堆栈内存溢出
  简体   繁体   English

如何开始修复网站中的XSS漏洞

[英]How to begin fixing XSS hole in website

 原文  2013-06-17 22:55:00       web/ security/ xss

问题描述

I've never dealt with XSS before, but I just received a comment from a vistor that my website has XSS vulnerabilities. 我以前从未处理过XSS,但是刚刚收到来自访客的评论,我的网站存在XSS漏洞。

He was nice enough to provide me with the string that activated a prompt box that displays the user's cookies. 他很高兴向我提供了一个字符串,该字符串激活了显示用户Cookie的提示框。 I have a lot code within this website and webapp, how do I find this and fix it? 我在此网站和webapp中有很多代码,如何找到并修复它? Where do I start? 我从哪里开始?

2 个解决方案

解决方案1
 0  2013-06-18 09:35:36

OWASP also provided API to prevent this kind of attacks. OWASP还提供了防止此类攻击的API。 Those API is written in several Programming languages. 这些API用几种编程语言编写。

You can download those API from here . 您可以从此处下载这些API。

Why don't you go and download that API (in your preferred programming language) and use if for sanitizing the user input. 您为什么不去下载该API(以您首选的编程语言)并使用它来清理用户输入。

解决方案2
 0  2013-06-18 09:40:45

One easy way to reduce (not stop) XSS vulnerabilities is to HTML encode all your output. 减少(而不是停止)XSS漏洞的一种简单方法是对所有输出进行HTML编码。 You should also scrub the data that someone submits for XSS vulnerabilities. 您还应该清除某人针对XSS漏洞提交的数据。 On the .NET platform you can use the antixss library, on PHP you could use strip_tags(), there should be something for whatever platform you're using but they're not going to be 100%. 在.NET平台上,您可以使用antixss库,在PHP上,您可以使用strip_tags(),无论您使用什么平台,都应该有一些东西,但它们不会达到100%。 And check out the OWASP XSS Cheat Sheet at https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet 并在https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet中查看OWASP XSS备忘单

XSS can be tricky, Stack Overflow, Gmail, Outlook Web Access all had XSS vulnerabilities in the past. XSS可能很棘手,堆栈溢出,Gmail,Outlook Web Access过去都具有XSS漏洞。 But if you follow the cheat sheet for all your input and output you should be able to greatly reduce the problem. 但是,如果对所有输入和输出都遵循备忘单,则应该可以大大减少问题。 Search your code for any echo or response.write or 在您的代码中搜索任何回声或响应。 

<?= ?>, <%= %>

After that move on to the input points, look for any Request.Form or $_GET or $_POST or however you're getting your data input. 在转到输入点之后,查找任何Request.Form或$ _GET或$ _POST,但是您正在获取数据输入。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何应对XSS攻击 - How to respond to an XSS attack 如何在以下代码中防止XSS? - How to prevent XSS in the following code? 如何在禁用$ sceProvider的情况下利用Angular中的XSS - How to exploit XSS in Angular with $sceProvider being disabled xss攻击后如何恢复站点? - How to recover a site after an xss attack? 如何在我的物联网项目中实施“ UDP打孔”? - How can I implement “UDP hole punching” in my IoT project? 使用Google Captcha的网站联系表,我是否安全(XSS注入等)? - Am I safe (XSS injection, etc) with my website contact form with Google Captcha? 如何保护Web服务器免受大型XSS扫描仪的侵害? - How to protect a web server from massive XSS Scanners? 如何将一个网站嵌入另一个网站? - How to embed a website in another website? PHP 安全测试为我提供了 GetHTMLValueString 的关键反射 XSS 警告,我该如何解决? - PHP Security test gives me critical Reflected XSS warning for GetHTMLValueString, how can i fix? 网站所有者在部署后如何对网站收费 - how a owner of website charges for website after deployment
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM