Accueil Explorer Aide
Connexion
liujiankang
/
iamberry-app-international
Suivre 1
Voter 0
Fork 0
Fichiers Tickets 0 Pull Requests 0 Wiki
Branche: master
Branches Tags
iamberry-app...
/
iamberry-common-parent
/
iamberry-wechat-web
/
target
/
iamberry-wechat-web-1.0.0
/
common
/
js
/
utils
/
security.js

security.js 3.1 KB
Lien permanent Historique Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115 
  1. /**
    2. 

  2.  * 检查站外资源
    3. 

  3.  */
    4. 

  4. function checkSiteOut() {
    5. 

  5. 	for(var i=0,tags=document.querySelectorAll('iframe[src],frame[src],script[src],link[rel=stylesheet],object[data],embed[src]'),tag;tag=tags[i];i++){ 
    6. 

  6. 	    var a = document.createElement('a'); 
    7. 

  7. 	    a.href = tag.src||tag.href||tag.data; 
    8. 

  8. 	    if(a.hostname!=location.hostname){ 
    9. 

  9. 	        console.warn(location.hostname+' 发现第三方资源['+tag.localName+']:'+a.href); 
    10. 

  10. 			new Image().src = "http://h5.iamberry.com/iamberry/security/log";
    11. 

  11. 	    }
    12. 

  12. 	}	
    13. 

  13. }
    14. 

  14. 

  15. /**
    16. 

  16.  * 监听是否有人进行漏洞调试
    17. 

  17.  */
    18. 

  18. function checkAlert() {
    19. 

  19. 	var backAlert = alert;
    20. 

  20. 	windows.alert = function(str) {
    21. 

  21. 		// 继续弹出错误,但是发送服务器报警
    22. 

  22. 		backAlert(str);
    23. 

  23. 		console.warn("发现有人alert调试漏洞");
    24. 

  24. 		new Image().src = "http://h5.iamberry.com/iamberry/security/log";
    25. 

  25. 	};
    26. 

  26. }
    27. 

  27. 

  28. /**
    29. 

  29.  * XSS过滤 
    30. 

  30.  */
    31. 

  31. function xssCheck(str,reg){
    32. 

  32.         return str ? str.replace(reg || /[&<">'](?:(amp|lt|quot|gt|#39|nbsp|#\d+);)?/g, function (a, b) {
    33. 

  33.             if(b){
    34. 

  34.                 return a;
    35. 

  35.             }else{
    36. 

  36.                 return {
    37. 

  37.                     '<':'&lt;',
    38. 

  38.                     '&':'&amp;',
    39. 

  39.                     '"':'&quot;',
    40. 

  40.                     '>':'&gt;',
    41. 

  41.                     "'":'&#39;',
    42. 

  42.                 }[a]
    43. 

  43.             }
    44. 

  44.         }) : '';
    45. 

  45. }
    46. 

  46. 

  47. /**
    48. 

  48.  * 主动防御,检测
    49. 

  49.  */
    50. 

  50. var mCheckMap = {};
    51. 

  51. var mCheckID = 0;
    52. 

  52. function scanXSS() {
    53. 

  53. 

  54. 	function hookEvent(eventName, eventID) {
    55. 

  55. 		var isClick = (eventName == 'onclick');
    56. 

  56. 

  57. 		function scanElement(el) {
    58. 

  58. 			//
    59. 

  59. 			// 跳过已扫描的事件
    60. 

  60. 			//
    61. 

  61. 			var flag = el['_k'];
    62. 

  62. 			if (!flag) {
    63. 

  63. 				flag = el['_k'] = ++mCheckID;
    64. 

  64. 			}
    65. 

  65. 

  66. 			var hash = (flag << 8) | eventID;
    67. 

  67. 			if (hash in mCheckMap) {
    68. 

  68. 				return;
    69. 

  69. 			}
    70. 

  70. 			mCheckMap[hash] = true;
    71. 

  71. 

  72. 			// 非元素节点
    73. 

  73. 			if (el.nodeType != Node.ELEMENT_NODE) {
    74. 

  74. 				return;
    75. 

  75. 			}
    76. 

  76. 

  77. 			// 扫描内联代码
    78. 

  78. 			var code;
    79. 

  79. 			if (el[eventName]) {
    80. 

  80. 				code = el.getAttribute(eventName);
    81. 

  81. 				if (code && /xss/.test(code)) {
    82. 

  82. 					// 不主动防御,但是我们把下面注释代码打开,既可以阻止攻击,但是我们只是做监视,不处理
    83. 

  83. 					// el[eventName] = null;
    84. 

  84. 					console.warn('可疑事件:' + code);
    85. 

  85. 					new Image().src = "http://h5.iamberry.com/iamberry/security/log";
    86. 

  86. 				}
    87. 

  87. 			}
    88. 

  88. 

  89. 			// 扫描 <a href="javascript:"> 的脚本
    90. 

  90. 			if (isClick && el.tagName == 'A' && el.protocol == 'javascript:') {
    91. 

  91. 				var code = el.href.substr(11);
    92. 

  92. 				if (/xss/.test(code)) {
    93. 

  93. 					// el.href = 'javascript:void(0)';
    94. 

  94. 					console.warn('可疑事件:' + code);
    95. 

  95. 					new Image().src = "http://h5.iamberry.com/iamberry/security/log";
    96. 

  96. 				}
    97. 

  97. 			}
    98. 

  98. 			// 扫描上级元素
    99. 

  99. 			scanElement(el.parentNode);
    100. 

  100. 		}
    101. 

  101. 

  102. 		document.addEventListener(eventName.substr(2), function(e) {
    103. 

  103. 			scanElement(e.target.innerHTML);
    104. 

  104. 		}, true);
    105. 

  105. 	}
    106. 

  106. 	var i = 0;
    107. 

  107. 	for (var k in document) {
    108. 

  108. 		if (/^on./.test(k)) {
    109. 

  109. 			hookEvent(k, i++);
    110. 

  110. 		}
    111. 

  111. 	}
    112. 

  112. }
    113. 

  113. scanXSS();
    114. 

  114. checkAlert();
    115. 

  115. checkSiteOut();
    116.