
Fortify Open redirect issue on JavaScript

// Reads the user-controlled input and builds the dialog URL by string concatenation
var param = document.getElementById("test").value;
var url = "http://localhost/app/default.aspx?test=" + param;
// The global object is lowercase "window"; "Window" is the constructor and has no showModalDialog method
window.showModalDialog(url);

The showModalDialog method line is showing me a Fortify open redirect issue. Is there any way I can resolve the issue on the client side (in the JavaScript file)?

Your help would be highly appreciated.

Fortify is saying that you're redirecting the user to a new site whose URL is composed of the user's input, which could allow an attacker to phish or perform other attacks if it was manipulated in a special way using the input value. OWASP.org reference

The best way to fix this is to create a whitelist on the server of acceptable parameter values for the parameter test, so when the server receives a request with a value for test, it can redirect the user to a page if the value of the parameter is not recognized/invalid. There's no reliable fix for this issue that lies solely on the client side, given the information provided in the question. A regex would help in theory, although I am unsure if Fortify will be happy with a regex sanitization.
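An added example, not code from the question or the answer, showing the allowlist approach the answer recommends: the test value is checked against a fixed set of known values before any URL is built, and the URL is assembled with the URL API rather than by string concatenation. The allowed values, base URL and fallback page are assumptions for illustration.

```javascript
// Allowlist of the "test" values the application actually knows about.
// These values, BASE_URL and FALLBACK_URL are assumptions, not from the page.
const ALLOWED_TEST_VALUES = new Set(["summary", "details", "history"]);
const BASE_URL = "http://localhost/app/default.aspx";
const FALLBACK_URL = "http://localhost/app/default.aspx";

// Returns the URL to open for a given "test" value, or the fallback when the
// value is not on the allowlist. The value is never concatenated raw: it is
// set through URLSearchParams, so it is percent-encoded as a query value and
// cannot alter the scheme, host or path of the resulting URL. Written as a
// plain function so the same check can run on the server handling the request.
function buildDialogUrl(param) {
  if (typeof param !== "string" || !ALLOWED_TEST_VALUES.has(param)) {
    return FALLBACK_URL;
  }
  const url = new URL(BASE_URL);
  url.searchParams.set("test", param);
  return url.toString();
}

// Defence in depth: confirm the final URL still points at the application's
// own origin, so a later change to BASE_URL or the allowlist cannot silently
// turn this into a redirect to another site.
function isSameOrigin(urlString, expectedOrigin) {
  try {
    return new URL(urlString).origin === expectedOrigin;
  } catch (e) {
    return false; // unparsable URL is never trusted
  }
}

// Constructed sample inputs: one allowed value, one unknown value, one empty.
const samples = ["details", "not-listed", ""];
for (const value of samples) {
  const target = buildDialogUrl(value);
  console.log(JSON.stringify(value), "->", target,
    "same-origin:", isSameOrigin(target, new URL(BASE_URL).origin));
}
```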
