602
No
ESAPI ( XSS, Sql Injection )
OWASP 에 ESAPI는 XSS 및 Sql Injection 방어를 위한 API
[link]
https://www.owasp.org/index.php/Main_Page
[youtube]
http://www.youtube.com/watch?v=suphwAsb-To
http://www.youtube.com/watch?v=13O9RyjuB3o
http://www.youtube.com/watch?v=_B2kv2mSJhE
http://www.youtube.com/watch?v=mMW4fiUI5kQ
- dependency 추가
org.owasp.esapi esapi 2.0.1
https://mvnrepository.com/artifact/org.owasp.esapi/esapi
2. ESAPI.properties 파일을 만들어 아래 내용을 추가한 후 classpath에 넣는다.
Authenticator.UsernameParameterName=userName Authenticator.PasswordParameterName=password ESAPI.Authenticator=com.esapi.authenticator.CustomAuthenticator Authenticator.IdleTimeoutDuration=100000 Authenticator.AbsoluteTimeoutDuration=100000
Test code
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.codecs.Codec;
import org.owasp.esapi.codecs.OracleCodec;
public class EsapiTest {
public static void main(String[] args) {
String a = "<script>alert('dddd')</script>";
String b = ESAPI.encoder().encodeForHTML(a);
System.out.println("encoded=" + b);
String username = "airlee' or 1=1";
String password = "pppp";
Codec ORACLE_CODEC = new OracleCodec();
String query = "SELECT user_id FROM user_data WHERE user_name = '" +
ESAPI.encoder().encodeForSQL( ORACLE_CODEC, username) + "' and user_password = '" +
ESAPI.encoder().encodeForSQL( ORACLE_CODEC, password) +"'";
System.out.println("query=" + query);
}
}
댓글 ( 4)
댓글 남기기