xss

Configure ESAPI Security Encoding Library to prevent XSS Cross-site scripting issue

假如想象 submitted on 2020-01-15 17:52:10
Question: I am trying to use ESAPI for security encoding in a webapp (JSPs) to prevent XSS. I added esapi-2.1.0.jar under WEB-INF/lib and added the line below in the JSP for encoding: ESAPI.encoder().encodeForHTML(request.getParameter("")) But I get the exception below: org.owasp.esapi.errors.ConfigurationException: ESAPI.properties could not be loaded by any means. Fail. org.owasp.esapi.reference.DefaultSecurityConfiguration.loadConfiguration(DefaultSecurityConfiguration.java:439) I understand the problem is

How do I begin with making a small cross-site AJAX script using someone's API?

北城以北 submitted on 2020-01-15 12:08:56
Question: Let's say I want to use this API: http://hiveminder.com/help/reference/API.html The instructions walk through its use via the curl command line tool, which I'm unfamiliar with. I want to access this API through a simple script on my own page. What are the steps I need to do this? Keep in mind it's been years since I've done any of this. Answer 1: Because cross-site requests can't be done from the client, they need to be initiated from the server. I'm personally not familiar with Hiveminder, but

Whitelisting, preventing XSS with WMD control in C#

北慕城南 submitted on 2020-01-15 11:56:07
Question: Are there any problems with what I am doing here? This is my first time dealing with something like this, and I just want to make sure I understand all the risks, etc. of the different methods. I am using WMD to get user input, and I am displaying it with a literal control. Since it is uneditable once entered, I will be storing the HTML and not the Markdown: input = Server.HTMLEncode(stringThatComesFromWMDTextArea) And then run something like the following for tags I want users to be able to use.

Using kindEditor and preventing XSS attacks (day88)

穿精又带淫゛_ submitted on 2020-01-15 09:42:09
Filtering keywords to prevent XSS. Reference blog:

    # pip3 install beautifulsoup4
    from bs4 import BeautifulSoup

    def xss(old):
        """
        Prevent XSS attacks by filtering key strings.
        :param old: the blog post content or string submitted by the user
        :return: new_str, the sanitized characters
        """
        # Whitelist: allowed tags mapped to the attributes each may keep
        valid_tags = {
            "font": ['color', 'size', 'face', 'style'],
            'b': [],
            'div': [],
            "span": [],
            "table": ['border', 'cellspacing', 'cellpadding'],
            'th': ['colspan', 'rowspan'],
            'td': ['colspan', 'rowspan'],
            "a": ['href', 'target', 'name'],
            "img": ['src', 'alt', 'title'],
            'p': ['align'],
            "pre": ['class'],
            "hr": ['class'],
            'strong': [],
            "h1": [],
            "h2": [],
            "h3": [],
            "h4": [],
            "h5": [],
        }
        soup = BeautifulSoup(old, "html.parser")  #

Server XSS vs. client XSS

吃可爱长大的小学妹 submitted on 2020-01-15 08:00:31
Question: What is a clear explanation of the difference between server XSS and client XSS? I read the explanation on the OWASP site, but it wasn't very clear to me. I know the reflected, stored and DOM types. Answer 1: First, to set the scene for anyone else finding the question, we have the text from the OWASP Types of Cross-Site Scripting page: Server XSS Server XSS occurs when untrusted user supplied data is included in an HTML response generated by the server. The source of this data could be from the

How do I disable the access denied message when trying to do cross scripting into an iframe?

自作多情 submitted on 2020-01-15 07:04:12
Question: I have an iframe that points to a website, i.e. <iframe src='http://www.fish.com/' id='fish'> I have an HTML file on my local PC that tries to click a button in the iframe: alert ( $('#fish').contents().find('#myButton').length ); I have enabled cross site scripting in my browser and lowered security to the max. I still get access denied errors. I have tried in IE6, IE8, and Firefox. How can I remove this restriction? I am trying to test something, and understand the risks etc. Here is an example:

Apache - Can I make a proxy server with just Apache?

眉间皱痕 submitted on 2020-01-15 04:28:26
Question: I have a bunch of subdomains on one single server: a.example.com b.example.com news.example.com All of them are in the same Apache virtualhost. I need to use a feed provided by the news subdomain inside the a and b subdomains. The feeds typically look like this: news.example.com/news/a news.example.com/news/b On the a and b subdomains, I'm using jQuery's ajax function to load the data from the news feeds and present it on a and b. This initially didn't work because of the same-origin policy.

Web attacks: XSS (Part 1)

帅比萌擦擦* submitted on 2020-01-15 02:34:21
1. Introduction to XSS. Cross Site Scripting is abbreviated as XSS so as not to be confused with the abbreviation for Cascading Style Sheets (CSS). A malicious attacker inserts malicious Script code into a web page; when a user browses that page, the Script code embedded in the page is executed, achieving the goal of maliciously attacking the user. That is Baidu's explanation. In fact, XSS exists on almost every website; Google, Baidu, 360 and others all have it (it has become somewhat rarer in recent years), but most websites still have this vulnerability. XSS is a web attack technique that is both popular and not taken very seriously. Why is that? The reasons are as follows: it is time-consuming, has a certain chance of failing, there is no corresponding software to carry out the attack automatically, it is a passive attack method, and so on. Overall, the harm from XSS can be large or small; with this passive attack method, as long as the administrator pays attention, generally no great harm results, but once the administrator is careless, their cookie and the back-end account password may well be exposed, leading to information leakage. The places where XSS vulnerabilities commonly appear are nothing more than comment boxes, search boxes and other places where user data can be submitted. 2. How XSS is carried out. In fact, XSS is carried out by executing illegal JS statements in order to obtain the administrator's cookie. We divide XSS into two major categories: 1. Reflected (this type of XSS is the most common and usually occurs in search boxes; it can only change that user's HTML source after submission, only affects users who open that page, and cannot change the website's source code) 2. Stored

DVWA -- XSS solution walkthrough

北城余情 submitted on 2020-01-15 00:55:03
XSS concept: usually refers to an attack in which a hacker tampers with a web page through HTML injection, inserting a malicious script and thereby controlling the user's browser when the user views the page. There are three kinds of XSS: Reflected XSS: simply reflects the user-entered data back to the browser; put simply, the hacker usually needs to lure the user into clicking a malicious link for the attack to succeed. Stored XSS: the user-entered data is stored on the server side. DOM XSS: XSS formed by modifying the page's DOM nodes. Reflected XSS, LOW level: first use alert to test whether XSS exists. A popup appears, showing that XSS exists. Write a PHP file that receives the page's cookie: <?php $cookie=$_GET['cookie']; file_put_contents('cookie.txt',$cookie); ?> Write JS code to send the page's cookie to cookie.php. The JS code here must be URL-encoded. The page redirects, showing that the JS executed successfully. Next, check whether cookie.txt appears in the www directory of phpstudy. The cookie was obtained successfully. Use the obtained cookie to log in to the DVWA home page: login successful. Medium level: likewise, first use alert for a popup test. The page shows no reaction; <script> may have been filtered. Although the browser filters the <script> tag keyword, it only filters it once, so a bypass can be found. (1) By constructing two <script> tags, i.e. nesting: a popup appears, showing that XSS exists. (2)

XSS cross-site scripting testing

流过昼夜 submitted on 2020-01-15 00:54:24
Testing sometimes involves XSS testing; below is a brief summary of XSS knowledge. The characteristic of XSS cross-site scripting is that it can inject malicious HTML/JS code into the user's browser and hijack the user's session. If the vulnerability is confirmed, different harms arise depending on the injected content, such as stealing cookies, planting malware on the page, malicious operations, cross-site worms and so on. Classification: Reflected: non-persistent, generally a URL that the user must click, with the payload passed in a URL parameter. Persistent: commonly found in interactive features such as comments, often in tags like <textarea>; can be used for trojan planting, phishing, penetration and so on. It can be seen that character filtering can effectively reduce the harm of an XSS attack, but XSS attacks are not that simple: they can also bypass server-side XSS filtering!!! To be continued. PS: lists of commonly used XSS attack statements: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet (English) http://drops.wooyun.org/tips/1955 (Chinese). If the most basic XSS can be found to execute, then other harmful operations can be injected or information obtained, for example via some JavaScript events: onerror, onfocus, onclick, ontimeout... http://wenku.baidu.com/link?url=q9-QLRlKm788Hdn7F0-Fy2Ujqg8N995-DLk4cS_cXdds1h9lQIvtGf78KbUM55GtKiS6qTwd-