服务器端从html页面(不是jsp)输出编码以防止XSS
我的应用程序存在由未经验证的 url 引起的反射型 XSS 漏洞。我想至少在客户端提供输出编码。我只能修改 html 和 js 中的前端页面。我无权访问后端应用程序代码,因此无法在服务器端使用 UrlEncoder.encode 。 我的问题是如何从客户端表单调用服务器端编码。 我知道在jsp中我可以写 <@page import=org.owaps.esapi.* var url = <%=Esapi.Encoderr.encodetoUrl(vulnerableUrl) =%>
但由于我的网页不是 jsp ,而是 html+js ,我如何调用服务器端编码函数?
I have an application with reflected XSS vulnerability caused by an unvalidated url. I want to provide atleast output encoding in the client side. I have access to modify only the front end pages which are in html and js. I do not have access to backend application code , so I cannot use UrlEncoder.encode at server side.
My question is how can I call server-side encoding from client side forms.
I know in jsp I can write
<@page import=org.owaps.esapi.*
var url = <%=Esapi.Encoderr.encodetoUrl(vulnerableUrl) =%>
But since my webpage is not jsp , but html+js , how can i call a server-side encoding function?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
鉴于您提供的信息,我会说不,这可能是不可能的。
假设您添加:
document.forms[0].redirect.value =encodeURI(malcious url)
现在攻击者出现并发送:
问题是,当客户端脚本运行时,恶意数据已经在页面中,并且已经改变了布局和页面的上下文。
我认为通过使用像 mod_security 这样的 WAF 来限制可以进入应用程序的可能值,然后尝试在客户端修复它,更有可能解决这个问题。尽管实际上解决服务器端的问题是最好的选择。
Given the information you provided I would say no, it's probably not possible.
Let's say you add:
document.forms[0].redirect.value = encodeURI(malcious url)
Now the attacker comes along and sends in:
The problem is that the malicious data is already in the page when the client script runs, and would already have altered the layout and contexts of the page.
I think there would be a better chance of fixing this by employing a WAF like mod_security to limit the prossible values that can enter the app, then trying to fix it client side. Though actually fixing the problem server side is the best option.