英文:
Best Practice For XSS Attacks in Rest Api
问题
我已经阅读了很多相关信息,但实际上无法决定哪种方式是最佳的。
我有一个 Web 应用和一个 Java REST 应用,为客户提供服务。
防止在 REST API 和前端中使用参数遭受 XSS 攻击的最佳方法是什么?
- 在服务器和客户端两侧验证每个参数
- 对请求参数进行过滤和控制
- 在客户端上,在将每个数据放入标签之前进行控制
等等...
感谢您的时间。
英文:
I have read a lot about it, but couldnt really decide which way is the best.
I have a web app and a java rest application which serves to customers.
What is the best way to prevent xss attacks using parameters in rest api and frontend?
- Validating each parameter in both server and client side
- Filter and control request params
- On client side control before putting every data in between tags
etc...
Thank you for your time.
答案1
得分: 3
深度防御对于任何事物都很重要,因此对任何用户提供的输入都应进行验证和编码。编码非常重要,因为可能被视为恶意的内容是有上下文的。例如,被认为是安全的HTML可能会成为SQL注入攻击。
在REST API中,参数可能会被保存,这意味着它们会从后续请求中返回,或者结果可能会在请求中反射回用户。这意味着您可能会遇到反射型和存储型XSS攻击。您还需要小心基于DOM的XSS攻击。更现代的分类方法涵盖了存储型、反射型和DOM XSS之间的重叠,即服务器端XSS和客户端XSS。
OWASP有一个很棒的跨站脚本攻击防御备忘单,详细介绍了如何防止跨站脚本攻击。我发现XSS防御规则摘要和输出编码规则摘要部分非常有用。
重要的一点是,浏览器根据上下文解析数据的方式不同,因此不仅仅是对数据进行HTML实体编码就足够了。这意味着需要做两件事情:
-
规则#0 - 仅在允许的位置插入不受信任(用户提供的)数据。只能将数据插入到HTML文档中由规则#1-5定义的“插槽”中。
-
当您将数据插入到受信任的插槽之一时,请遵循该特定插槽的编码规则。这些规则在先前链接的跨站脚本攻击防御备忘单中有详细说明。
还有一个基于DOM的XSS攻击防御备忘单。与服务器端XSS防御备忘单类似,它提供了一组规则来防止基于DOM的XSS攻击。
英文:
As with anything defense in depth is important, so validation and encoding should be done on any user provided input. Encoding is very important because what might be considered malicious is contextual. For example, what might be safe HTML might be an SQL Injection attack.
Parameters in a REST API may be saved which means they are returned from subsequent requests or the results may be reflected back to the user in the request. This means that you can get both reflected and stored XSS attacks. You also need to be careful about DOM Based XSS attacks. A more modern categorization that addresses overlap between stored, reflected, and DOM XSS is Server XSS and Client XSS.
OWASP has a great Cross Site Scripting Prevention Cheat Sheet that details out how to prevent cross site scripting. I find the XSS Prevention Rules Summary and the Output Encoding Rules Summary sections to be very handy.
The big take away is that browsers parse data differently depending on the context, so it is very important that you don't just HTML Entity Encode the data everywhere. This means it is important to do two things:
-
Rule #0 - Only insert untrusted (user provided) data in allowed locations. Only insert data into an HTML document into a "slot" defined by Rules #1-5.
-
When you insert data into one of the trusted slots follow the encoding rules for that specific slot. Again the rules are detailed in the previously linked Cross Site Scripting Prevention Cheat Sheet.
There is also a DOM based XSS Prevention cheat sheet. Like the server side XSS cheat sheet, it provies a set of rules to prevent DOM based XSS.
答案2
得分: 2
关于跨站脚本攻击(XSS),唯一可能的选择是验证用户输入,无论是从浏览器传递的还是从其他方式(比如终端客户端)传递的任何类型的用户输入。
这取决于您所遵循的情境。
如果仅是数据而没有HTML内容,则无需担心XSS。
否则,仅需移除*<、>这些符号或将它们转换为字符编码字符串即可。
另外,您可以避免使用innerHTML将新内容附加到文档中,改用innerText*,即使存在XSS内容,也不会被执行。
但是,当API响应也返回HTML内容并且您需要在某个地方显示它时,情况会变得稍微复杂。在这种情况下,避免直接在HTML片段中显示用户输入 - 尝试进行字符编码或移除*<、>*这些符号,就能够正常运行。
英文:
When it comes to XSS only possible choice is to validate user input, any kind of user input, whether it is passed from the browser or in any other way (like from terminal client).
It depends on the scenario you are following.
If it is just data without HTML content then you don't need to worry about XSS.
Otherwise, just removing <,> symbols or casting them into character encoded string would be enough.
Also you can avoid using innerHTML to append new content to the document, use innerText instead and even if there are XSS content it won't execute.
But it gets little bit complicated when api response returns HTML content as well which you need to display somewhere. In such cases avoid directly displaying user input inside HTML snippet - try to character encode or remove <, > symbols and it will be just fine
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论