AntiSamy test
AntiSamy is OWASP's library for sanitizing rich-text (HTML) input against XSS. What it filters is decided by an XML policy file: which tags are kept, which attributes each tag may carry (and what values those attributes may take), and which CSS properties are allowed. Writing a custom policy is fairly costly for developers, so AntiSamy ships several built-in policies at different security levels that filter different things. Note that the output is sanitized HTML meant to be placed in an HTML body context; AntiSamy does not replace output encoding where markup is not wanted at all. Below is a test of the bundled policies.
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;

public class RichTextXssTest {
    public static void main(String[] args) {
        AntiSamy as = new AntiSamy();
        try {
            // Swap the policy file here to compare the bundled policies. Policy.getInstance(String)
            // opens a file path, so the XML must be reachable from the working directory.
            //Policy policy = Policy.getInstance("antisamy-slashdot.xml");
            Policy policy = Policy.getInstance("antisamy-ebay.xml");
            // 1. benign remote image: a policy that allows offsite images should keep it
            CleanResults cr = as.scan("<img src=http://www.qq.com/a.jpg />", policy);
            System.out.print(cr.getCleanHTML() + "1\r\n");
            // 2. mixed-case script tag with a remote source
            cr = as.scan("<sCript src=http://www.qq.com/a.js />", policy);
            System.out.print(cr.getCleanHTML() + "2\r\n");
            // 3. event-handler attribute on an otherwise valid tag
            cr = as.scan("<img src=http://www.qq.com/a.jpg onclick=alert(1) />", policy);
            System.out.print(cr.getCleanHTML() + "3\r\n");
            // 4. attribute-looking text with a URL-encoded "><!--" and no enclosing tag
            cr = as.scan("onfinish=javascript:a=alert;a(1)%3E%3C!--", policy);
            System.out.print(cr.getCleanHTML() + "4\r\n");
            // 5-7. javascript: URI in the src attribute: quoted, mixed case, and plain
            cr = as.scan("<img src=\"javascript:alert('XSS')\">", policy);
            System.out.print(cr.getCleanHTML() + "5\r\n");
            cr = as.scan("<IMG src=JaVaScRiPt:alert('XSS')>", policy);
            System.out.print(cr.getCleanHTML() + "6\r\n");
            cr = as.scan("<IMG src=javascript:alert('XSS')>", policy);
            System.out.print(cr.getCleanHTML() + "7\r\n");
            // 8. style element whose type attribute is not CSS
            cr = as.scan("<STYLE TYPE=\"text/javascript\">alert('XSS');</STYLE>", policy);
            System.out.print(cr.getCleanHTML() + "8\r\n");
            // 9. href with a second URL embedded in the host name (cheat-sheet URL filter bypass)
            cr = as.scan("<A href=http://www.gohttp://www.google.com/ogle.com/>link</A>", policy);
            System.out.print(cr.getCleanHTML() + "9\r\n");
            // 10. meta refresh to a javascript: URL
            cr = as.scan("<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:alert('XSS');\">", policy);
            System.out.print(cr.getCleanHTML() + "10\r\n");
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }
}
Ten payloads were tested in total. The results under each built-in policy were captured as screenshots in the original post:
[Result screenshots, not reproduced here, for: antisamy-ebay.xml, antisamy-slashdot.xml, antisamy-myspace.xml, antisamy-tinymce.xml, antisamy-anythinggoes.xml, and the default policy antisamy.xml]
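To get the same comparison as a single text report instead of one screenshot per policy, the harness below (an added example, not code from the original post or from the AntiSamy project) runs one payload set against every policy file bundled with AntiSamy. It assumes, as the page's own test does, that the policy XML files are in the working directory, since Policy.getInstance(String) opens a file path. The payload set is constructed: the page's ten plus three vectors the page did not test. The "SURVIVED" flag is a heuristic regex over the cleaned output, so flagged lines are for manual review; the authoritative record of what was stripped is CleanResults.getErrorMessages(). Exact outputs depend on the AntiSamy version and on the policy files that ship with it.

```java
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Runs one payload set against every policy file bundled with AntiSamy and prints,
 * per policy, the cleaned HTML, the sanitizer's own list of what it removed, and a
 * heuristic flag when something script-like survived in real markup.
 */
public class AntiSamyPolicyMatrix {

    // Policy files from the AntiSamy distribution. Policy.getInstance(String) opens a
    // file path, so (assumption, as in the page's test) they sit in the working directory.
    static final String[] POLICIES = {
        "antisamy.xml",               // default policy; the usual starting point for production
        "antisamy-slashdot.xml",
        "antisamy-ebay.xml",
        "antisamy-myspace.xml",
        "antisamy-tinymce.xml",
        "antisamy-anythinggoes.xml",  // deliberately permissive; not meant for production
    };

    // Constructed payloads: the page's ten, then three extra vectors the page did not test.
    static final Map<String, String> PAYLOADS = new LinkedHashMap<>();
    static {
        PAYLOADS.put("img offsite",      "<img src=http://www.qq.com/a.jpg />");
        PAYLOADS.put("script mixcase",   "<sCript src=http://www.qq.com/a.js />");
        PAYLOADS.put("img onclick",      "<img src=http://www.qq.com/a.jpg onclick=alert(1) />");
        PAYLOADS.put("bare attr text",   "onfinish=javascript:a=alert;a(1)%3E%3C!--");
        PAYLOADS.put("img js quoted",    "<img src=\"javascript:alert('XSS')\">");
        PAYLOADS.put("img js mixcase",   "<IMG src=JaVaScRiPt:alert('XSS')>");
        PAYLOADS.put("img js plain",     "<IMG src=javascript:alert('XSS')>");
        PAYLOADS.put("style js type",    "<STYLE TYPE=\"text/javascript\">alert('XSS');</STYLE>");
        PAYLOADS.put("href embedded",    "<A href=http://www.gohttp://www.google.com/ogle.com/>link</A>");
        PAYLOADS.put("meta refresh",     "<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:alert('XSS');\">");
        PAYLOADS.put("style expression", "<div style=\"width:expression(alert(1))\">x</div>");
        PAYLOADS.put("iframe srcdoc",    "<iframe srcdoc=\"<script>alert(1)</script>\"></iframe>");
        PAYLOADS.put("svg onload",       "<svg onload=alert(1)></svg>");
    }

    // Heuristic only. Matches script tags, or a javascript: URI, on* handler or CSS
    // expression() inside a tag. Text nodes are entity-encoded by AntiSamy, so a
    // literal "<" in the pattern only matches real markup, not escaped text.
    static final Pattern SUSPICIOUS = Pattern.compile(
        "(?i)<script|<[^>]*(javascript\\s*:|\\bon\\w+\\s*=|expression\\s*\\()");

    static boolean looksDangerous(String cleanedHtml) {
        return SUSPICIOUS.matcher(cleanedHtml).find();
    }

    public static void main(String[] args) throws PolicyException {
        AntiSamy as = new AntiSamy();
        for (String policyFile : POLICIES) {
            Policy policy = Policy.getInstance(policyFile);
            System.out.println("=== " + policyFile + " ===");
            for (Map.Entry<String, String> e : PAYLOADS.entrySet()) {
                try {
                    CleanResults cr = as.scan(e.getValue(), policy);
                    String clean = cr.getCleanHTML();
                    System.out.printf("%-17s -> %s%s%n", e.getKey(), clean,
                        looksDangerous(clean) ? "   <<< SURVIVED (review)" : "");
                    // The sanitizer's own account of what it stripped or rewrote. Many
                    // messages on benign input means the policy is too strict for that content.
                    List<String> msgs = cr.getErrorMessages();
                    for (String msg : msgs) {
                        System.out.println("      removed: " + msg);
                    }
                } catch (ScanException ex) {
                    System.out.printf("%-17s -> scan failed: %s%n", e.getKey(), ex.getMessage());
                }
            }
        }
    }
}
```

Run it once with the AntiSamy jar and its policy files on the classpath and in the working directory. When comparing policies, read the "removed:" lines as carefully as the cleaned HTML: a policy that strips a benign offsite image (payload 1) is as much a finding for a rich-text feature as one that lets an event handler through. AntiSamy also offers a second scanner, as.scan(input, policy, AntiSamy.SAX) versus the default AntiSamy.DOM; if you adopt one in production, run the matrix with that scanner type too.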
Reposted from: https://www.cnblogs.com/SEC-fsq/p/8880190.html