Website script injection scanning

Published 2024-09-13 07:29:38, 1539 characters, 6 views, 0 comments


Comments (3)

じее 2024-09-20 07:29:38

It is difficult: you need to test every URL of your application and check if specific patterns are present in the reply (and it is very difficult to have a good algorithm which can understand which is good and bad JavaScript, or you need to configure this scanner, which can be long and tricky).

There is a realtime open source solution called mod security on the server side. It is a web application firewall: it can detect specific patterns in requests and / or responses. It works on Apache as a module. This is mainly a production solution, and does not detect injection during development. Furthermore, you need some experience to tune it (what is good and wrong in the data exchanges with our clients), which can be tricky, and it does not protect against new attacks or more intelligent attacks (re-encoding characters, for instance).

By the way, another solution is to use Content Security Policy, but it is not available in all browsers (well, no one at the present time, wait for Firefox 4 ;-).

硪扪都還晓 2024-09-20 07:29:38

You can't.
Because a bad script will always be able to rewrite/neutralize your scanner function when it arrives in the browser.
And your server doesn't have any control of what happens in your page anymore.

There is a simple way to protect your page from injection: place all the untrusted content using an iframe pointing to a different subdomain or port on your server.
You get the Same Origin Policy that sandboxes the iframe and prevents access to resources of the parent page.

Then you may want to communicate safely between the iframes and the main page.
If you target modern browsers or mobiles you can use window.postMessage to send string messages.
For older browsers, there are some tricks; here is a blog post with a solution.

This does not protect you against cross site scripting, but this is another issue you can solve with a secret token in the parent page.
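The parent/iframe exchange described in this answer, as an added example that is not part of the original post: the parent page listens for window.postMessage strings from the frame, accepts them only when event.origin matches the frame's origin and the message type is on an explicit allow list, and pins the target origin when sending. The origins app.example.com and untrusted.example.com are constructed placeholders.

```javascript
// Added example: the parent page on PARENT_ORIGIN embeds untrusted content in an
// iframe served from FRAME_ORIGIN (a different subdomain, so a different origin).
// Both origins are constructed placeholders for this example.
const PARENT_ORIGIN = "https://app.example.com";
const FRAME_ORIGIN = "https://untrusted.example.com";

// Build a "message" event handler that only accepts messages from the expected
// origin and only understands a small, explicit set of message types.
// Returns the accepted command, or null when the message must be ignored.
function makeMessageHandler(expectedOrigin, allowedTypes) {
  return function onMessage(event) {
    // event.origin is filled in by the browser; the sender cannot forge it.
    if (event.origin !== expectedOrigin) return null;
    // The answer recommends string messages; anything else is rejected.
    if (typeof event.data !== "string") return null;
    let msg;
    try {
      msg = JSON.parse(event.data);
    } catch (_) {
      return null; // malformed payload from the frame is dropped
    }
    if (!msg || typeof msg.type !== "string" || !allowedTypes.has(msg.type)) {
      return null; // unknown command types are never dispatched
    }
    // Copy only the fields we expect; the caller treats payload as data, not markup.
    return { type: msg.type, payload: msg.payload === undefined ? null : msg.payload };
  };
}

// Send a string message to the frame. Pinning targetOrigin (instead of "*")
// means the browser drops the message if the frame has navigated elsewhere.
function sendToFrame(frameWindow, targetOrigin, type, payload) {
  frameWindow.postMessage(JSON.stringify({ type, payload }), targetOrigin);
}

// Browser wiring: the frame may only ask the parent for a resize or report readiness.
if (typeof window !== "undefined" && window.location.origin === PARENT_ORIGIN) {
  const handle = makeMessageHandler(FRAME_ORIGIN, new Set(["resize", "ready"]));
  window.addEventListener("message", (event) => {
    const cmd = handle(event);
    if (cmd && cmd.type === "resize") {
      const frame = document.getElementById("untrusted-frame");
      frame.style.height = String(Number(cmd.payload.height) || 0) + "px";
    }
  });
}
```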

初熏 2024-09-20 07:29:38

The StopBadware group offers a free scanning service. Google and Mozilla rely on this service for their "this site may harm your computer" warnings.

The scanning service is available here:
http://www.stopbadware.org/home/reportsearch

Details on protecting your website are here:
http://www.stopbadware.org/home/security
