/**
 * Report every external resource on the page: frames, scripts, stylesheets,
 * objects and embeds whose host differs from location.hostname. Each hit is
 * logged with console.warn and a beacon is fired at the security log endpoint.
 * The raw src/href/data value is resolved through an <a> element, so relative
 * URLs are compared on their absolute host. The comparison is an exact host
 * string match: a different subdomain counts as third-party, and so would a
 * URL with no host at all (a data: URL, for instance).
 */
function checkSiteOut() {
	var selector = 'iframe[src],frame[src],script[src],link[rel=stylesheet],object[data],embed[src]';
	var ownHost = location.hostname;
	Array.prototype.forEach.call(document.querySelectorAll(selector), function (tag) {
		var resolver = document.createElement('a');
		resolver.href = tag.src || tag.href || tag.data;
		if (resolver.hostname === ownHost) {
			return;
		}
		console.warn(ownHost + ' 发现第三方资源[' + tag.localName + ']:' + resolver.href);
		// NOTE(review): one beacon per hit, and the endpoint is plain http, which
		// an https page may upgrade or block as mixed content.
		new Image().src = "http://h5.iamberry.com/iamberry/security/log";
	});
}

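/**
 * Hook window.alert so that a popup, the usual tell-tale of someone probing
 * for XSS, still appears, but also logs a warning and fires a beacon at the
 * security log endpoint. Fixes the original `windows.alert` typo, which threw
 * a ReferenceError at load time and left alert un-hooked (and, because this
 * runs before checkSiteOut in the bootstrap below, aborted that check too).
 * Safe to call more than once: an already-hooked alert is not wrapped again.
 */
function checkAlert() {
	if (window.alert && window.alert._hooked) {
		return;
	}
	var backAlert = window.alert;
	var hooked = function (str) {
		// Keep the popup, then report. Calling with `window` as `this` avoids
		// the invocation error some browsers raise for a detached native alert.
		backAlert.call(window, str);
		console.warn("发现有人alert调试漏洞");
		new Image().src = "http://h5.iamberry.com/iamberry/security/log";
	};
	hooked._hooked = true;
	window.alert = hooked;
}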

/**
 * XSS过滤 
 */
function xssCheck(str,reg){
        return str ? str.replace(reg || /[&<">'](?:(amp|lt|quot|gt|#39|nbsp|#\d+);)?/g, function (a, b) {
            if(b){
                return a;
            }else{
                return {
                    '<':'&lt;',
                    '&':'&amp;',
                    '"':'&quot;',
                    '>':'&gt;',
                    "'":'&#39;',
                }[a]
            }
        }) : '';
}

/**
 * Active defence: shared bookkeeping for scanXSS below. Every node that gets
 * scanned is stamped with an id taken from mCheckID, and mCheckMap records the
 * (node, event) pairs already examined so each one is scanned at most once.
 */
var mCheckID = 0;
var mCheckMap = {};
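/**
 * Active defence probe. Registers a capture-phase listener on `document` for
 * every `on*` event name it exposes; when an event fires, the target and each
 * of its ancestors are checked for an inline handler attribute or a
 * `javascript:` link whose code matches the canary pattern. A hit is logged
 * with console.warn and a beacon is fired; nothing is blocked (the lines that
 * would block are left as comments). Detection is a canary check only: the
 * pattern is the literal token `xss`, so it catches test payloads, not
 * arbitrary injected code.
 *
 * Uses the module-level mCheckID/mCheckMap so each (node, event) pair is
 * examined once. Call once, after the DOM exists.
 *
 * Fixes: the listener passed `e.target.innerHTML` (a string) to the scanner,
 * so no element was ever inspected; a detached node (null parentNode) now
 * ends the walk instead of throwing; the dedup key is a string rather than
 * `(flag << 8) | eventID`, which collided once eventID exceeded 255 or the
 * node counter grew past 2^23.
 */
function scanXSS() {
	var SUSPICIOUS = /xss/;
	var BEACON = "http://h5.iamberry.com/iamberry/security/log";

	// Log the offending code and notify the security endpoint.
	function report(code) {
		console.warn('可疑事件:' + code);
		new Image().src = BEACON;
	}

	function hookEvent(eventName, eventID) {
		var isClick = (eventName === 'onclick');

		function scanElement(el) {
			// A detached subtree reaches null before the document; stop there.
			if (!el) {
				return;
			}
			// Stamp the node once, then skip pairs already examined.
			var flag = el._k;
			if (!flag) {
				flag = el._k = ++mCheckID;
			}
			var key = flag + ':' + eventID;
			if (key in mCheckMap) {
				return;
			}
			mCheckMap[key] = true;

			// Text/comment/document nodes carry no handlers or hrefs.
			if (el.nodeType !== Node.ELEMENT_NODE) {
				return;
			}

			// Inline handler attribute, e.g. onclick="...".
			if (el[eventName]) {
				var attrCode = el.getAttribute(eventName);
				if (attrCode && SUSPICIOUS.test(attrCode)) {
					// Monitoring only; to block instead: el[eventName] = null;
					report(attrCode);
				}
			}

			// <a href="javascript:..."> is only reachable through a click.
			if (isClick && el.tagName === 'A' && el.protocol === 'javascript:') {
				var hrefCode = el.href.substr('javascript:'.length);
				if (SUSPICIOUS.test(hrefCode)) {
					// To block instead: el.href = 'javascript:void(0)';
					report(hrefCode);
				}
			}

			scanElement(el.parentNode);
		}

		// eventName is "onclick" etc.; the DOM event type drops the "on".
		document.addEventListener(eventName.substr(2), function (e) {
			scanElement(e.target);
		}, true);
	}

	var i = 0;
	for (var k in document) {
		if (/^on./.test(k)) {
			hookEvent(k, i++);
		}
	}
}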
// Bootstrap: install the probes, in this order, as soon as the script runs.
[scanXSS, checkAlert, checkSiteOut].forEach(function (probe) {
	probe();
});