如何解决OWASP ZAP报告的“alert(1);"XSS 漏洞 [英] how to solve OWASP ZAP reported "alert(1);" XSS vulnerability
问题描述
针对我们的应用程序运行 OWASP ZAP 扫描工具后,当该工具使用此字符串进行攻击时,我们发现了许多 XSS 漏洞:
After running OWASP ZAP scanning tool against our application, we see a number of XSS vulnerabilities when the tool attacked with this string:
" onMouseOver="alert(1);
或
;alert(1)
所以这样的字符串会出现在服务器响应中.虽然它在浏览器中没有做任何事情.可能是想给Html标签插入额外的属性,但是怎么解决?
So such strings will appear in the server response. Though it doesn't do anything in the browser. Maybe it's trying to insert additional attributes to Html tags, but how to solve the problem?
推荐答案
如果您可以发布有关注入攻击的 html,那么这可能就足够了.如果您在 ZAP 中选择警报,则攻击将在响应"选项卡中突出显示.请注意,我们刚刚发布了更新的主动扫描规则,修复了反射 XSS 扫描规则中的误报,因此请确保更新规则,然后再次扫描.
If you can post the html surrounding the injected attack then that might be enough. If you select the alert in ZAP then the attack will be highlighted in the Response tab. Note that we have just released updated active scan rules which fix a false positive in the reflected XSS scan rule, so make sure you update the rules and then scan again.
这篇关于如何解决OWASP ZAP报告的“alert(1);"XSS 漏洞的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
