7+個Web Security XSS免費測試工具與XSS防護

Web Security 免費測試工具與相關資源

這篇文章主要介紹幾種測試Web Security Testing 與 XSS 的工具,

最後說明XSS防護方法與相關資源。

哪一種工具最好用?

其實自己習慣,團隊可以熟悉應用在安全開發測試流程中就是最好用。

7+ XSS免費測試工具

Xenotix XSS Exploit Framework

IronWASP

arachni

ImmuniWeb Self-Fuzzer Addon for Firefox

VEGA

OWASP ZAP

BurpSuite

Xenotix XSS相關文件與教學

http://xenotix.in/

https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework

XSS 防護之道 – 編碼

http://www.strictly-software.com/scripts/downloads/encoder.js

http://www.strictly-software.com/htmlencode

  • 將使用者輸入資料做一定的驗證
  • 資料儲存到資料庫前編碼
  • 資料輸出到瀏覽器執行前編碼

XSS encoding protection

HTML 編碼

<h1> Welcome html_escape(untrusted string) </html>

編碼的用意在於轉換下列符號,讓輸入的資料不會變成任意執行的JavaScript 程式碼

& &amp;
< &lt;
> &gt;
&quot;
` &#x60;
&#x27;
/ &#x2F;

 

編碼HTML中的屬性

<img src="x" alt="html_escape(untrusted string)">

編碼URL

<a href=”http://sampleWebsite.com/index?test=url_escape(untrusted string)“>l</a>

黑名單或是白名單的資料驗證?

如果可以建議使用白名單。只允許特定字元輸入。

善用HTML tag

明確定義UTF8文件編碼:

  • <meta httpequiv=”content-type” content=”text/html;charset=UTF-8“>

在<html>前定義

  •  <!doctype html>

使用HTTP Header定義

這些 Http Header 定義可以讓瀏覽器也啟動內建 XSS保護機制,相關的 Http header 如下:

  • X-XSS-Protection: 1; mode=block
  • X-Frame-Options: deny
  • X-Content-Type-Options: nosniff
  • Content-Security-Policy: default-src ‘self’
  • Set-Cookie: key=value; HttpOnly
  • Content-Type: type/subtype; charset=utf-8

JavaScript程式如何防護呢?

http://www.strictly-software.com/htmlencode

http://www.strictly-software.com/scripts/downloads/encoder.js

  • HTML2Numerical
  • numEncode
  • htmlEncode
  • XSSEncode
  • correctEncoding
  • stripUnicode

如果是 jQuery 可以使用 .text() 而不是 .html()

相關資源

當然每一種 UI framework 或是網頁開發程式語言都會提供相關的 HTML encoding 的工具與函數

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/List_of_useful_HTTP_headers
https://www.owasp.org/index.php/HttpOnly
https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
https://code.google.com/p/owasp-esapi-java/
http://www.w3.org/TR/CSP11/
https://w3c.github.io/webappsec/specs/content-security-policy/
http://www.html5rocks.com/en/tutorials/security/content-security-policy/
https://tools.ietf.org/rfc/rfc7034.txt
http://msdn.microsoft.com/en-us/library/system.web.security.antixss.antixssencoder(v=vs.110).aspx
http://msdn.microsoft.com/en-us/library/system.web.httputility(v=vs.110).aspx
http://openmya.hacker.jp/hasegawa/security/utf7cs.html
http://www.thespanner.co.uk/2013/05/16/dom-clobbering/
http://www.slideshare.net/x00mario/the-innerhtml-apocalypse/46
http://wpl.codeplex.com/ http://opensecurity.in/

http://cure53.de/fp170.pdf
https://www.modsecurity.org/
https://www.ironbee.com/
http://taligarsiel.com/Projects/howbrowserswork1.htm
https://frederik-braun.com/xfo-clickjacking.pdf
http://mootools.net/docs/core/Types/String
http://www.strictly-software.com/htmlencode
http://backbonejs.org/#Model
https://www.ng-book.com/p/Security/
https://docs.angularjs.org/api/ng/service/$sce
http://spinejs.com/docs/views
https://github.com/cure53/DOMPurify
https://github.com/leizongmin/js-xss
http://api.rubyonrails.org/classes/ERB/Util.html
http://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html
http://yuilibrary.com/yui/docs/api/classes/Escape.html#method_html
http://prototypejs.org/doc/latest/language/String/prototype/escapeHTML/
http://docs.php.net/manual/en/function.htmlspecialchars.php
http://www.smarty.net/docsv2/en/language.modifier.escape
https://www.superevr.com/blog/2012/exploiting-xss-in-ajax-web-applications/
http://blog.opensecurityresearch.com/2011/12/evading-content-security-policy-with.html
http://www.janoszen.com/2012/04/16/proper-xss-protection-in-javascript-php-and-smarty/

http://wpcme.coverity.com/wp-content/uploads/What_Every_Developer_Should_Know_0213.pdf

 

 

 

 

Leave a Reply

Your email address will not be published.