorage本质上是对字符串的读取,如果存储内容多的话会消耗内存空间,会导致页面变卡</p>
<p>5、localStorage不能被爬虫抓取到</p>
<p>localStorage与sessionStorage的唯一一点区别就是localStorage属于永久性存储,而sessionStorage属于当会话结束的时候,sessionStorage中的键值对会被清空</p>
<p>6、localStorage的使用也是遵循同源策略的,所以不同的网站直接是不能共用相同的localStorage</p>
<p><span style="font-size: 18pt"><strong>localStorage方法</strong></span><br>setItem 存储数据【增】<br>getItem 读取数据【查单个】<br>removeItem 删除某个数据【删单个】<br>clear 删除全部数据【删全部】<br>length localStorage存储变量的个数【计算数据总数】<br>key 读取第i个数据的名字或称为键值(从0开始计数)<br>valueOf 获取所有存储的数据【查全部】<br>hasOwnProperty 检查localStorage上是否保存了变量x,需要传入x【判断】<br>propertyIsEnumerable 用来检测属性是否属于某个对象的【判断】<br>toLocaleString 将(数组)转为本地字符串</p>
<p><strong>localStorage.setltem()存储数据</strong></p>
<p><img src="https://img2018.cnblogs.com/i-beta/967964/202002/967964-20200213193833792-1357790437.png" alt="" width="467" height="167"></p>
<p><strong>localStorage.getItem()读取数据</strong></p>
<p><img src="https://img2018.cnblogs.com/i-beta/967964/202002/967964-20200213194052650-469520808.png" alt="" width="410" height="207"></p>
<p> </p>
<p><strong>localStorage.removeItem()删除数据</strong></p>
<p><strong>localStorage.clear()</strong></p>
<p> </p>
<p> <img src="https://img2018.cnblogs.com/i-beta/967964/202002/967964-20200213194903706-1641515931.png" alt="" width="459" height="202"></p>
<p> </p>
<p> </p>
<p> </p>
<p style="font-weight: bold; color: rgba(255, 255, 255, 1); font-family: 微软雅黑, 宋体, 黑体, Arial; min-height: 25px; line-height: 25px; opacity: 0.8; background: rgba(0, 221, 221, 1); border-radius: 6px; padding: 8px; border: 1px dashed rgba(0, 221, 221, 1); margin: 18px 5px !important">localStorage安全分析</p>
<p>现在越来越多的前端人员把性能优化的目标指向了本地存储,利用localStorage来进行本地资源缓存,因为其大小上限为5MB,可以装相当多的东西,甚至在FireFox中你还可以修改这个上限。</p>
<p>虽然说这个localStorage非常好用但也存在安全隐患,如果我们将恶意代码植入里面那么这段恶意代码也会一直存在知道用户清空我们的localStorage为止</p>
<p> </p>
<p>我们可以看一段代码:将原来localStorage存储的name数据赋值给id为test的页面元素 我们可以设想万一里面是恶意代码呢</p>
<p> </p>
<div class="cnblogs_code"><img id="code_img_closed_d792d225-17c8-4702-bb11-c8649d846eca" class="code_img_closed" src="https://images.cnblogs.com/OutliningIndicators/ContractedBlock.gif" alt=""><img id="code_img_opened_d792d225-17c8-4702-bb11-c8649d846eca" class="code_img_opened" style="display: none" src="https://images.cnblogs.com/OutliningIndicators/ExpandedBlockStart.gif" alt="">
<div id="cnblogs_code_open_d792d225-17c8-4702-bb11-c8649d846eca" class="cnblogs_code_hide">
<pre><span style="color: rgba(0, 0, 255, 1)"><!</span><span style="color: rgba(255, 0, 255, 1)">DOCTYPE html</span><span style="color: rgba(0, 0, 255, 1)">></span>
<span style="color: rgba(0, 0, 255, 1)"><</span><span style="color: rgba(128, 0, 0, 1)">html</span><span style="color: rgba(0, 0, 255, 1)">></span>
<span style="color: rgba(0, 0, 255, 1)"><</span><span style="color: rgba(128, 0, 0, 1)">head</span><span style="color: rgba(0, 0, 255, 1)">></span>
<span style="color: rgba(0, 0, 255, 1)"><</span><span style="color: rgba(128, 0, 0, 1)">title</span><span style="color: rgba(0, 0, 255, 1)">></span>localStorage XSS<span style="color: rgba(0, 0, 255, 1)"></</span><span style="color: rgba(128, 0, 0, 1)">title</span><span style="color: rgba(0, 0, 255, 1)">></span>
<span style="color: rgba(0, 0, 255, 1)"></</span><span style="color: rgba(128, 0, 0, 1)">head</span><span style="color: rgba(0, 0, 255, 1)">></span>
<span style="color: rgba(0, 0, 255, 1)"><</span><span style="color: rgba(128, 0, 0, 1)">body</span><span style="color: rgba(0, 0, 255, 1)">></span>
<span style="color: rgba(0, 0, 255, 1)"><</span><span style="color: rgba(128, 0, 0, 1)">div </span><span style="color: rgba(255, 0, 0, 1)">id</span><span style="color: rgba(0, 0, 255, 1)">="test"</span><span style="color: rgba(0, 0, 255, 1)">></</span><span style="color: rgba(128, 0, 0, 1)">div</span><span style="color: rgba(0, 0, 255, 1)">></span>
<span style="color: rgba(0, 0, 255, 1)"><</span><span style="color: rgba(128, 0, 0, 1)">script </span><span style="color: rgba(255, 0, 0, 1)">type</span><span style="color: rgba(0, 0, 255, 1)">="text/javascript"</span><span style="color: rgba(0, 0, 255, 1)">></span><span style="background-color: rgba(245, 245, 245, 1); color: rgba(0, 0, 0, 1)">
localStorage.setItem(</span><span style="background-color: rgba(245, 245, 245, 1); color: rgba(0, 0, 0, 1)">'</span><span style="background-color: rgba(245, 245, 245, 1); color: rgba(0, 0, 0, 1)">name</span><span style="background-color: rgba(245, 245, 245, 1); color: rgba(0, 0, 0, 1)">'</span><span style="background-color: rgba(245, 245, 245, 1); color: rgba(0, 0, 0, 1)">,</span><span style="background-color: rgba(245, 245, 245, 1); color: rgba(0, 0, 0, 1)">'</span><span style="background-color: rgba(245, 245, 245, 1); color: rgba(0, 0, 0, 1)">xiaohua</span><span style="background-color: rgba(245, 245, 245, 1); color: rgba(0, 0, 0, 1)">'</span><span style="background-color: rgba(245, 245, 245, 1); color: rgba(0, 0, 0, 1)">);
document.getElementById(</span><span style="background-color: rgba(245, 245, 245, 1); color: rgba(0, 0, 0, 1)">"</span><span style="background-color: rgba(245, 245, 245, 1); color: rgba(0, 0, 0, 1)">test</span><span style="background-color: rgba(245, 245, 245, 1); color: rgba(0, 0, 0, 1)">"</span><span style="background-color: rgba(245, 245, 245, 1); color: rgba(0, 0, 0, 1)">).innerHTML </span><span style="background-color: rgba(245, 245, 245, 1); color: rgba(0, 0, 0, 1)">=</span><span style="background-color: rgba(245, 245, 245, 1); color: rgba(0, 0, 0, 1)"> localStorage.name;
</span><span style="color: rgba(0, 0, 255, 1)"></</span><span style="color: rgba(128, 0, 0, 1)">script</span><span style="color: rgba(0, 0, 255, 1)">></span>
<span style="color: rgba(0, 0, 255, 1)"></</span><span style="color: rgba(128, 0, 0, 1)">body</span><span style="color: rgba(0, 0, 255, 1)">></span>
<span style="color: rgba(0, 0, 255, 1)"></</span><span style="color: rgba(128, 0, 0, 1)">html</span><span style="color: rgba(0, 0, 255, 1)">></span></pre>
</div>
<span class="cnblogs_code_collapse">View Code</span></div>
<p> </p>
<p><img src="https://img2018.cnblogs.com/i-beta/967964/202002/967964-20200213204137894-885880844.png" alt="" width="550" height="301"></p>
<p>我们修改原有的localStorage里面name的值为恶意的XSS弹窗代码 此时XSS弹窗发生</p>
<div class="cnblogs_code"><img id="code_img_closed_8ffffc87-5ae5-45c1-9bcf-80998fa241db" class="code_img_closed" src="https://images.cnblogs.com/OutliningIndicators/ContractedBlock.gif" alt=""><img id="code_img_opened_8ffffc87-5ae5-45c1-9bcf-80998fa241db" class="code_img_opened" style="display: none" src="https://images.cnblogs.com/OutliningIndicators/ExpandedBlockStart.gif" alt="">
<div id="cnblogs_code_open_8ffffc87-5ae5-45c1-9bcf-80998fa241db" class="cnblogs_code_hide">
<pre><span style="color: rgba(0, 0, 255, 1)"><!</span><span style="color: rgba(255, 0, 255, 1)">DOCTYPE html</span><span style="color: rgba(0, 0, 255, 1)">></span>
<span style="color: rgba(0, 0, 255, 1)"><</span><span style="color: rgba(128, 0, 0, 1)">html</span><span style="color: rgba(0, 0, 255, 1)">></span>
<span style="color: rgba(0, 0, 255, 1)"><</span><span style="color: rgba(128, 0, 0, 1)">head</span><span style="color: rgba(0, 0, 255, 1)">></span>
<span style="color: rgba(0, 0, 255, 1)"><</span><span style="color: rgba(128, 0, 0, 1)">title</span><span style="color: rgba(0, 0, 255, 1)">></span>localStorage XSS<span style="color: rgba(0, 0, 255, 1)"></</span><span style="color: rgba(128, 0, 0, 1)">title</span><span style="color: rgba(0, 0, 255, 1)">></span>
<span style="color: rgba(0, 0, 255, 1)"></</span><span style="color: rgba(128, 0, 0, 1)">head</span><span style="color: rgba(0, 0, 255, 1)">></span>
<span style="color: rgba(0, 0, 255, 1)"><</span><span style="color: rgba(128, 0, 0, 1)">body</span><span style="color: rgba(0, 0, 255, 1)">></span>
<span style="color: rgba(0, 0, 255, 1)"><</span><span style="color: rgba(128, 0, 0, 1)">div </span><span style="color: rgba(255, 0, 0, 1)">id</span><span style="color: rgba(0, 0, 255, 1)">="test"</span><span style="color: rgba(0, 0, 255, 1)">></</span><span style="color: rgba(128, 0, 0, 1)">div</span><span style="color: rgba(0, 0, 255, 1)">></span>
<span style="color: rgba(0, 0, 255, 1)"><</span><span style="color: rgba(128, 0, 0, 1)">script </span><span style="color: rgba(255, 0, 0, 1)">type</span><span style="color: rgba(0, 0, 255, 1)">="text/javascript"</span><span style="color: rgba(0, 0, 255, 1)">></span><span style="background-color: rgba(245, 245, 245, 1); color: rgba(0, 0, 0, 1)">
localStorage.setItem(</span><span style="background-color: rgba(245, 245, 245, 1); color: rgba(0, 0, 0, 1)">'</span><span style="background-color: rgba(245, 245, 245, 1); color: rgba(0, 0, 0, 1)">name</span><span style="background-color: rgba(245, 245, 245, 1); color: rgba(0, 0, 0, 1)">'</span><span style="background-color: rgba(245, 245, 245, 1); color: rgba(0, 0, 0, 1)">,</span><span style="background-color: rgba(245, 245, 245, 1); color: rgba(0, 0, 0, 1)">'</span><span style="background-color: rgba(245, 245, 245, 1); color: rgba(0, 0, 0, 1)"><img src=@ onerror=alert(1)></span><span style="background-color: rgba(245, 245, 245, 1); color: rgba(0, 0, 0, 1)">'</span><span style="background-color: rgba(245, 245, 245, 1); color: rgba(0, 0, 0, 1)">);
document.getElementById(</span><span style="background-color: rgba(245, 245, 245, 1); color: rgba(0, 0, 0, 1)">"</span><span style="background-color: rgba(245, 245, 245, 1); color: rgba(0, 0, 0, 1)">test</span><span style="background-color: rgba(245, 245, 245, 1); color: rgba(0, 0, 0, 1)">"</span><span style="background-color: rgba(245, 245, 245, 1); color: rgba(0, 0, 0, 1)">).innerHTML </span><span style="background-color: rgba(245, 245, 245, 1); color: rgba(0, 0, 0, 1)">=</span><span style="background-color: rgba(245, 245, 245, 1); color: rgba(0, 0, 0, 1)"> localStorage.name;
</span><span style="color: rgba(0, 0, 255, 1)"></</span><span style="color: rgba(128, 0, 0, 1)">script</span><span style="color: rgba(0, 0, 255, 1)">></span>
<span style="color: rgba(0, 0, 255, 1)"></</span><span style="color: rgba(128, 0, 0, 1)">body</span><span style="color: rgba(0, 0, 255, 1)">></span>
<span style="color: rgba(0, 0, 255, 1)"></</span><span style="color: rgba(128, 0, 0, 1)">html</span><span style="color: rgba(0, 0, 255, 1)">></span></pre>
</div>
<span class="cnblogs_code_collapse">View Code</span></div>
<p> </p>
<p><img src="https://img2018.cnblogs.com/i-beta/967964/202002/967964-20200213204457548-96720709.png" alt="" width="570" height="335"></p>
<p> </p>
<p><strong><span style="font-size: 18pt">实例场景:</span></strong></p>
<p><strong><span style="font-size: 18pt"><img src="https://img2018.cnblogs.com/i-beta/967964/202002/967964-20200213203802568-122138091.png" alt="" width="553" height="284"></span></strong></p>
<p> </p>
<p> </p>
<p> </p>
<p> </p>
<p><strong><span style="font-size: 18pt"><img src="https://img2018.cnblogs.com/i-beta/967964/202002/967964-20200213203747680-2005618268.png" alt=""></span></strong></p>
<p> </p>
<p> </p>
<p> </p>
<p> </p>
<p> 参考学习:https://blog.csdn.net/yanghuan313/article/details/55260232</p><br><br>
来源:https://www.cnblogs.com/xhds/p/12305103.html
頁:
[1]