Stored XSS security threat

Question
We are working on security prevention and in the below code `buffer` is giving a stored XSS attack... below is the info we are getting from the Checkmarx tool.

> Method `test` gets data from the database, for the `buffer` element. This element's value then flows through the code without being properly filtered or encoded and is eventually displayed to the user in method `test`. This may enable a Stored Cross-Site-Scripting attack.
```java
private void test(HttpServletResponse response, SessionInfo sessionInfo, String applicationName,
                  String resourceName, String resourcePath, String domainAddress, String siteAddress,
                  String fileNames) throws KatalystServletException, IOException, FSException
{
    InputStream in = resourceFile.getInputStream();   // resourceFile is a field of the surrounding class (not shown)
    ZipOutputStream zipOut = null;                     // not initialised in the excerpt as posted
    try {
        byte[] buffer = new byte[8 * 1024];
        int bytesRead = 0;
        // Checkmarx flags 'buffer': bytes read here are written out unchanged below
        while ((bytesRead = in.read(buffer)) != -1) {
            zipOut.write(buffer, 0, bytesRead);
        }
    } finally {
        in.close();
        zipOut.flush();
    }
}
```
Answer 1

Score: 3
Here is the solution for the question and also for HRA_JAVA_CGI_STORED_XSS or Stored XSS Vulnerability flagged by Checkmarx in Java.

This issue is flagged by Checkmarx for any Java file operations that use a `byte[]` array as a buffer.

You need to sanitize your hands (sad face) and also your byte array before writing to any output stream. You can use ESAPI's validator function to remediate this.

Add the ESAPI jar to your project:

```xml
<dependency>
    <groupId>org.owasp.esapi</groupId>
    <artifactId>esapi</artifactId>
    <version>2.2.2.0</version>
</dependency>
```

Import `org.owasp.esapi`:

```java
import org.owasp.esapi.*;
```

Before writing into the OutputStream, in your case a ZipOutputStream, we need to filter the byte array buffer using `getValidFileContent(String context, byte[] input, int maxBytes, boolean allowNull)`.

This method checks for any end-of-file exploits, file corruption attacks or other intrusion attacks (I could not find much info regarding them, will update if I find more info.) For the method itself, see `Validator.getValidFileContent`.
```java
// at the top of the file: getValidFileContent throws the checked ValidationException
import org.owasp.esapi.errors.ValidationException;

private void test(HttpServletResponse response, SessionInfo sessionInfo, String applicationName,
                  String resourceName, String resourcePath, String domainAddress, String siteAddress,
                  String fileNames)
        throws KatalystServletException, IOException, FSException, ValidationException
{
    InputStream in = resourceFile.getInputStream();
    ZipOutputStream zipOut = null;   // not initialised in the excerpt as posted
    try {
        byte[] buffer = new byte[8 * 1024];
        int bytesRead = 0;
        while ((bytesRead = in.read(buffer)) != -1) {
            // HERE IS THE MAGIC LINE: validate the chunk (maxBytes = 8192) before it is written out
            buffer = ESAPI.validator().getValidFileContent("blah blah", buffer, 8192, true);
            // TADA
            zipOut.write(buffer, 0, bytesRead);
        }
    } finally {
        in.close();
        zipOut.flush();
    }
}
```
I had a similar issue with a Util method and it was flagged at 8 places. All of them were resolved after this fix.

I would also recommend using a try-catch-finally block and closing the InputStreams and OutputStreams in the 'finally' section, or you could use 'Try with Resources'.

Not closing these streams was flagged as 'Resource Starvation' in another code scan: unreleased resources could cause system slowdowns and starve other components of memory.
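Two practical points for whoever has to act on this finding. First, `Validator.getValidFileContent` in ESAPI checks the chunk's length against `maxBytes` and ESAPI's configured upload-size limit and then returns the same byte array; it does not encode or alter the bytes, so it is a length check, not an XSS filter. Second, what decides whether database-sourced bytes served from a servlet could ever be rendered as a page is how the response is framed: the declared content type, a `nosniff` header, an `attachment` disposition, and a file name that cannot inject into that header. The class below is an added example written for this page, not code from the question, the answer or ESAPI. It assumes the `javax.servlet` API on the classpath; `ZipDownload`, `writeZipResponse`, `copy` and `safeFileName` are hypothetical names. It uses the try-with-resources pattern the answer recommends so both streams are closed even when the copy throws.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (hypothetical class, not part of the original page): streams file bytes
 * into a zip archive on an HttpServletResponse and sets the headers that keep a browser
 * from treating the download as a document.
 */
public final class ZipDownload {

    private static final int BUFFER_SIZE = 8 * 1024;

    private ZipDownload() {}

    public static void writeZipResponse(HttpServletResponse response, String fileName, InputStream source)
            throws IOException {
        String entryName = safeFileName(fileName);

        // A zip is a download, not a document: declare the type, forbid MIME sniffing and
        // force "attachment" so the body is never interpreted as HTML by the browser.
        response.setContentType("application/zip");
        response.setHeader("X-Content-Type-Options", "nosniff");
        response.setHeader("Content-Disposition", "attachment; filename=\"" + entryName + ".zip\"");

        // try-with-resources closes zipOut and then in, even if copy() throws; leaving
        // them open is the 'Resource Starvation' finding mentioned in the answer.
        try (InputStream in = source;
             ZipOutputStream zipOut = new ZipOutputStream(response.getOutputStream())) {
            zipOut.putNextEntry(new ZipEntry(entryName));
            copy(in, zipOut);
            zipOut.closeEntry();
            zipOut.finish();
        }
    }

    /** Copies in to out unchanged; binary file bytes are framed by the zip, not encoded. */
    static long copy(InputStream in, OutputStream out) throws IOException {
        byte[] buffer = new byte[BUFFER_SIZE];
        long total = 0;
        int bytesRead;
        while ((bytesRead = in.read(buffer)) != -1) {
            out.write(buffer, 0, bytesRead);   // write only the bytes actually read this round
            total += bytesRead;
        }
        return total;
    }

    /**
     * Reduces a name that may come from the database to a conservative character set so it
     * cannot carry CR/LF or quotes into the Content-Disposition header and cannot act as a
     * path (no '/' or leading dots) inside the archive.
     */
    static String safeFileName(String name) {
        String base = name == null ? "" : name.replaceAll("[^A-Za-z0-9._-]", "_");
        base = base.replaceAll("^\\.+", "");   // strip leading dots ("..", hidden files)
        if (base.isEmpty()) {
            base = "download";
        }
        return base.length() > 100 ? base.substring(0, 100) : base;
    }
}
```

Call it from the servlet as `ZipDownload.writeZipResponse(response, resourceName, resourceFile.getInputStream())`. The copy loop is byte-for-byte the one Checkmarx flagged; the controls that matter for a download sit in the headers and in `safeFileName`, which is where a reviewer should look when deciding whether the scanner's stored-XSS trace is exploitable.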