如何阻止表单动作URL的XSS？ [英] How to prevent XSS for the form action URL?

问题描述

我们使用Shibboleth的SingleSingOut（SSO）来进行身份验证.Shibboleth是一个开源项目，已经被集成到我们的项目中。如果用户没有通过身份验证，Shibboleth会重定向到login.jsp页面。现在我们已经定制了login.jsp页面来支持本地化。所以，表单actionUrl必须由Shibboleth IDP（身份提供者）发送以执行认证。以下是Shibboleth提供的示例代码：

 <％if（request.getAttribute（actionUrl）！ = null）{％> 
< form id =loginaction =<％= request.getAttribute（actionUrl）％>方法= POST > 
<％} else {％> 
< form id =loginaction =j_security_checkmethod =post> 
<％}％> 
 
 <％if（true.equals（request.getAttribute（loginFailed）））{％> 
<节> 
< p class =form-element form-error>登录失败。仔细检查您的用户名和密码。< / p> 
< / section> 
<％}％> 
 
<图例> 
登录到< idpui：serviceName /> 
< / legend> 
 
< section> 
< label for =用户名>用户名< / label> 
< input class =form-element form-fieldname =j_usernametype =textvalue => 
< / section> 
 
< section> 
< label for =password>密码< / label> 
< input class =form-element form-fieldname =j_passwordtype =passwordvalue => 
< / section> 
 
< section> 
< button class =form-element form-b​​uttontype =submit>登入< / button> 
< / section> 
< / form> 
  

现在我已经使用OWASP ZAP工具来检查安全攻击。它在下面的代码中引发了高风险

 < form id =loginaction =<％= request .getAttribute（ actionUrl）％>中方法= POST > 
  

它告诉我们可能会发生XSS（跨站点脚本）攻击，因此它已经问我以编码上述代码。

如何防止表单动作url的XSS（跨站脚本）。因为它是一个不可信的数据，有什么方法可以对URL进行编码。经过一番研究，我发现，它更好地使用ESAPI.encoder（）。encodeForURL（'url'）;方法。我的疑问是，使用ESAPI.encoder（）。encodeForURL（'url'）作为表单动作URL是否正确？

从 Cross_Site_Scripting预防备忘单

实际的表单动作地址：

 < form name =loginFormid =loginmethod =POST行动= LT;％=用request.getParameter（ actionUrl ）％> 中> 
  

编码表单动作网址：

 < form name =loginFormid =loginmethod =POSTaction =<％= ESAPI.encoder（）。encodeForURL（request.getParameter（actionUrl）） ％>中> 
  

任何建议都将不胜感激。

解决方案

ESAPI.encoder（）。encodeForURL（）是不正确的，因为这会影响整个字符串的百分比编码，从而破坏url。在这种情况下，在一个属性中， ESAPI.encoder（）。encodeForHTMLAttribute（） / code>应该被使用。

尽管这里还有一个额外的问题。如果URL不可信，则用户可能将其日志详细信息发送到不可信站点。您应该确切地检查网址的来源，并确保用户无法控制其内容。

如果url始终具有相似的格式，那么您可以检查在控制器中反对这一点。

We use Shibboleth's SingleSingOut(SSO) to do the authentication.Shibboleth is an open-source project which has been integrated into our project. Shibboleth will do the redirect to login.jsp page, if the user has not been authenticated.Now we have customized login.jsp page to support localization. So, the form actionUrl has to be sent by the Shibboleth IDP(Identity Provider) to perform the authentication. Here is the below sample code which the Shibboleth has provided:

    <% if(request.getAttribute("actionUrl") != null){ %>
      <form id="login" action="<%=request.getAttribute("actionUrl")%>" method="post">
    <% }else{ %>
      <form id="login" action="j_security_check" method="post">
    <% } %>

      <% if ("true".equals(request.getAttribute("loginFailed"))) { %>
        <section>
          <p class="form-element form-error">Login has failed. Double-check your username and password.</p>
        </section>
      <% } %>

      <legend>
        Log in to <idpui:serviceName/>
      </legend>

      <section>
        <label for="username">Username</label>
        <input class="form-element form-field" name="j_username" type="text" value="">
      </section>

      <section>
        <label for="password">Password</label>
        <input class="form-element form-field" name="j_password" type="password" value="">
      </section>

      <section>
        <button class="form-element form-button" type="submit">Login</button>
      </section>
    </form>

Now I have used the OWASP ZAP tool to check the security attack. It has raised a High Risk at the below code

  <form id="login" action="<%=request.getAttribute("actionUrl")%>" method="post">

It has told that there can be XSS (Cross-site Scripting) attack so, it has asked me to encode the above code.

How can I prevent the XSS(Cross Site Scripting) for the form action url. Because, it is an untrusted data is there any way to encode the URL. After some research I found that, its better to use ESAPI.encoder().encodeForURL('url'); method. My doubt is that, is it a correct way to use the ESAPI.encoder().encodeForURL('url') for the form action URL?

From the Cross_Site_Scripting Prevention Cheat sheet

Actual form action url:

     <form name="loginForm" id="login" method="POST" action="<%=request.getParameter("actionUrl")%>">

Encoded form action url:

     <form name="loginForm" id="login" method="POST" action="<%=ESAPI.encoder().encodeForURL(request.getParameter("actionUrl"))%>">

Any suggestions would be appreciated.

解决方案

ESAPI.encoder().encodeForURL() is not correct because this does percent encoding of the whole string which can corrupt the url. It's meant more for encoding individual parameters within a url.

In this context, within an attribute, ESAPI.encoder().encodeForHTMLAttribute() should be used.

There is an extra problem here though. If the url is not trusted, then the user could be sending their log in details to an untrusted site. You should check exactly where the url comes from and make sure the user can't control its contents.

If the url is always of a similar format, then you can check against this in the controller.

这篇关于如何阻止表单动作URL的XSS？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！