针对 html 安全漏洞创建测试用例

发布于 2024-08-18 06:23:42 字数 101 浏览 15 评论 0原文

在 ASP.NET MVC 和测试用例项目中,

如何创建测试用例来测试控制器方法上的现有安全漏洞?

例如,如何为需要防伪令牌的调用创建测试用例?还是XSS?

In a ASP.NET MVC along with a test case project,

How does someone create a test case to test against existing security exploits on a controller method?

For example, how do you create a test case for a call that need anti-forgery token? Or XSS?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

翻身的咸鱼 2024-08-25 06:23:42

测试 XSS 的最佳方法是使用专门的工具来测试这些类型的漏洞。 Wapiti 和 w3af 都是很好的开源工具,可以测试 XSS、SQL 注入和更严重的漏洞。 Acunetix 易于使用,但价格昂贵,但免费版只会测试 XSS,这正是您所需要的:
http://www.acunetix.com/cross-site-scripting/scanner。 htm

我相信“防伪托尔肯”指的是 XSRF 保护系统。我不相信可以针对 XSRF 创建自动化测试。 XSRF 与请求中发送的数据类型完全无关,而与数据的来源无关。已经编写了测试 XSRF 的工具,w3af 拥有其中一项测试。然而,我见过的每一个自动化 XSRF 测试都是完全没有价值的。如果您希望正确完成 XSRF 测试,您必须自己进行:
http://www.owasp.org/index.php/ Testing_for_CSRF_%28OWASP-SM-005%29

The best way to test for XSS is by using a specialized tool for testing for these types of vulnerabilities. Wapiti and w3af are both good open source tools that can test for XSS, SQL Injection and worse vulnerabilities. Acunetix is easy to use but it is expensive, however the free edition will only test for XSS which is what you need:
http://www.acunetix.com/cross-site-scripting/scanner.htm

I believe that by "anti-forgery tolken" you are referring to an XSRF protection system. I don't believe that an automated test can be created against XSRF. XSRF has absolutely nothing to do with the type of data being sent in a request, but rather where it is coming from. Tools have been written to test for XSRF and w3af has one of these tests. However every automated XSRF test I have seen is COMPLETELY WORTHLESS. If you want XSRF test done right you have to do it your self:
http://www.owasp.org/index.php/Testing_for_CSRF_%28OWASP-SM-005%29

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文