xss

Writing XSS Filter for (X)HTML Based on White List

有些话、适合烂在心里 submitted on 2019-12-30 10:38:26
Question: I need to implement a simple and efficient XSS Filter in C++ for CppCMS. I can't use existing high quality filters written in PHP because it is a high performance framework that uses C++. The basic idea is to provide a filter that has a white list of HTML tags and a white list of options for these tags. For example, typical HTML input can consist of <b> , <i> , tags and <a> tag with href . But a straightforward implementation is not good enough, because even allowed simple links may

varchar vs text - MySQL

て烟熏妆下的殇ゞ submitted on 2019-12-30 10:38:09
Question: In my project a user can write a comment [plain text], view others' comments, and delete their own comment, but cannot update a comment! In this case which should I use? Text or Varchar(4048)? What is the advantage and disadvantage of Text and Varchar (large, like 4000)? Is it secure enough if I replace only '<' with '& lt;' and '>' with '& gt;' to make sure everything is fine? [I don't want to convert all those like ' " & ..., to save space, I just want to make sure the user can not write

ESAPI XSS prevention for user supplied url property

可紊 submitted on 2019-12-30 10:10:59
Question: One of my REST APIs is expecting a property "url" which expects a URL as input from the user. I am using ESAPI to prevent XSS attacks. The problem is that the user supplied URL is something like http://example.com/alpha?abc=def&phil=key%3dbdj The canonicalize method from the ESAPI encoder throws an intrusion exception here claiming that the input has mixed encoding, since it is url encoded and the piece '&phi' is treated as HTML encoded and thus the exception. I had a similar problem with

ESAPI XSS prevention for user supplied url property

╄→尐↘猪︶ㄣ submitted on 2019-12-30 10:09:06
Question: One of my REST APIs is expecting a property "url" which expects a URL as input from the user. I am using ESAPI to prevent XSS attacks. The problem is that the user supplied URL is something like http://example.com/alpha?abc=def&phil=key%3dbdj The canonicalize method from the ESAPI encoder throws an intrusion exception here claiming that the input has mixed encoding, since it is url encoded and the piece '&phi' is treated as HTML encoded and thus the exception. I had a similar problem with

Can a “new DOMParser.parseFromString” be safer than “createElement”?

蹲街弑〆低调 submitted on 2019-12-30 09:32:26
Question: I created a script to try to remove insecure content (I'm using it for browser extensions): var str = "<strong>Hello</strong> mundo <script src=\"http://site/badscript.js\"></script>"; CreateDOM(str); function RemoveAttrs(target) { var attrs = target.attributes, currentAttr; var validAttrs = [ "href", "class", "id", "target" ]; for (var i = attrs.length - 1; i >= 0; i--) { currentAttr = attrs[i].name; if (attrs[i].specified && validAttrs.indexOf(currentAttr) === -1) { target.removeAttribute

User-editable HTML XSS protection (tumblr like)

别来无恙 submitted on 2019-12-30 08:33:32
Question: I want my service to have such a feature: an author can fully customize the page, but can't steal users' cookies. Tumblr had some troubles with that, but solved them successfully http://www.riyazwalikar.com/2012/07/stored-persistent-xss-on-tumblr.html So I need a solution with: no moderation; full access to the HTML code of pages for user-authors; I don't want white-list filtering or a templating language (that is how it works now :( ); no opportunity to steal each other's cookies (on pages of other

Codeigniter xss_clean dilemma

匆匆过客 submitted on 2019-12-30 05:13:33
Question: I know this question has been asked over and over again, but I still haven't found the perfect answer for my liking, so here it goes again... I've been reading lots and lots of polarizing comments about CI's xss_filter. Basically the majority says that it's bad. Can someone elaborate how it's bad, or at least give the 1 most probable scenario where it can be exploited? I've looked at the security class in CI 2.1 and I think it's pretty good as it doesn't allow malicious strings like document.cookie,

Is it necessary to “escape” character “<” and “>” for javascript string?

余生颓废 submitted on 2019-12-30 03:49:11
Question: Sometimes, the server side will generate strings to be embedded in inline JavaScript code. For example, if "UserName" should be generated by ASP.NET, then it looks like: <script> var username = "<%UserName%>"; </script> This is not safe, because a user can set his/her name to be </script><script>alert('bug')</script></script> It is an XSS vulnerability. So, basically, the code should be: <script> var username = "<% JavascriptEncode(UserName)%>"; </script> What JavascriptEncode does is to add

Alternative to using c:out to prevent XSS

北城以北 submitted on 2019-12-30 03:15:06
Question: I'm working on preventing cross site scripting (XSS) in a Java, Spring based, Web application. I have already implemented a servlet filter similar to this example http://greatwebguy.com/programming/java/simple-cross-site-scripting-xss-servlet-filter/ which sanitizes all the input into the application. As an extra security measure I would like to also sanitize all output of the application in all JSPs. I have done some research to see how this could be done and found two complementary options.

Summary of session hijacking vulnerabilities: cookie hijacking methods, attributes, principles, harm and defenses

戏子无情 submitted on 2019-12-29 22:37:09
Session hijacking
Concept: Session hijacking is an attack in which the attacker, after obtaining a user's Session ID, logs in to the target account with that Session ID; at that point the attacker is in fact using the target account's valid session. The first step of session hijacking is to obtain a legitimate session identifier in order to impersonate a legitimate user. Note: the Session ID is generally stored in a cookie.
Steps: the target user first logs in to the site; after a successful login, the user receives a session identifier (Session ID) issued by the site; the attacker captures the Session ID by some attack technique; the attacker accesses the site with the captured Session ID and thereby obtains the target user's legitimate session.
Schematic diagram (figure)
Obtaining the cookie: understand the cookie interface, that is, locate the Session ID and then crack it. Brute force: try Session IDs one after another until one succeeds. Prediction: if Session IDs are generated in a non-random way, they may be computable. Theft: obtained through XSS attacks, network sniffing (man-in-the-middle attacks) and similar methods.
Hijacking cookies via XSS attacks (figure)
Hijacking cookies via man-in-the-middle attacks (figure)
Harm: acting as someone else: the greater the impersonated user's privileges, the more the attacker can do, for example changing user information, making transfers, purchasing items. Impact on the website: complaints and the like cause its reputation to decline, and customers come to regard the site itself as untrustworthy.
Cookie mechanism: in dynamic web languages, once a user (browser) has visited (logged in), its state can be tracked from then on. The browser stores this state in a cookie.