
As a temporary quick fix to mitigate the major risk while working on the permanent fix for XSS Vulnerability in a very large code base, I'm looking for a pre-existing XSS prevention blacklist that does a reasonable job of protecting against XSS.

Preferably a set of Regular Expressions. I'm aware of plenty of cheat sheets for testing and smoke tests etc, what I'm looking for is pre-tuned regexps for blocking the attacks.

I am fully aware that the best way is output escaping or, if you need some markup from users, whitelisting. But, with the size of the code base, we need something in quickly to reduce the immediate footprint of the vulnerability and raise the bar whilst working on the real solution.

Is anyone aware of a good set?

asked Sep 23, 2008 by THEMike; edited May 23, 2017

6 Answers

I realise this may not be a direct answer to your question, but ASP.NET developers in a similar situation may find this useful:

Microsoft Anti-Cross Site Scripting Library V1.5

This library differs from most encoding libraries in that it uses the "principle of inclusions" technique to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and encodes anything outside this set (invalid characters or potential attacks). The principle of inclusions approach provides a high degree of protection against XSS attacks and is suitable for Web applications with high security requirements.

Here is one: http://ha.ckers/xss.html but I don't know if it's complete.

CAL9000 is another list where you could find something like that.

Not sure if you're using PHP, but if so you should look at HTMLPurifier. It's extremely simple to use; just add a call to the purify() method where you accept your input, or where you output it. Its whitelist-based approach blocks every XSS attack I've tested it against.

The cheat sheet at ha.ckers/xss.html is not complete. A colleague of mine found one or two that aren't on there. RSnake does list many of the regex filters each attack string gets past. Use a few and you may close enough holes.

It would be a good starting place. If nothing else, to know what kinds of things you need to be looking for.

Use it as a place to start and make sure the scripts you write escape enough characters to render any attacks your blacklists miss benign. What good is XSS injection if no browser renders it?

In reality escaping enough of the right characters goes most of the way here. It's quite hard to inject XSS into a script that turns every < into a &lt; and escapes " into &quot;.
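The two encoding strategies mentioned in these answers, shown as an added JavaScript example (not code from any of the answerers or from the libraries named): `escapeHtml` does the "turn every `<` into `&lt;`" style escaping from the answer above, and `encodeByInclusion` does the "principle of inclusions" approach described for the Microsoft Anti-XSS library. Both function names and the allowed-character set are assumptions chosen for this illustration.

```javascript
// Added example, not from any answer above. Two output-encoding strategies
// for the HTML text / quoted-attribute context; function names are our own.

// Strategy 1: escape the characters that carry HTML meaning. Covers the
// "< -> &lt;, \" -> &quot;" idea from the answer, plus & > ' so the result is
// safe in text nodes and in double- or single-quoted attribute values.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Strategy 2: "principle of inclusions". Instead of enumerating dangerous
// characters (a blacklist), define the allowed set and encode everything
// else as a hex numeric entity. The allowed set here is an assumption.
const SAFE_CHAR = /^[A-Za-z0-9 .,_-]$/;

function encodeByInclusion(untrusted) {
  let out = "";
  // for...of iterates by code point, so astral characters are not split.
  for (const ch of String(untrusted)) {
    if (SAFE_CHAR.test(ch)) {
      out += ch;
    } else {
      out += "&#x" + ch.codePointAt(0).toString(16).toUpperCase() + ";";
    }
  }
  return out;
}

// Constructed sample input: user-supplied text that contains markup.
const sample = 'Tom & Jerry <b>"quoted"</b>';
console.log(escapeHtml(sample));        // Tom &amp; Jerry &lt;b&gt;&quot;quoted&quot;&lt;/b&gt;
console.log(encodeByInclusion(sample)); // Tom &#x26; Jerry &#x3C;b&#x3E;&#x22;quoted&#x22;&#x3C;&#x2F;b&#x3E;
```

Either function must be applied at the point of output into HTML, not at input time, and neither is sufficient inside `<script>`, URL or CSS contexts, which need their own encoders.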

If you run Apache you could use mod_security to close some holes. At least it would provide you with a tool (the console or a plain logfile) to monitor the traffic and to react before it's too late. Also, gotroot. has a couple of interesting rules for web applications.

Then again, I don't really know what kind of holes you are closing.

What you want is an IDS (Intrusion Detection System). If you're using PHP, there is PHPIDS. It's maintained and tested by an excellent hacker community. They have been throwing all kinds of things at it to improve the filters, well beyond RSnake's original list. There was also a .NET port somewhere, not sure if it's still maintained.

Tags: javascript | XSS Blacklist - Is anyone aware of a reasonable one | Stack Overflow