标签:
JSOUP is XSS prevention tool. Jsoup can detect xss script in html and url also. Now i am giving example with url. Jsoup can validate the url with the help of "isValidate()" method. "isValidate()" method return type is boolean. If return type is true that means url having xss script so we need to clean the url with the help of "clean()" method. "clean()" method will return clean url as string.
JSOUP can handle all cheat sheet scenarios. url of cheat sheet is: "https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet"
JSOUP has clear api. "http://jsoup.org/apidocs/"
Antisamy also one of the tool to prevent xss script but, its customized one so we need to configure everything. Its not better than JSOUP
Steps to use JSOUP:
1. Download jsoup jar file
2. Write the code like the following
import java.io.UnsupportedEncodingException;
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;
public class JsoupSolution {
public static void main(String[] args) throws UnsupportedEncodingException {
/*
* Sequrity issue scenario
*/
String input = "GET /selfservice/forgotpwd.jsp?ssError=2&returnUrl=https://stg-wealthinteractive.skandiainternational.com/SecurityAndRoles/SignIn/SignIn?authn_try_count=06f080\"style%3d\"behavior%3aurl(%23default%23time2)\"onbegin%3d\"alert(‘xss‘)\"f6bc57307de&contextType=external&username=string&contextValue=%2Foam&password=sercure_string&challenge_url=https%3A%2F%2Fstg-wealthinteractive.skandiainternational.com%2FSecurityAndRoles%2FSignIn%2FSignIn&request_id=6990594052748823869&OAM_REQ=&locale=en_GB&resource_url=http%253A%252F%252Fstg-wealthinteractive.skandiainternational.com%252Fauth%252Flevel2.jsp%253FreturnURL%25253Dhttp%2525253A%2525252F%2525252Fstg-wealthinteractive.skandiainternational.com%2525252Fselfservice%2525252Flevel3.jsp%2525253FreturnURL%252525253Dhttp%25252525253A%25252525252F%25252525252Fstg-wealthinteractive.skandiainternational.com%25252525252FSkandia%25252525252Flogout HTTP/1.1";
String unsafe = "‘;alert(String.fromCharCode(88,83,83))//‘;alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>\">‘><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>";
String unsafe1 = "<IMG SRC=javascript:alert(‘XSS‘)> ";
// String input =
// "\"behavior%3aurl(%23default%23time2)\"onbegin%3d\"alert(‘xss‘)\"";
// String input = "<IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\">";
// String input = "<form BACKGROUND=\"javascript:alert(‘XSS‘)\">";
// String input = "<form bgcolor=\"#000000\"";
System.out.println("Input : " + input);
boolean check = Jsoup.isValid(unsafe1, Whitelist.relaxed());
if (!check) {
System.out.println("its invalid string");
String safe = Jsoup.clean(unsafe1, Whitelist.basic());
System.out.println("Cleaned code: " + safe);
System.out.println("its cleaned string by jsoup");
boolean oneMoreCheck = Jsoup.isValid(safe, Whitelist.basic());
if (oneMoreCheck) {
System.out.println("its safe code [after clean]");
} else {
System.out.println("its Harmfull code");
}
} else {
System.out.println("its valid string");
}
}
}
标签:
原文地址:http://my.oschina.net/ydsakyclguozi/blog/490169
