
CSRF and XSS security vulnerability summary

2014-01-12 
```xml
<dependency>
    <groupId>org.owasp.antisamy</groupId>
    <artifactId>antisamy</artifactId>
    <version>1.5.3</version>
</dependency>
```


```java
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;

public class XSSChecker {
    protected Policy policy;
    /** Path of the AntiSamy policy file, relative to the web application root. */
    protected String policyPath = "WEB-INF/ebay.xml";
    protected AntiSamy as = null;

    public void setPolicyPath(String policyPath) {
        if (policyPath != null) {
            this.policyPath = policyPath;
        }
    }

    /** Loads the policy and builds the scanner; call once before scan(). */
    public void init() throws PolicyException {
        policy = Policy.getInstance(policyPath);
        as = new AntiSamy(policy);
    }

    /** Returns the policy-cleaned HTML for the given input. */
    public String scan(String html) {
        if (html == null) {
            return "";
        }
        try {
            return as.scan(html, AntiSamy.SAX).getCleanHTML();
        } catch (Exception e) {
            // Fail closed: if AntiSamy cannot process the input (ScanException,
            // PolicyException or a runtime error), never hand back the unsanitized HTML.
            return "";
        }
    }
}
```

Used from the servlet like this:

```python
import os

# Assumption: XSSChecker is the Java class above, imported from the classpath under Jython.
import XSSChecker


class XSSFilter(object):
    """Runs every GET/POST value through the AntiSamy-backed XSSChecker.
    The original parameter dicts are kept as request.GET0 / request.POST0."""

    def __init__(self, webapp_root):
        # Assumption: the policy path is resolved against the web application root
        # passed in by the router (getRealPath('')).
        self.xssfilter = XSSChecker()
        self.xssfilter.setPolicyPath(os.path.join(webapp_root, "WEB-INF/ebay.xml"))
        self.xssfilter.init()

    def scan(self, request):
        if request.GET:
            request.GET0 = request.GET
            ret = {}
            for k, v in request.GET.items():
                ret[k] = self.xssfilter.scan(v)
            request.GET = ret
        if request.POST:
            request.POST0 = request.POST
            ret = {}
            for k, v in request.POST.items():
                ret[k] = self.xssfilter.scan(v)
            request.POST = ret
```

router:

```python
xssfilter = XSSFilter(config.getServletContext().getRealPath(''))
xssfilter.scan(request)
```


OWASP AntiSamy references:

http://www.owasp.org.cn/owasp-project/download/owasp-antisamy-java/view

https://www.owasp.org/index.php/AntiSamy

More security references:

http://www.freebuf.com/articles/web/9977.html Seven principles for defending against XSS

http://www.freebuf.com/articles/web/9928.html XSS solutions series, part 1: flaws in the Taobao, Baidu and Tencent solutions

http://blog.csdn.net/kkdelta/article/details/17374927 Analysis of a reflected XSS example


http://www.howtocreate.co.uk/crosssite.html

https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

http://stackoverflow.com/questions/2113984/is-replacing-and-with-lt-and-gt-enough-to-prevent-xss-injection

http://blog.csdn.net/kaosini/article/details/8778775

Example:

<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">
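The vector above only becomes a `javascript:` URL after the browser decodes the `&#1;` entity, so a check on the raw attribute value misses it. The Python below is added here as an illustration and is not from the original post: it normalizes a CSS `url()` target (entity decoding plus removal of the control characters browsers ignore) before allow-listing its scheme, and contrasts that with the raw check; the sample inputs and function names are constructed for this example.

```python
import html
import re

# Constructed samples mapped to the verdict they should get; the first is the vector quoted on this page.
SAMPLES = {
    "url(&#1;javascript:alert('XSS'))": False,
    "url(&#106;avascript:alert(1))": False,  # entity-encoded 'j'
    "url(java\tscript:alert(1))": False,     # tab inside the scheme name
    "url(https://example.com/bg.png)": True,
    "url('/static/bg.png')": True,
}
ALLOWED_SCHEMES = {"http", "https"}
# Control characters and whitespace that browsers ignore inside a URL.
_IGNORED = re.compile(r"[\x00-\x20\x7f]")
# Extracts url(...) targets from a CSS value, quoted or not.
_URL = re.compile(r"url\(\s*(['\"]?)(.*?)\1\s*\)", re.I | re.S)
_SCHEME = re.compile(r"([a-z][a-z0-9+.-]*):", re.I)

def normalize(target):
    """Decode entities and drop ignored characters until nothing changes, so
    layered encodings such as &#1; or &#106; cannot hide a scheme."""
    prev = None
    while prev != target:
        prev = target
        target = _IGNORED.sub("", html.unescape(target))
    return target

def scheme_of(target):
    m = _SCHEME.match(target)
    return m.group(1).lower() if m else None

def css_url_is_safe(value, normalize_first=True):
    """Fail closed: each url() target must be relative or use an allowed scheme.
    normalize_first=False reproduces a check on the raw attribute value."""
    for _, target in _URL.findall(value):
        if normalize_first:
            target = normalize(target)
        scheme = scheme_of(target)
        if scheme is not None and scheme not in ALLOWED_SCHEMES:
            return False
    return True

def run_samples():
    """Map each sample to (raw verdict, normalized verdict)."""
    return {s: (css_url_is_safe(s, False), css_url_is_safe(s)) for s in SAMPLES}

if __name__ == "__main__":
    for sample, verdicts in run_samples().items():
        print(repr(sample), "raw/normalized:", verdicts)
```

The raw check passes all three malicious samples, which is why a sanitizer such as AntiSamy validates decoded attribute values against a policy instead of pattern-matching the raw text.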
