公司进行代码扫描后,我的代码出现问题。
该报告表明,我尝试执行Web服务POST请求的代码具有XSS攻击漏洞。
我对安全问题不是很熟悉。
谁能为我指出有关解决此安全漏洞的正确方向?
非常感谢。
我的Web服务调用是对CA信任的服务器的,所以我使用了:
- (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
SecTrustResultType result;
SecTrustEvaluate(challenge.protectionSpace.serverTrust, & result);
if(result == kSecTrustResultProceed || result == kSecTrustResultUnspecified) {
[challenge.sender useCredential:[NSURLCredential credentialForTrust: challenge.protectionSpace.serverTrust] forAuthenticationChallenge: challenge];
return;
保护连接。
以下代码是我编写URL请求的地方。
再说一次,我对安全性的知识不多,
因此任何帮助将不胜感激!
- (BOOL)httpPostWithUrl:(NSString *)url headersAndValues:(NSDictionary *)headersAndValues delegate:(id)delegate
{
NSMutableString *bodyString = [[NSMutableString alloc] initWithString:@""];
for (NSString *key in [headersAndValues allKeys])
{
[bodyString appendString:[NSString stringWithFormat:@"%@=%@&", key, headersAndValues[key]]];
}
NSMutableURLRequest *urlRequest = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:url]
cachePolicy:NSURLRequestReloadIgnoringLocalCacheData
timeoutInterval:20.0f];
[urlRequest setHTTPMethod:@"POST"];
[urlRequest setValue:@"application/x-www-form-urlencoded" forHTTPHeaderField:@"content-type"];
if (bodyString.length)
{
NSString *requestBody = [bodyString substringToIndex:bodyString.length-1];
NSData *requestData = [requestBody dataUsingEncoding:NSUTF8StringEncoding allowLossyConversion:YES];
[urlRequest setHTTPBody:requestData];
if (!_connectionRunning)
{
NSURLConnection *connection =[[NSURLConnection alloc] initWithRequest:request delegate:self];
return YES;
}
else
{
// error
}
}
}
return NO;
}
最佳答案
我认为这一行中的xss:
[bodyString appendString:[NSString stringWithFormat:@"%@=%@&", key, headersAndValues[key]]];
您需要检查键和headersAndValues [key]上的无效字符。
NSString *checkedKey = [self alphanumericStringFromString:checkedKey];
+ (NSString *)alphanumericString { // NSString category
NSCharacterSet *charactersToRemove = [[NSCharacterSet alphanumericCharacterSet] invertedSet];
NSString *trimmedReplacement = [[self componentsSeparatedByCharactersInSet:charactersToRemove] componentsJoinedByString:@""];
return trimmedReplacement;
}
希望对您有帮助。
关于ios - 适用于iOS的带有XSS漏洞的NSURL POST,我们在Stack Overflow上找到一个类似的问题:https://stackoverflow.com/questions/27053835/