
We recently built a website with HikaShop (http://www.doverjewelry.com/). The domain has GoDaddy Website Protection, which scans the site and warns about vulnerabilities. The scan currently reports that the site is vulnerable to cross-site scripting. This is the scan output:

Using the GET HTTP method, Site Scanner found that :
+ The following resources may be vulnerable to XSS (on parameters names) :
/bands-and-settings/category/371-all-ring-settings/limit_hikashop_catego
ry_information_module_223_371-0/limitstart_hikashop_category_information
_module_223_371-0/filter_order_hikashop_category_information_module_223_
371-a.ordering/filter_order_Dir_hikashop_category_information_module_223
_371-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-atom?<<<<<<<<<<foo"bar'
314>>>>>=1
-------- request --------
GET /bands-and-settings/category/371-all-ring-settings/limit_hikashop_category_information_module_223_371-0/limitstart_hikashop_category_information_module_223_371-0/filter_order_hikashop_category_information_module_223_371-a.ordering/filter_order_Dir_hikashop_category_information_module_223_371-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-atom?<<<<<<<<<<foo"bar'314>>>>>=1 HTTP/1.1\r
Host: www.doverjewelry.com\r
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1\r
Accept-Language: en\r
Connection: Close\r
Cookie: 7eedc822c6dd39ecf3c8ab00003d56f9=764a229107bda6b48c2863965f50ca03\r
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; MSIE 6.0; Site Scanner Bot; +http://www.websiteprotection.com) Firefox/2.0.0.3\r
Pragma: no-cache\r
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
------------------------
-------- output --------

[...] bd44a6ec-1/type-atom?<<<<<<<<<<foo"bar'314>>>>>=1" method="post" name="ad [...]
<div class="hikashop_products_pagination hikashop_products_paginat [...]
------------------------
/engagement-rings/category/366-antique-engagement-rings/limit_hikashop_c
ategory_information_module_222_366-25/limitstart_hikashop_category_infor
mation_module_222_366-0/filter_order_hikashop_category_information_modul
e_222_366-a.ordering/filter_order_Dir_hikashop_category_information_modu
le_222_366-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-atom?<<<<<<<<<<fo
o"bar'314>>>>>=1
-------- request --------
GET /engagement-rings/category/366-antique-engagement-rings/limit_hikashop_category_information_module_222_366-25/limitstart_hikashop_category_information_module_222_366-0/filter_order_hikashop_category_information_module_222_366-a.ordering/filter_order_Dir_hikashop_category_information_module_222_366-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-atom?<<<<<<<<<<foo"bar'314>>>>>=1 HTTP/1.1\r
Host: www.doverjewelry.com\r
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1\r
Accept-Language: en\r
Connection: Close\r
Cookie: 7eedc822c6dd39ecf3c8ab00003d56f9=764a229107bda6b48c2863965f50ca03\r
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; MSIE 6.0; Site Scanner Bot; +http://www.websiteprotection.com) Firefox/2.0.0.3\r
Pragma: no-cache\r
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
------------------------
-------- output --------

[...] bd44a6ec-1/type-atom?<<<<<<<<<<foo"bar'314>>>>>=1" method="post" name="ad [...]
<div class="hikashop_products_pagination hikashop_products_paginat [...]
------------------------
/engagement-rings/category/366-antique-engagement-rings/limit_hikashop_c
ategory_information_module_222_366-25/limitstart_hikashop_category_infor
mation_module_222_366-0/filter_order_hikashop_category_information_modul
e_222_366-a.ordering/filter_order_Dir_hikashop_category_information_modu
le_222_366-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-rss?<<<<<<<<<<foo
"bar'314>>>>>=1
-------- request --------
GET /engagement-rings/category/366-antique-engagement-rings/limit_hikashop_category_information_module_222_366-25/limitstart_hikashop_category_information_module_222_366-0/filter_order_hikashop_category_information_module_222_366-a.ordering/filter_order_Dir_hikashop_category_information_module_222_366-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-rss?<<<<<<<<<<foo"bar'314>>>>>=1 HTTP/1.1\r
Host: www.doverjewelry.com\r
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1\r
Accept-Language: en\r
Connection: Close\r
Cookie: 7eedc822c6dd39ecf3c8ab00003d56f9=764a229107bda6b48c2863965f50ca03\r
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; MSIE 6.0; Site Scanner Bot; +http://www.websiteprotection.com) Firefox/2.0.0.3\r
Pragma: no-cache\r
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
------------------------
-------- output --------

[...] abd44a6ec-1/type-rss?<<<<<<<<<<foo"bar'314>>>>>=1" method="post" name="ad [...]
<div class="hikashop_products_pagination hikashop_products_paginat [...]
------------------------
/engagement-rings/category/50-estate-engagement-rings/limit_hikashop_cat
egory_information_module_222_50-0/limitstart_hikashop_category_informati
on_module_222_50-0/filter_order_hikashop_category_information_module_222
_50-a.ordering/filter_order_Dir_hikashop_category_information_module_222
_50-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-atom?<<<<<<<<<<foo"bar'3
14>>>>>=1

We think it refers to the pagination form at the bottom of the product pages. This is the form code from one of the product pages:

<form action="http://www.doverjewelry.com/engagement-rings/category/50-estate-engagement-rings?filter_order_hikashop_category_information_module_222_50=%3C%3C%3C%3C%3C%3C%3C%3C%3C%3Cfoo%22bar'204%3E%3E%3E%3E%3E" method="post" name="adminForm_hikashop_category_information_module_222_50_bottom">

        <div class="hikashop_products_pagination hikashop_products_pagination_bottom">

        <div class="list-footer">

<div class="limit">Display #<select id="limit_hikashop_category_information_module_222_50" name="limit_hikashop_category_information_module_222_50" class="inputbox" size="1" onchange="this.form.submit()">
    <option value="20" selected="selected">20</option>
    <option value="5">5</option>
    <option value="10">10</option>
    <option value="15">15</option>
    <option value="20" selected="selected">20</option>
    <option value="25">25</option>
    <option value="30">30</option>
    <option value="50">50</option>
    <option value="100">100</option>
    <option value="0">all</option>
</select>
</div><span class="pagenav_start_chevron">&lt;&lt; </span><span class="pagenav pagenav_text">Start</span><span class="pagenav_previous_chevron"> &lt; </span><span class="pagenav pagenav_text">Prev</span> <span class="pagenav">1</span> <a class="pagenav" title="2" onclick="javascript: document.adminForm_hikashop_category_information_module_222_50_bottom.limitstart_hikashop_category_information_module_222_50.value=20; document.adminForm_hikashop_category_information_module_222_50_bottom.submit();return false;">2</a> <a class="pagenav" title="3" onclick="javascript: document.adminForm_hikashop_category_information_module_222_50_bottom.limitstart_hikashop_category_information_module_222_50.value=40; document.adminForm_hikashop_category_information_module_222_50_bottom.submit();return false;">3</a> <a class="pagenav" title="Next" onclick="javascript: document.adminForm_hikashop_category_information_module_222_50_bottom.limitstart_hikashop_category_information_module_222_50.value=20; document.adminForm_hikashop_category_information_module_222_50_bottom.submit();return false;">Next</a><span class="pagenav_next_chevron"> &gt;</span> <a class="pagenav" title="End" onclick="javascript: document.adminForm_hikashop_category_information_module_222_50_bottom.limitstart_hikashop_category_information_module_222_50.value=40; document.adminForm_hikashop_category_information_module_222_50_bottom.submit();return false;">End</a><span class="pagenav_end_chevron"> &gt;&gt;</span>
<div class="counter">Page 1 of 3</div>
<input type="hidden" name="limitstart_hikashop_category_information_module_222_50" value="0">
</div>
        <span class="hikashop_results_counter">
Results 1 - 20 of 48</span>

        </div>

        <input type="hidden" name="filter_order_hikashop_category_information_module_222_50" value="a.ordering">

        <input type="hidden" name="filter_order_Dir_hikashop_category_information_module_222_50" value="ASC">

        <input type="hidden" name="18aa959f74c6262cdb2863f0ffaff82e" value="1">
    </form>

We have already discussed this with the HikaShop people, and they say we need to update to their latest version (ours is only one version behind). However, we made some major modifications to the code to include some customer requests, so we don't want to lose those changes (maybe in the future we will update to the latest version, but for now we just want to know whether there is a quick fix for this).

Is the form really vulnerable to cross-site scripting? What can we do to protect it, or to get the GoDaddy site scanner to stop showing this warning?

1 Answer

From the scanner's output, it thinks that when it issued the request with the appended parameter:

<<<<<<<<<<foo"bar'314>>>>>=1

this parameter was printed as what we see in the output:

type-atom?<<<<<<<<<<foo"bar'314>>>>>=1

This could mean your page is vulnerable to XSS, but many of these scanners forget about encoding... the same issue happens, for example, when scanning Liferay with w3af. But your HTML code prints:

%3C%3C%3C%3C%3C%3C%3C%3C%3C%3Cfoo%22bar'204%3E%3E%3E%3E%3E

So it seems that the appended parameter, although reflected, is escaped... so it is not strictly vulnerable to XSS. If you want to know more, visit the XSS Cheat Sheet, and you could use some other vulnerability scanners/proxies to confirm this issue: ZAP, WebScarab, w3af.

answered 2012-12-17T19:53:27.853
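The disagreement between the scanner's "output" section and the form source in the question comes down to one check: does the reflected probe come back with the characters that close its HTML context, or only with encoded forms of them? The following script is an added example (not from the question, the answer, HikaShop or the GoDaddy scanner) that performs that check on a saved response. It locates the probe allowing any mix of raw, percent-encoded and entity-encoded characters, works out which quote encloses the reflection, and reports whether a context-closing character came back raw. The hostname, the shortened form fragments and the `adminForm` names are constructed for the example; the first fragment mirrors what the scanner's output shows, the second what the page source in the question shows.

```python
import re

# Entity spellings each dangerous character may come back as (besides percent-encoding).
HTML_ENTITIES = {
    '<': ['&lt;', '&#60;'],
    '>': ['&gt;', '&#62;'],
    '"': ['&quot;', '&#34;'],
    "'": ['&#39;', '&#x27;', '&apos;'],
    '&': ['&amp;', '&#38;'],
}
DANGEROUS = set('<>"\'')


def _char_pattern(c):
    """Alternation matching c literally, percent-encoded, or entity-encoded.
    The literal alternative comes first so a raw echo is reported as raw."""
    alts = [re.escape(c), '%%%02X' % ord(c), '%%%02x' % ord(c)]
    alts += [re.escape(e) for e in HTML_ENTITIES.get(c, [])]
    return '(' + '|'.join(alts) + ')'


def _attribute_delimiter(html, pos):
    """Quote that opens the attribute value enclosing pos, or None if pos is not
    inside a quoted attribute. Heuristic: the last '=' followed by a quote before
    pos, with no other quote between them and pos."""
    m = re.search(r'=\s*(["\'])[^"\']*$', html[:pos])
    return m.group(1) if m else None


def classify_reflection(html, probe):
    """Find the probe in the response in any raw/encoded mix and judge it.

    Returns a dict with:
      verdict   - 'absent', 'escaped' (reflected but unable to leave its context),
                  or 'breaks-out' (a context-closing character came back raw)
      raw_chars - dangerous characters that were reflected verbatim
      delimiter - the quote enclosing the reflection, if it sits in an attribute
    """
    pattern = ''.join(_char_pattern(c) for c in probe)
    m = re.search(pattern, html)
    if not m:
        return {'verdict': 'absent', 'raw_chars': [], 'delimiter': None}
    raw_chars = [c for c, g in zip(probe, m.groups()) if g == c and c in DANGEROUS]
    delimiter = _attribute_delimiter(html, m.start())
    if delimiter is None:
        # Text or unquoted context: a raw '<' or '>' is enough to start or end a tag.
        breaks_out = any(c in '<>' for c in raw_chars)
    else:
        # Quoted attribute: only the enclosing quote can close the value, so a raw
        # single quote inside a double-quoted action attribute is inert.
        breaks_out = delimiter in raw_chars
    return {'verdict': 'breaks-out' if breaks_out else 'escaped',
            'raw_chars': raw_chars, 'delimiter': delimiter}


# Constructed response fragments (example hostname, shortened paths).
SCANNER_PROBE = '<<<<<<<<<<foo"bar\'314>>>>>'
SCANNER_VIEW = ('<form action="http://shop.example/category/366-antique-engagement-rings/'
                'type-atom?<<<<<<<<<<foo"bar\'314>>>>>=1" method="post" name="adminForm">')

PAGE_PROBE = '<<<<<<<<<<foo"bar\'204>>>>>'
PAGE_SOURCE = ('<form action="http://shop.example/category/50-estate-engagement-rings'
               '?filter_order_hikashop_category_information_module_222_50='
               '%3C%3C%3C%3C%3C%3C%3C%3C%3C%3Cfoo%22bar\'204%3E%3E%3E%3E%3E" '
               'method="post" name="adminForm_hikashop_category_information_module_222_50_bottom">')


if __name__ == '__main__':
    for label, html, probe in (('scanner view', SCANNER_VIEW, SCANNER_PROBE),
                               ('page source', PAGE_SOURCE, PAGE_PROBE)):
        print(label, classify_reflection(html, probe))
```

Run against the scanner's view of the page the verdict is `breaks-out`, because the double quote that delimits the `action` attribute is echoed raw; run against the form source from the question it is `escaped`, because `<`, `>` and `"` come back percent-encoded and only the inert single quote is raw. The delimiter finder is a heuristic for a saved fragment, not an HTML parser, so use it to decide what to look at and then confirm against the live page with an intercepting proxy such as ZAP, as the answer suggests.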