我们在我们的spring webapp中添加了一个筛选器,它检查所有传入的请求是否有可能导致XSS漏洞的任何事情。然而,当它试图写入日志,我们可以得到以下堆栈跟踪:ESAPI在尝试记录警告时抛出org.owasp.esapi.errors.ConfigurationException
com.blah.blah.web.controllers.ExceptionLoggingController - ERROR: Exception: code=500,uri=/post.html,servlet=dispatch,class=org.owasp.esapi.errors.ConfigurationException,from=1.2.3.4,message=Request processing failed; nested exception is org.owasp.esapi.errors.ConfigurationException: java.lang.IllegalArgumentException: Classname cannot be null or empty. HTTPUtilities type name cannot be null or empty.
org.owasp.esapi.errors.ConfigurationException: java.lang.IllegalArgumentException: Classname cannot be null or empty. HTTPUtilities type name cannot be null or empty.
at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:105)
at org.owasp.esapi.ESAPI.httpUtilities(ESAPI.java:121)
at org.owasp.esapi.ESAPI.currentRequest(ESAPI.java:70)
at org.owasp.esapi.reference.JavaLogFactory$JavaLogger.log(JavaLogFactory.java:308)
at org.owasp.esapi.reference.JavaLogFactory$JavaLogger.warning(JavaLogFactory.java:242)
at org.owasp.esapi.reference.DefaultEncoder.canonicalize(DefaultEncoder.java:181)
at org.owasp.esapi.reference.DefaultEncoder.canonicalize(DefaultEncoder.java:120)
at com.blah.blah.web.MyFilter.removeXSS(MyFilter.java:26)
我在classpath ESAPI.properties,这似乎是工作,不然,那确实有配置的“失踪”类:
ESAPI.HTTPUtilities=org.owasp.esapi.reference.DefaultHTTPUtilities
DefaultHTTPUtilities也位于类路径中。
也许ESAPI.properties位于多个位置。您是否可以删除您知道正在运行的属性,并查看它是否检查您的更改是否由ESAPI库提取。 – randominstanceOfLivingThing
你可以在本地机器上运行应用程序吗? – avgvstvs