Problem description
I am using various 3rd party libs like cordova.js, jquery, jquery mobile, mobilizer and so on, in an Android mobile app. These libs are found to have various XSS vectors through insecure use of eval, setTimeout, innerHTML/outerHTML and so on.
Is there any way by which I could cover/fix these security holes and still use these libs in my app, securely?
Recommended answer
These vulnerabilities should be reported to the vendor, and you should use their patch.
Exploiting DOM Based XSS and android is possible, however the attack vectors are more limited because usually an attacker cannot exploit one of these vulnerabilities using a simple GET or POST request.
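Before reporting to a vendor or applying a patch, a reviewer usually wants an inventory of where a bundled library reaches the DOM XSS sinks the question names. The following is an added example, not code from the question, the answer, or any of the libraries mentioned: a small source-level scanner that flags those sinks (eval, string-argument setTimeout/setInterval, innerHTML/outerHTML assignment, plus document.write, the Function constructor and jQuery's .html() setter, which are the same class of sink) in a constructed sample, so each hit can be triaged by hand. The sample library text, the pattern list and the function names are all assumptions of this example; a hit is a lead for review, not proof of a vulnerability, because the data reaching the sink must also be attacker-controlled.

```javascript
// Added example (not from the original question or answer): scan third-party
// JavaScript source for DOM XSS sinks so they can be reviewed or patched.

// Sink patterns. The setTimeout/setInterval rule only fires when the first
// argument is a string literal or a string concatenation, since a function
// argument is not evaluated as code.
const SINK_PATTERNS = [
  { name: 'eval', re: /\beval\s*\(/ },
  { name: 'Function constructor', re: /\bnew\s+Function\s*\(/ },
  { name: 'setTimeout/setInterval with string',
    re: /\bset(?:Timeout|Interval)\s*\(\s*(?:["'`]|[A-Za-z_$][\w$]*\s*\+)/ },
  // "=" or "+=" assignment, but not "==" comparisons
  { name: 'innerHTML/outerHTML assignment', re: /\.(?:inner|outer)HTML\s*\+?=(?!=)/ },
  { name: 'document.write', re: /\bdocument\.write(?:ln)?\s*\(/ },
  // jQuery .html(arg) is a setter; the argument-less getter is harmless
  { name: 'jQuery .html() setter', re: /\.html\s*\(\s*[^)\s]/ },
];

// Returns one finding per (line, sink) pair with the 1-based line number.
function scanSource(source, fileName = 'unknown.js') {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    const trimmed = line.trim();
    // Skip obvious comment lines to reduce noise in minified-free sources.
    if (trimmed.startsWith('//') || trimmed.startsWith('*')) return;
    for (const { name, re } of SINK_PATTERNS) {
      if (re.test(line)) {
        findings.push({ file: fileName, line: idx + 1, sink: name, code: trimmed });
      }
    }
  });
  return findings;
}

// Count findings per sink type, useful for a quick report per library file.
function summarize(findings) {
  const bySink = {};
  for (const f of findings) bySink[f.sink] = (bySink[f.sink] || 0) + 1;
  return bySink;
}

// Constructed sample "library" source (not real cordova/jquery code).
const SAMPLE_LIB = [
  'function render(el, data) {',
  '  el.innerHTML = "<b>" + data + "</b>";',            // sink: innerHTML
  '  el.textContent = data;',                            // safe
  '  setTimeout("update(\'" + data + "\')", 100);',      // sink: string timer
  '  setTimeout(function () { update(data); }, 100);',   // safe
  '  return eval(data.expr);',                            // sink: eval
  '}',
  '// eval(legacy) -- comment, ignored',
  '$("#out").html(data.markup);',                        // sink: jQuery setter
  'var n = $("#out").html();',                           // getter, safe
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  const findings = scanSource(SAMPLE_LIB, 'sample-lib.js');
  for (const f of findings) console.log(`${f.file}:${f.line} [${f.sink}] ${f.code}`);
  console.log(summarize(findings));
}
```

Run it against each bundled library file in the app's www directory and review every hit: a sink fed only by constants can be accepted, while one fed by URL fragments, postMessage data, or WebView bridge input is what to report upstream or patch locally.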