security - Playframework 中的跨站脚本和 Web 参数篡改预防

Question

在推出我们的第一个公开 alpha 版本 http://wwww.trademango.com 后它是用Play框架构建的。我曾经历过某人或某物(即机器人)尝试进行 Web 参数篡改。这些尝试已经持续了一段时间。我们正在考虑加强我们的安全。我想知道是否有人有将 owsap 等工具与 Playframework 集成的经验。我希望获得一些社区反馈，了解其他人针对此类攻击采取的措施。

以下是一些实际的 Web 参数篡改尝试:

    @69mkklokf    Internal Server Error (500) for request GET /supplier/:q/:page?q=:supplierUUID    Execution exception (In {module:common-model}/app/models/services/ID.java around line 46)    NumberFormatException occured : For input string: ""    play.exceptions.JavaExecutionException: For input string: ""        at play.mvc.ActionInvoker.invoke(ActionInvoker.java:231)        at Invocation.HTTP Request(Play!)    Caused by: java.lang.NumberFormatException: For input string: ""        at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)        at java.lang.Long.parseLong(Long.java:450)        at java.lang.Long.valueOf(Long.java:508)        at models.services.ID.base36ToUUID(ID.java:46)        at controllers.Application.supplier(Application.java:177)        at play.mvc.ActionInvoker.invokeWithContinuation(ActionInvoker.java:548)        at play.mvc.ActionInvoker.invoke(ActionInvoker.java:502)        at play.mvc.ActionInvoker.invokeControllerMethod(ActionInvoker.java:478)        at play.mvc.ActionInvoker.invokeControllerMethod(ActionInvoker.java:473)        at play.mvc.ActionInvoker.invoke(ActionInvoker.java:161)        ... 1 more    22 Mar 2012 07:20:57,270 ERROR play:570 -     @69mkklokg    phpmyadmin.translators.html action not found    Action not found    Action phpmyadmin.translators.html could not be found. Error raised is Controller controllers.phpmyadmin.translators not found    play.exceptions.ActionNotFoundException: Action phpmyadmin.translators.html not found        at play.mvc.ActionInvoker.getActionMethod(ActionInvoker.java:590)        at play.mvc.ActionInvoker.resolve(ActionInvoker.java:85)        at Invocation.HTTP Request(Play!)    Caused by: java.lang.Exception: Controller controllers.phpmyadmin.translators not found        ... 3 more    22 Mar 2012 10:13:16,611 ERROR play:570 -     @69mkklokh    nice ports,.Trinity.txt.bak action not found    Action not found    Action nice ports,.Trinity.txt.bak could not be found. Error raised is Controller controllers.nice ports,.Trinity.txt not found    play.exceptions.ActionNotFoundException: Action nice ports,.Trinity.txt.bak not found        at play.mvc.ActionInvoker.getActionMethod(ActionInvoker.java:590)        at play.mvc.ActionInvoker.resolve(ActionInvoker.java:85)        at Invocation.HTTP Request(Play!)    Caused by: java.lang.Exception: Controller controllers.nice ports,.Trinity.txt not found        ... 3 more

Answer 1

我建议删除“catch all”路线

# Catch all  
*       /{controller}/{action}                  {controller}.{action}

删除它，并明确映射到所有 Controller 和操作。