防止网站范围内的XSS攻击 [英] Prevent XSS attacks site-wide
问题描述
我是ColdFusion的新手,所以我不知道是否有一个简单的方法来做到这一点。我已被分配到修复这个CF网站上的网站范围内的XSS漏洞。不幸的是,有大量的页面正在接受用户输入,它几乎不可能进入和修改它们。
I'm new to ColdFusion, so I'm not sure if there's an easy way to do this. I've been assigned to fix XSS vulnerabilities site-wide on this CF site. Unfortunately, there are tons of pages that are taking user input, and it would be near impossible to go in and modify them all.
有一种方法(在CF或JS),以便轻松防止整个网站上的XSS攻击?
Is there a way (in CF or JS) to easily prevent XSS attacks across the entire site?
推荐答案
p>
I hate to break it out to you, but -
- XSS是一个输出问题,不一个输入问题。过滤/验证输入是一个额外的防御层,但它永远不能保护你完全从XSS。请查看RSnake 的 XSS骗局 - 有太多的方法可以逃避过滤器。
- 没有简单的方法来修复旧版应用程序。
- XSS is an Output problem, not an Input problem. Filtering/Validating input is an additional layer of defence, but it can never protect you completely from XSS. Take a look at XSS cheatsheet by RSnake - there's just too many ways to escape a filter.
- There is no easy way to fix a legacy application. You have to properly encode anything that you put in your html or javascript files, and that does mean revisiting every piece of code that generates html.
您必须对HTML或JavaScript文件中的任何内容进行正确编码,这意味着重新访问生成html的每一段代码。 p>请参阅 OWASP的XSS防止作弊表,了解如何防止XSS。
See OWASP's XSS prevention cheat sheet for information on how to prevent XSS.
下面的一些注释表明输入验证是一个更好的策略,而不是输出时的编码/转义。我只是引用 OWASP的XSS防止作弊表 -
传统上,输入验证是处理不受信任数据的首选方法。然而,输入验证不是注入攻击的一个很好的解决方案。首先,输入验证通常在接收到数据时,在目的地已知之前完成。这意味着我们不知道目标解释器中哪些字符可能很重要。第二,甚至更重要的是,应用程序必须允许潜在有害的字符。例如,如果O'Malley先生不能在数据库中注册,只是因为SQL认为是一个特殊字符?
Traditionally, input validation has been the preferred approach for handling untrusted data. However, input validation is not a great solution for injection attacks. First, input validation is typically done when the data is received, before the destination is known. That means that we don't know which characters might be significant in the target interpreter. Second, and possibly even more importantly, applications must allow potentially harmful characters in. For example, should poor Mr. O'Malley be prevented from registering in the database simply because SQL considers ' a special character?
要详细说明 - 当用户输入像O'Malley这样的字符串时,你不知道你需要的字符串是javascript,还是html或其他语言。如果在JavaScript中,你必须将它转换为 O\x27Malley ,如果它在HTML中,它应该看起来像 O' Malley 。这是为什么建议在您的数据库中字符串应该以用户输入的方式存储,然后根据字符串的最终目的地适当地转义它。
To elaborate - when the user enters a string like O'Malley, you don't know whether you need that string in javascript, or in html or in some other language. If its in javascript, you have to render it as O\x27Malley, and if its in HTML, it should look like O'Malley. Which is why it is recommended that in your database the string should be stored exactly the way the user entered, and then you escape it appropriately according to the final destination of the string.
这篇关于防止网站范围内的XSS攻击的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
