devbox
2023面试高手
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

WEB安全之代码安全----ESAPI_org.owasp.esapi.errors.intrusionexception: input v

作者:2023面试高手 | 2024-02-27 05:57:40

org.owasp.esapi.errors.intrusionexception: input validation failure

ESAPI是owasp提供的一套API级别的web应用解决方案。简单的说,ESAPI就是为了编写出更加安全的代码而设计出来的一些API,方便使用者调用,从而方便的编写安全的代码

其官方网站为:https://www.owasp.org/,其有很多针对不同语言的版本,其J2ee的版本需要jre1.5及以上支持

目录

 

安装篇

第一步:引入Jar

第二步:直接下载Jar

配置

测试

使用

1. 针对xss漏洞

2. 针对sql注入漏洞

3. 验证输入

4. 验证恶意文件

安装篇

第一步:引入Jar

Maven

  1. <dependency>
  2.     <groupId>org.owasp.esapi</groupId>
  3.     <artifactId>esapi</artifactId>
  4.     <version>2.1.0.1</version>
  5. </dependency>

gradle

compile group: 'org.owasp.esapi', name: 'esapi', version: '2.1.0.1'1


第二步:直接下载Jar

https://search.maven.org/search?q=g:org.owasp.esapi

配置

在工程的资源文件目录下增加配置文件ESAPI.properties及validation.properties,文件内容可为空。如果为空则都取默认值。建议参考以下文件内容设置

 

ESAPI.properties

  1. # 是否要打印配置属性,默认为true
  2. ESAPI.printProperties=true
  3.  
  4. ESAPI.AccessControl=org.owasp.esapi.reference.DefaultAccessController
  5. ESAPI.Authenticator=org.owasp.esapi.reference.FileBasedAuthenticator
  6. ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder
  7. ESAPI.Encryptor=org.owasp.esapi.reference.crypto.JavaEncryptor
  8. ESAPI.Executor=org.owasp.esapi.reference.DefaultExecutor
  9. ESAPI.HTTPUtilities=org.owasp.esapi.reference.DefaultHTTPUtilities
  10. ESAPI.IntrusionDetector=org.owasp.esapi.reference.DefaultIntrusionDetector
  11. ESAPI.Logger=org.owasp.esapi.reference.JavaLogFactory
  12. ESAPI.Randomizer=org.owasp.esapi.reference.DefaultRandomizer
  13. ESAPI.Validator=org.owasp.esapi.reference.DefaultValidator
  14.  
  15.  
  16. #===========================================================================
  17. # ESAPI Encoder
  18. Encoder.AllowMultipleEncoding=false
  19. Encoder.AllowMixedEncoding=false
  20. Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec
  21.  
  22.  
  23. #===========================================================================
  24. # ESAPI 加密模块
  25. Encryptor.PreferredJCEProvider=
  26. Encryptor.EncryptionAlgorithm=AES
  27. Encryptor.CipherTransformation=AES/CBC/PKCS5Padding
  28. Encryptor.cipher_modes.combined_modes=GCM,CCM,IAPM,EAX,OCB,CWC
  29. Encryptor.cipher_modes.additional_allowed=CBC
  30. Encryptor.EncryptionKeyLength=128
  31. Encryptor.ChooseIVMethod=random
  32. Encryptor.fixedIV=0x000102030405060708090a0b0c0d0e0f
  33. Encryptor.CipherText.useMAC=true
  34. Encryptor.PlainText.overwrite=true
  35. Encryptor.HashAlgorithm=SHA-512
  36. Encryptor.HashIterations=1024
  37. Encryptor.DigitalSignatureAlgorithm=SHA1withDSA
  38. Encryptor.DigitalSignatureKeyLength=1024
  39. Encryptor.RandomAlgorithm=SHA1PRNG
  40. Encryptor.CharacterEncoding=UTF-8
  41. Encryptor.KDF.PRF=HmacSHA256
  42.  
  43. #===========================================================================
  44. # ESAPI Http工具
  45.  
  46. HttpUtilities.UploadDir=C:\\ESAPI\\testUpload
  47. HttpUtilities.UploadTempDir=C:\\temp
  48. # Force flags on cookies, if you use HttpUtilities to set cookies
  49. HttpUtilities.ForceHttpOnlySession=false
  50. HttpUtilities.ForceSecureSession=false
  51. HttpUtilities.ForceHttpOnlyCookies=true
  52. HttpUtilities.ForceSecureCookies=true
  53. # Maximum size of HTTP headers
  54. HttpUtilities.MaxHeaderSize=4096
  55. # File upload configuration
  56. HttpUtilities.ApprovedUploadExtensions=.zip,.pdf,.doc,.docx,.ppt,.pptx,.tar,.gz,.tgz,.rar,.war,.jar,.ear,.xls,.rtf,.properties,.java,.class,.txt,.xml,.jsp,.jsf,.exe,.dll
  57. HttpUtilities.MaxUploadFileBytes=500000000
  58. # Using UTF-8 throughout your stack is highly recommended. That includes your database driver,
  59. # container, and any other technologies you may be using. Failure to do this may expose you
  60. # to Unicode transcoding injection attacks. Use of UTF-8 does not hinder internationalization.
  61. HttpUtilities.ResponseContentType=text/html; charset=UTF-8
  62. # This is the name of the cookie used to represent the HTTP session
  63. # Typically this will be the default "JSESSIONID" 
  64. HttpUtilities.HttpSessionIdName=JSESSIONID
  65.  
  66.  
  67.  
  68. #===========================================================================
  69. # ESAPI Executor
  70. Executor.WorkingDirectory=
  71. Executor.ApprovedExecutables=
  72.  
  73.  
  74. #===========================================================================
  75. # ESAPI Logging
  76. # Set the application name if these logs are combined with other applications
  77. Logger.ApplicationName=ExampleApplication
  78. # If you use an HTML log viewer that does not properly HTML escape log data, you can set LogEncodingRequired to true
  79. Logger.LogEncodingRequired=false
  80. # Determines whether ESAPI should log the application name. This might be clutter in some single-server/single-app environments.
  81. Logger.LogApplicationName=true
  82. # Determines whether ESAPI should log the server IP and port. This might be clutter in some single-server environments.
  83. Logger.LogServerIP=true
  84. # LogFileName, the name of the logging file. Provide a full directory path (e.g., C:\\ESAPI\\ESAPI_logging_file) if you
  85. # want to place it in a specific directory.
  86. Logger.LogFileName=ESAPI_logging_file
  87. # MaxLogFileSize, the max size (in bytes) of a single log file before it cuts over to a new one (default is 10,000,000)
  88. Logger.MaxLogFileSize=10000000
  89.  
  90.  
  91. #===========================================================================
  92. # ESAPI Intrusion Detection
  93. IntrusionDetector.Disable=false
  94. IntrusionDetector.event.test.count=2
  95. IntrusionDetector.event.test.interval=10
  96. IntrusionDetector.event.test.actions=disable,log
  97.  
  98. IntrusionDetector.org.owasp.esapi.errors.IntrusionException.count=1
  99. IntrusionDetector.org.owasp.esapi.errors.IntrusionException.interval=1
  100. IntrusionDetector.org.owasp.esapi.errors.IntrusionException.actions=log,disable,logout
  101.  
  102. IntrusionDetector.org.owasp.esapi.errors.IntegrityException.count=10
  103. IntrusionDetector.org.owasp.esapi.errors.IntegrityException.interval=5
  104. IntrusionDetector.org.owasp.esapi.errors.IntegrityException.actions=log,disable,logout
  105.  
  106. IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.count=2
  107. IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.interval=10
  108. IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.actions=log,logout
  109.  
  110.  
  111. #===========================================================================
  112. # ESAPI 校验器
  113. #校验器的配置文件
  114. Validator.ConfigurationFile=validation.properties
  115.  
  116. # Validators used by ESAPI
  117. Validator.AccountName=^[a-zA-Z0-9]{3,20}$
  118. Validator.SystemCommand=^[a-zA-Z\\-\\/]{1,64}$
  119. Validator.RoleName=^[a-z]{1,20}$
  120.  
  121. #the word TEST below should be changed to your application 
  122. #name - only relative URL's are supported
  123. Validator.Redirect=^\\/test.*$
  125. # Global HTTP Validation Rules
  126. # Values with Base64 encoded data (e.g. encrypted state) will need at least [a-zA-Z0-9\/+=]
  127. Validator.HTTPScheme=^(http|https)$
  128. Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$
  129. Validator.HTTPParameterName=^[a-zA-Z0-9_]{1,32}$
  130. Validator.HTTPParameterValue=^[a-zA-Z0-9.\\-\\/+=@_ ]*$
  131. Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$
  132. Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$
  134. # Note that max header name capped at 150 in SecurityRequestWrapper!
  135. Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,50}$
  136. Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$
  137. Validator.HTTPContextPath=^\\/?[a-zA-Z0-9.\\-\\/_]*$
  138. Validator.HTTPServletPath=^[a-zA-Z0-9.\\-\\/_]*$
  139. Validator.HTTPPath=^[a-zA-Z0-9.\\-_]*$
  140. Validator.HTTPQueryString=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ %]*$
  141. Validator.HTTPURI=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$
  142. Validator.HTTPURL=^.*$
  143. Validator.HTTPJSESSIONID=^[A-Z0-9]{10,30}$
  145. # Validation of file related input
  146. Validator.FileName=^[a-zA-Z0-9!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$
  147. Validator.DirectoryName=^[a-zA-Z0-9:/\\\\!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$
  149. # Validation of dates. Controls whether or not 'lenient' dates are accepted.
  150. # See DataFormat.setLenient(boolean flag) for further details.
  151. Validator.AcceptLenientDates=false123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151
  155. validation.properties
  159. # 校验某个字段的正则表达式
  160. Validator.SafeString=^[.\\p{Alnum}\\p{Space}]{0,1024}$
  161. Validator.Email=^[A-Za-z0-9._%'-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$
  162. Validator.IPAddress=^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$
  163. Validator.URL=^(ht|f)tp(s?)\\:\\/\\/[0-9a-zA-Z]([-.\\w]*[0-9a-zA-Z])*(:(0-9)*)*(\\/?)([a-zA-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&amp;%\\$#_]*)?$
  164. Validator.CreditCard=^(\\d{4}[- ]?){3}\\d{4}$
  165. Validator.SSN=^(?!000)([0-6]\\d{2}|7([0-6]\\d|7[012]))([ -]?)(?!00)\\d\\d\\3(?!0000)\\d{4}$
  166. 12345678


测试

增加测试类:

  1. import org.owasp.esapi.ESAPI;
  2.  
  3. public class Test {
  4.  
  5.     public static void main(String args[]) {
  6.         System.out.println(ESAPI.encoder().encodeForHTML("<a href='sdfs'></a> < script > alert(); </ script >"));
  7.     }
  8. }12345678

运行结果如下即为安装成功:

&lt;a href&#x3d;&#x27;sdfs&#x27;&gt;&lt;&#x2f;a&gt; &lt; script &gt; alert&#x28;&#x29;&#x3b; &lt;&#x2f; script &gt;1

使用

1. 针对xss漏洞

  1. //对用户输入“input”进行HTML编码,防止XSS
  2. input = ESAPI.encoder().encodeForHTML(input);
  3. //根据自己不同的需要可以选用以下方法
  4. //input = ESAPI.encoder().encodeForHTMLAttribute(input);
  5. //input = ESAPI.encoder().encodeForJavaScript(input);
  6. //input = ESAPI.encoder().encodeForCSS(input);
  7. //input = ESAPI.encoder().encodeForURL(input);
  8.  
  9. //针对富文本进行html编码123456789
  10.  
  11.

2. 针对sql注入漏洞

除了支持mysql还支持oracle

  1. String input1="用户输入1";
  2. String input2="用户输入2";
  3.  
  4. //解决注入问题
  5. input1 = ESAPI.encoder().encodeForSQL(new MySQLCodec(MySQLCodec.Mode.STANDARD),input1);
  6. input2 = ESAPI.encoder().encodeForSQL(new MySQLCodec(MySQLCodec.Mode.STANDARD),input2);
  7.  
  8. String sqlStr="select name from tableA where id="+input1 +"and date_created ='" + input2+"'";
  9.  
  10. //执行SQL12345678910

3. 验证输入

检查每个输入的有效性,让每个输入合法。这里面的关键是一切都进行验证。ESAPI提供了很多常见的校验,可以方便针对不同的需要做校验。

  1. //type就是定义在validate.properties文件中的正则表达式
  2. //ESAPI.validator().getValidInput(java.lang.String context,java.lang.String input, java.lang.String type,int maxLength,boolean allowNull);
  3.  
  4. //ESAPI.validator().isValidInput(java.lang.String context,java.lang.String input, java.lang.String type,int maxLength,boolean allowNull);
  5.  
  6. //实际使用参考如下:
  7. String input="xxxx.com";
  8.  
  9.         if(!ESAPI.validator().isValidInput("",input,"Email",11,false)){
  10.             System.out.println("出错了");
  11.         }
  12.  
  13.         try{
  14.  
  15.             input = ESAPI.validator().getValidInput("",input,"Email",11,false);
  16.         }catch (Exception e){
  17.             System.out.println("输入错误");
  18.             e.printStackTrace();
  19.         }
  20. 1234567891011121314151617181920

4. 验证恶意文件

  1. //校验文件名
  2. String inputfilename ="xxxx.txt";
  3. ArrayList<String> allowedExtension = new ArrayList<String>();
  4. allowedExtension.add("exe");
  5. allowedExtension.add("jpg");
  6.  
  7. if(!ESAPI.validator().isValidFileName("upload",inputfilename, allowedExtension,false)){
  8.    //文件名不合法,throw exception
  9.    System.out.println("出错了");
  10. }
  11.  
  12. //获取随机文件名
  13. System.out.println(ESAPI.randomizer().getRandomFilename("exe"));
  14. //得到结果rnQO8AK4ymmv.exe1234567891011121314

 

转载链接:https://blog.csdn.net/frog4/article/details/81876462

 

 

 

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/2023面试高手/article/detail/150544
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号