xss

is it okay to “repeatedly” xss-clean data in CodeIgniter?

不羁岁月 提交于 2019-12-23 11:54:30
问题 The following are ways to XSS-clean data in Codeigniter: set global_xss_filtering in config to TRUE use xss_clean() use xss_clean as a validation rule set the second parameter to TRUE in $this->input->post('something', TRUE) Is it okay to use all or more than one of them on one piece of data? For example, would it be okay if I still used $this->input->post('something', TRUE) even if the data has already been cleaned by global_xss_filtering and xss_clean validation rule? 回答1: It's not going to

Ignoring base tag after post

折月煮酒 提交于 2019-12-23 09:52:39
问题 On Chrome I'm getting an error Refused to execute a JavaScript script. Source code of script found within request. after posting data that contains the name of the domain (also note the lack of javascript on either page) . badpage1.html: <form action="/badpage2.html" method="post"> <input type="hidden" name="name" value="href=%22http://www.w3.org/%22"/> <input type="submit" name="submit"/> </form> badpage2.html: <!DOCTYPE html> <html> <head> <base href="http://www.w3.org/"/> </head> <body>

PHP Validate base64 encoded images

你说的曾经没有我的故事 提交于 2019-12-23 05:37:19
问题 I need to find a way to validate an image that is base64 encoded in PHP. By validate i'm thinking of XSS and other security things like that. The flow is: User has some parameters where one og more in a base64 encode string of an image and post them to my site. When i receive the parameter fx called img1 with the base64 encoded image string as value. I would then like to make sure that this base64 encoded string only consist of the image and doest not have any tags and any other things

Reading document.links from an IFrame

为君一笑 提交于 2019-12-23 05:26:32
问题 EDIT: Just a quick mention as to the nature of this program. The purpose of this program is for web inventory. Drawing different links and other content into a type of hierarchy. What I'm having trouble with is pulling a list of links from a webpage within an IFrame. I get the feeling this one is gonna bite me hard. (other posts indicate relevance to xss and domain controls) I'm just trying something with javascript and Iframes. Basically I have a panel with an IFrame inside that goes to

href security, prevent xss attack

倖福魔咒の 提交于 2019-12-23 02:01:53
问题 <?PHP //fetch website data from db.. $website=htmlentities("javascript:alert()"); ?> <a href="<?PHP echo $website;?>">Click me</a>//without http will get attack <a href="http://<?PHP echo $website;?>">Click me</a> I have a web application provide an input for user to add their website. however i am consider the security problem, I did the testing. if I have add http:// it won't run javascript. My question is are there anything else I need to do for href security? $url="example.php?name=Peter

Is Xss protection in Spring security enabled by default?

天大地大妈咪最大 提交于 2019-12-23 01:55:28
问题 I want to enable Spring Security XSS protection in my application. 1) Read docs and blogs, and https://spring.io/blog/2013/08/23/spring-security-3-2-0-rc1-highlights-security-headers/ indicates XSS is there by default 2) And http://docs.spring.io/spring-security/site/docs/current/reference/html/headers.html indicates it is not there by default 3) If I use http.headers().xssProtection() in my configure method in an class extending WebSecurityConfigurerAdapter : does that disable all the other

Is URLEncoder.encode(string, “UTF-8”) a poor validation?

旧时模样 提交于 2019-12-23 01:45:09
问题 In a portion of my J2EE/java code, I do a URLEncoding on the output of getRequestURI() to sanitize it to prevent XSS attacks, but Fortify SCA considers that poor validation. Why? 回答1: The key point is that you need to convert HTML special characters to HTML entities. This is also called "HTML escaping" or "XML escaping". Basically, the characters < , > , " , & and ' needs to be replaced by < , > , " , & and ' . URL encoding does not do that. URL encoding converts URL special characters to

csrf与xss

烈酒焚心 提交于 2019-12-23 00:56:30
CSRF 攻击攻击原理及过程如下: 1. 用户C打开浏览器,访问受信任网站A,输入用户名和密码请求登录网站A; 2.在用户信息通过验证后,网站A产生Cookie信息并返回给浏览器,此时用户登录网站A成功,可以正常发送请求到网站A; 3. 用户未退出网站A之前,在同一浏览器中,打开一个TAB页访问网站B; 4. 网站B接收到用户请求后,返回一些攻击性代码,并发出一个请求要求访问第三方站点A; 5. 浏览器在接收到这些攻击性代码后,根据网站B的请求,在用户不知情的情况下携带Cookie信息,向网站A发出请求。网站A并不知道该请求其实是由B发起的,所以会根据用户C的Cookie信息以C的权限处理该请求,导致来自网站B的恶意代码被执行。 防御CSRF攻击: (1)验证 HTTP Referer 字段 (2)在请求地址中添加 token 并验证 (3)在 HTTP 头中自定义属性并验证 扩展:     SSRF(Server-Side Request Forgery:服务器端请求伪造) 是一种由攻击者构造形成由服务端发起请求的一个安全漏洞。一般情况下,SSRF攻击的目标是从外网无法访问的内部系统。(正是因为它是由服务端发起的,所以它能够 请求到与它相连而与外网隔离的内部系统)   SSRF 形成的原因大都是由于服务端提供了从其他服务器应用获取数据的功能且没有对目标地址做过滤与限制

I use AntiXSS but I still can hack page

跟風遠走 提交于 2019-12-22 21:30:57
问题 I don't know if I am doing this right. I first time build something to prevent attack on page. I will start from the bottom: I have property: public string Description {get;set;} User can set it's value through tinyMCE tinyMCE.init({ mode: "textareas", theme: "advanced", encoding : "xml"... In controller before I save this in database I do: model.Description = HttpUtility.HtmlDecode(model.Description); In database I have a value like: <p>bla bla bla</p> I added AntiXSS library to my project:

I use AntiXSS but I still can hack page

独自空忆成欢 提交于 2019-12-22 21:30:30
问题 I don't know if I am doing this right. I first time build something to prevent attack on page. I will start from the bottom: I have property: public string Description {get;set;} User can set it's value through tinyMCE tinyMCE.init({ mode: "textareas", theme: "advanced", encoding : "xml"... In controller before I save this in database I do: model.Description = HttpUtility.HtmlDecode(model.Description); In database I have a value like: <p>bla bla bla</p> I added AntiXSS library to my project:
订阅 xss