owasp

Common vulnerabilities for WinForms applications

无人久伴 submitted on 2019-12-30 01:06:07
Question: I'm not sure if this is on-topic or not here, but it's so specific to .NET WinForms that I believe it makes more sense here than at the Security stackexchange site. (Also, it's related strictly to secure coding, and I think it's as on-topic as any question asking about common website vulnerabilities that I see all over the site.) For years, our team has been doing threat modeling on Website projects. Part of our template includes the OWASP Top 10 plus other well-known vulnerabilities, so

How to disable ModSecurity: collection_store write to DBM file

安稳与你 submitted on 2019-12-25 12:41:17
Question: Receiving this ModSecurity error: ModSecurity: collection_store: Failed to write to DBM file "/tmp/default_SESSION": Invalid argument There is no Rule ID associated with this error. I know I can disable by rule id using SecRuleRemoveById xxxxxx How can I disable writing to the DBM file and/or locate the rules that are specifically causing this error? Answer 1: Collections are initialised by rules 900020 and 900021 in the OWASP CRS in the modsecurity_crs_10_setup.conf file. They are primarily used

Getting an error in Python code to automate OWASP ZAP for the application

試著忘記壹切 submitted on 2019-12-24 06:18:30
Question: I am trying to automate OWASP ZAP for scanning a project to identify security vulnerabilities as per the article below: https://www.securify.nl/blog/SFY20150303/automating-security-tests-using-owasp-zap-and-jenkins.html I am getting an error in the line of code below :- zap.spider.scan(target) Script source :- https://github.com/zaproxy/zaproxy/wiki/ApiPython Code I am using :- #!/usr/bin/env python import time from pprint import pprint from zapv2 import ZAPv2 # Here the target is defined and an instance of

How to set CSRF token in angular page - OWASP CSRFGuard 3.0

☆樱花仙子☆ submitted on 2019-12-23 21:13:06
Question: I have used Spring MVC to build my RESTful services: http://localhost:8088/SpringRestCSRF/rest/rest/greeting I am using OWASP CSRFGuard 3.0 to protect these RESTful services from CSRF. When accessing the same REST service using a simple HTML AJAX request, the CSRF token is getting set and I am getting the response. The code below is working fine. <!DOCTYPE html> <html> <head> <title>REST Service with CSRF Protection</title> <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery

ESAPI canonicalize malforming url

ぐ巨炮叔叔 submitted on 2019-12-22 12:38:58
Question: We have an application that accepts URLs from users. This data needs validation, and we're using ESAPI for this purpose. However, we're struggling with URLs containing ampersands. The problem appears when ESAPI canonicalizes the data before validation. &pid=123 in the URL turns into πd=123 for example. Since π is not whitelisted, the validation fails. I've tried encoding it, but ESAPI is smarter than that and does canonicalization to avoid double encoding and mixed encoding. I'm a bit stumped

Is preventing open redirect attacks in Node.js secure?

允我心安 submitted on 2019-12-22 06:35:21
Question: I'm trying to prevent an open redirect attack. Please look at the code below and check for security: var url = require('url'); // http://example.com/login?redirect=http://example.com/dashboard app.route('/login', function (req, res, next) { var redirect = req.query.redirect, paths = url.parse(redirect); if (paths.host !== req.headers.host) { return next(new Error('Open redirect attack detected')); } return res.redirect(redirect); }); Is it enough for preventing an open redirect attack or should I add

AntiSamy parser force closing tag

╄→尐↘猪︶ㄣ submitted on 2019-12-22 05:31:12
Question: I use AntiSamy for validating HTML. My policy allows iframes, like YouTube videos. The problem is: if the tag is empty (like this): <iframe src="//www.youtube.com/embed/uswzriFIf_k?feature=player_detailpage" allowfullscreen></iframe> then after cleaning it will be like this: <iframe src="//www.youtube.com/embed/uswzriFIf_k?feature=player_detailpage" allowfullscreen/> But it should have a normal closing tag. And this breaks all content on the page after it. I already set my directives to use most of HTML but not

Apache Shiro & Java Security for Novices

放肆的年华 submitted on 2019-12-22 04:32:29
Question: I know next-to-nothing about Java's security model, including XML configuration, policy-setting, any security framework components, tools (such as keystore, etc.) and everything in between. Although I understand it will eventually become essential for me to roll up my sleeves and learn Java security in-depth, I was wondering if using something like Apache Shiro would help ease the transition a bit. As such, I have a few concerns with it. Is Shiro, essentially, a "turnkey, catchall wrapper"

CSRFGuard - request token does not match session token

喜你入骨 submitted on 2019-12-21 23:21:03
Question: I am trying to incorporate the CSRFGuard library in order to rectify some CSRF vulnerabilities in an application. However, after configuring it as specified here, I am now getting the messages below in the log when I navigate the application: WARNING: potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:169.xx.x.xxx, uri:/myapp/MyAction, error:request token does not match session token) Through including the: <script src="/sui/JavaScriptServlet"></script> On my main