ESAPI for XSS prevention not working
Question
I am working on fixing cross-site scripting issues in our code, mainly in JSPs.
Below is the original code:
// scriptlet code
<% String userId = request.getParameter("sid");
...%>
and in the same JSP they have
<input type = hidden name = "userID" value = "<%= userId %>" />
I have made changes to include esapi-2.1.0.jar in lib, and ESAPI.properties and validation.properties in the classpath. Then I made the changes below to the scriptlet code to fix the above code:
// scriptlet code
<% String userId = ESAPI.encoder().encodeForHTML(request.getParameter("sid"));
...%>
I thought this would fix the issue, but when I scan my code using Fortify, these lines are again highlighted as having an XSS issue. Please help if you guys have any idea on how this should be handled. Thanks.
------- Update
Thanks a lot @avgvstvs. This is very insightful. Followed the guidelines, not sure if I am missing something. Code -
<%
String userSID = ESAPI.encoder().encodeForHTMLAttribute(request.getHeader("janus_sid"));
session.setAttribute("username", userSID);
%>
<input type=hidden name="USERNAME" value="<%= userSID %>" />
And for another variable, debug, below is the usage:
<% String debugFlag = ESAPI.encoder().encodeForJavaScript(request.getParameter("debug")); %>
<script>
var debugFlag = "<%= debugFlag %>";
if (debugFlag == "y") {
    document.title = title + " (" + host + ")";
    defaultAppTitle = title + " (" + host + ")";
}
</script>
The latest Fortify scan still lists them as vulnerabilities :-(
Accepted answer
Thanks for the help, guys. I finally figured out a solution to prevent the XSS issue and pass Fortify static code analysis. I have used ESAPI together with the AntiSamy library. Here are the 3 main changes required.
1. Implement an AntiSamy filter
Add a new filter and override the request methods getParameter and getParameterValues to strip out any suspicious tags from the request. The filter loads a policy file where we define our rules, like:
a. tags which need to be removed from the requests (tags like , etc.)
b. regexes for common attributes like href, align, etc.
An example implementation of the filter is here: http://barrypitman.com/2011/04/14/using-input-validation-XSS/
2. Perform input validation using the ESAPI library
String reportName = request.getParameter("reportName");
// throws ValidationException if the value does not match the pattern, is too long, or is null
reportName = ESAPI.validator().getValidInput("Report Name", reportName, "ReportNamePattern", 100, false);
In the above code:
- "Report Name" is the context
- reportName is the data field
- ReportNamePattern is the regex pattern defined in ESAPI.properties as Validator.ReportNamePattern=^[a-zA-Z]{1}[0-9]{6}$
- 100 is the max length for the data field reportName
- false is a flag saying a null value is not allowed.
3. Perform output encoding
As pointed out by @avgvstvs, output encoding is also a must.
If the reportName field is to be used in HTML, below is how to encode it:
<tr> <th> Report : <%=ESAPI.encoder().encodeForHTML(reportName)%> </th> </tr>
If the reportName field is to be used in JavaScript code, below is how to encode it:
var reportName = "<%= ESAPI.encoder().encodeForJavaScript(reportName)%>";
If the reportName field is to be used in an HTML attribute, below is how to encode it:
<input type=hidden name="USERNAME" value="<%=ESAPI.encoder().encodeForHTMLAttribute(reportName)%>"/>
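The three changes in the accepted answer (AntiSamy request filter, ESAPI validation, per-context ESAPI encoding) put together in one place, as an added example. This is not the answer's code and not the code from the linked blog post; the class names, the policy file name antisamy-policy.xml, the use of the javax.servlet API, and the helper methods are assumptions. The ReportNamePattern lookup relies on the pattern being defined exactly as the answer shows.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.ValidationException;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

// Step 1: filter that wraps every request so getParameter/getParameterValues return
// AntiSamy-cleaned values. Class and policy-file names are hypothetical.
public class AntiSamyParameterFilter implements Filter {
    private Policy policy;

    @Override
    public void init(FilterConfig config) throws ServletException {
        try {
            // Assumption: the AntiSamy policy XML is on the classpath under this name.
            policy = Policy.getInstance(getClass().getResourceAsStream("/antisamy-policy.xml"));
        } catch (PolicyException e) {
            throw new ServletException("Cannot load AntiSamy policy", e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(new CleanedRequest((HttpServletRequest) req, policy), res);
    }

    @Override
    public void destroy() { }

    // Request wrapper: every parameter value passes through AntiSamy before the JSP sees it.
    static class CleanedRequest extends HttpServletRequestWrapper {
        private final Policy policy;

        CleanedRequest(HttpServletRequest request, Policy policy) {
            super(request);
            this.policy = policy;
        }

        @Override
        public String getParameter(String name) {
            return clean(super.getParameter(name));
        }

        @Override
        public String[] getParameterValues(String name) {
            String[] raw = super.getParameterValues(name);
            if (raw == null) return null;
            String[] cleaned = new String[raw.length];
            for (int i = 0; i < raw.length; i++) cleaned[i] = clean(raw[i]);
            return cleaned;
        }

        private String clean(String value) {
            if (value == null) return null;
            try {
                // scan() removes tags and attributes the policy does not allow.
                return new AntiSamy().scan(value, policy).getCleanHTML();
            } catch (ScanException | PolicyException e) {
                return ""; // fail closed: input AntiSamy cannot process is dropped, not passed through
            }
        }
    }
}

// Steps 2 and 3: validate against the answer's ReportNamePattern, then encode for the
// exact output context. Hypothetical helper; one method per context the answer lists.
final class ReportNameOutput {
    private static String valid(String reportName) throws ValidationException {
        // Throws when the value does not match ^[a-zA-Z]{1}[0-9]{6}$, exceeds 100 chars,
        // or is null (allowNull = false). Returns the canonicalized value otherwise.
        return ESAPI.validator().getValidInput("Report Name", reportName, "ReportNamePattern", 100, false);
    }

    static String forHtmlBody(String reportName) throws ValidationException {
        return ESAPI.encoder().encodeForHTML(valid(reportName));          // <th>...</th>
    }

    static String forHtmlAttribute(String reportName) throws ValidationException {
        return ESAPI.encoder().encodeForHTMLAttribute(valid(reportName)); // value="..."
    }

    static String forJavaScript(String reportName) throws ValidationException {
        return ESAPI.encoder().encodeForJavaScript(valid(reportName));    // var x = "...";
    }
}
```

Register the filter in web.xml (or with @WebFilter) on the URL patterns that serve the JSPs, and call the helper inside the output expression, e.g. <%= ReportNameOutput.forHtmlAttribute(request.getParameter("reportName")) %>, so the encoding sits at the point of output rather than on a variable that is stored in the session and reused, as in the answer's own examples. Two design points worth knowing: AntiSamy's cleaned output is HTML, so a plain-text field may come back with some characters entity-encoded, which is why the filter is defense in depth and the per-context output encoding of step 3 remains the primary control; and the helper picks a different encoder per context because HTML-body encoding of a value that lands inside a JavaScript string, as in the question's first attempt, is not sufficient.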