owasp

Server XSS vs. client XSS

Submitted by 吃可爱长大的小学妹 on 2020-01-15 08:00:31
Question: What is a clear explanation of the difference between server XSS and client XSS? I read the explanation on the OWASP site, but it wasn't very clear to me. I know the reflected, stored and DOM types.
Answer 1: First, to set the scene for anyone else finding the question, we have the text from the OWASP Types of Cross-Site Scripting page: "Server XSS: Server XSS occurs when untrusted user supplied data is included in an HTML response generated by the server. The source of this data could be from the

OWASP-ESAPI logger help needed

Submitted by 自作多情 on 2020-01-13 03:57:47
Question: In my current project I am using Maven and Spring. I am currently using the SLF4J logger for logging services. In place of that I want to use the OWASP-ESAPI logger. I don't want to use OWASP-ESAPI security, just the log services. Can anybody please guide me on how to use the OWASP-ESAPI logger by replacing the slf4j logger with minimum effort? I tried a lot of Google searches but nothing helps. I would really appreciate some links to gain knowledge about the OWASP-ESAPI logger as well.
Answer 1: Refactoring your code to

what is x-Application-Context header?

Submitted by 两盒软妹~` on 2020-01-12 03:14:32
Question: What does this response header (x-Application-Context) stand for? Is it specific to the Spring framework? What does the header below mean? X-Application-Context airtel-project-service:aws:27094 Does it reveal any sensitive information like hostname or port number?
Answer 1: Spring Boot's ApplicationContextHeaderFilter does add this header. Class description: OncePerRequestFilter to add a X-Application-Context header that contains the ApplicationContext ID. The ApplicationContext ID is a name for the deployed

Can I do sql injection on this website [closed]

Submitted by 五迷三道 on 2020-01-11 14:50:27
Question: Closed. This question needs to be more focused. It is not currently accepting answers. Closed 2 years ago. I am trying to fetch bulk data from a website database but could not succeed. Can somebody suggest whether SQL injection is possible and how to do it in this case?
Answer 1: There are many ways to do SQL Injection to a website similar to the one you provided. In the where clause it is

CSRFGuard - request token does not match page token & How can generate token per session

Submitted by 情到浓时终转凉″ on 2020-01-07 06:48:20
Question: I am trying to incorporate the CSRFGuard library (org.owasp csrfguard 3.1.0) in order to rectify some CSRF vulnerabilities in an application. However, after configuring it as specified here, I am now getting the message below: Here I would like to explain the scenario in which I am getting this message. Suppose my application landing page looks like this, and the code snippet for this page (HelloWorld.jsp) is <%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%> <%@

Securing application against XSS

Submitted by 江枫思渺然 on 2020-01-06 13:07:07
Question: We are currently using the OWASP AntiSamy project to protect our application against XSS attacks. Every input field is sanitized when any given form is submitted to the server. It works fine, but we have issues with fields like company name, organization name, etc. For example, the ampersand is escaped for AT&T and the company name is displayed wrong (displayed with escaped characters). We manually update the fields in the database to fix this issue. However, this is a pain in the neck, as you can imagine. Is

Why Open Redirect URLS?

Submitted by 故事扮演 on 2020-01-05 01:30:13
Question: I've been going through the OWASP Top 10 to get a deeper understanding of each specific type of vulnerability. I've made my way to the last item, Unvalidated URL Redirects. I understand the attack; such a phishing scheme seems completely obvious now that I have read about it in OWASP. What I am struggling to understand is why this style of redirecting ever occurs in the first place. There must be some advantage(s) to including the redirect URL as a parameter in the URL, i.e. example.com/go.php

OWASP ZAP reported “alert(1);” XSS vulnerability, but no popup showed up

Submitted by 人盡茶涼 on 2020-01-01 07:24:09
Question: OWASP ZAP reported an “alert(1);” XSS vulnerability, but we could not get a popup in the browser. Is this just a false positive? The HTML surrounding the injected attack is:
<script type="text/javascript">
DataSet.FilterBuilder.QueryValuesDictionary['57_ctl00'] = ;alert(1);;
</script>
Source: https://stackoverflow.com/questions/29223275/owasp-zap-reported-alert1-xss-vulnerability-but-no-popup-showed-up

ESAPI XSS prevention for user supplied url property

Submitted by 可紊 on 2019-12-30 10:10:59
Question: One of my REST APIs is expecting a property "url" which expects a URL as input from the user. I am using ESAPI to prevent XSS attacks. The problem is that the user-supplied URL is something like http://example.com/alpha?abc=def&phil=key%3dbdj The canonicalize method from the ESAPI encoder throws an intrusion exception here, claiming that the input has mixed encoding, since it is URL encoded and the piece '&phi' is treated as HTML encoded, hence the exception. I had a similar problem with