// StringUtils is Apache Commons Lang; the import is assumed here because the snippet uses it below.
import org.apache.commons.lang3.StringUtils;

// This table is used to escape input that could carry an XSS script attack.
// Each entry is {search, replacement}; every entry is applied case-insensitively
// with replaceIgnoreSearchCase() below. Inserting an underscore into an event
// handler name means the browser no longer recognises the attribute as a handler.
// The HTML 4 events are taken from http://www.w3schools.com/Html/html_eventattributes.asp
private static final String[][] XSS_CHARS_ESCAPE = {
    // Window events
    {"onload", "on_load"},
    {"onunload", "on_unload"},
    // Form element events
    {"onchange", "on_change"},
    {"onsubmit", "on_submit"},
    {"onreset", "on_reset"},
    {"onselect", "on_select"},
    {"onblur", "on_blur"},
    {"onfocus", "on_focus"},
    // Keyboard events
    {"onkeydown", "on_keydown"},
    {"onkeypress", "on_keypress"},
    {"onkeyup", "on_keyup"},
    // Mouse events
    {"onclick", "on_click"},
    {"ondblclick", "on_dblclick"},
    {"onmousedown", "on_mousedown"},
    {"onmousemove", "on_mousemove"},
    {"onmouseout", "on_mouseout"},
    {"onmouseover", "on_mouseover"},
    {"onmouseup", "on_mouseup"},
    // HTML 5 event attributes
    // from http://www.w3schools.com/tags/html5_ref_eventattributes.asp
    {"onabort", "on_abort"},
    {"onbeforeunload", "on_beforeunload"},
    {"oncontextmenu", "on_contextmenu"},
    {"ondrag", "on_drag"},
    {"ondragend", "on_dragend"},
    {"ondragenter", "on_dragenter"},
    {"ondragleave", "on_dragleave"},
    {"ondragover", "on_dragover"},
    {"ondragstart", "on_dragstart"},
    {"ondrop", "on_drop"},
    {"onerror", "on_error"},
    {"onmessage", "on_message"},
    {"onmousewheel", "on_mousewheel"},
    {"onresize", "on_resize"},
    {"onscroll", "on_scroll"},
    // Script URL schemes
    {"javascript:", "java_script:"},
    {"jscript:", "j_script:"},
    {"vbscript:", "vb_script:"},
    // Script tags: encode the angle brackets so the tag is rendered as text, not parsed
    {"<script>", "&lt;script&gt;"},
    {"</script>", "&lt;/script&gt;"},
    // IE-only events; the replacement must differ from the search string or the entry does nothing
    {"onactivate", "on_activate"},
    {"onafterprint", "on_afterprint"},
    {"onafterupdate", "on_afterupdate"},
    {"onbeforeactivate", "on_beforeactivate"},
    {"onbeforecopy", "on_beforecopy"},
    {"onbeforecut", "on_beforecut"},
    {"onbeforedeactivate", "on_beforedeactivate"},
    {"onbeforeeditfocus", "on_beforeeditfocus"},
    {"onbeforepaste", "on_beforepaste"},
    {"onbeforeprint", "on_beforeprint"},
    {"onbeforeupdate", "on_beforeupdate"},
    {"onbounce", "on_bounce"},
    {"oncontrolselect", "on_controlselect"},
    {"oncopy", "on_copy"},
    {"oncut", "on_cut"},
    {"ondataavailable", "on_dataavailable"},
    {"ondatasetchanged", "on_datasetchanged"},
    {"ondeactivate", "on_deactivate"},
    {"onerrorupdate", "on_errorupdate"},
    {"onfilterchange", "on_filterchange"},
    {"onfinish", "on_finish"},
    {"onhelp", "on_help"},
    {"onlayoutcomplete", "on_layoutcomplete"},
    {"onlosecapture", "on_losecapture"},
    {"onmouseenter", "on_mouseenter"},
    {"onmouseleave", "on_mouseleave"},
    {"onmove", "on_move"},
    {"onmoveend", "on_moveend"},
    {"onmovestart", "on_movestart"},
    {"onpaste", "on_paste"},
    {"onpropertychange", "on_propertychange"},
    {"onreadystatechanged", "on_readystatechanged"},
    {"onresizeend", "on_resizeend"},
    {"onresizestart", "on_resizestart"},
    {"onrowenter", "on_rowenter"},
    {"onrowexit", "on_rowexit"},
    {"onrowsdelete", "on_rowsdelete"},
    {"onrowsinserted", "on_rowsinserted"},
    {"onstart", "on_start"},
    {"onstop", "on_stop"},
    {"ontimeerror", "on_timeerror"}
};

// Replaces every occurrence of searchString in text, ignoring case, with replacement.
// Matching is done with StringUtils.indexOfIgnoreCase() on the original text rather than
// on an upper-cased copy: toUpperCase() can change a string's length (for example "ß"
// becomes "SS"), which would misalign the indices used to copy from the original text.
private static String replaceIgnoreSearchCase(String text, String searchString, String replacement) {
    if (StringUtils.isEmpty(text) || StringUtils.isEmpty(searchString) || replacement == null) {
        return text;
    }
    int replLength = searchString.length();
    int start = 0;
    int end = StringUtils.indexOfIgnoreCase(text, searchString, start);
    if (end == -1) {
        return text;
    }
    // Pre-size the buffer for up to 16 growing replacements before it has to expand
    int increase = replacement.length() - replLength;
    increase = (increase < 0 ? 0 : increase);
    increase *= 16;
    StringBuilder buf = new StringBuilder(text.length() + increase);
    while (end != -1) {
        // Copy the unmatched prefix from the original text, then the replacement
        buf.append(text, start, end).append(replacement);
        start = end + replLength;
        end = StringUtils.indexOfIgnoreCase(text, searchString, start);
    }
    buf.append(text, start, text.length());
    return buf.toString();
}
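The table above only ever rewrites the names it lists and leaves the surrounding markup in place, and it rewrites those names wherever they occur, including inside ordinary text. The following is an added example, not code from the original snippet, that runs a small constructed subset of the same {search, replacement} table over two constructed inputs and prints the result next to plain HTML entity encoding of the same input, which is the usual defence for untrusted data placed into HTML. The class name XssTableDemo, the methods escapeWithTable, replaceIgnoreCase and encodeForHtml, and the sample strings are all chosen for this example; the case-insensitive replace is reimplemented with String.regionMatches so the demo runs on the JDK alone without Commons Lang.

```java
import java.util.Arrays;
import java.util.List;

// Added example: blacklist-style event-name substitution beside HTML entity encoding.
public class XssTableDemo {

    // Constructed subset of the table above, same {search, replacement} shape.
    private static final String[][] TABLE = {
        {"onload", "on_load"},
        {"onerror", "on_error"},
        {"onclick", "on_click"},
        {"javascript:", "java_script:"},
        {"<script>", "&lt;script&gt;"},
        {"</script>", "&lt;/script&gt;"},
    };

    // Blacklist approach: rewrite every listed token wherever it occurs, ignoring case.
    static String escapeWithTable(String input) {
        String out = input;
        for (String[] pair : TABLE) {
            out = replaceIgnoreCase(out, pair[0], pair[1]);
        }
        return out;
    }

    // Case-insensitive replace built on regionMatches, so every index refers to the
    // original text and no dependency on Commons Lang is needed for this demo.
    static String replaceIgnoreCase(String text, String search, String replacement) {
        if (text == null || text.isEmpty() || search == null || search.isEmpty() || replacement == null) {
            return text;
        }
        StringBuilder buf = new StringBuilder(text.length());
        int n = search.length();
        int i = 0;
        while (i < text.length()) {
            if (text.regionMatches(true, i, search, 0, n)) {
                buf.append(replacement);
                i += n;
            } else {
                buf.append(text.charAt(i));
                i++;
            }
        }
        return buf.toString();
    }

    // Output encoding for HTML text and attribute values: every character that can change
    // the parser's state is encoded, so no list of attribute names is required.
    static String encodeForHtml(String input) {
        if (input == null) {
            return null;
        }
        StringBuilder buf = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  buf.append("&amp;");  break;
                case '<':  buf.append("&lt;");   break;
                case '>':  buf.append("&gt;");   break;
                case '"':  buf.append("&quot;"); break;
                case '\'': buf.append("&#39;");  break;
                default:   buf.append(c);
            }
        }
        return buf.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one that carries an event handler, and one harmless
        // sentence that merely contains an event name as an ordinary word.
        List<String> samples = Arrays.asList(
            "<img src=x ONERROR=alert(1)>",
            "Page onload time was 2s");
        for (String s : samples) {
            System.out.println("input:   " + s);
            System.out.println("table:   " + escapeWithTable(s));
            System.out.println("encoded: " + encodeForHtml(s));
            System.out.println();
        }
    }
}
```

For the first input the table produces `<img src=x on_error=alert(1)>`: the handler name is broken but the element itself still reaches the page, while `encodeForHtml` yields `&lt;img src=x ONERROR=alert(1)&gt;`, which the browser displays as text. For the second input the table turns "onload" into "on_load" and corrupts legitimate content, whereas the encoded form is unchanged. This is why a substitution table is best treated as a defence-in-depth layer behind context-aware output encoding rather than as the primary control.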