owasp

How to properly end a user's session?

会有一股神秘感。 submitted on 2019-12-07 04:14:17
Question: I've been working on the security of my site (PHP) and there's a ton of information to ingest. I've tried to implement security I've researched on OWASP, but one thing I'm a little nervous about, among other things, is how to handle SESSIONS when the user logs out. Currently all I'm using is: session_destroy(); But I've read that I should change the XSRF token and start another SESSION so it forces the user to resubmit login credentials, in turn explicitly ending the user's SESSION. Is session

GWT & XSRF Protection

拜拜、爱过 submitted on 2019-12-07 02:06:21
Question: I'm looking at possible solutions to protect my GWT app against XSRF. If I understand GWT's solution correctly, it makes available a Servlet which you use both to generate the token on the client side (when calling your RPC endpoint) and to validate it on the server side (when the call hits your service). Does this solution only cater for RPC calls? Surely we need it to cover all user-generated requests to the server? Any other recommended XSRF solutions (I'm also looking at OWASP's CSRFGuard)?

Which XSS OWASP Rule

孤街醉人 submitted on 2019-12-06 14:42:34
Using the OWASP checklist, which is the correct way to protect against this situation? This is a URL inside of a JavaScript string, where a URL parameter needs to have XSS protection. Problem: <script> var u = 'xyz.html?x=<% url.baddata %>' dosomeAjax(u); </script> Possible solution 1: var u = 'xyz.html?x=<% encodeForURL(url.baddata) %>' Possible solution 2: var u = 'xyz.html?x=<% encodeForJavaScript(url.baddata) %>' Possible solution 3: var u = 'xyz.html?x=<% encodeForJavaScript(encodeForURL(url.baddata)) %>' Solution 3 should be used: //solution 3: var u = 'xyz.html?x=<% encodeForJavaScript(encodeForURL

Error when using Esapi validation

送分小仙女 submitted on 2019-12-06 12:07:29
Question: I hope someone could help me with an issue. I'm using OWASP ESAPI 2.1.0 with JavaEE to help me validate some entries in a web application. At some point I needed to validate a Windows file path, so I added a new property entry in 'validation.properties' like this one: Validator.PathFile=^([a-zA-Z]:)?(\\\\[\\w. -]+)+$ When I try to validate, for example, a string like "C:\TEMP\file.txt" via ESAPI, I get a ValidationException: ESAPI.validator().getValidInput("PathFile", "C:\\TEMP\

ESAPI canonicalize malforming url

五迷三道 submitted on 2019-12-06 05:00:47
We have an application that accepts URLs from users. This data needs validation, and we're using ESAPI for this purpose. However, we're struggling with URLs containing ampersands. The problem appears when ESAPI canonicalizes the data before validation. &pid=123 in the URL turns into πd=123 for example. Since π is not whitelisted, the validation fails. I've tried encoding it, but ESAPI is smarter than that and does canonicalization to avoid double encoding and mixed encoding. I'm a bit stumped here and I'm not sure how to proceed. avgvstvs This problem is a known bug in ESAPI. I started working

Adding security headers in response using spring security

会有一股神秘感。 submitted on 2019-12-06 05:00:41
Question: I am using Spring Security version 3.2. I am adding headers such as X-Frame-Options and X-Content-Type-Options to the response headers of the authenticated request. <sec:http auto-config="false"> <sec:headers> <sec:frame-options policy="DENY" /> <sec:content-type-options /> <sec:xss-protection enabled="true" block="true" /> </sec:headers> </sec:http> But those headers are not getting added for the security="none" request. <sec:http security="none" pattern="/spring/loginpage" /> What might be the reason?

How to structure my app to use Firebase, Braintree, Ionic/AngularJS, and a minimal nodejs server

主宰稳场 submitted on 2019-12-06 04:32:34
Question: Refer to this question: Braintree Dropin UI does not work with Ionic Framework unless force refresh. My current Ionic / Angular / Firebase + a very simple Node server app has a security issue when using Braintree to charge a user's credit card. The problem, according to @RaymondBerg, is that the client can post any customerId, create a Braintree token and charge that customer, since all my user authorization happens in Firebase / Angular, on the client side. So when the user does a $HTTP.post from my

OWASP web scanner: introduction and usage, part 1

折月煮酒 submitted on 2019-12-05 14:48:13
1. Introduction to OWASP ZAP: OWASP ZAP is an open-source web security tool. It is simple to use and similar to Burp Suite; its main features include a proxy, intercepting and modifying traffic, active scanning, passive scanning, active attack, spidering, fuzzing and penetration testing. 2. OWASP ZAP download addresses: (1) ZAP download: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project (2) ZAP China: http://www.owasp.org.cn/ 3. OWASP ZAP installation environment: mine is jdk1.8 + owasp2.7.0, Windows version; otherwise you can use the ZAP bundled with Kali Linux. 4. Starting ZAP: (1) persist the session, named by timestamp (2) persist the session to a specified local directory (3) this run only, keep no history. Normally the second option is chosen by default; click Start. (4) Set the browser proxy; ZAP listens on port 8080 by default. 5. Case test demonstration: (1) URL to attack: the address under test, http://www.baidu.com; click Attack (2) click the site in the left panel to view the crawled content (3) click History at the bottom (4) check the Alerts panel at the bottom for alert information, graded high, medium and low; high and medium alerts generally need to be fixed and hardened (5) view the test report: (1) click Report at the top and export HTML. Source: https://www.cnblogs.com

Pentest-bookmarks v1.5

自作多情 submitted on 2019-12-05 14:16:53
Bookmarks Bookmarks Menu Recently Bookmarked Recent Tags Mozilla Firefox Help and Tutorials Customize Firefox Get Involved About Us Hackery http://www.ikkisoft.com/stuff/SMH_XSS.txt XFS 101: Cross-Frame Scripting Explained | SecureState Information Security Blog What The Fuck Is My Information Security Strategy? OWASP_DanielCutbert_Evolution_WebAppPenTest.mp4 DeepSec 2007 - Aaron Portnoy Cody Pierce - RPC Auditing Tools and Techniques extern blog SensePost; Zen One: PCI Compliance -

How to use JSON Sanitizer at Server Side?

大兔子大兔子 submitted on 2019-12-05 11:39:52
I want to implement the 'JSON Sanitizer' validation as mentioned by OWASP. My understanding is that this needs to be done in two places: JSON data (in the Request) received from the Client or other systems - this needs to be sanitized on the server side before being processed; JSON data (in the Response) to be sent to the Client - this needs to be sanitized on the server side before being sent to the client. Is it sufficient that I just call a sanitizing method from the JSON Sanitizing library on that JSON data? Will that perform all sanitization, or are there any other validations to be done in this regard? The OWASP JSON