owasp

Why should I put a CSRF token in a JWT token?

和自甴很熟 submitted on 2019-12-20 14:42:41
Question: I want to bring up a doubt about JWT tokens and CSRF from the Stormpath post that explains the advantages and disadvantages of storing the JWT either in localStorage or in cookies. [...] if you are reading values out of a cookie using JS, that means you can't set the HttpOnly flag on the cookie, so now any JS on your site can read it, thus making it the exact same security level as storing something in localStorage. I'm trying to understand why they recommend adding the xsrfToken to the JWT. Doesn't

Why doesn't OWASP recommend to bcrypt the password both on the client and the server?

微笑、不失礼 submitted on 2019-12-19 19:53:19
Question: Since the recent problems with GitHub and Twitter (GitHub Accidentally Recorded Some Plaintext Passwords in Its Internal Logs; Twitter Admits Recording Plaintext Passwords in Internal Logs, Just Like GitHub), I was wondering: why isn't the best practice to bcrypt the password both on the client and on the server? Since I won't change anything that is already best practice on the server side (salt, strong hash, HTTPS), it can only be safer. The server would consider the already hashed

Adding authentication in ZAP tool to attack a URL

末鹿安然 submitted on 2019-12-17 22:36:15
Question: How do I pass authentication details to the ZAP tool to scan the website? Please help me solve the problem. Answer 1: Quite an old question, but here it goes. The simplest way to do this is to set your browser to proxy through ZAP. On Firefox you can go to: Options -> Advanced -> Network -> Settings. Select Manual Proxy Configuration and fill in the HTTP Host with the address of the machine running ZAP (most probably localhost) and the configured ZAP port. You can check and configure the ZAP port

how to solve OWASP ZAP reported “alert(1);” XSS vulnerability

给你一囗甜甜゛ submitted on 2019-12-13 08:55:35
Question: After running the OWASP ZAP scanning tool against our application, we see a number of XSS vulnerabilities when the tool attacked with this string: " onMouseOver="alert(1); or ;alert(1). So such strings will appear in the server response, though they don't do anything in the browser. Maybe it's trying to insert additional attributes into HTML tags, but how do we solve the problem? Answer 1: If you can post the HTML surrounding the injected attack then that might be enough. If you select the alert in ZAP then

can we use owasp-ESAPI for logging android application?

佐手、 submitted on 2019-12-13 07:13:38
Question: Can we use owasp-ESAPI for logging in an Android application? I have tried searching on Google, and as per my understanding I found that OWASP-ESAPI can be used with Java EE. Can someone help me integrate a secure logger with OWASP-ESAPI in an Android application? For a better understanding of my problem, please go through the following: "esapi-2.1.0.jar" allows us to write the following code that I am trying: private final Logger logger = ESAPI.getLogger(MyActivity.class.getName()); logger.error(Logger

How to create HTML report for zap(Owasp) using Python API script which integrates with Jenkins

爱⌒轻易说出口 submitted on 2019-12-13 03:56:05
Question: I have triggered ZAP with the Python API as below. Script source: https://github.com/zaproxy/zaproxy/wiki/ApiPython I want an HTML report generated via the command line. I am trying to integrate the same with Jenkins. I have found a few OWASP plug-ins for Jenkins, but they don't seem to work as expected. Any ideas, links, or tutorials will really help me. Answer 1: At this URL/API (http://ZAP-IP:PORT/UI/core/other/htmlreport/) the user can get the report. I haven't found any ZAP support plug-in, so I have written selenium

How to encode response to JSON in filter without failing XSS

邮差的信 submitted on 2019-12-13 03:36:00
Question: Below is the static code analysis report from SpotBugs. XSS_SERVLET: Potential XSS in Servlet. A potential XSS was found. It could be used to execute unwanted JavaScript in a client's browser. (See references) Vulnerable Code: protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { String input1 = req.getParameter("input1"); [...] resp.getWriter().write(input1); } Solution: protected void doGet(HttpServletRequest req, HttpServletResponse

Vulnerability scanner for asp.net flags cross site scripting

一笑奈何 submitted on 2019-12-13 03:23:31
Question: I am running a Netsparker vulnerability test and it flags the following URL: http://localhost:54923/search/'ns='netsparker(0x005AAD). I am not able to understand what this part, 'ns='netsparker(0x005AAD), is, or how to fix this issue. I am sanitizing the input /search/searchkeyword and also encoding the input. The user enters the keyword in the search input box and then the page is redirected to the search page with the search keyword, http://localhost:54923/search/apple. 1> it doesn't contain any JS script if

X-Frame-Options header on error response

ⅰ亾dé卋堺 submitted on 2019-12-12 06:07:24
Question: I found an interesting bug report related to the X-Frame-Options header, but I don't understand how this can be a security problem. The following code is given as proof of the vulnerability: require 'net/http' require 'uri' uri = URI.parse("https://play.google.com/#{"a" * 10000}") @r = Net::HTTP.get_response uri ret = @r.each_header {|x| puts x} if ret["x-frame-options"] puts ret["x-frame-options"] else puts "Missing x-frame-options!" end But it is trying to access an invalid URL (https://play.google.com

Basic Authorization in OWASP ZAP

笑着哭i submitted on 2019-12-12 01:25:17
Question: I need to attack endpoints via the OWASP ZAP tool (I have version 2.5.0). I tested the endpoints via Postman. I've got Authorization with Type: Basic Auth, Username: exampleUserName, Password: examplePass. Could you please give me any hints on how to set up Basic Auth in OWASP ZAP? I set up a User for my Context. What else is needed? Found solution: 1) Control Panel -> Internet Options -> Connections -> LAN Settings -> check "Use a proxy for etc." -> click OK 2) Send request via Postman with Basic Auth