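Problem scenario: when uploading screenshot images through the API, the upload sometimes succeeds and sometimes triggers the XSS interception.
Interception details: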
Remote port | 48897 |
Time | 2025-08-07 10:44:37 |
Request type | POST |
User-Agent | |
Action | Block |
Matched rule | XSS |
Matched value | --cbce6523-3746-4b79-841d-54ce6511fc5f Content-Type: image/png Content-Disposition: form-data; name=file; filename=screenshot.png; filename*=utf-8''screenshot.png �PNG IHDR |
The upload script is as follows:
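```powershell
# $ImageStream, $FileName and $ApiUrl are supplied by the caller.
Add-Type -AssemblyName System.Net.Http   # required on Windows PowerShell 5.1
$httpClient = $null
$multipartContent = $null
try {
    $httpClient = New-Object System.Net.Http.HttpClient
    $multipartContent = New-Object System.Net.Http.MultipartFormDataContent

    # Wrap the screenshot stream as the "file" form field, declared as image/png
    $fileContent = New-Object System.Net.Http.StreamContent($ImageStream)
    $fileContent.Headers.ContentType = [System.Net.Http.Headers.MediaTypeHeaderValue]::Parse("image/png")
    $multipartContent.Add($fileContent, "file", $FileName)

    # Send the request and block until the response body has been read
    $response = $httpClient.PostAsync($ApiUrl, $multipartContent).Result
    $responseContent = $response.Content.ReadAsStringAsync().Result

    if ($response.IsSuccessStatusCode) {
        Write-Host "✅ 上传成功,服务器响应:"
        Write-Host $responseContent
    } else {
        Write-Host "❌ 上传失败,状态码: $($response.StatusCode)"
        Write-Host $responseContent
    }
} catch {
    Write-Host "❌ 上传过程中出现异常:$_"
} finally {
    # Release the form content and the client
    if ($multipartContent) { $multipartContent.Dispose() }
    if ($httpClient) { $httpClient.Dispose() }
}
```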
The XSS check is fairly strict. You can add the image upload endpoint to the whitelist.
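An added example, not part of the original thread and not the WAF's own code: it shows why a signature matched against the raw multipart body fires on some screenshots and not others, and sketches a narrower exemption than whitelisting the whole endpoint, where only a file part that is declared as `image/png` and starts with the PNG signature is skipped. The regex, the boundary, the sample bytes and all function names are constructed assumptions.

```python
import re

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Constructed stand-in for a strict XSS signature; the WAF's real rule is not on the page.
XSS_RE = re.compile(rb"(?i)<script|on[a-z]+\s*=")


def naive_scan(body: bytes) -> bool:
    """Match the signature against the raw request body, file bytes included."""
    return XSS_RE.search(body) is not None


def split_parts(body: bytes, boundary: bytes):
    """Yield (header_block, payload) for each multipart/form-data part."""
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter
            break
        headers, _, payload = chunk.partition(b"\r\n\r\n")
        if payload.endswith(b"\r\n"):  # CRLF that precedes the next delimiter
            payload = payload[:-2]
        yield headers.strip(), payload


def part_aware_scan(body: bytes, boundary: bytes) -> bool:
    """Scan part headers and text fields; skip only a declared and verified PNG payload."""
    for headers, payload in split_parts(body, boundary):
        if XSS_RE.search(headers):
            return True
        declared_png = re.search(rb"(?im)^content-type:\s*image/png\s*$", headers)
        if declared_png and payload.startswith(PNG_MAGIC):
            continue
        if XSS_RE.search(payload):
            return True
    return False


def build_body(boundary: bytes, parts) -> bytes:
    """Assemble a constructed multipart body from (headers, payload) pairs."""
    out = b"".join(b"--" + boundary + b"\r\n" + h + b"\r\n\r\n" + p + b"\r\n" for h, p in parts)
    return out + b"--" + boundary + b"--\r\n"


BOUNDARY = b"example-boundary"  # constructed
FILE_HDR = b"Content-Type: image/png\r\nContent-Disposition: form-data; name=file; filename=screenshot.png"
# Constructed bytes: PNG signature followed by data that happens to contain "onA=".
NOISY_PNG = PNG_MAGIC + b"\x00\x00\x00\rIHDR\x9c\x01 onA=\xf3\x10"
UPLOAD = build_body(BOUNDARY, [(FILE_HDR, NOISY_PNG)])
```

Compressed image data is effectively random, so whether a given screenshot contains a matching byte run varies from upload to upload. Skipping the payload is only reasonable when the application stores and serves the file strictly as `image/png`.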