未检测到 OWASP ESAPI XSS 攻击
[英]OWASP ESAPI XSS Attack undetected
问题描述
In a web project we use ESAPI validator to detect XSS attacks using antisamy XML file.
在一个 web 项目中,我们使用 ESAPI 验证器来检测使用 antisamy XML 文件的 XSS 攻击。 While most of the attacks are detected as expected, it fails to detect the below given input as an XSS attack.虽然大多数攻击都按预期检测到,但它无法将下面给定的输入检测为 XSS 攻击。
<img src=x onerror=alert(1) alt= <img src=x onerror=alert(1) alt=
Potentially, the browser closes the tag itself, hence triggering the alert function.浏览器可能会自行关闭标签,从而触发警报 function。
Surprisingly, ESAPI detects the below given input as an XSS attack:令人惊讶的是,ESAPI 将以下给定输入检测为 XSS 攻击:
<img src=x onerror=alert(1) alt="text" <img src=x onerror=alert(1) alt="文本"
The backend has been written in Java and the UI in JavaScript. Antisamy file used:后端写在Java,UI写在JavaScript。使用的Antisamy文件:
https://github.com/OWASP/EJSF/blob/master/esapi_master_FULL/antisamy-esapi.xml https://github.com/OWASP/EJSF/blob/master/esapi_master_FULL/antisamy-esapi.xml
I also tried using the myspace antisamy file, but the problem still persists.我也试过使用myspace antisamy 文件,但问题仍然存在。
Can someone please help me with the reason for the difference in behavior or how to mitigate the problem?有人可以帮我解决行为差异的原因或如何缓解问题吗?
Thanks.谢谢。
1 个解决方案
解决方案1
0 2021-02-26 05:30:20
It also would help for us to know which version of ESAPI you were testing this with as different versions use different versions of AntiSamy.这也有助于我们了解您正在使用哪个版本的 ESAPI 进行测试,因为不同版本使用不同版本的 AntiSamy。 (In fact, there is a new 1.6.0 version coming out shortly, after which we expect to release a new ESAPI point release.) But knowing the ESAPI version (or more specifically, the AntiSamy version) would allow us to make sure that this isn't a bug in AntiSamy. (事实上 ,不久将发布一个新的 1.6.0 版本,之后我们希望发布一个新的 ESAPI 点版本。)但了解 ESAPI 版本(或更具体地说,AntiSamy 版本)将使我们能够确保这不是 AntiSamy 中的错误。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.