Been reading up on various injection-type attacks, and it seems like the best way to get rid of these vulnurabilities is to encode all user input to remove / replace some characters with others (< > ; etc).
正在阅读各种注入型攻击,似乎摆脱这些漏洞的最佳方法是编码所有用户输入以删除/替换某些字符(<>;等)。
What's my best bet here? Are there any nice libraries out there to aid me with this? Or something that could help me spot potential vulnurabilities? - Or are regular expressions my best bet? :)
我最好的选择是什么?有没有漂亮的图书馆来帮我这个?还是可以帮助我发现潜在的漏洞的东西? - 或者正则表达式是我最好的选择? :)
Thanks a lot
非常感谢
5 个解决方案
#2
OWASP Antisamy and OWASP ESAPI.
OWASP Antisamy和OWASP ESAPI。
Of these, I would vote for ESAPI, since I've used the Java version of ESAPI to prevent XSS attacks. Keep in mind that plain HTML encoding of data will not prevent XSS. The context of the data is important as well - you will have to escape JavaScript if you are dynamically generating it and injecting it into the response at the server.
其中,我会投票支持ESAPI,因为我使用了Java版本的ESAPI来防止XSS攻击。请记住,纯HTML编码数据不会阻止XSS。数据的上下文也很重要 - 如果要动态生成JavaScript并将其注入服务器的响应,则必须转义JavaScript。
#3
The Server in ASP.NET Page instances (accessible via Page i.e. this) offers a HtmlEncode() method that should suffice to prevent XSS attacks.
ASP.NET页面实例中的服务器(可通过Page访问,即这样)提供了一个HtmlEncode()方法,该方法足以防止XSS攻击。
By default, without explicitly allowing it in either web.config or via a page directive, ASP.NET will reject any suspicious input with an error page.
默认情况下,如果没有在web.config或通过页面指令明确允许它,ASP.NET将拒绝任何带有错误页面的可疑输入。
#4
You got 3 nice choices for Cross-site Scripting protection:
您有三个很好的跨站点脚本保护选择:
I would try in this order.
我会尝试这个顺序。
- Microsoft Anti Cross-site Scripting Library
- OWASP Reform
- OWASP ESAPI
Microsoft反跨站点脚本库
#5
Recently I've been looking at ESAPI.NET and the project seems incomplete and perhaps inactive -- especially compared to the java package.
最近我一直在关注ESAPI.NET,该项目似乎不完整,可能不活跃 - 特别是与java包相比。
Anti-XSS only covers a subset of ESAPI's scope and, indeed, ESAPI.NET uses AntiXSS (though not the latest) for encoding.
Anti-XSS仅涵盖ESAPI范围的一个子集,实际上,ESAPI.NET使用AntiXSS(尽管不是最新的)进行编码。
Any comments testifying to ESAPI.NET's usefulness would be helpful.
任何证明ESAPI.NET有用的评论都会有所帮助。
#1
Take a look at the AntiXSS library.
看一下AntiXSS库。
#2
OWASP Antisamy and OWASP ESAPI.
OWASP Antisamy和OWASP ESAPI。
Of these, I would vote for ESAPI, since I've used the Java version of ESAPI to prevent XSS attacks. Keep in mind that plain HTML encoding of data will not prevent XSS. The context of the data is important as well - you will have to escape JavaScript if you are dynamically generating it and injecting it into the response at the server.
其中,我会投票支持ESAPI,因为我使用了Java版本的ESAPI来防止XSS攻击。请记住,纯HTML编码数据不会阻止XSS。数据的上下文也很重要 - 如果要动态生成JavaScript并将其注入服务器的响应,则必须转义JavaScript。
#3
The Server in ASP.NET Page instances (accessible via Page i.e. this) offers a HtmlEncode() method that should suffice to prevent XSS attacks.
ASP.NET页面实例中的服务器(可通过Page访问,即这样)提供了一个HtmlEncode()方法,该方法足以防止XSS攻击。
By default, without explicitly allowing it in either web.config or via a page directive, ASP.NET will reject any suspicious input with an error page.
默认情况下,如果没有在web.config或通过页面指令明确允许它,ASP.NET将拒绝任何带有错误页面的可疑输入。
#4
You got 3 nice choices for Cross-site Scripting protection:
您有三个很好的跨站点脚本保护选择:
I would try in this order.
我会尝试这个顺序。
- Microsoft Anti Cross-site Scripting Library
- OWASP Reform
- OWASP ESAPI
Microsoft反跨站点脚本库
#5
Recently I've been looking at ESAPI.NET and the project seems incomplete and perhaps inactive -- especially compared to the java package.
最近我一直在关注ESAPI.NET,该项目似乎不完整,可能不活跃 - 特别是与java包相比。
Anti-XSS only covers a subset of ESAPI's scope and, indeed, ESAPI.NET uses AntiXSS (though not the latest) for encoding.
Anti-XSS仅涵盖ESAPI范围的一个子集,实际上,ESAPI.NET使用AntiXSS(尽管不是最新的)进行编码。
Any comments testifying to ESAPI.NET's usefulness would be helpful.
任何证明ESAPI.NET有用的评论都会有所帮助。