owasp

问题 I'm developing an application in Java which seems to have a session hijacking vulnerability. In order to prevent this, the recommendation is to change the JSESSION ID for a user after log in My application is based on Struts 2.0 and Tomcat 7 and I have implemented a code to change the JSESSIONID after the user logs in. However i am facing the following problem while running the code. java.lang.IllegalStateException: setAttribute: Session already invalidated at org.apache.catalina.session

问题 I am trying to use OWASP ESAPI library in my Maven Web Project.The problem i am facing is that the controllers are not able to find the ESAPI properties file. I tried putting them in the resources folder ,but it does not work.I can't seem to get it working. Can someone help me with the correct location of ESAPI resources in a Maven Project. 回答1: The class Javadoc for the implementation class, [DefaultSecurityConfiguration] (http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp

问题 I have installed Owasp ModSecurity, after that all pages on my application have this rule alert. ModSecurity: Warning. Match of "eq 1" against "&ARGS:CSRF_TOKEN" required. [file "/etc/modsecurity/activated_rules/modsecurity_crs_43_csrf_protection.conf"] [line "31"] [id "981143"] [msg "CSRF Attack Detected - Missing CSRF Token."] I also tried to create a blank php file just to check, same rule alert is shown. From this point I assume that the problem is not code level any more. Here is the

问题 We are using nginx for https traffic offloading, proxying to a locally installed jasperserver (5.2) running on port 8080. internet ---(https/443)---> nginx ---(http/8080)---> tomcat/jasperserver When accessing the jasperserver directly on its port everything is fine. When accessing the service through nginx some functionalities are broken (e.g. editing a user in the jasperserver UI) and the jasperserver log has entries like this: CSRFGuard: potential cross-site request forgery (CSRF) attack

问题 I use Owasp Anti samy with Ebay policy file to prevent XSS attacks on my website. I also use Hibernate search to index my objects. When I use this code: String html = "special word: été"; // use the Ebay configuration file Policy policy = Policy.getInstance(xssPolicyFile.getInputStream()); AntiSamy as = new AntiSamy(); CleanResults cr = as.scan(html, policy); // result is now : "special word: été" result = cr.getCleanHTML(); As you can see all chars "é" has been transformed to their html

问题 I am looking at custom forms in Magento. I saw these tutorials http://fastdivision.com/2012/03/29/diy-magento-create-ajax-login-registration-forms-for-your-magento-theme/ http://inchoo.net/ecommerce/magento/magento-email/magento-custom-email-contact-form-with-notification-system/ I did not see any mention of CSRF prevention, like checking a client token with one stored in a user session. I also looked in the Magento Contact Us form, and saw this but I do not think it relates to CSRF: <input

问题 Closed. This question is off-topic. It is not currently accepting answers. Want to improve this question? Update the question so it's on-topic for Stack Overflow. Closed 4 years ago . Are there any standard library methods that can filter out paths which include special traversal sequences, such as ../ and all other convoluted forms of upwards directory traversal, to safeguard a file path API input from traversing upwards of a given "root" path? I have a class that contains a root folder

问题 I am new to ESAPI and I have added esapi-2.0.1 jar to my Android app,was able to call any of the ESAPI methods.However, I am getting Caused by: java.lang.IllegalArgumentException: Failed to load ESAPI.properties as a classloader resource Error.My concern is it possible to use ESAPI for any android apps and if Yes then where to locate ESAPI.properties in an App. Any help would be appreciated. PS:This is my first question on stackoverflow.com pardon me if I did not follow any of the rules .

问题 Using the OWASP checklist, which is the correct way protect this situation? This is url inside of a javascript string where a url parameter needs to have xss protection. Problem: <script> var u = 'xyz.html?x=<% url.baddata %>' dosomeAjax(u); </script> Possible solution 1: var u = 'xyz.html?x=<% encodeForURL(url.baddata) %>' Possible solution 2: var u = 'xyz.html?x=<% encodeForJavaScript(url.baddata) %>' Possible solution 3: var u = 'xyz.html?x=<% encodeForJavaScript(encodeForURL(url.baddata))

问题 I want to implement the 'JSON Sanitizer' validation as mentioned by OWASP. My understanding is that this needs to be done in two places: JSON data (in Request) received from Client or Other Systems - This needs to be sanitized at Server side before being processed JSON data (in Response) to be sent to Client - This needs to be sanitized at Server side before being sent to client Is it sufficient that I just call a sanitizing method in JSON Sanitizing library on that JSON Data ? Will that