How to avoid XSS attacks in WSO2 API Manager 3.2.0 Carbon?

How can the XSS attack (injecting an "alert") in WSO2 API Manager 3.2.0 Carbon be resolved?

The request is as follows:

GET /carbon/generic/list.jsp?region=region3&item=governance_list_api_menu&key=api&breadcrumb=APIs%26%2339%3b)%3balert(76174)%3b%2f%2f&singularLabel=API&pluralLabel=APIs HTTP/1.1
Host: xxx.xx.xx.xx:9443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: region1_identity_menu=visible; menuPanel=visible; menuPanelType=main; JSESSIONID=55DB064DEF96C3060444A39F6A8412ED; requestedURI=../../carbon/admin/index.jsp; region1_configure_menu=none; region3_registry_menu=none; region4_monitor_menu=none; region5_tools_menu=none; current-breadcrumb=metadata_menu%252Clist_sub_menu%252Cgovernance_list_api_menu%2523
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Pragma: no-cache
Cache-Control: no-cache

A fix was released in WSO2 APIM 3.0.0, but it was not carried into the newer WSO2 releases (3.1.0, 3.2.0). The approach is based on XSSValve.java (https://svn.apache.org/repos/asf/stratos/site/trunk/content/apidocs/4.1.5/org/wso2/carbon/ui/valve/XSSValve.html#XSSValve() ) ( https://github.com/kasunbg/carbon-kernel-4.x/blob/master/core/org.wso2.carbon.ui/src/main/java/org/wso2/carbon/ui/valve/XSSValve.java ), and the configuration model has also changed, see: https://apim.docs.wso2.com/en/3.2.0/reference/understanding-the-new-configuration-model/. So I carried out the following steps:

1. vi APIM-HOME/repository/resources/conf/templates/repository/conf/carbon.xml.j2

    <XSSPreventionConfig>
        <XSSPatternsLocation>${carbon.home}/repository/conf/security/xss-patterns.properties</XSSPatternsLocation>
        <Enabled>true</Enabled>
        <Rule>allow</Rule>
        <Patterns>
            <!--Pattern>carbon/sequences</Pattern>
            <Pattern>carbon/configadmin</Pattern>
            <Pattern>carbon/localentries</Pattern>
            <Pattern>carbon/api</Pattern>
            <Pattern>carbon/proxyservices</Pattern>
            <Pattern>carbon/resources</Pattern>
            <Pattern>carbon/task</Pattern-->
            <Pattern>carbon/resources/update_text_content_ajaxprocessor.jsp</Pattern>
            <Pattern>carbon/resources/add_text_resource_ajaxprocessor.jsp</Pattern>
            <Pattern>commonauth</Pattern>
        </Patterns>
    </XSSPreventionConfig>

2. vi APIM-HOME/repository/resources/conf/templates/repository/conf/tomcat/catalina-server.xml.j2

Add the following line inside the Host section: <Valve className="org.wso2.carbon.ui.valve.XSSValve"/>
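To make the Rule/Patterns configuration from step 1 concrete, here is an added Python model of the valve's decision, written for this page and not taken from WSO2's XSSValve: a request whose path matches a listed pattern bypasses the check under "allow", and every other request has its query parameters tested against XSS regexes. The regexes are constructed stand-ins for the contents of xss-patterns.properties (not shown above), and the allow/deny reading is an assumption about the configuration's meaning; the request target is the captured GET from the question.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed stand-ins for the regexes in xss-patterns.properties (the real
# file is not reproduced on the page); illustrative only, not WSO2's list.
XSS_REGEXES = [re.compile(p, re.IGNORECASE) for p in
               (r"<\s*script", r"javascript\s*:", r"\bon\w+\s*=", r"\balert\s*\(")]

# The active <Pattern> entries from step 1 (commented-out ones omitted).
URL_PATTERNS = ["carbon/resources/update_text_content_ajaxprocessor.jsp",
                "carbon/resources/add_text_resource_ajaxprocessor.jsp",
                "commonauth"]

def needs_validation(path, rule, url_patterns=URL_PATTERNS):
    """Assumed Rule/Patterns semantics: 'allow' exempts the listed URL patterns
    and checks everything else; 'deny' checks only the listed patterns."""
    listed = any(p in path for p in url_patterns)
    if rule == "allow":
        return not listed
    if rule == "deny":
        return listed
    raise ValueError(f"unknown rule: {rule!r}")

def suspicious_parameters(target):
    """Percent-decode the query string; map each parameter whose value matches
    a regex to the pattern that matched it (what a rejection log would record)."""
    hits = {}
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for name, values in query.items():
        for value in values:
            for rx in XSS_REGEXES:
                if rx.search(value):
                    hits[name] = rx.pattern
                    break
    return hits

def check_request(target, rule="allow", url_patterns=URL_PATTERNS):
    """Run both stages on the request-target string from the request line."""
    if not needs_validation(urlsplit(target).path, rule, url_patterns):
        return {"validated": False, "hits": {}}
    return {"validated": True, "hits": suspicious_parameters(target)}

# The request target of the captured GET above (query string exactly as sent).
PAGE_TARGET = ("/carbon/generic/list.jsp?region=region3&item=governance_list_api_menu"
               "&key=api&breadcrumb=APIs%26%2339%3b)%3balert(76174)%3b%2f%2f"
               "&singularLabel=API&pluralLabel=APIs")

if __name__ == "__main__":
    print(check_request(PAGE_TARGET))   # breadcrumb is flagged on the alert( pattern
```

With "allow" and the three listed patterns, list.jsp is validated and the breadcrumb parameter is caught, while the two ajaxprocessor pages stay exempt; switching the rule to "deny" would invert that, which is why the choice of rule matters as much as the pattern list.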