Prevent XSS attacks site-wide
I'm new to ColdFusion, so I'm not sure if there's an easy way to do this. I've been assigned to fix XSS vulnerabilities site-wide on this CF site. Unfortunately, there are tons of pages that are taking user input, and it would be near impossible to go in and modify them all.

Is there a way (in CF or JS) to easily prevent XSS attacks across the entire site?
I hate to break it to you, but:

See OWASP's XSS prevention cheat sheet for information on how to prevent XSS.

Traditionally, input validation has been the preferred approach for handling untrusted data. However, input validation is not a great solution for injection attacks. First, input validation is typically done when the data is received, before the destination is known. That means that we don't know which characters might be significant in the target interpreter. Second, and possibly even more importantly, applications must allow potentially harmful characters in. For example, should poor Mr. O'Malley be prevented from registering in the database simply because SQL considers ' a special character?
To elaborate: when the user enters a string like O'Malley, you don't know whether you need that string in JavaScript, or in HTML, or in some other language. If it's in JavaScript, you have to render it as O\x27Malley, and if it's in HTML, it should look like O'Malley. Which is why it is recommended that in your database the string should be stored exactly the way the user entered it, and then you escape it appropriately according to the final destination of the string.
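The "store it raw, encode it at the sink" rule from the answer above, worked through as an added example in JavaScript (the question allows CF or JS); this is not code from the original answers or from OWASP. The two encoders follow the cheat sheet's rule of escaping every character outside [A-Za-z0-9]. The legacyHtmlOnlyEncode function is an assumption for the demo: it models an HTML-only encoder that, like CF9's HTMLEditFormat(), escapes & < > " but not the single quote, so you can see why HTML encoding alone is the wrong tool for a JavaScript string context.

```javascript
// Added example, not code from the original answers: "store raw, encode at the
// sink" in JavaScript. One raw value, two output contexts, two encoders.

// HTML text/attribute context: numeric entities for everything outside
// [A-Za-z0-9], so ' " < > & cannot alter the markup.
function encodeForHTML(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (ch) => `&#x${ch.charCodeAt(0).toString(16)};`);
}

// JavaScript string-literal context: \xHH below U+0100, \uHHHH above, so quotes,
// backslashes and even a literal </script> are inert inside the string.
function encodeForJS(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? `\\x${code.toString(16).padStart(2, "0")}`
      : `\\u${code.toString(16).padStart(4, "0")}`;
  });
}

// Assumption, modelled for the demo: an HTML-only encoder that, like CF9's
// HTMLEditFormat(), escapes & < > " and nothing else. Check the CF docs for the
// exact character set of your version.
function legacyHtmlOnlyEncode(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// One stored value, two sinks, each with the encoder for its own context.
function renderGreeting(rawName) {
  return [
    `<p>Welcome, ${encodeForHTML(rawName)}</p>`,
    `<script>var user = '${encodeForJS(rawName)}';</script>`,
  ].join("\n");
}

// Can an encoded value close a single-quoted JS literal? Any raw ' means yes.
// (The HTML parser never decodes entities inside <script>, so HTML-encoding
// does not help here; it only mangles the value while leaving ' untouched.)
function breaksOutOfJsString(encoded) {
  return encoded.includes("'");
}

// Walk-through with a constructed payload that tries to close a quoted JS string.
const payload = "';alert(1)//";
console.log(renderGreeting("O'Malley"));
console.log("HTML-only encoder in JS context breaks out:",
  breaksOutOfJsString(legacyHtmlOnlyEncode(payload)));   // true
console.log("JS encoder in JS context breaks out:",
  breaksOutOfJsString(encodeForJS(payload)));            // false
```

The point the answer makes is visible in the last two lines: the same raw value is safe or unsafe depending only on which encoder meets it at the output, so the decision has to be made per sink, not once at input time.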
One thing you should look at is implementing an application firewall like Portcullis: http://www.codfusion.com/blog/page.cfm/projects/portcullis which includes a much stronger system than the built-in scriptProtect, which is easily defeated.

These are a good starting point for preventing many attacks, but for XSS you are going to end up going in by hand and verifying that you are using things like HTMLEditFormat() on any outputs that can be touched by the client side or client data, to prevent outputting valid HTML/JS code.
The ColdFusion 9 Livedocs describe a setting called "scriptProtect" which allows you to utilize ColdFusion's protection. I have not used it yet, so I'm not sure how effective it is.

However, if you implement a third-party or your own method of handling it, you would most likely want to put it in the "onRequestStart" event of the application to allow it to handle the entire site when it comes to URL and FORM scope violations (because every request would execute that code).
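The two answers above describe a site-wide request hook (onRequestStart over the URL and FORM scopes) and note that the built-in scriptProtect blocklist is easily defeated. The following added example, in JavaScript rather than CFML and not code from either answer or from ColdFusion, models both: a request-start function that filters every parameter, using a tag blocklist that is an assumption standing in for scriptProtect's default patterns (script, object, embed, applet, meta rewritten to InvalidTag; confirm the real list in your server's neo-security.xml). The stillExecutable helper is a deliberately small check written for this demo.

```javascript
// Added example, not from the original answers: a request-start hook that
// filters all URL/FORM parameters with a scriptProtect-style tag blocklist,
// plus a check showing what such a blocklist misses.

// Assumption: mimics ColdFusion's default scriptProtect patterns. Verify against
// your server's neo-security.xml before relying on it.
const BLOCKED_TAGS = /<\s*(script|object|embed|applet|meta)\b/gi;

// Rewrites the opening tag the way scriptProtect does; everything else is untouched.
function scriptProtectLike(value) {
  return String(value).replace(BLOCKED_TAGS, "<InvalidTag");
}

// Runs once per request, like onRequestStart: returns filtered copies of both
// scopes and the names of parameters that were changed (useful for logging).
function onRequestStart(urlScope, formScope) {
  const touched = [];
  const filterScope = (scopeName, scope) => {
    const out = {};
    for (const [name, value] of Object.entries(scope)) {
      const cleaned = scriptProtectLike(value);
      if (cleaned !== value) touched.push(`${scopeName}.${name}`);
      out[name] = cleaned;
    }
    return out;
  };
  return {
    url: filterScope("URL", urlScope),
    form: filterScope("FORM", formScope),
    touched,
  };
}

// Would this value still run script if a page echoed it unencoded into an HTML
// body? Small demo check: a surviving <script tag or any on*= event handler.
function stillExecutable(value) {
  return /<\s*script\b/i.test(value) || /\son[a-z]+\s*=/i.test(value);
}

// Constructed sample request: one parameter the blocklist catches, one it does not.
const sample = onRequestStart(
  { q: "<script>alert(1)</script>" },
  { bio: "<img src=x onerror=alert(1)>", name: "O'Malley" },
);
console.log(sample.touched);                       // [ 'URL.q' ]
console.log(stillExecutable(sample.url.q));        // false
console.log(stillExecutable(sample.form.bio));     // true
```

The hook does give you one place that sees every request, which is the real value of onRequestStart. But the second console line shows why the answers still send you back to per-output encoding: a blocklist keyed on tag names never sees the event-handler attribute, and the textbook img/onerror vector passes through unchanged.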
Besides applying all the ColdFusion hot fixes and patches you can also: