XSS攻击详细教学：存储型XSS攻击与防御<\/h1>

存储型XSS概述<\/h2>

存储型XSS（又称持久性XSS）是一种常见的XSS攻击类型，与反射型XSS和DOM型XSS相比具有以下特点：<\/p>

持久性<\/strong>：攻击脚本被永久存储在目标服务器上（数据库、内存、文件系统等）<\/li>
危害面广<\/strong>：可以让用户机器变成DDoS攻击的肉鸡<\/li>

信息窃取<\/strong>：能够盗取用户敏感私密信息<\/li> <\/ol>
典型攻击场景：攻击者在论坛发帖时将恶意脚本注入帖子内容，服务器存储该帖子后，其他用户浏览时恶意脚本会在其浏览器中执行。<\/p>
存储型XSS攻击演示（DVWA环境）<\/h2>
LOW级别攻击<\/h3>

基本注入<\/strong>：<\/p>
<script<\/span>>alert<\/span>()<\/script<\/span>> <\/span><\/span><\/code><\/pre>直接注入成功，服务器未做任何防护。<\/p> <\/li> 窃取Cookie<\/strong>：<\/p> <script<\/span>>document.write<\/span>(''<\/span>)<\/script<\/span>> <\/span><\/span><\/code><\/pre>攻击者启动HTTP服务监听：<\/p> Python2: python2 -m SimpleHTTPServer 8899<\/code><\/li> Python3: python3 -m http.server 8899<\/code><\/li> <\/ul> <\/li> 源码分析<\/strong>：<\/p> 仅使用trim()<\/code>去除首尾空格<\/li> 使用stripslashes()<\/code>删除反斜杠<\/li> 使用mysqli_real_escape_string()<\/code>转义SQL特殊字符<\/li> 无XSS防护措施<\/li> <\/ul> <\/li> <\/ol> MEDIUM级别攻击<\/h3> 绕过限制<\/strong>：<\/p> 输入框有长度限制，可通过修改HTML属性绕过<\/li> 有效payload： <a<\/span> href<\/span>=<\/span>"javascript:alert()"<\/span>>alert()<\/a<\/span>> <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> 源码分析<\/strong>：<\/p> 对message字段： strip_tags()<\/code>去除HTML\/PHP标签<\/li> addslashes()<\/code>转义特殊字符<\/li> htmlspecialchars()<\/code>转换为HTML实体<\/li> <\/ul> <\/li> 对name字段：仅移除<script><\/code>标签<\/li> 可使用双写或大小写绕过：双写：<sc<script>ript>alert()<sc<script>ript><\/code><\/li> 大小写：<sCript>alert()<\/sCript><\/code><\/li> <\/ul> <\/li> <\/ul> <\/li> <\/ul> <\/li> <\/ol> HIGH级别攻击<\/h3> 绕过技巧<\/strong>：<\/p> 使用单标签+事件属性： <\/span><\/span><\/code><\/pre><input<\/span> onchange<\/span>=<\/span>"alert()"<\/span>> <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> 源码分析<\/strong>：<\/p> 使用preg_replace<\/code>正则替换： preg_replace<\/span>('\/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t\/i'<\/span>, ''<\/span>, $name) <\/span><\/span><\/code><\/pre><\/li> 防御较强，但仍可通过非script<\/code>标签的事件属性绕过<\/li> <\/ul> <\/li> <\/ol> IMPOSSIBLE级别防御<\/h3> 防御措施<\/strong>：<\/p> 使用CSRF token防止跨站请求伪造<\/li> 表单防重复提交<\/li> htmlspecialchars()<\/code>将所有输出转换为HTML实体<\/li> 使用PDO预编译语句防止SQL注入<\/li> <\/ul> <\/li> 源码关键点<\/strong>：<\/p> checkToken<\/span>($_REQUEST['user_token'<\/span>], $_SESSION['session_token'<\/span>], 'index.php'<\/span>); <\/span><\/span>$message =<\/span> htmlspecialchars<\/span>($message); <\/span><\/span>$name =<\/span> htmlspecialchars<\/span>($name); <\/span><\/span>$data =<\/span> $db-><\/span>prepare<\/span>('INSERT INTO guestbook (comment, name) VALUES (:message, :name)'<\/span>); <\/span><\/span>$data-><\/span>bindParam<\/span>(':message'<\/span>, $message, PDO<\/span>::<\/span>PARAM_STR<\/span>); <\/span><\/span>$data-><\/span>bindParam<\/span>(':name'<\/span>, $name, PDO<\/span>::<\/span>PARAM_STR<\/span>); <\/span><\/span><\/code><\/pre><\/li> <\/ol> 存储型XSS防御方案<\/h2> 后端防御<\/strong>：<\/p> 入库前对所有前端数据进行转义处理<\/li> 输出给前端时统一进行转义处理<\/li> 使用预编译语句防止SQL注入<\/li> <\/ul> <\/li> 前端防御<\/strong>：<\/p> 渲染DOM时不信任任何后端数据<\/li> 对所有动态内容进行转义处理<\/li> 使用CSP(Content Security Policy)限制脚本执行<\/li> <\/ul> <\/li> 综合措施<\/strong>：<\/p> 输入验证和过滤<\/li> 输出编码<\/li> 使用安全的API<\/li> 实施CSP策略<\/li> 定期安全审计<\/li> <\/ul> <\/li> <\/ol> 总结<\/h2> 存储型XSS因其持久性和广泛影响成为最危险的XSS类型。防御需要前后端协同，采用"不信任任何输入"的原则，对所有数据进行严格过滤和转义处理。DVWA演示展示了从简单注入到高级绕过的全过程，以及最终级别的全面防御方案。<\/p>