How to prevent CLIENT_DOM_XSS for location.href in Checkmarx?
I am getting a "CLIENT_DOM_XSS" vulnerability while scanning my project with Checkmarx.
Below is the line of code which is causing the issue:

```javascript
// make sure we are the top most window
if (window != top) top.location.href = location.href;
```

I am getting this vulnerability for location.href.
Can anyone please suggest a fix?
Thank you.
Most of the vulnerabilities come from user input reaching the potentially vulnerable point.
It means that most of the time it is better to sanitize the user input to avoid getting malicious input into the code flow. Then you can think about the use case.
So you need to sanitize location.href before you use it.

Use Case:
You are taking the href into top.href. The top can be an iframe or something, right? (I'm not professional on it).
You don't always know what the iframe is doing, but maybe I do, so I send a link to your website with a malicious XSS payload in the query string, so that the iframe will get the XSS.
Maybe you might say "the iframe will handle this vulnerability", but in my opinion, you don't want malicious code in your app at any level.