
How to prevent CLIENT_DOM_XSS for location.href in Checkmarx?

I am getting a "CLIENT_DOM_XSS" vulnerability while scanning my project with Checkmarx.

Below is the line of code which is causing the issue:

// make sure we are the top most window
if (window != top)  top.location.href = location.href;

I am getting this vulnerability for location.href.

Can anyone please suggest a fix?

Thank you.

Most of the vulnerabilities are coming from the user input to the potentially vulnerable point.

It means that most of the time it is better to sanitize the user input to avoid getting malicious input into the code flow. Then you can try to think about the use case.

So you need to sanitize the location.href before you are using it.

Use Case:

You are taking the href into top.href. The top can be an iframe or something, right? (I'm not a professional on it.)

You don't always know what the iframe is doing, but maybe I know, so I'm sending a link to your website with a malicious XSS in the QueryString, so that the iframe will get the XSS.

Maybe you might say "the iframe will handle this vulnerability", but in my opinion, you don't want malicious code in your app, at any level.
