AntiSamy测试

AntiSamy为owasp针对xss提供的处理库,可以配置xml策略来决定过滤的内容,比如标签、属性、css等,自定义策略给开发人员使用成本比较高,AntiSamy也提供了几个内置的策略,其安全级别也不同,过滤的内容也不一样,下边是针对自带的策略的测试。

测试代码:

package com.didichuxing.hive.client;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;

public class RichTextXssTest {

public static void main(String[] args) {

AntiSamy as = new AntiSamy();
try{
//Policy policy = Policy.getInstance("antisamy-slashdot.xml");
Policy policy = Policy.getInstance("antisamy-ebay.xml");

CleanResults cr = as.scan("<img src=http://www.qq.com/a.jpg />", policy);
System.out.print(cr.getCleanHTML() + "1\r\n");


cr = as.scan("<sCript src=http://www.qq.com/a.js />", policy);
System.out.print(cr.getCleanHTML() + "2\r\n");

cr = as.scan("<img src=http://www.qq.com/a.jpg onclick=alert(1) />", policy);
System.out.print(cr.getCleanHTML() + "3\r\n");

cr = as.scan("onfinish=javascript:a=alert;a(1)%3E%3C!—", policy);
System.out.print(cr.getCleanHTML() + "4\r\n");


cr = as.scan("<img src=\"javascript:alert('XSS')\">", policy);
System.out.print(cr.getCleanHTML() + "5\r\n");

cr = as.scan("<IMG src=JaVaScRiPt:alert('XSS')>", policy);
System.out.print(cr.getCleanHTML() + "6\r\n");

cr = as.scan("<IMG src=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>", policy);
System.out.print(cr.getCleanHTML() + "7\r\n");

cr = as.scan("<STYLE TYPE=\"text/javascript\">alert('XSS');</STYLE>", policy);
System.out.print(cr.getCleanHTML() + "8\r\n");

cr = as.scan("<A href=http://www.gohttp://www.google.com/ogle.com/>link</A>", policy);
System.out.print(cr.getCleanHTML() + "9\r\n");

cr = as.scan("<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:alert('XSS');\">", policy);
System.out.print(cr.getCleanHTML() + "10\r\n");




}
catch(Exception ex) {
ex.printStackTrace();
} ;
}

}
一共测试了10个payload,测试结果如下:
antisamy-ebay.xml 策略的测试结果

 

antisamy-slashdot.xml 策略的测试结果:

antisamy-myspace.xml策略的测试结果:

antisamy-tinymce.xml策略的测试结果:

antisamy-anythinggoes.xml策略的测试结果

默认策略antisamy.xml 策略的测试结果:

 




 

 

 

 












posted @ 2018-04-19 09:49  范世强  阅读(1585)  评论(0编辑  收藏  举报