• Free Web Security Testing Tools and Related Resources

    This article introduces several tools for web security testing and XSS testing,

    and closes with XSS defence methods and related resources.

    Which tool is the best?

    The best tool is whichever one you are used to and your team can comfortably apply in the secure development and testing process.

    7+ free XSS testing tools

    Xenotix XSS Exploit Framework

    IronWASP

    arachni

    ImmuniWeb Self-Fuzzer Addon for Firefox

    VEGA

    OWASP ZAP

    BurpSuite

    Xenotix XSS documentation and tutorials

    http://xenotix.in/

    https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework

    XSS defence: encoding

    http://www.strictly-software.com/scripts/downloads/encoder.js

    http://www.strictly-software.com/htmlencode

    • Validate user input to a defined extent
    • Encode data before storing it in the database
    • Encode data before it is output to the browser for rendering

    XSS encoding protection

    HTML encoding

    <h1> Welcome html_escape(untrusted string) </h1>

    The purpose of encoding is to convert the following characters so that input data cannot turn into JavaScript code that executes arbitrarily:

    &   &amp;
    <   &lt;
    >   &gt;
    "   &quot;
    `   &#x60;
    '   &#x27;
    /   &#x2F;


    Encoding HTML attributes

    <img src="x" alt="html_escape(untrusted string)">

    Encoding URLs

    <a href="http://sampleWebsite.com/index?test=url_escape(untrusted string)">l</a>
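    The three output contexts above (HTML body, quoted attribute, URL query parameter), implemented as an added example in JavaScript. This is my own code, not the encoder.js library linked in this post; htmlEscape, urlEscape and the render helpers are assumed names.

```javascript
// Added example (not from the original post): context-aware output encoding
// following the character table in the post. Function names are assumed.

// The seven characters listed in the post and their HTML entities.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "`": "&#x60;",
  "'": "&#x27;",
  "/": "&#x2F;",
};

// Escape untrusted text for an HTML element body or a quoted attribute value.
// "&" is escaped first via the same map so entity sequences in the input are
// shown literally instead of being decoded by the browser.
function htmlEscape(untrusted) {
  return String(untrusted).replace(/[&<>"`'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Escape untrusted text for a single query-string parameter value.
// encodeURIComponent percent-encodes everything outside the unreserved set,
// so "&", "=", quotes and angle brackets cannot terminate the parameter.
function urlEscape(untrusted) {
  return encodeURIComponent(String(untrusted));
}

// The three snippets from the post, each using the encoder for its context.
function renderHeading(name) {
  return `<h1> Welcome ${htmlEscape(name)} </h1>`;
}
function renderImage(altText) {
  return `<img src="x" alt="${htmlEscape(altText)}">`;
}
function renderLink(param) {
  return `<a href="http://sampleWebsite.com/index?test=${urlEscape(param)}">l</a>`;
}

// Constructed sample input containing every character from the table.
const SAMPLE = `<b>"a" & 'b' / \`c\`</b>`;
console.log(renderHeading(SAMPLE));
console.log(renderImage(SAMPLE));
console.log(renderLink(SAMPLE));
```

    These two encoders cover only the HTML body, quoted attribute and URL parameter contexts; untrusted data placed inside a JavaScript string, an event handler or CSS needs the context-specific encoders described in the OWASP XSS Prevention Cheat Sheet linked below.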

    Blacklist or whitelist data validation?

    Use a whitelist where possible, allowing only a specific set of characters as input.

    Make good use of HTML tags

    Declare the document encoding as UTF-8 explicitly:

    • <meta http-equiv="content-type" content="text/html;charset=UTF-8">

    Declare the doctype before <html>:

    •  <!doctype html>

    Define via HTTP headers

    These HTTP headers also turn on the browser's built-in XSS protection mechanisms; the relevant headers are:

    • X-XSS-Protection: 1; mode=block
    • X-Frame-Options: deny
    • X-Content-Type-Options: nosniff
    • Content-Security-Policy: default-src 'self'
    • Set-Cookie: key=value; HttpOnly
    • Content-Type: type/subtype; charset=utf-8

    How do you protect JavaScript code?

    http://www.strictly-software.com/htmlencode

    http://www.strictly-software.com/scripts/downloads/encoder.js

    • HTML2Numerical
    • numEncode
    • htmlEncode
    • XSSEncode
    • correctEncoding
    • stripUnicode

    With jQuery, use .text() instead of .html().

    Related resources

    Every UI framework and web development language provides its own HTML encoding utilities and functions:

    https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
    https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
    https://www.owasp.org/index.php/List_of_useful_HTTP_headers
    https://www.owasp.org/index.php/HttpOnly
    https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework
    https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
    https://code.google.com/p/owasp-esapi-java/
    http://www.w3.org/TR/CSP11/
    https://w3c.github.io/webappsec/specs/content-security-policy/
    http://www.html5rocks.com/en/tutorials/security/content-security-policy/
    https://tools.ietf.org/rfc/rfc7034.txt
    http://msdn.microsoft.com/en-us/library/system.web.security.antixss.antixssencoder(v=vs.110).aspx
    http://msdn.microsoft.com/en-us/library/system.web.httputility(v=vs.110).aspx
    http://openmya.hacker.jp/hasegawa/security/utf7cs.html
    http://www.thespanner.co.uk/2013/05/16/dom-clobbering/
    http://www.slideshare.net/x00mario/the-innerhtml-apocalypse/46
    http://wpl.codeplex.com/
    http://opensecurity.in/

    http://cure53.de/fp170.pdf
    https://www.modsecurity.org/
    https://www.ironbee.com/
    http://taligarsiel.com/Projects/howbrowserswork1.htm
    https://frederik-braun.com/xfo-clickjacking.pdf
    http://mootools.net/docs/core/Types/String
    http://www.strictly-software.com/htmlencode
    http://backbonejs.org/#Model
    https://www.ng-book.com/p/Security/
    https://docs.angularjs.org/api/ng/service/$sce
    http://spinejs.com/docs/views
    https://github.com/cure53/DOMPurify
    https://github.com/leizongmin/js-xss
    http://api.rubyonrails.org/classes/ERB/Util.html
    http://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html
    http://yuilibrary.com/yui/docs/api/classes/Escape.html#method_html
    http://prototypejs.org/doc/latest/language/String/prototype/escapeHTML/
    http://docs.php.net/manual/en/function.htmlspecialchars.php
    http://www.smarty.net/docsv2/en/language.modifier.escape
    https://www.superevr.com/blog/2012/exploiting-xss-in-ajax-web-applications/
    http://blog.opensecurityresearch.com/2011/12/evading-content-security-policy-with.html
    http://www.janoszen.com/2012/04/16/proper-xss-protection-in-javascript-php-and-smarty/

    http://wpcme.coverity.com/wp-content/uploads/What_Every_Developer_Should_Know_0213.pdf


    Posted by Tony @ 2:50 pm
