防止站点范围内的 XSS 攻击 [英] Prevent XSS attacks site-wide
问题描述
我是 ColdFusion 的新手,所以我不确定是否有简单的方法可以做到这一点.我被指派在这个 CF 站点上修复站点范围内的 XSS 漏洞.不幸的是,有大量页面需要用户输入,几乎不可能进入并修改它们.
I'm new to ColdFusion, so I'm not sure if there's an easy way to do this. I've been assigned to fix XSS vulnerabilities site-wide on this CF site. Unfortunately, there are tons of pages that are taking user input, and it would be near impossible to go in and modify them all.
有没有办法(在 CF 或 JS 中)轻松防止整个站点的 XSS 攻击?
Is there a way (in CF or JS) to easily prevent XSS attacks across the entire site?
推荐答案
我不想告诉你,但是 -
I hate to break it out to you, but -
- XSS 是输出问题,不是输入问题.过滤/验证输入是额外的防御层,但它永远无法完全保护您免受 XSS 攻击.看看 RSnake 的 XSS 备忘单 - 逃避过滤器的方法太多了.李>
- 没有简单的方法可以修复旧版应用.您必须对放入 html 或 javascript 文件中的任何内容进行正确编码,这确实意味着重新访问生成 html 的每一段代码.
- XSS is an Output problem, not an Input problem. Filtering/Validating input is an additional layer of defence, but it can never protect you completely from XSS. Take a look at XSS cheatsheet by RSnake - there's just too many ways to escape a filter.
- There is no easy way to fix a legacy application. You have to properly encode anything that you put in your html or javascript files, and that does mean revisiting every piece of code that generates html.
有关如何预防的信息,请参阅 OWASP 的 XSS 预防备忘单跨站脚本.
See OWASP's XSS prevention cheat sheet for information on how to prevent XSS.
下面的一些评论表明,输入验证是一种更好的策略,而不是在输出时进行编码/转义.我将仅引用 OWASP 的 XSS 预防备忘单 -
传统上,输入验证一直是处理不受信任数据的首选方法.然而,输入验证并不是注入攻击的一个很好的解决方案.首先,输入验证通常在接收到数据时完成,在目的地已知之前.这意味着我们不知道目标解释器中哪些字符可能很重要.其次,可能更重要的是,应用程序必须允许可能有害的字符.例如,是否应该仅仅因为 SQL 认为 ' 是一个特殊字符而阻止可怜的 O'Malley 先生在数据库中注册?
Traditionally, input validation has been the preferred approach for handling untrusted data. However, input validation is not a great solution for injection attacks. First, input validation is typically done when the data is received, before the destination is known. That means that we don't know which characters might be significant in the target interpreter. Second, and possibly even more importantly, applications must allow potentially harmful characters in. For example, should poor Mr. O'Malley be prevented from registering in the database simply because SQL considers ' a special character?
详细说明 - 当用户输入像 O'Malley 这样的字符串时,您不知道是否需要在 javascript、html 或其他语言中使用该字符串.如果它是在 javascript 中,你必须将它渲染为 Ox27Malley,如果它是在 HTML 中,它应该看起来像 O'Malley.这就是为什么建议在您的数据库中将字符串存储在完全按照用户输入的方式,然后根据字符串的最终目的地适当地对其进行转义.
To elaborate - when the user enters a string like O'Malley, you don't know whether you need that string in javascript, or in html or in some other language. If its in javascript, you have to render it as Ox27Malley, and if its in HTML, it should look like O'Malley. Which is why it is recommended that in your database the string should be stored exactly the way the user entered, and then you escape it appropriately according to the final destination of the string.
这篇关于防止站点范围内的 XSS 攻击的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
