xss

CakePhp: Avoid XSS attack keeping the ease of use of cake

筅森魡賤 Submitted on 2019-12-21 21:28:53
Question: One of the things I like about cakePhp is that we can easily have a generated edit form which allows us to save. E.g. in a controller: function add() { if (!empty($this->data)) { $this->Post->create(); if ($this->Post->save($this->data)) { $this->Session->setFlash(__('The post has been saved', true)); $this->redirect(array('action' => 'index')); } else { $this->Session->setFlash(__('The post could not be saved. Please, try again.', true)); } } $users = $this->Post->User->find('list'); $this

What is the best way to filter URLs for input?

廉价感情. Submitted on 2019-12-21 20:45:05
Question: I have a form that is accepting URLs from users in PHP. What characters should I allow or disallow? Currently I use $input= preg_replace("/[^a-zA-Z0-9-\?:#.()\,\/\&\'\\"]/", "", $string); $input=substr($input,0,255); So, it's trimmed to 255 chars and can only include letters, numbers, and ? - _ : # ( ) , & ' " / Anything I should be stripping that I'm not, or anything I'm stripping that might need to be in a valid URL? Answer 1: RFC 1738 which defines the URL specification states that only the

Are XSS attacks possible through email addresses?

允我心安 Submitted on 2019-12-21 15:16:12
Question: I wonder whether an email address can be used for XSS attacks. Let's suppose there is a website where one can register and give his email address. If one wants to attack the given website, he or she might create an email address, such as this one: "<script src=//my.evil.site/is/attacking/u.js></script>"@stmpname.com and then use this email address to attack the website. Are quotes or script tags allowed in an email address? Answer 1: The email address in your example appears valid. The only

Understanding web attacks in plain language (XSS, CSRF)

落爺英雄遲暮 Submitted on 2019-12-21 14:49:13
This article mainly introduces how XSS and CSRF attacks work, how to defend against them, and the differences between the two. Let's take a look. XSS I. How XSS works: an XSS (cross-site scripting) attack is carried out by writing JS scripts or inserting malicious HTML tags into a website. For example, the attacker places a seemingly safe link on a forum, tricks the user into clicking it, and steals the user's private information from the cookie; or the attacker adds a malicious form to the forum, and when the user submits the form, the information is sent to the attacker's server instead of the trusted site the user expected. II. Types of XSS attacks: stored (persistent), reflected (non-persistent), and DOM-based. 1. Stored (persistent): user input containing a malicious script is stored on the server side. When the browser requests the data, the server returns the script and it executes. Common scenario: an attacker writes an article or comment containing malicious JS code on a community site or forum; once it is published, every user who visits that article or comment executes the malicious JavaScript in their browser. 2. Reflected (non-persistent): the user's input is "reflected" back to the browser. Typically, when the user clicks a link or submits a form, the attacker injects a malicious script into the website the user is visiting. Common scenario: a malicious link is added to a normal page. The malicious link points to localhost:8080. The attacker then has a Node service that handles requests to localhost:8080: when the user clicks the malicious link

Front-end security: XSS and CSRF attacks

一笑奈何 Submitted on 2019-12-21 14:48:49
1. CSRF attack concept: CSRF attack (Cross-site request forgery): cross-site request forgery. 2. How a CSRF attack works: the user is a registered user of site A and is logged in, so site A issues the user a cookie. As the figure above shows, to complete a CSRF attack the victim must meet two necessary conditions: (1) log in to trusted site A and have a cookie generated locally (if the user is not logged in to site A, then when site B lures the user into requesting site A's API, it will prompt the user to log in); (2) visit dangerous site B without logging out of A (this actually exploits a vulnerability in site A). When explaining CSRF, these two points must be made clear. A friendly reminder: the cookie keeps the user logged in, but site B actually cannot obtain the cookie. For example, a while ago a Weibo API had a vulnerability that caused many users' follower counts to surge. 3. How to defend against CSRF. Method 1: Token validation (the most commonly used): (1) the server sends the client a token; (2) the form submitted by the client carries this token; (3) if the token is invalid, the server rejects the request. Method 2: Hidden token: hide the token in the HTTP header. Method 2 is similar to Method 1; there is no essential difference, only a difference in how it is used. Method 3: Referer validation: the Referer is the origin of the page request. That is, the server only responds to requests that come from this site; if they do not, it blocks them.

Copy html content from iframe into div ( ajax )?

大兔子大兔子 Submitted on 2019-12-21 12:49:21
Question: Let's assume I have my browser load an iframe with <iframe src="test.html"> Can I, using ajax, load the content of test.html into a div in the main html page? This idea is my solution for the fact that I'm actually trying to overcome the limitation with making ajax submits to remote hosts. The plan is to generate the dynamic page with a 0 sized iframe which makes a report request to the remote host. Then, after the page (& iframe content) loads I will copy the iframe content into a div using JS. Tips

Are data URIs on <img>s XSS exploitable?

守給你的承諾、 Submitted on 2019-12-21 09:35:19
Question: After reading this article I don't have a clear answer: http://palizine.plynt.com/issues/2010Oct/bypass-xss-filters/ Will browsers interpret a text/html data URI payload in <img> src as a document where <script> tags are executed? If not then is it safe to allow data URIs in third party HTML? What safety mechanisms exist at the browser level for this use case? Answer 1: The MSDN documentation says IE does not: For security reasons, data URIs are restricted to downloaded resources. Data URIs cannot

Prevent auto clicked link XSS attack using CSP

橙三吉。 Submitted on 2019-12-21 07:34:38
Question: Whilst using CSP for a slightly different purpose (sandboxing) I realized that a very simple auto clicked link seems to bypass even relatively strict CSP. What I am describing is the following: Content security policy: default-src 'none'; script-src 'unsafe-inline'; And the body: <a href="http://www.google.com">test</a> <script> document.querySelector("a").click(); </script> Obviously in a real attack you would include the cookie information in the href field first and probably wrap this in

Security Runtime Engine VS AntiXSS Library

别等时光非礼了梦想. Submitted on 2019-12-21 05:42:14
Question: I see that the web protection library (WPL) comes with 2 different options: Security Runtime Engine (SRE) AntiXSS Library The first one seems great since no code is necessary, it's an HTTPModule. The second requires manually adding the escaping logic to the code. Despite this advantage I mentioned, SRE is not very popular and I'm wondering why. Is there any known problem with this library or any big advantage of using AntiXSS that I'm not seeing? Thanks! Answer 1: The biggest flaw I see in the SRE is

Modifying htmlpurifier allowed tags for this markup

陌路散爱 Submitted on 2019-12-21 05:25:09
Question: My HTML Purifier settings now allow only these tags $configuration->set('HTML.Allowed', 'p,ul,ol,li'); I want to allow indentation of lists and my editor uses this html <ul style="margin-left: 40px;"> How should I change my HTMLPurifier allowed tags? I thought to add style , but I think it would be better to specify exactly which style is allowed, which in this case would be margin-left . What is the right way to change HTML.Allowed for this case? Answer 1: Allow the style attributes, and then