在JSP页面中逃脱JavaScript注入
这个问题被标记为重复,但事实并非如此,所引用的问题根本没有解决JavaScript注入。到目前为止,下面提供的两个答案都完全忽略了我使用c:out tag的Escapexml属性的事实,但它行不通。问题是JavaScript不一定包含任何HTML字符。我需要能够防止可运行的JavaScript注入我的JSP代码。
我为通过代码扫描仪运行每个Web应用程序而开发的组织,以找到代码中可能包含的任何潜在漏洞。我们发现了几个,仅仅是因为我们的应用程序最初是在XSS漏洞是一回事之前就已经部署的。通常,这些问题很容易消除,因为在跨站点脚本和各种注入技术方面有很多工作。
技术是:Java 8,JSP,Spring,JavaScript,Oracle,
但是,我遇到了一个脆弱性,我几乎没有讨论...逃脱JavaScript注入。
我们有一个将字符串作为requestParam的URL: testapp.com?stringvalue = test
我们的漏洞检查器将警报注入requestParam: testapp.com?stringvalue = test'+ alert( 6853)+'
所讨论的JSP页面使用< c:out value =“ $ {stringValue}” cassexml =“ true”/> 以输出所讨论的字符串。当页面渲染时,我们将获得一个JavaScript警报对话框,该对话框在页面上弹出,表明JavaScript注入成功。
在这种特殊情况下,StringValue中包含的数据是两个预期值之一,因此,只需检查控制器中的RequestParam即可,如果该值与两个预期值中的一个不匹配,则会扔一个InvaridParametErexception。但是我们有几种情况下可以使用基于字符串的请求Param,因此上面使用的解决方案将无效。
我花了几天的时间研究这个问题,尽管关于如何消除JSP应用程序中注射的HTML有很多建议,但我几乎找不到有关消除注射的JavaScript的有用信息,对我来说似乎是一个更大的问题,这是一个更大的问题,,,,这是一个更大的问题注射的JavaScript可以为Web应用程序做恶意的事情。
有人对如何解决此问题有任何有用的建议吗?
This question was flagged as a duplicate, but it is not, and the question referenced did not address javascript injection at all. And both answers provided below so far completely ignore the fact that I AM using the escapeXML attribute of the c:out tag, but it doesn't work. The issue is that javascript does not necessarily contain ANY HTML characters. I need to be able to prevent runnable javascript from being injected into my JSP code.
The organization that I develop for runs every web application through a code scanner to locate any potential vulnerabilities that may be contained in the code. We've had several found simply because our application was initially deployed long before XSS vulnerabilities were a thing. Normally these issues are easy to eliminate, since there is a significant body of work on Cross-site scripting and various injection techniques.
Technologies are: Java 8, jsp, Spring, Javascript, Oracle
However, I have come across a vulnerability that I can find very little discussion on...escaping javascript injection.
We have a url that takes a string as a RequestParam: testapp.com?stringValue=test
Our vulnerability checker injects an alert into the RequestParam: testapp.com?stringValue=test'+alert(6853)+'
The jsp page in question uses <c:out value="${stringValue}" escapeXML="true"/> to output the string in question. When the page renders, we get a javascript alert dialog that pops up on the page, indicating that the javascript injection was successful.
In this particular case, the data contained in stringValue is one of two expected values, and so it is easy to just check the RequestParam in the controller and if the value does not match one of the two expected values, throw an InvalidParameterException. But we have several cases where a string-based RequestParam can be anything, so the solution used above would not work.
I have spent several days researching this issue, and while there are plenty of suggestions as to how to eliminate injected HTML in a jsp application, I can find very little useful information about eliminating injected javascript, which to me seems like a much bigger issue, as injected javascript could do malicious things to a web application.
Does anyone have any useful recommendations as to how to resolve this issue?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
只是逃脱它。我使用此功能:
Just escape it. I use this function: