
Struts XSS Prevention - Prevent a GET XSS

I have been able to prevent an XSS attack in Struts 1.2 through a combination of filter="true" in the bean:write messages and by using StringEscapeUtils.escapeHtml4(string) in the tag libs I am using. However I can attack my site through an attack in the URL in the following form...

www.mysite.com/App/Start.do?logo=mylogo'><script>alert("ATTACK")</script>

Any advice on the best way to prevent this? I tried using a servlet filter but I don't want to convert all request inputs to special characters.

Easiest way I've found to block XSS is replacing all > , < and " characters with &lt; , &gt; and &quot; before writing to the webpage. This should protect you from XSS so long as you aren't placing user input inside places such as script tags, image tags (XSS has been possible from the src= of image tags) etc., as they won't be able to create their own tags.

In PHP you would do this with the htmlSpecialChars method that encodes all characters like that. However Java doesn't have this method, so the quickest way is to just replace those; you should really go through the entire list yourself. Shouldn't be too hard to implement 5 replaceAll().


The docs for the StringEscapeUtils method you're using claim to perform what I suggest above, so you should check that you're using the method correctly, as your example shouldn't survive this form of prevention.
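As an added illustration of the answer's replace-before-output approach (example code written for this page, not code from the question, the answer, or Struts), the helper below encodes the characters the answer lists and, because the question's URL payload breaks out of the attribute with a single quote, also encodes `&` and `'`. Note that Commons Lang's `escapeHtml4` does not encode the apostrophe, which is why a value rendered inside a single-quoted attribute can still break out even when that method is applied. The `logoTag` method and the `img` markup are assumptions standing in for whatever the page's JSP actually emits; the sample input is the value from the question's URL.

```java
public final class HtmlEscaper {

    // Order matters: '&' is replaced first, otherwise the '&' inside the
    // entities introduced by the later replacements would be re-encoded.
    // String.replace is a literal replacement, so no regex escaping is needed
    // (the answer's replaceAll would need the same care with regex metacharacters).
    public static String escapeHtml(String input) {
        if (input == null) {
            return "";
        }
        return input.replace("&", "&amp;")
                    .replace("<", "&lt;")
                    .replace(">", "&gt;")
                    .replace("\"", "&quot;")
                    .replace("'", "&#39;");
    }

    // Hypothetical rendering of the logo parameter inside a single-quoted
    // attribute, the context the question's payload is aimed at. The untrusted
    // value is encoded at the point it is written into the page, not on input.
    public static String logoTag(String logoParam) {
        return "<img src='" + escapeHtml(logoParam) + "'>";
    }

    public static void main(String[] args) {
        // Constructed sample input: the request value from the question's URL.
        String untrusted = "mylogo'><script>alert(\"ATTACK\")</script>";

        // Without encoding the quote and angle brackets close the attribute and
        // open a new element; with encoding the whole value stays inside src.
        System.out.println("unsafe:  <img src='" + untrusted + "'>");
        System.out.println("escaped: " + logoTag(untrusted));
    }
}
```

Run it with `javac HtmlEscaper.java && java HtmlEscaper`. The escaped line shows a single `img` element whose `src` attribute contains only entities, so the browser never sees a second tag. The same encoder is not sufficient for values placed inside a `<script>` block, a URL scheme, or an inline event handler; those contexts need their own encoding rules, which is the caveat the answer makes about script and image tags.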
